Securing the Linux boot process
Matthew Garrett
http://lca2018.linux.org.au/schedule/presentation/74/
Linux has had support for UEFI Secure Boot for some time, which helps secure part of the boot process - you can be reasonably sure that nobody's replaced your bootloader or kernel, and that's sufficient to cover a bunch of cases. But for various technical reasons there's still a number of security critical components that are entirely unverified and which can be replaced by an attacker, and that means anyone with access to your system can configure it to steal (say) your hard drive encryption password. That's suboptimal.
There are various solutions to this involving TPMs, but so far they've all involved a lot of manual configuration and run the risk of being locked out of your machine for upgrading your kernel at the wrong time. Surely we can do better?
Unsurprisingly, yes. This presentation will describe some light modifications to the way distributions ship components that will make it possible to ensure that systems boot without running the risk of sensitive credentials being stolen but also without compromising the flexibility of the existing Linux boot process.
This talk was given at Linux.conf.au 2018 (LCA2018) which was held on 22-26 January 2018 in Sydney Australia.
linux.conf.au is a conference about the Linux operating system, and all aspects of the thriving ecosystem of Free and Open Source Software that has grown up around it. Run since 1999, in a different Australian or New Zealand city each year, by a team of local volunteers, LCA invites more than 500 people to learn from the people who shape the future of Open Source. For more information on the conference see https://linux.conf.au/
#linux.conf.au #linux #foss #opensource
Видео Securing the Linux boot process канала LinuxConfAu 2018 - Sydney, Australia
http://lca2018.linux.org.au/schedule/presentation/74/
Linux has had support for UEFI Secure Boot for some time, which helps secure part of the boot process - you can be reasonably sure that nobody's replaced your bootloader or kernel, and that's sufficient to cover a bunch of cases. But for various technical reasons there's still a number of security critical components that are entirely unverified and which can be replaced by an attacker, and that means anyone with access to your system can configure it to steal (say) your hard drive encryption password. That's suboptimal.
There are various solutions to this involving TPMs, but so far they've all involved a lot of manual configuration and run the risk of being locked out of your machine for upgrading your kernel at the wrong time. Surely we can do better?
Unsurprisingly, yes. This presentation will describe some light modifications to the way distributions ship components that will make it possible to ensure that systems boot without running the risk of sensitive credentials being stolen but also without compromising the flexibility of the existing Linux boot process.
This talk was given at Linux.conf.au 2018 (LCA2018) which was held on 22-26 January 2018 in Sydney Australia.
linux.conf.au is a conference about the Linux operating system, and all aspects of the thriving ecosystem of Free and Open Source Software that has grown up around it. Run since 1999, in a different Australian or New Zealand city each year, by a team of local volunteers, LCA invites more than 500 people to learn from the people who shape the future of Open Source. For more information on the conference see https://linux.conf.au/
#linux.conf.au #linux #foss #opensource
Видео Securing the Linux boot process канала LinuxConfAu 2018 - Sydney, Australia
Показать
Комментарии отсутствуют
Информация о видео
25 января 2018 г. 5:22:08
00:45:42
Другие видео канала
Understanding the Linux Boot Process - CompTIA Linux+, LPIC-1
IPMI - because ACPI and UEFI weren't terrifying enough
Getting conned into writing IoTuz/ESP32 drivers and example code
Secure Boot for Small Microcontrollers
Hardening Access to Your Server | Linux Security Tutorial
Remote Work: My first decade working from the far end of the earth
Mass Production: Open-source Testing in Manufacturing
Secure Boot with ATECC608A
Setting up the YubiKey on Ubuntu (Desktop and Server)
UEFI Linux Secure Boot Kernel Signing and Verification demo
Configuring a Custom Linux Kernel (5.6.7-gentoo)
UEFI Boot for Mere Mortals
How To Use Linux LUKS Full Disk Encryption For Internal / External / Boot Drives![Reverse engineering vendor firmware drivers for little fun and no profit [linux.conf.au 2014]](https://i.ytimg.com/vi/j5NciKpHZzs/default.jpg)
Reverse engineering vendor firmware drivers for little fun and no profit [linux.conf.au 2014]
Linux Booting Process Steps - RHEL 8
Linux: the first second
Trusted Platform Module (TPM): Explained
Secure Boot from A to Z - Quentin Schulz & Mylène Josserand, Bootlin (formerly Free Electrons)
Embedded Linux Booting Process (Multi-Stage Bootloaders, Kernel, Filesystem)
Firmware security, why it matters and how you can have it