Bootstraping a slightly more secure laptop
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 147 | |
| Author | ||
| License | CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/43905 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
| |
| Keywords |
33c321 / 147
1
3
4
6
7
9
11
13
15
16
17
19
22
23
28
31
32
33
37
39
40
41
43
44
45
46
48
49
51
53
54
55
57
58
62
64
65
66
68
71
72
73
74
77
78
82
84
85
90
93
96
98
100
102
103
104
105
108
110
111
112
113
115
118
119
120
121
122
123
125
126
127
131
133
134
137
139
140
141
143
146
147
00:00
LaptopSystem programmingOrdinary differential equationLaptopVideo gameUltraviolet photoelectron spectroscopyOpen sourceInformation securityServer (computing)Mobile appInheritance (object-oriented programming)RootField (computer science)Computer animationLecture/Conference
00:40
Ordinary differential equationBootingSystem programmingComputer wormPhysical systemFirmwareVulnerability (computing)MotherboardSoftwareWindowGroup actionProcess (computing)Lecture/Conference
01:23
ZugriffskontrolleOpen sourceBootingRandom numberEntropie <Informationstheorie>Computing platformMotherboardVirtual machineSoftwareCodeBootingOpen sourceBuildingPhysical systemProjective planeDisk read-and-write headFirmwareCASE <Informatik>LaptopTracing (software)Server (computing)Distribution (mathematics)Lecture/Conference
02:20
FirmwareComputer hardwareVirtual machineQuicksortCodeInformation securityPosition operatorDivisorIntelFirmwareMalwarePatch (Unix)Vulnerability (computing)Software bugLecture/ConferenceComputer animation
03:32
Tablet computerVideoconferencingPhysical systemRootkitHacker (term)MalwareComputer hardwareInformation managementLaptopState of matterTheorySelf-organizationGroup actionSoftware development kitRoutingVulnerability (computing)RootkitOperational amplifierMotherboardHard disk driveNP-hardBootingComputer animationLecture/Conference
04:09
Computer wormRootkitSoftwarePhysical systemVulnerability (computing)AdditionRevision controlOperating systemCASE <Informatik>Patch (Unix)Virtual machineCartesian coordinate system
04:48
BefehlsprozessorSoftwareChainIndependence (probability theory)Software developerService (economics)VacuumCartesian coordinate systemVulnerability (computing)Operating systemVirtual machinePatch (Unix)MereologyFirmwareOpen sourceImplementationMotherboardNetwork topologyIndependence (probability theory)Point (geometry)IntelLecture/ConferenceComputer animation
05:50
Computer wormSoftwareChainIndependence (probability theory)Software developerBefehlsprozessorComputerException handlingOperating systemMultiplication signProduct (business)Patch (Unix)ResultantComputer clusterComputer hardwareFirmwareLecture/ConferenceComputer animation
06:30
Computer wormInterface (computing)Kolmogorov complexityKernel (computing)Operating systemEntire functionSet (mathematics)CodeMultiplication signComplex (psychology)Physical systemSurfaceModule (mathematics)Vector potentialSoftware bugVulnerability (computing)Asynchronous Transfer ModeReal numberComputer animation
07:15
Physical systemState of matterSurfaceVector potentialFirmwareMultiplication signSoftware bugClosed setModule (mathematics)Open sourceConnectivity (graph theory)Vulnerability (computing)SoftwarePatch (Unix)Process (computing)Lecture/Conference
07:58
MeasurementOpen setKernel (computing)Information securitySoftwareBuildingChainPhysical systemInformation securityFreewareDisk read-and-write headGoodness of fitCore dumpKernel (computing)FirmwareBootingKey (cryptography)Virtual machineScaling (geometry)Gene clusterComputer animationLecture/Conference
08:53
Web pageComputerComputer hardwareVirtual machineLocal GroupInheritance (object-oriented programming)ComputerSoftwareGene clusterScaling (geometry)Kernel (computing)BootingState observerVirtual machineBit rateFrustrationLength of stayComputer animation
09:35
Electronic data interchangeRevision controlProjective planeCore dumpGraphical user interfaceLaptopPoint (geometry)Virtual machinePower (physics)BootingFirmwareLecture/Conference
10:22
Software testingRead-only memoryComputer wormLevel (video gaming)Cache (computing)Enumerated typeTable (information)Projective planeCore dumpBootingConfiguration spaceFirmwareBitVirtual machineReal numberLaptopLevel (video gaming)Group actionAsynchronous Transfer ModeFluid staticsSystem administratorComputer wormCodeCache (computing)MeasurementDisk read-and-write headFraction (mathematics)ComputerBlock (periodic table)Run-time systemRootProcess (computing)Figurate numberDynamic random-access memoryGastropod shellData compression2 (number)Bus (computing)Letterpress printingBit rateData managementHydraulic jumpInternet service providerInteractive televisionData recoveryPower (physics)Computer animation
12:25
Executive information systemCache (computing)SCSIMiniDiscZugriffskontrolleBridging (networking)Process capability indexDrill commandsCore dumpInterface (computing)Keyboard shortcutExecution unitMaizeoutputMathematical optimizationPhysical systemCoprocessorEvent horizonTime zoneWärmestrahlungPower (physics)Kernel (computing)BootingInteractive televisionData recoveryPower (physics)Gastropod shellImplementationPhysical systemBootingScripting languageState of matterFile systemFormal languageFunctional (mathematics)Multiplication signPoint (geometry)Link (knot theory)Different (Kate Ryan album)EncryptionRun time (program lifecycle phase)Limit (category theory)Cartesian coordinate systemComputer animationSource codeLecture/Conference
13:08
Kernel (computing)Open sourceNetwork topologyPulse (signal processing)Graph (mathematics)Machine codeFile systemBootingContrast (vision)Cartesian coordinate systemEncryptionOpen sourceSoftware bugDevice driverLevel (video gaming)Revision controlTurbo-CodeSurfaceTablet computerLimit (category theory)Source codeTableLecture/ConferenceComputer animation
14:09
Address spaceConfiguration spaceArrow of timeKey (cryptography)Menu (computing)Online helpBinary fileIntelData storage deviceBefehlsprozessorInclusion mapNetwork topologyInheritance (object-oriented programming)Game controllerFirmwareComputing platformComputer wormPhysical systemMiniDiscComputer-generated imageryKernel (computing)Open sourceSurfaceCore dumpGoodness of fitDevice driverComputer fileRevision controlKernel (computing)System callDisk read-and-write headProjective planeBootingSoftware bugProcess (computing)File systemConnectivity (graph theory)BuildingCASE <Informatik>Cartesian coordinate systemPhysical systemLecture/Conference
15:10
Kernel (computing)Structural loadHypercubeQuicksortDisk read-and-write headSurvival analysisCASE <Informatik>Scripting languageSet (mathematics)MiniDiscWhiteboardGastropod shellGoodness of fitDegree (graph theory)Information securityLecture/ConferenceComputer animation
15:57
Structural loadHypercubeKernel (computing)BefehlsprozessorData modelBuildingBlock (periodic table)Endliche ModelltheorieGoodness of fitAdditionCore dumpInformation securityComputing platformDegree (graph theory)Staff (military)BootingDifferent (Kate Ryan album)Computer animationLecture/Conference
16:36
Execution unitTask (computing)Video gameKeyboard shortcutPlastikkarteOpen sourceEndliche ModelltheoriePhysical systemFirmwareBefehlsprozessorBootingProcess (computing)Virtual machineGame controllerLecture/Conference
17:18
Hacker (term)Computer hardwareLine (geometry)ComputerLaptopAreaComputer wormTable (information)Einstein field equationsVirtual machineData managementMereologySocial classFrustrationMotherboardComputerWritingBootingPersonal identification numberFlash memoryBlock (periodic table)LaptopPhysical systemComputer hardwareRootkitDescriptive statisticsRight angleSystem callAsynchronous Transfer ModeClosed setReading (process)IntelComputer animation
18:59
Physical systemData managementComputer networkPlastikkarteInterface (computing)BefehlsprozessorIntelComputing platformIntercept theoremPeripheralGame controllerGraphics processing unitFunknetzData storage deviceArc (geometry)BefehlsprozessorVirtual machineJava appletBytecodePhysical systemData managementVideoconferencingSemiconductor memoryCAN busProcess (computing)SoftwareKeyboard shortcutCodeLecture/Conference
19:47
Inclusion mapFirmwareOSI modelComputer wormExecution unitEvent horizonCache (computing)Convex hullTable (information)Error messageProcess capability indexMachine codeEmulationTablet computerLibrary (computing)Normed vector spacePhase transitionRootkitFunctional (mathematics)Medical imagingMultiplication signFirmwareSpacetimeModule (mathematics)Process (computing)Virtual machineJava appletDevice driverBridging (networking)Graphics tabletPascal's triangleComputer hardwareView (database)Graphical user interfaceComputer animationSource codeLecture/Conference
20:56
IntelMemory managementData managementBootingFirmwareFreewareComputer hardwareOnline helpMenu (computing)Electronic program guideComputer animation
21:43
PasswordComputer configurationRootkitCache (computing)Kernel (computing)Computer fileOpen sourceLogical constantBootingComputer configurationPasswordProcess (computing)QuicksortGroup actionDevice driverCodeBootingVulnerability (computing)Turbo-CodeFunctional (mathematics)Physical systemCausalityLecture/ConferenceComputer animation
22:26
Computer configurationPhysical systemFunction (mathematics)PCI ExpressProcess capability indexStructural loadConfiguration spaceBootingCausalityCore dumpComputer configurationPhysical systemDevice driverFunctional (mathematics)ArmCodeBuildingBlock (periodic table)Virtual machineInternet service providerHand fanWave packetModule (mathematics)Computing platformProcess (computing)Computer animation
23:19
Module (mathematics)FreewareDigital rights managementComputing platformSoftwareBlock (periodic table)CodeDynamic random-access memoryTrailPhysical systemGoodness of fitBootingEndliche ModelltheorieChainSuite (music)Matching (graph theory)Lecture/Conference
24:01
Module (mathematics)ChainCodeHash functionDescriptive statisticsDisk read-and-write headMatching (graph theory)Key (cryptography)MiniDiscComputer animation
24:42
Execution unitComputer wormKey (cryptography)MereologyPasswordMeasurementComputer hardwareTransport Layer SecurityLimit (category theory)Type theoryMiniDiscEncryptionVirtual machineBit rateInsertion lossDisk read-and-write headDescriptive statisticsField (computer science)Heegaard splittingLecture/Conference
25:27
CryptographyMeasurementMiniDiscEmailKey (cryptography)Secret sharingEncryptionService (economics)CryptographyMiniDiscBackupDescriptive statisticsEmailLine (geometry)Gastropod shellScripting languageSocial classEndliche ModelltheorieComputer animation
26:21
Virtual machinePhysical systemPasswordCodeComputerFirmwareBit rateAuthenticationElectronic visual displayConnectivity (graph theory)Multiplication signMessage passingGoogolLecture/Conference
27:08
BootingTotal S.A.Electric currentMultiplication signTouchscreenBootingFirmwareVirtual machineMatching (graph theory)Hash functionScripting languageGastropod shellLecture/Conference
27:57
Fluid staticsGame controllerComputerKey (cryptography)Information securityGroup actionRootRandomizationComputer hardwareMalwareVulnerability (computing)Scripting languageGodRevision controlDisk read-and-write headLevel (video gaming)Gastropod shellBootingKernel (computing)
29:12
Interior (topology)Android (robot)EncryptionComputer wormOpen sourceBulletin board systemAuthenticationBootingPartition (number theory)Electronic signatureHash functionFormal verificationPhysical systemKernel (computing)Block (periodic table)Data integritySurjective functionRootkitMacro (computer science)Android (robot)Key (cryptography)Read-only memoryFile systemRootConfidence intervalDean numberHash functionLogarithmBlock (periodic table)Physical systemNetwork topologyMultiplication signRoutingElectronic signatureKernel (computing)Reading (process)Computer fileInformation securityGroup actionDisk read-and-write headCubeOpen sourceVirtual machineComputer animationLecture/Conference
30:18
Hash functionOpen sourceComputer hardwareInformation securityCubeBootingPhysical systemCore dumpInformation securityCubePhysical systemSoftwareDisk read-and-write headConfiguration spaceVirtual machineOpen sourceRead-only memoryRootData recoveryComputer fileAsynchronous Transfer ModeFile systemReal number
31:07
Data bufferConvex hullMathematicsMatching (graph theory)CASE <Informatik>Disk read-and-write headPatch (Unix)Group actionCubeDistribution (mathematics)Open sourceNetwork topologyMiniDiscSource codeLecture/Conference
31:44
Library (computing)Computer wormHash functionDiscrete element methodBootingMathematicsOpen sourceAreaQuicksortGraphical user interfaceState of matterGame controllerRootComputing platformIntelPlastikkarteComputer animationLecture/Conference
32:20
Point cloudProjective planeServer (computing)LaptopOpen setInformation securityBuildingPoint cloudDifferent (Kate Ryan album)Cloud computingGame controllerIntelligent NetworkCore dumpEndliche ModelltheorieMassOpen sourceBootingData managementComputing platformCollaborationismFirmwareIntegrated development environmentComputer animation
33:12
Core dumpBootingLaptopFlash memoryProgrammer (hardware)WebsiteRevision controlProjective planeOpen sourceDisk read-and-write headSource codeInstallation artFirmwareFeedbackLecture/ConferenceComputer animation
34:12
IntelVirtual machineCASE <Informatik>LaptopExtension (kinesiology)FirmwareBefehlsprozessorOpen sourceLecture/Conference
35:19
Computer wormPhysical systemComputer hardwareInformation securityElectronic program guidePersonal identification numberArmSelectivity (electronic)Service (economics)BefehlsprozessorLaptopChainProcess (computing)40 (number)Computer animationLecture/Conference
35:55
Computer hardwareBootingAsynchronous Transfer ModeGame controllerComputer wormCodeRootArmCore dumpWeb pageDisk read-and-write headMetropolitan area networkLecture/Conference
37:09
Computer worm10 (number)InternetworkingOpen sourceTerm (mathematics)Mobile WebBlock (periodic table)NumberBinary codeBootingCore dumpSystem callFirmwareSemiconductor memoryGame controllerBridging (networking)DemosceneGroup actionComputing platformOrder (biology)View (database)BefehlsprozessorComputer animationLecture/Conference
38:13
Game controllerState of matterMeasurementSemiconductor memoryQuicksortPhysical systemFreewareOpen sourceTotal S.A.ArmNumberAreaLaptopSoftwareComputer animation
39:12
Core dumpConnectivity (graph theory)BootingCombinational logicSpacetimeHeat transferTerm (mathematics)Axiom of choiceSystem callProjective planeKernel (computing)Latent heatDisk read-and-write headComputer wormMeasurementInstance (computer science)MultiplicationKey (cryptography)Decision theoryRow (database)Functional (mathematics)Lecture/Conference
40:43
Physical systemCore dumpMeasurementKey (cryptography)InternetworkingConfiguration spaceHash functionBootingFirmwareTerm (mathematics)Process (computing)Device driverBinary codeMereologyLevel (video gaming)Human migrationDisk read-and-write headEncryptionComputer wormCASE <Informatik>Cache (computing)Web pageLecture/Conference
42:17
Disk read-and-write headInformation securityCore dumpBootingFirmwareOpen sourceMeasurementCuboidPatch (Unix)ResultantMathematicsGraphics tabletGroup actionGraphical user interfaceLecture/ConferenceComputer animation
43:09
10 (number)Suite (music)BootingBuildingCommunications protocolFirmwareComputing platformCuboidGraphical user interfaceArmTerm (mathematics)Game controllerCore dumpMereologyCompilerBus (computing)Open sourceBefehlsprozessorLecture/Conference
44:22
Computer wormInheritance (object-oriented programming)Graphics tabletPrototypeEndliche ModelltheorieOpen sourceParticle systemService (economics)FamilyModule (mathematics)CASE <Informatik>Communications protocolFirmwareComputer animation
45:13
Computer wormArithmetic progressionPrototypeComputing platformBitOpen sourcePosition operatorSystem callKeyboard shortcutAreaGraphics tabletOpen setExtension (kinesiology)Beat (acoustics)BootingPhysical systemProcess (computing)Computer animation
46:05
Programmer (hardware)FirmwareOnline helpFlash memoryComputer hardwareProcedural programmingDimensional analysisComputer programmingRight angleBootingSoftwareSpacetimeCartesian coordinate systemComputer animation
46:44
10 (number)MedianHypermediaCartesian closed categoryCartesian coordinate systemBlock (periodic table)BootingFirmwareComputer animationLecture/ConferenceJSON
Transcript: English(auto-generated)
00:13
So the last speaker for this morning is Trammel. He's doing awesome research on bootstrapping more secure laptops or servers.
00:22
And he's doing that basically by moving the root of trust into the right protected realm. He's building an open source custom firmware, so big apps for that, and also encouraging the research on this field, which I believe it's super interesting. Thanks.
00:47
So I'm Trammel Hudson with Two Sigma Investments. And for the past several years, I've been researching firmware security vulnerabilities and looking at how they affect systems. Two years ago, I presented my work on Thunder Strike
01:00
here at CCC. And this was the first firmware attack against MacBooks that allowed an attacker to overwrite the motherboard bootrom. The year after that, I collaborated with Zeno Kova and Corey Kallenberg from Legbook Core, both of whom are now at Apple doing firmware work. And we ported a bunch of Windows UEFI vulnerabilities
01:23
over to the Mac and showed that the software platform, the UEFI software platform, allowed very portable attacks to be done. This also allowed a remote attacker with code execution on your machine to overwrite the motherboard bootrom.
01:41
But more than just breaking things, what I would like to do is take things apart and understand how they work and document them. So that other people can build systems on top of them. And that's why I'm really excited to be talking to you all about my project, Heads, which is a open source firmware and bootloader
02:00
for laptops and servers. The name is kind of a play on the popular Tails distribution, which is a stateless Linux for when you don't want to leave any traces of what you're doing on your machine. Heads is for the opposite case. It's where you want to be able to trust the machine and you want to be able to trust that the data you store
02:21
on the machine is safe and unmodified. And let's back up for a quick minute and just talk about why firmware security is so important. That this is the code that is executed by the CPU when it comes out of reset. This is the first instruction that the CPU executes.
02:41
And so it's in a really privileged position to be able to circumvent any sort of OS or other policies. And there's no shortage of talks that you can watch on interesting attack factors using firmware-based malware. One that I really liked was last year at DEF CON,
03:01
the Intel Advanced Threat Research presented an attack that showed how firmware could, malicious firmware could circumvent the hypervisors. They then went further and showed how buggy firmware allowed a unprivileged guest inside a virtual machine to escalate into privileges inside the hypervisor.
03:25
And for that reason, it's really important that firmware vulnerabilities and firmware bugs have a way to get patched. These aren't just theoretical research vulnerabilities either. We know that there are malicious organizations and hacking groups that are selling firmware rootkits
03:44
to whoever will pay, including nation-state adversaries that are using them for their persistent threats. And they are very persistent because they are in the motherboard boot ROM. So you reinstall the OS, they're still there.
04:01
You swap out the hard drive, they're still there. And some vendors are even bundling these rootkits into their official ROMs, that they are using them to install the bloatware or whatever adware they want to put into the OS.
04:23
So even after you reinstall a clean version of the OS, this particular vendor's system would install its own additions. Some of those had vulnerabilities that could then be exploited by attackers. This particular case, the vendor received enough bad press
04:43
that they released a firmware update that patched this vulnerability. And they had to do that. This wasn't something that the users could do on their own. They couldn't update the software, the firmware in their machine the way they do with their operating system or an application. And in fact, most firmware vulnerabilities
05:03
never see patches get deployed out to the end user. Part of the reason for that is that the firmware is usually four or five companies removed from the end user. That there's the open source reference implementation
05:22
from Intel called TianoCore or EDK2. When vulnerabilities are patched in there, they have to get pulled by the independent BIOS vendor and merged into the IPV tree. And then the BIOS vendor sells that to the device manufacturers.
05:41
So they have to package up a release that then gets pulled by the device manufacturer. It has to get QA'd against however many motherboards they want to test it on. And then it has to get again pulled by the original equipment manufacturer to get rebranded and whatever value they want to add.
06:00
And then sometimes it has to go through the operating system vendor to even make it out to the end user. And as a result of this, most of the time products do not receive any updates after they've been sold. There's one exception. In this chart you can see that Apple builds their own firmware. And in my work with them I've been really pleased
06:21
that they've rolled out patches for eight years of hardware which is above and beyond what any other firmware vendor is doing right now. When EFI was introduced, it brought a lot of complexity and that the Linux community was very skeptical
06:43
as to what the value was going to be provided by all this complexity. It's basically an entire operating system's worth of code. And it's not that the 16-bit real mode BIOS was all that much better. In fact, it had its own set of issues. But it was small, it was simple, it did one thing,
07:04
it did it okay. And it took a long time for UEFI to even become widely supported. But even now, most systems ship with both the UEFI and a BIOS compatibility module. So they've basically doubled their attack surface
07:21
for potential bugs and vulnerabilities. So the state of the firmware world today is that updates are rare, patches, if they ever come out, take a long time to make it through the process. Users can't fix things on their own. And we can't see what's inside
07:41
since most of them are built with closed source components. And that's not a great state for something that is as privileged as firmware. So it's my belief that firmware needs to be built with open source. It must be flexible so we can adapt it to our needs for our systems. It needs to be built with software that we understand
08:02
and we use in other applications so that it can get widely tested and well tested. It needs to be built in a reproducible manner so that we can be secure against build chain attacks. And it needs to be cryptographically measured so that we can be sure that what we flash on the system
08:23
is what is actually running on the system. And that's the philosophy behind heads. It's built on the free software core boot firmware plus a Linux kernel and ROM that acts as a bootloader. And then a lot of security research and tools
08:43
that help us try to build slightly more secure systems. Using Linux as a bootloader is not a particularly new idea. Back in the 1990s, when we started building large scale Linux clusters, we were very frustrated with the inflexibility
09:05
of DHCP and pixie booting large machines. Even with those frustrations, we built one that was about the 30th fastest in the world on the top 500. Meanwhile, my colleague Ron Minick at Los Alamos
09:22
was also building large clusters and had the observation that the BIOS enumerates all the buses, initializes a bunch of devices, finds the Linux kernel, and then the Linux kernel enumerates all the buses, initializes all the devices. And he thought, this is silly.
09:41
Why are we doing this twice? So he had the idea to build a version of Linux that ran in the ROM. He called this project Linux BIOS, and it went on to power the MRC cluster, which was the third fastest machine in the world in 2003.
10:02
In 2008, Linux BIOS underwent a major refactoring, and it was renamed to core boot. And Google chose to use core boot as the firmware on their Chromebooks, which are, at this point, the only non UEFI x86-based laptops that you can buy.
10:22
And they've done really some great work in trying to lock down the configuration and the firmware on the Chromebooks. Ron coincidentally moved to Google in 2011 and is continuing to work on the core boot project there.
10:43
So core boot has three stages that it goes through as it starts up the machine. The first one is a very small amount of real mode assembly, because your modern 64-bit laptop still boots up in real mode with 16-bit,
11:01
just like its 1970s. So that's a very small amount of code, about one and a half K. That, in turn, sets up a C runtime environment with what's called cache as RAM mode, and it calls into the ROM stage, which is about 70K. Heads has moved the TPM initialization
11:22
early in the ROM stage before DRAM is set up to help measure the boot block and provide a static root of trust that's hopefully a little bit more secure. And because that measurement is done early on, our trusted computing base is actually quite small.
11:40
This is a fraction of 1% of the size of a UEFI firmware, which is usually about 16 megs once it's uncompressed. The ROM stage then measures and executes the RAM stage, which does the more traditional walk the bus, figure out what devices are on there,
12:01
but it doesn't initialize them. It just enumerates them and generates the descriptors for Linux. It also installs the SMM handler for system management mode. It then measures and jumps into the payload, and that whole process takes less than a second.
12:21
It's able to get into the payload and actually get to the user code very, very quickly. On something like the X230, it's able to go from power on to a interactive recovery shell in less than two seconds, and that includes bringing up the TPM, doing cryptographic measurements, and assessing the state of the system.
12:43
Because we now have Linux at this point, we have all the flexibility that comes with that. We can implement boot scripts as with the full power of the shell or the C language runtime. We're not stuck with the limited functions of UEFI. Linux supports lots of different file systems.
13:02
It supports lots of different devices. It supports lots of different encryption methods, and this gives us the ability to use any of them for your specific application. In contrast to UEFI, which supports unencrypted FAT file systems on the first drive that have to be in the first one gig or something.
13:22
It's really, really limited as to how it can find its boot device. There's a saying in the open source community that with enough eyes, all bugs are shallow, and Linux has a lot more eyes looking at it,
13:40
that the device drivers and the file systems and the encryption have been reviewed by both white hat and black hat people around the world. The UEFI versions of these do not have that same level of scrutiny. So using both the UEFI drivers
14:01
and then having to run whatever on top of it increases the attack surface, but by putting Linux in the ROM and depending on its drivers, we've reduced our attack surface very dramatically. More importantly though, Coreboot and Linux are open source. So it is possible to build custom versions
14:22
for the device drivers that you need, for the file systems that you need. It's possible to fix bugs when they come out and sign and install your own kernels. You don't have to wait for the vendor to get around to doing it. And the third major component of heads
14:42
is a tool called kexec, which is a system call that was added for the Linux BIOS project back in 2003 by Eric Biederman that allows a running kernel to do a graceful shutdown and start a new kernel without having to go through the reboot process. So this allowed, on their application,
15:02
it allowed them to do very fast reboots of their cluster nodes. And in the heads case, it allows us to act as a bootloader where we can find the real kernel that you want to run and exec it. Because heads is quite small. It has to fit in four megabytes of ROM. So it's not something that you're going to run
15:22
as a day-to-day sort of OS. Hopefully this won't explode on me again. Because we have the BORN shell, most of the policies and the startup scripts in heads
15:41
are implemented as shell scripts. In this case, we're able to pass in a new set of command line parameters, a new initial RAM disk, and in this case, we can even start a hypervisor. And all of that can happen very, very quickly, as well as with a good degree of security.
16:05
So those are the building blocks that heads is built on. Core boot, Linux, and tools like kexec. But it now gives us a really nice platform to begin experimenting with additional security features. And before we go too deep down the rabbit hole
16:22
of security and threat models, I want to quote my friend Steph who said that, your threat model is not my threat model, but your threat model is okay as well. That we all have different things we want to protect from different attackers who are willing to spend different amounts of effort to go after them. And the nice thing about having an open source
16:41
is we can build systems tailored to your individual threat model. So a lot of these things may not actually apply to your specific threats, but the fact that we can build them is a great capability. Last year, Johanna Ratauska reminded us
17:02
that firmware is not just in our CPU. Firmware is in our Wi-Fi card. It is in our GPU. It is in our SSD. It is in our keyboards. And all of these devices might be trying to subvert the boot process. One way to handle that is to take Peter Studer's advice
17:23
of just assembling the machine and ripping out anything we can't control. If this is your threat model, his instructions are really worth following. They're really thorough about what pieces are potentially of concern. And right now, you'll have to open up your laptop
17:42
to install heads. It's not quite as easy to install as most Linux distributions, because we have to flash it into the motherboard boot ROM. While we're in there, we take advantage of some features that, to the best of my knowledge, no UEFI system is using.
18:00
These flash chips have a hardware write protect mode, where you can specify part of the chip is write only, excuse me, is read only, write once. And this gives us our immutable boot block in which to store the trusted computing base, the TCB, so that we can measure the rest of the system.
18:22
We also then suggest disconnecting the write protect pin from the motherboard, which protects against certain classes of attacks like the Intel closed chassis adapter that allows external JTAG of the CPU. Depending on your threat model, you might want to cover that chip in epoxy as well
18:42
to frustrate evil maid attacks that want to do physical programming on it. Disconnecting the write protect pin also serves to protect from other devices on the machine that have access to those pins. Devices like the management engine, which is a really scary CPU inside the CPU.
19:06
Rudolph Marek, two years ago at CCC, called it the Matryoshka CPU. And Igor Skoczynski detailed, what are the capabilities of the management engine? And they're really worrisome that it runs
19:22
a opaque obfuscated blob of code, about five megabytes, that the CPU can't see. The management engine can read and write all of main memory. It can read from the keyboard and video. It can receive Java byte codes over the network
19:41
and execute them on behalf of someone outside the machine. And it's listening on the network, even when the system's powered off. So this is basically a rootkit inside the chipset, as some folks have called it. So that concerned me a lot. And I spent some time looking at how its firmware images are built
20:01
and realized that we can build modified, reduced functionality firmware for it that removes all of the rootkit functions and just leaves the CPU bring up module. This takes that five megabytes and shrinks it down to about 40K of space.
20:21
So we don't know exactly what it's doing in that 40K, but we at least know it doesn't have a device driver or a Java virtual machine or a lot of the other functions. And we've successfully done this on both Sandy Bridge and Ivy Bridge, like the X230 Thinkpads, as well as modern Skylake CPUs, like the Chell Chromebook.
20:43
And that's really encouraging, that if we can apply this to more modern hardware, that allows us to move away from our five-year-old Thinkpads to something a little shinier. So the management engine isn't the only device that might be trying to support the boot process.
21:03
You again, Johanna showed us there are lots of things to be worried about. Intel's UEFI architects, Yao and Zimmer, recommend that firmware turn on the IO MMU, called VTD, to protect against rogue devices. To the best of my knowledge,
21:20
since they've written this guide, no UEFI firmware is taking advantage of the IO MMU. So it's a great piece of hardware to have, but it doesn't help if you don't turn it on. Linux, meanwhile, has no problem taking advantage of it. So we use it, essentially we get that DMA protection
21:40
for free by using Linux as our bootloader in the ROM. Another way rogue devices can try to interfere with the boot process is by providing option ROMs, which are executable code to be run by the BIOS that have a sort of a device driver. And this code can do things like log keystrokes
22:03
and then try to exfiltrate passwords, as we see here. That problem was initially reported in 2007 by John Heesman at Black Hat, again by Snare in 2012, and then again by my work on Thunder Strike. And as of last week, a official fix has finally rolled out for it
22:23
to close that particular vulnerability. Folks who are using Core Boot have this as a option, that they can say, I am concerned about this threat, let me fix this, let me disable this function. And they point out that it might cause
22:41
degraded functionality, but that's something you can QA on your own system. And in practice, with Linux as your bootloader in the ROM, you don't use the option ROMs for anything. Everything is done with Linux's own device drivers, so you're not dependent on whatever limited functionality
23:02
the option ROM provided. So now that we've taken our building blocks and we hopefully have protected the boot process and hopefully the code that's running is what we think it is, we need to turn to how do we secure the secrets on the machine. And I'm a huge fan of the TPM,
23:22
the Trusted Platform Module. And I know in the free software community, it's been largely unwelcome, it has not received a very welcome reception, because of the way it's been used for DRM and other user hostile things. Since we control the TPM from the first instruction
23:43
in the boot block, we're able to use it in ways that we want to, so we don't have to enable DRM, but we can use it to protect our secrets. And the way that it does that is it keeps track of what code is executed as the system boots.
24:01
And it hashes that code into special registers called PCRs, and the idea is that you can extend the PCR by hashing the next module of code and then hashing that with the previous hash and this creates a chain of trust that allows us to say, if these hashes match the expected values, only the code
24:23
that we want to have run has run. And then the TPM will only decrypt the disk encryption key if those PCRs match, which means that the code that we want to have run is what has been executed.
24:41
This means if someone manages to overwrite the non-write protected part of the ROM, that will change those measurements and the TPM won't reveal the key to them. It also takes a user password, and that password is validated by the TPM hardware itself,
25:02
which gives us hardware rate limiting on how often an attacker can try. It also gives us the ability to do hardware-based retry limits so that the TPM will flush the key if an attacker in possession of your machine tries too long. That does mean there's now another way
25:22
to lose your disk encryption key, and there's the old joke about there are two types of people with encrypted drives, those who have lost data due to forgetting their key and those who will. So what Heads does when you generate your key is it takes that key and splits it into multiple pieces
25:41
that you can then share either to friends or to backup services where each piece doesn't let you decrypt it, but you can combine them with Shamir secret sharing to regenerate the cryptographic disk encryption key. We're also able to take advantage of best practices
26:01
like including the disk encryption key headers in the PCRs that we use to seal the disks. This avoids a certain class of evil mate attack where someone swaps out your drive. May not be in your threat model, but it's easy to do with just a few lines of shell script.
26:24
So hopefully we now trust that the system is running the code we think it is, but how does it prove to us that it is actually our machine, that someone hasn't snuck into our hotel room and swapped out everything and carefully replaced our stickers to make us believe we're typing
26:42
our password into our own computer. Some anti-evil made toolkits will encrypt a secret phrase and then display it to you if and only if the PCRs match, but that's subject to a replay attack. What Matthew Garrett demonstrated last year at 32C3
27:03
was using the time-based one-time password used by Google Authenticator to protect the firmware and have it attest to the user that it is unmodified. So when the system boots and it goes through measuring all of the various components,
27:22
the TPM will only release the secret if those PCRs match. The firmware then hashes that along with the current time and generates a six-digit value that it prints on the screen. You compare that to what's on your phone and that tells you whether or not you can trust
27:41
the machine. It's a great idea and it's implemented, again, as a very small shell script to read the value from the TPM, unseal it, and then compute the hash of it. This also allows us to start making a transition
28:01
from the TPM-static root of trust to a PGP-based trust, where most importantly, this is a PGP key that you, the owner of the computer control, not some random vendor or some random hardware device manufacturer that's going to lose the key
28:21
and allow malware like Stuxnet to use it to circumvent security. The boot script in heads, again, it's a small shell script is able to use GPG to verify the next stages of the hypervisor, the initial RAM disk, and the kernel.
28:42
And it's also then uses the TPM's counters to help prevent against rollback, where someone takes your drive and rolls it back to a previous version, perhaps with a vulnerability that they can exploit. So this allows us to be sure that not only
29:00
are we running the OS that we think we should be running it ensures us that someone hasn't been able to substitute one that, a vulnerable version. Having the PGP key also allows us to take advantage of an idea from Android and Chrome OS,
29:20
which is the DM Verity read-only root file system. This hashes all of the blocks and it hashes all of the hashes and so on up until it gets to a root hash in the tree that is then signed. This allows the kernel on every read access
29:41
in logarithmic time to verify essentially a signature on that data. This does require a read-only root file system, but it gives us even more confidence that the system has been untampered with. Once you're running your OS, it's good to have
30:03
some security conscious thoughts as well. Heads is mostly focused on how do we securely transition to an OS, and that OS you run is up to you. I like cubes, it's reasonably secure, it's highly recommended by people who know
30:20
about endpoint security, and the cubes team recognizes that firmware security is a vital piece of system security. For their next release, cubes are for, they're going to require the machines have open source firmware, such as core boot, and I hope that heads is going to be a piece of that.
30:41
I've also been working with the cube software and have modified it to work with things like the DM Verity read-only root file system. This now allows the user to lock down the configuration so that someone can't tamper with their setup.
31:00
It also gives you a recovery mode that allows you to fix things up and re-sign the OS. Reproducible builds are really important so that everyone can verify that the builds match what they should. In the case of heads, we have a lot of upstream
31:20
dependencies that aren't reproducible, so we're working with them to try to patch them. We've patched as in, they've accepted that commit. We've also built some tools to let you build initial RAM disks in a reproducible way. Now this works with cubes, with heads, and we're hoping other Linux distributions pick it up as well. All of our tree is cryptographically signed,
31:42
so hopefully GitHub's not trying to slip in any patches. And it is open source, so we encourage everyone to read through it. No NDA is required, unlike most of the UEFI sources. So that's sort of the state of where things are. It's pretty much in very beta, but it is usable.
32:03
But there are a lot of areas where we could continue to do research, things like the embedded controllers on Chromebooks or open source. We can use those to help with our root of trust as well. Porting Coreboot to more modern platforms would let us take advantage of things like tamper switches and Intel Bootguard.
32:21
I'm also working on porting Coreboot over to server platforms so that we can use it for more secure cloud hosting. Servers have a very different threat model from laptops, and a lot of things have firmware that we have to be concerned about. One collaboration I'm looking at there
32:41
is with the Open BMC project to be able to take advantage of the open source in the management controller for the servers. And I'm also collaborating with the mass open cloud project that's trying to build secure bare metal clouds. I'm cautiously optimistic about Enclaves
33:03
and how they will help us with security, especially in a environment where we control the firmware and we can ensure that the Enclaves are set up in a safe way. There are a lot of issues on GitHub. Again, please welcome contributions.
33:20
I hope everyone gets inspired to work on installing this on their laptop. And if you are interested, I'll be hanging out at the Coreboot assembly later today and occasionally this week. The Coreboot team has a bunch of people here. They have flash programmers
33:41
and can help you install Coreboot on your laptop. Source code for heads is available on GitHub, and a annotated version of this talk is up on my website and welcome comments and feedback on it. So thank you all for coming to hear about this project.
34:01
I hope that everyone is as excited about open source firmware as I am, and I'd love to take any questions that you all have.
34:28
Thanks for your great talk. This is very interesting. Do you have any advice for the 95% of us who are stuck on non-Coreboot compatible laptops? Buy a Chromebook?
34:44
It's hard to trust the closed source firmware. Certainly, there are people we have to trust. There are institutions we have to trust. We have to trust Intel to some extent, and Intel is responsible for both our CPUs
35:01
and a lot of the firmware. Depending on your threat model, firmware attacks may not be a huge concern for your particular machine, or they might be of grave concern, in which case, even just doing some of the things that Peter Suj suggested,
35:21
Suj suggested of clipping the right protect pin on the chip, removing things that might be hostile and attacking your system. His guide is a really good one to follow for the hardware security.
35:42
I was wondering if you also support ARM. I just saw Intel laptops and I was wondering. So ARM, it has a lot of advantages as a CPU. It only has 20 years of legacy baggage rather than 40, and the boot process on it is much, much simpler
36:01
since it doesn't have to go through real mode to long mode to paging and all the other steps. The downside to a lot of ARMs is that their boot code is on die, and outside of the control of the user.
36:21
Luckily, most of that boot code is fairly simple, and some of them will establish a hardware root of trust. But in general, the ARM to U-Boot to whatever seems to work out pretty well.
36:40
I know there's been some interest in can U-Boot be replaced with a Linux BIOS or core boot-like thing, and I suspect the folks at the booth would be able to talk more about that. And then just a follow-up. So if core boot or libre boot supports the platform, it heads will work too, right? Is this?
37:00
Essentially, yes. It heads as a payload for core boot. Okay. It's there on the left. Thank you, there's a question from the internet about core boot. Core boot has blobs included,
37:20
and for example, binary blobs from Intel with all the firmware support package and all that stuff. How can we call core boot secure then in the light of this, let alone open source? So the Intel FSP is a significant concern. This is the firmware support package that is required to initialize the memory controllers
37:42
on modern Intel CPUs. On older CPUs, such as the Sandy Bridge and Ivy Bridge, the core boot and libre boot are able to initialize the memory natively without having to go into the FSP.
38:01
However, if you look at what core boot is doing in the MRC on those platforms, it tends to just be poking a bunch of registers with values that seem to work. And it's, modern memory controllers are so complex that an Intel is unwilling to document them
38:22
that without extensive NDAs, that it's very hard to build any sort of memory initialization. So while we can't say it's 100% free software, we can at least, we can ensure that the FSP is measured and it's unchanging.
38:41
We can also look at the state of things that it sets up and include those in our measurements. So even if it doesn't give us 100% open source, and as far as I know, the only system that does that right now is a bunnies and novena laptop.
39:03
At least we can measure it and we can know that it hasn't been tampered with from what we initially installed. Number four. Hi, so this is a great project and I'd like to ask why you did certain architectural decisions,
39:21
the specific combination of Linux and Shell. So why didn't you choose a BSD kernel which are usually perceived to be more secure and of a higher quality? And why did you choose a Shell over, let's say Python or Haskell, which are also often perceived of a higher quality?
39:40
So there is a lot of desire to support Python in heads. The downside is that there's very limited space. The X230 boot rom, for instance, has four megabytes of available space. The Python interpreter's a couple of megs already.
40:01
In terms of why Linux over BSD, the kexec system call is a core component of this to be able to do a creaseful shutdown and transfer from the Linux kernel to another kernel or to any multi-boot compliant kernels, which includes BSD, is a necessary feature.
40:24
If BSD had such functionality, that it would be a fine choice for the internal boot rom bootloader.
40:45
Thanks for your great work. How to perform updates of core boot and its payload? When its binary is used in measurement for releasing encryption key,
41:01
then when you update core boot, this measurement will change and you will no longer be able to boot the system. How to solve that problem? So migrating encryption keys with TPM requires a explicit step of retrieving the key from the TPM with the current configuration
41:23
and then resealing it with the new configuration. One advantage of a reproducible build is the hashes of all the firmware stages can be published, can be precomputed, and then the PCR values can be precomputed. So you can seal the keys for the new values.
41:45
In terms of the update process for the heads payload, one of the things that we're working on is being able to have even more minimal heads that has just a USB device driver that you can boot into, copy your new payload,
42:04
and then install that elsewhere on the chip. And part of that process would involve resealing any of the keys that you need to transfer. Another question from the internet. Thank you. On your webpage, you implemented head on Thinkpads only.
42:21
How much work is still needed to translate this to, let's say, non-Thinkpads? Thinkpads are really popular with the security community. It's quite interesting to look out at the hall here and see how many Thinkpads there are. And as a result, the Core Boot community has been very supportive of Thinkpads.
42:43
Other than the Thinkpads and the Chromebooks, there aren't a lot of devices that support Core Boot out of the box. And that's something that I hope would change. I hope that some OEMs would realize there is value in providing open source firmware
43:01
and move to using it, both as a cost-saving measure as well as a freedom measure. In terms of the difficulty importing Core Boot to a platform, I haven't successfully done that yet, but I suspect the people at the assembly would be happy to discuss that further.
43:23
Would you plan to rework an embedded control firmware or on Thinkpads because it's a remaining closed part which still has an access to the LPC bus and probably couldn't be trusted?
43:41
So your question was how do we replace the EC? Yes, do you plan to replace EC with open source firmware as in Chromebooks? So the Chromebook has open source EC. The part of building Core Boot for Chromebook involves installing the ARM cross compiler
44:01
to build the EC firmware. And the Chromebooks actually have a really elegant protocol for the EC to attest to the CPU that it is running the firmware that you think it is running. On other platforms, this would require a lot more research.
44:20
Many of the EC chipsets have data sheets available, so it's possible to read through and see how they work. And most of them have updatable firmware. In the case of the Thinkpads, there's a module in the Thinkpad BIOS that will do that update. We would need to figure out what that protocol looks like.
44:41
Sorry. Yes, I mean if you have a working prototype on Thinkpads, probably want to add remain bit as open source EC on Thinkpads as well, the first place. I'm sorry, I don't think I understood your follow up.
45:03
Okay. So if you have a working prototype on Thinkpads and only on Thinkpads, will you finish someone soon a current existing prototype of open source EC
45:24
existing on H8 by Linux, or you're planning to extend your work on other platforms and finish these bits later? Yeah, right now I have not personally made any progress
45:41
on the Thinkpad EC. I was looking into it because I have a modified keyboard on my Thinkpad that needs a updated EC firmware, but I haven't actually gotten into that. That's an area of open research.
46:01
Thank you, two quick questions from the IRC. Are you planning to use systemd in the boot process? Is the first one. And the second one, let's say you flash your firmware at the congress, right here, with the help of a hardware programmer. Can you update when there's a new version?
46:20
Or do you have to currently need the hardware access to update? Right now, you can update afterwards at great risk, because you can leave the flash writeable, and then you can, which would allow you
46:40
to flash after the fact. We are still working on a good procedure for doing software-only firmware updates once the immutable boot block is installed. And to the other question, did I mention that we are really short on space, and we don't want to put any large applications
47:02
like systemd on there? It was a good one. Thanks. Thank you all.