SlideShare a Scribd company logo

SUSE shim and things related to it

SUSE Labs Taipei
SUSE Labs Taipei

SUSE Labs Conference 2023 Shim is a first-stage UEFI bootloader. SLE/openSUSE uses it to enable secure boot and MOK, loading/verify grub2. This talk will share current status of SUSE shim. And it will also introduce information about shim development. e.g. maintenance process, features, upstream review, process... so on.

Software
1 of 45
Download to read offline
Copyright © SUSE SUSE shim and things related to it SUSE Labs Conference 2023, Plzeň Joey Lee <jlee@suse.com>, Dennis Tseng <dennis.tseng@suse.com>
Copyright © SUSE 1. Shim Shim and SUSE Shim 2. Processes Review, Signing and Delivery 3. Microsoft Requirements Microsoft requirements, NX and 4K-alignment 4. SBAT SBAT and Security Violation error Agenda 2
Copyright © SUSE Shim 3
Copyright © SUSE — Shim is a trivial EFI application that, when run, attempts to open and execute another application. – License: BSD-2-Clause-Patent Copyright Red Hat, Inc Author: Matthew Garrett — Binary validation – UEFI db, MOK — shim will extend various PCRs with the digests of the targets it is loading. – PCR 7: SBAT_VAR – PCR 14: MokList, MokListX, MokSBState, MokListTrusted, MokPolicy A first-stage UEFI bootloader Shim 4
Copyright © SUSE Shim 5 Image loader UEFI Firmware Shim 15.7 Grub2 Load Load Load Kernel
Copyright © SUSE Verify shim 6 Image loader UEFI Firmware Shim 15.7 Grub2 shim_verify Verify Verify Verify Kernel NVRAM db
Copyright © SUSE — Base on upstream version, applied some SUSE downstream patches. — All SLE/Leap versions are shared one shim binary (SLE CA). Shim of openSUSE Tumbleweed uses same code, the only difference is the built-in certificate. (openSUSE CA) — Must be reviewed by shim-view project and signing by Microsoft before release by SLE/openSUSE update channel. — Version upgrade timing: serious security issues in shim or grub2. e.g. boothole series Shim for SLE and openSUSE 7
Copyright © SUSE Processes for shim 8
Copyright © SUSE Building process for new shim and shim-review docker file 9 openSUSE:Factory :shim openSUSE:Factory:secure-boot :shim Latest SLE stable release 15.4 SUSE:SLE-15-SP4:Update Create SUSE security team Shim openSUSE signkey Signature openSUSE CA Shim SLE signkey Signature SLE CA Dockerfile to reproduce the build of the shim EFI binary 15.4 Dockerfile to reproduce the build of the shim EFI binary SLE-15-SP4 SUSE security team Shim openSUSE CA Strip SUSE security team strip_signature.sh SUSE security team Shim SLE CA strip_signature.sh Create Strip
Copyright © SUSE Process for review/signing a new shim 10 shim-review https://github.com/rhboot/shim-review shim-review fork openSUSE Dockerfile openSUSE Shim Microsoft Signing Submit SUSE security team SUSE security team MS Send back to SUSE security team shim-review fork SLE Dockerfile SLE Shim Shim openSUSE CA Microsoft Signature Shim SLE CA Microsoft Signature Create SUSE security team Send Send back
Copyright © SUSE Process for review/signing a new shim 11 shim-review https://github.com/rhboot/shim-review shim-review fork openSUSE Dockerfile openSUSE Shim Microsoft Signing Submit SUSE security team SUSE security team MS Send back to SUSE security team shim-review fork SLE Dockerfile SLE Shim Shim openSUSE CA Microsoft Signature Shim SLE CA Microsoft Signature Create SUSE security team Send Send back
Copyright © SUSE shim-review project 12
Copyright © SUSE shim-review project (cont.) 13
Copyright © SUSE New shim delivery 14 extract Microsoft Signature extract_signature.sh Shim openSUSE CA Microsoft Signature Shim SLE CA Microsoft Signature openSUSE:Factory:secure-boot :shim signature-opensuse.*.asc Update Latest SLE stable release SUSE:SLE-15-SP4:Update signature-sles.*.asc 15.4 Shim openSUSE signkey Signature openSUSE CA Microsoft Signature Shim openSUSE signkey Signature openSUSE CA Microsoft Signature Shim openSUSE signkey Signature openSUSE CA Microsoft Signature Shim SLE signkey Signature SLE CA Microsoft Signature signature-opensuse.*.asc timestamp, linker, checksum Hash of signed back shim Microsoft Signature signature-sles.*.asc timestamp, linker, checksum Hash of signed back shim Microsoft Signature Deliver Update Deliver
Copyright © SUSE Double check the hash of shim 15 openSUSE:Factory:secure-boot :shim signature-opensuse.*.asc update 15.4 extract Microsoft Signature extract_signature.sh Shim (signed back) openSUSE CA Microsoft Signature signature-opensuse.*.asc timestamp, linker, checksum Hash of signed back shim Microsoft Signature pesign -h -P PE header Timestamp, linker, checksum timestamp.pl pesign -a -f -e Update Shim openSUSE CA PE header Shim openSUSE CA PE header timestamp, linker, checksum timestamp.pl --set-from-file 1. restore Hash of restored shim pesign -h -P Shim openSUSE CA PE header Microsoft Signature 2. compare 3. attach shim.spec
Copyright © SUSE Repackage and deliver 16 16 Latest SLE stable release SUSE:SLE-15-SP3:Update shim-15.4.tar.bz2 shim-15.4-4.7.1.x86_64.rpm SUSE:SLE-15-SP4:Update Inherit from SUSE:SLE-15-SP5:GA SUSE:SLE-15-SP1:Update SUSE:SLE-15:Update SUSE:SLE-11-SP3:Update SUSE:SLE-12-SP3:Update Repacking from shim-15.4-3.32.1.x86_64.rpm shim-15.4-7.23.1.x86_64.rpm shim-15.4-25.21.1.x86_64.rpm SUSE:SLE-12-SP2:Update shim-15.4-12.11.1.x86_64.rpm SUSE:SLE-15-SP2:Update Inherit from SUSE:SLE-12-SP4:Update SUSE:SLE-12-SP5:Update openSUSE:Leap:15.4:Update Inherit from SUSE:SLE-12-SP4:Update Inherit from
Copyright © SUSE Microsoft Requirements 17
Copyright © SUSE — UPDATED: UEFI Signing Requirements [1] — 1. UEFI submissions require an EV certificate and an Azure Active Directory (AAD) account. — 2. Only production quality code (for example, “release to manufacturing” code, rather than test or debug modules) that will be released to customers (no internal-only code or tools) are eligible for UEFI signing. — 4. Code submitted for UEFI signing must not be subject to GPLv3 or any license that purports to give someone the right to demand authorization keys to be able to install modified forms of the code on a device. Code that is subject to such a license that has already been signed might have that signature revoked. For example, GRUB 2 is licensed under GPLv3 and will not be signed. Microsoft updated UEFI Signing Requirements 18
Copyright © SUSE — UPDATED: UEFI Signing Requirements [1] — 12. If your submission is a SHIM (handing off execution to another bootloader), then you must first submit to the SHIM review board and be approved before a submission will be signed. This review board will check to ensure the following: A. Code signing keys must be backed up, stored, and recovered only by personnel in trusted roles, using at least dual-factor authorization in a physically secured environment. i. The private key must be protected with a hardware cryptography module. … ii. The operating environment must achieve a level of security at least equal to FIPS 140-2 Level iii. If embedded certificates are EV certificates, you should meet all of the above requirements. We recommend that you use an EV certificate because this will speed up UEFI CA signing turnaround. Microsoft updated UEFI Signing Requirements for shim 19
Copyright © SUSE — UPDATED: UEFI Signing Requirements [1] — 12. If your submission is a SHIM (handing off execution to another bootloader), … A. Code signing keys must be backed up, stored… B. Submitter must design and implement a strong revocation mechanism for everything the shim loads, directly and subsequently. C. If you lose keys or abuse the use of a key, or if a key is leaked, any submission relying on that key will be revoked. D. Some shims are known to present weaknesses into the SecureBoot system. For a faster signing turnaround, we recommend that you use source code of 0.8 or higher from shim... Microsoft updated UEFI Signing Requirements for shim (cont.) 20
Copyright © SUSE — UPDATED: UEFI Signing Requirements [1] — Effective 11/30/2022 all submissions must satisfy and attest to NX compatibility as described by: New UEFI CA memory mitigation requirements for signing [2] — Section Alignment of the submitted PE file must be aligned with 4KB page size. — Section Flags must not combine IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE for any given section. — DLL Characteristics must include IMAGE_DLLCHARACTERISTICS_NX_COMPAT NX and 4K alignment 21
Copyright © SUSE — https://github.com/tianocore/edk2-pytool- extensions/blob/HEAD/docs/user/tools/using_image_validation_tool.md — The PE/COFF image validation tool is a command line tool used to verify that memory protection requirements such as section alignment and write / execute settings are applied correctly. This tool also provides the ability to check, set, and clear the NX_COMPAT flag found in OPTIONAL_HEADER.DllCharacteristics. — pip install --upgrade edk2-pytool-extensions — python3 image_validation.py --get-nx-compat --file /usr/lib64/efi/shim.efi python3 image_validation.py --clear-nx-compat -i shim-15.7-test.efi python3.6 image_validation.py -i shim.efi --set-nx-compat PE/COFF Image Validation Tool 22
Copyright © SUSE — commit 7c7642530fab73facaf3eac233cfbce29e10b0ef Author: Peter Jones <pjones@redhat.com> Date: Thu Nov 17 12:31:31 2022 -0500 Enable the NX compatibility flag by default. – Out of shim 15.7, backported. – Using post-process-pe -N when building can disable this bit. Shim and NX 23
Copyright © SUSE — OVMF, OvmfPkg/OvmfPkgX64.dsc — Add GCC:*_GCC*_*_DLINK_FLAGS = -z common-page-size=0x1000 to the following sections # Force PE/COFF sections to be aligned at 4KB boundaries to support page level protection [BuildOptions.common.EDKII.DXE_SMM_DRIVER, BuildOptions.common.EDKII.SMM_CORE] # Force PE/COFF sections to be aligned at 4KB boundaries to support MemoryAttribute table [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] # Force PE/COFF sections to be aligned at 4KB boundaries to support NX protection [BuildOptions.common.EDKII.DXE_DRIVER, BuildOptions.common.EDKII.DXE_CORE, BuildOptions.common.EDKII.UEFI_DRIVER, BuildOptions.common.EDKII.UEFI_APPLICATION] NX and 4K alignment in firmware memory protection 24
Copyright © SUSE — OVMF, OvmfPkg/OvmfPkgX64.dsc [PcdsFixedAtBuild] ## Set image protection policy. The policy is bitwise. # If a bit is set, the image will be protected by DxeCore if it is aligned. # The code section becomes read-only, and the data section becomes non-executable. gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x00000002 ## Set DXE memory protection policy. The policy is bitwise. # If a bit is set, memory regions of the associated type will be mapped non-executable. gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0x0000000000007FD4 NX and 4K alignment in firmware memory protection (cont.) 25
Copyright © SUSE — https://microsoft.github.io/mu/ Project Mu is a modular adaptation of TianoCore's edk2 tuned for building modern devices using a scalable, maintainable, and reusable pattern. — Mu Tiano Platforms Repository https://github.com/microsoft/mu_tiano_platforms.git https://microsoft.github.io/mu/dyn/mu_tiano_platforms/RepoDetails/ Mu Tiano Platform is a public repository of Project Mu based firmware for the QEMU processor emulator. It contains a QemuQ35Pkg that is customized to enable many of the features of Project Mu. It also contains the original upstream OvmfPkg from edk2 which supports IA32/X64 virtual firmware for QEMU. [3] — The only implementation of EFI_MEMORY_ATTTRIBUTE_PROTOCOL. (37.7.1, UEFI spec 2.10) Project Mu 26
Copyright © SUSE — 82e0d6d76 efi: libstub: ensure allocated memory to be executable v5.19-rc1, Baskov Evgeniy <baskov@ispras.ru> CONFIG_EFI_DXE_MEM_ATTRIBUTES – Uses DXE services EFI_SET_MEMORY_SPACE_ATTRIBUTES (4.1, PI spec 1.7) — [PATCH v5 00/27] x86_64: Improvements at compressed kernel stage Baskov Evgeniy <baskov@ispras.ru> – support EFI_MEMORY_ATTRIBUTE_PROTOCOL (37.7.1, UEFI spec 2.10) — [RFC PATCH 0/3] efi: Implement generic zboot support [PATCH 0/6] efi/x86: Avoid legacy decompressor during EFI boot Ard Biesheuvel <ardb@kernel.org> Kernel boot with NX support 27
Copyright © SUSE SBAT 28
Copyright © SUSE — The limitation of dbx space on UEFI platform ~= 32kB – Until February 2021, already 50% be used. [4] — SUSE shim 15.4 supported SBAT self check (self-block) SUSE shim 15.7 fully supported SBAT policy — objdump -j .sbat -s shim.efi — SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23 SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 — mokutil --set-sbat-policy <latest/previous/delete> mokutil --list-sbat-revocations UEFI Secure Boot Advanced Targeting SBAT 29
Copyright © SUSE SbatLevel variable 30 Shim 15.4 .sbat section sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.mdn shim,1,UEFI shim,shim,1,https://github.com/rhboot/shimn shim.sle,1,SUSE Linux Enterprise,shim,15.4,mail:security-team@suse.den SBAT_VAR sbat,1,2021030218n NVRAM SbatLevel sbat,1,2021030218n Create UEFI Firmware sbat_var_entry (CSV format) component_name,component_generation,sbat_datestamp e.g. sbat,1,2021030218n component_name: sbat component_generation: 1 sbat_datestamp: 2021030218
Copyright © SUSE Replace SbatLevel variable 31 Shim 15.7 .sbat section sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.mdn shim,3,UEFI shim,shim,1,https://github.com/rhboot/shimn shim.sle,1,SUSE Linux Enterprise,shim,15.7,mail:security@suse.den SBAT_VAR_ORIGINAL (SBAT_POLICY_RESET) sbat,1,2021030218n SBAT_VAR_PREVIOUS (SBAT_POLICY_PREVIOUS) [default] sbat,1,2022052400ngrub2,2 SBAT_VAR_LATEST (SBAT_POLICY_LATEST) sbat,1,2023012900nshim,2ngrub,3n NVRAM SbatLevel sbat,1,2021030218n UEFI Firmware sbat_var_entry (CSV format) component_name,component_generation,sbat_datestamp e.g. sbat,1,2023012900nshim,2ngrub,3n sbat,1,2022111500 component_name: sbat component_generation: 1 sbat_datestamp: 2022111500 shim,2 grub,3 sbat,1,2022111500nshim,2ngrub,3n 1. compare (generation, datestamp) 2. replace
Copyright © SUSE Shim SBAT self check 32 32 NVRAM SbatLevel sbat,1,2022111500nshim,2ngrub,3n UEFI Firmware sbat_section_entry (CSV format) component_name,component_generation, vendor_name,vendor_package_name,vendor_version,vendor_url e.g. sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.mdn shim,1,UEFI shim,shim,1,https://github.com/rhboot/shimn component_name: shim component_generation: 1 shim.sle,1,SUSE Linux Enterprise,shim,15.4,mail:security-team@suse.den Shim 15.4 .sbat section sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.mdn shim,1,UEFI shim,shim,1,https://github.com/rhboot/shimn shim.sle,1,SUSE Linux Enterprise,shim,15.4,mail:security-team@suse.den SBAT_VAR sbat,1,2021030218n sbat_var_entry (CSV format) component_name,component_generation,sbat_datestamp e.g. sbat,1,2022111500nshim,2ngrub,3n sbat,1,2022111500n shim,2n component_name: shim component_generation: 2 grub,3n shim,1,UEFI shim,shim,1,https://github.com/rhboot/shimn Compare (name, generation) component_generation: 1 < 2 Self Block!
Copyright © SUSE Grub2 SBAT check 33 33 NVRAM SbatLevel sbat,1,2022111500nshim,2ngrub,3n UEFI Firmware sbat_var_entry (CSV format) component_name,component_generation,sbat_datestamp e.g. sbat,1,2022111500nshim,2ngrub,3n sbat,1,2022111500n shim,2n grub,3n component_name: grub component_generation: 3 2. Compare (name, generation) component_generation: 2 < 3 Block! Shim 15.7 Grub2 .sbat section sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.mdn grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/n grub.opensuse,1,The openSUSE Project,grub2,2.06,mailto:security@suse.den 1. Load grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/n sbat_section_entry (CSV format) component_name,component_generation, vendor_name,vendor_package_name,vendor_version,vendor_url e.g. sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.mdn grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/n component_name: grub component_generation: 2 grub.opensuse,1,The openSUSE Project,grub2,2.06,mailto:security@suse.den
Copyright © SUSE Verify kernel binary 34 NVRAM SbatLevel sbat,1,2022111500nshim,2ngrub,3n UEFI Firmware Shim 15.7 Grub2 1. Load Kernel db mok PE signature 2. Call SHIM_LOCK protocol shim_verify .sbat section (option) 4. verify kernel’s PE signature with 3. verify SBAT (option)
Copyright © SUSE Verify kernel binary 35 NVRAM SbatLevel sbat,1,2022111500nshim,2ngrub,3n UEFI Firmware Shim 15.7 Grub2 1. Load Kernel db mok PE signature 2. Call SHIM_LOCK protocol shim_verify .sbat section (option) 4. verify kernel’s PE signature with 3. verify SBAT (option) Kernel doesn’t support yet
Copyright © SUSE ● Shim verification failed (UEFI firmware → shim): invalid shim signature – check keys in db, or check signature of shim. Security Violation error – case 1 36
Copyright © SUSE Security Violation error – case 2 37 ● Shim verification failed (shim self-check): shim SBAT doesn’t match, old shim self- blocked – check SBAT of shim.
Copyright © SUSE Security Violation error – case 3 38 ● Grub2 verification failed (shim → grub2): invalid grub2 signature or grub2 SBAT doesn’t match – check keys in db/mok, embedded key in shim. Or check signature of grub2. – check SBAT.
Copyright © SUSE Security Violation error – case 4 39 ● Kernel verification failed (grub2 → shim → kernel): kernel signature doesn’t match – Check keys in db/mok, or embedded key in shim. Check signature of kernel
Copyright © SUSE — SUSE shim 15.7 fully supported SBAT policy — objdump -j .sbat -s shim.efi — SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23 SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 — mokutil --set-sbat-policy <latest/previous/delete> mokutil --list-sbat-revocations — e.g. Shim 15.7 – delete (original): sbat,1,2021030218 – previous: sbat,1,2022052400ngrub2,2n – latest: sbat,1,2022111500nshim,2ngrub,3 SBAT Policy 40
Copyright © SUSE version: Shim 15.7 SBAT Policy transitions 41 SBAT Policy transitions (Secure Boot OFF) old policy new policy delete (original) previous latest delete (original) N/A YES YES previous YES N/A NO (1) latest YES YES N/A SBAT Policy transitions (Secure Boot ON) old policy new policy delete (original) previous latest delete (original) N/A NO (2) NO (2) previous YES N/A NO (1) latest YES YES N/A (1) blocked by datestamp (2) blocked by secure boot The original state only be kept in one boot cycle. Next boot/reboot, the SbatLevel will be auto-changed to previous state because datestamp. Cannot directly transform from latest state to previous state because datestamp. It should transform from latest to original state first, then transform to previous state. Which means that secure boot must be disabled first
Copyright © SUSE SBAT Policy transitions (chart) 42 previous latest delete (original) Secure boot must be OFF Secure boot must be OFF
Copyright © SUSE — Working on upstream, improve credit. – shim-review, shim projects ← Dennis Tseng — Reduce downstream patches for SLE/openSUSE. — Upstream features: – Multiple second stage bootloader – Merge fallback.efi and MokManager.efi to shim.efi Next 43
Copyright © SUSE — [1] UPDATED: UEFI Signing Requirements https://techcommunity.microsoft.com/t5/hardware-dev-center/updated-uefi-signing- requirements/ba-p/1062916 — [2] New UEFI CA memory mitigation requirements for signing https://techcommunity.microsoft.com/t5/hardware-dev-center/new-uefi-ca-memory-mitigation- requirements-for-signing/ba-p/3608714 — [3] Bug 1205588 - Page Fault when booting with PE NX-compatibility DLL Characteristic flag — [4] https://github.com/rhboot/shim/blob/main/SBAT.md Reference 44
Copyright © SUSE © SUSE LLC. All Rights Reserved. SUSE and the SUSE logo are registered trademarks of SUSE LLC in the United States and other countries. All third-party trademarks are the property of their respective owners. For more information, contact SUSE at: +1 800 796 3700 (U.S./Canada) Frankenstrasse 146 90461 Nürnberg www.suse.com Thank you

Recommended

Linux Performance Analysis and Tools
Linux Performance Analysis and ToolsLinux Performance Analysis and Tools
Linux Performance Analysis and ToolsBrendan Gregg
 
Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Stefano Stabellini
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxThe Linux Foundation
 
The e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationThe e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationjoeylikernel
 
How To Build Android for ARM Chip boards
How To Build Android for ARM Chip boardsHow To Build Android for ARM Chip boards
How To Build Android for ARM Chip boardsIndustrial Technology Research Institute (ITRI)(工業技術研究院, 工研院)
 
Multi-signed Kernel Module
Multi-signed Kernel ModuleMulti-signed Kernel Module
Multi-signed Kernel ModuleSUSE Labs Taipei
 
Docker実践入門
Docker実践入門Docker実践入門
Docker実践入門hiro nemu
 
KVM tools and enterprise usage
KVM tools and enterprise usageKVM tools and enterprise usage
KVM tools and enterprise usagevincentvdk
 

Recommended

Linux Performance Analysis and Tools
Linux Performance Analysis and ToolsLinux Performance Analysis and Tools
Linux Performance Analysis and ToolsBrendan Gregg
 
Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Stefano Stabellini
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxThe Linux Foundation
 
The e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationThe e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationjoeylikernel
 
How To Build Android for ARM Chip boards
How To Build Android for ARM Chip boardsHow To Build Android for ARM Chip boards
How To Build Android for ARM Chip boardsIndustrial Technology Research Institute (ITRI)(工業技術研究院, 工研院)
 
Multi-signed Kernel Module
Multi-signed Kernel ModuleMulti-signed Kernel Module
Multi-signed Kernel ModuleSUSE Labs Taipei
 
Docker実践入門
Docker実践入門Docker実践入門
Docker実践入門hiro nemu
 
KVM tools and enterprise usage
KVM tools and enterprise usageKVM tools and enterprise usage
KVM tools and enterprise usagevincentvdk
 
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...Stefano Stabellini
 
Docker Container
Docker ContainerDocker Container
Docker ContainerSeung-Hoon Baek
 
Static partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-VStatic partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-VRISC-V International
 
Linux power management: are you doing it right?
Linux power management: are you doing it right?Linux power management: are you doing it right?
Linux power management: are you doing it right?Chris Simmonds
 
RHEL8 Kernel Management Manual in Korean
RHEL8 Kernel Management Manual in KoreanRHEL8 Kernel Management Manual in Korean
RHEL8 Kernel Management Manual in KoreanJun Hee Shin
 
Virtualization with KVM (Kernel-based Virtual Machine)
Virtualization with KVM (Kernel-based Virtual Machine)Virtualization with KVM (Kernel-based Virtual Machine)
Virtualization with KVM (Kernel-based Virtual Machine)Novell
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Linaro
 
Linux Kernel Programming
Linux Kernel ProgrammingLinux Kernel Programming
Linux Kernel ProgrammingNalin Sharma
 
PCI Passthrough and ITS Support in Xen / ARM :Xen Dev Summit 2015 Presentation
PCI Passthrough and ITS Support in Xen / ARM :Xen Dev Summit 2015 Presentation PCI Passthrough and ITS Support in Xen / ARM :Xen Dev Summit 2015 Presentation
PCI Passthrough and ITS Support in Xen / ARM :Xen Dev Summit 2015 Presentation Manish Jaggi
 
Installing Aix
Installing AixInstalling Aix
Installing AixFrederick James Rathweg
 
ELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedStefano Stabellini
 
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...The Linux Foundation
 
U-Boot Porting on New Hardware
U-Boot Porting on New HardwareU-Boot Porting on New Hardware
U-Boot Porting on New HardwareRuggedBoardGroup
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debuggingLAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debugging96Boards
 
Universal flash storage
Universal flash storageUniversal flash storage
Universal flash storageDooyong Lee
 
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101KubeAcademy
 
해외 사례로 보는 Billing for OpenStack Solution
해외 사례로 보는 Billing for OpenStack Solution해외 사례로 보는 Billing for OpenStack Solution
해외 사례로 보는 Billing for OpenStack SolutionNalee Jang
 
The kvm virtualization way
The kvm virtualization wayThe kvm virtualization way
The kvm virtualization wayFrancisco Gonçalves
 
Linux Internals - Part II
Linux Internals - Part IILinux Internals - Part II
Linux Internals - Part IIEmertxe Information Technologies Pvt Ltd
 
Xen on ARM for embedded and IoT: from secure containers to dom0less systems
Xen on ARM for embedded and IoT: from secure containers to dom0less systemsXen on ARM for embedded and IoT: from secure containers to dom0less systems
Xen on ARM for embedded and IoT: from secure containers to dom0less systemsStefano Stabellini
 
Code Factory avec GitLab CI et Rancher
Code Factory avec GitLab CI et RancherCode Factory avec GitLab CI et Rancher
Code Factory avec GitLab CI et RancherSUSE
 
Code Factory avec GitLab CI et Rancher
Code Factory avec GitLab CI et RancherCode Factory avec GitLab CI et Rancher
Code Factory avec GitLab CI et RancherSUSE
 

More Related Content

What's hot

Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...Stefano Stabellini
 
Static partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-VStatic partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-VRISC-V International
 
Linux power management: are you doing it right?
Linux power management: are you doing it right?Linux power management: are you doing it right?
Linux power management: are you doing it right?Chris Simmonds
 
RHEL8 Kernel Management Manual in Korean
RHEL8 Kernel Management Manual in KoreanRHEL8 Kernel Management Manual in Korean
RHEL8 Kernel Management Manual in KoreanJun Hee Shin
 
Virtualization with KVM (Kernel-based Virtual Machine)
Virtualization with KVM (Kernel-based Virtual Machine)Virtualization with KVM (Kernel-based Virtual Machine)
Virtualization with KVM (Kernel-based Virtual Machine)Novell
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Linaro
 
Linux Kernel Programming
Linux Kernel ProgrammingLinux Kernel Programming
Linux Kernel ProgrammingNalin Sharma
 
PCI Passthrough and ITS Support in Xen / ARM :Xen Dev Summit 2015 Presentation
PCI Passthrough and ITS Support in Xen / ARM :Xen Dev Summit 2015 Presentation PCI Passthrough and ITS Support in Xen / ARM :Xen Dev Summit 2015 Presentation
PCI Passthrough and ITS Support in Xen / ARM :Xen Dev Summit 2015 Presentation Manish Jaggi
 
ELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedStefano Stabellini
 
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...The Linux Foundation
 
U-Boot Porting on New Hardware
U-Boot Porting on New HardwareU-Boot Porting on New Hardware
U-Boot Porting on New HardwareRuggedBoardGroup
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debuggingLAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debugging96Boards
 
Universal flash storage
Universal flash storageUniversal flash storage
Universal flash storageDooyong Lee
 
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101KubeAcademy
 
해외 사례로 보는 Billing for OpenStack Solution
해외 사례로 보는 Billing for OpenStack Solution해외 사례로 보는 Billing for OpenStack Solution
해외 사례로 보는 Billing for OpenStack SolutionNalee Jang
 
Xen on ARM for embedded and IoT: from secure containers to dom0less systems
Xen on ARM for embedded and IoT: from secure containers to dom0less systemsXen on ARM for embedded and IoT: from secure containers to dom0less systems
Xen on ARM for embedded and IoT: from secure containers to dom0less systemsStefano Stabellini
 

What's hot (20)

Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
 
Docker Container
Docker ContainerDocker Container
Docker Container
 
Static partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-VStatic partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-V
 
Linux power management: are you doing it right?
Linux power management: are you doing it right?Linux power management: are you doing it right?
Linux power management: are you doing it right?
 
RHEL8 Kernel Management Manual in Korean
RHEL8 Kernel Management Manual in KoreanRHEL8 Kernel Management Manual in Korean
RHEL8 Kernel Management Manual in Korean
 
Virtualization with KVM (Kernel-based Virtual Machine)
Virtualization with KVM (Kernel-based Virtual Machine)Virtualization with KVM (Kernel-based Virtual Machine)
Virtualization with KVM (Kernel-based Virtual Machine)
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
 
Linux Kernel Programming
Linux Kernel ProgrammingLinux Kernel Programming
Linux Kernel Programming
 
PCI Passthrough and ITS Support in Xen / ARM :Xen Dev Summit 2015 Presentation
PCI Passthrough and ITS Support in Xen / ARM :Xen Dev Summit 2015 Presentation PCI Passthrough and ITS Support in Xen / ARM :Xen Dev Summit 2015 Presentation
PCI Passthrough and ITS Support in Xen / ARM :Xen Dev Summit 2015 Presentation
 
Installing Aix
Installing AixInstalling Aix
Installing Aix
 
ELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for Embedded
 
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
 
U-Boot Porting on New Hardware
U-Boot Porting on New HardwareU-Boot Porting on New Hardware
U-Boot Porting on New Hardware
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debuggingLAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
 
Universal flash storage
Universal flash storageUniversal flash storage
Universal flash storage
 
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101
 
해외 사례로 보는 Billing for OpenStack Solution
해외 사례로 보는 Billing for OpenStack Solution해외 사례로 보는 Billing for OpenStack Solution
해외 사례로 보는 Billing for OpenStack Solution
 
The kvm virtualization way
The kvm virtualization wayThe kvm virtualization way
The kvm virtualization way
 
Linux Internals - Part II
Linux Internals - Part IILinux Internals - Part II
Linux Internals - Part II
 
Xen on ARM for embedded and IoT: from secure containers to dom0less systems
Xen on ARM for embedded and IoT: from secure containers to dom0less systemsXen on ARM for embedded and IoT: from secure containers to dom0less systems
Xen on ARM for embedded and IoT: from secure containers to dom0less systems
 

Similar to SUSE shim and things related to it

Code Factory avec GitLab CI et Rancher
Code Factory avec GitLab CI et RancherCode Factory avec GitLab CI et Rancher
Code Factory avec GitLab CI et RancherSUSE
 
Code Factory avec GitLab CI et Rancher
Code Factory avec GitLab CI et RancherCode Factory avec GitLab CI et Rancher
Code Factory avec GitLab CI et RancherSUSE
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionAnne Nicolas
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...The Linux Foundation
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesSysdig
 
Upgrade Ubuntu 18.04 Security with Secureboot
Upgrade Ubuntu 18.04 Security with SecurebootUpgrade Ubuntu 18.04 Security with Secureboot
Upgrade Ubuntu 18.04 Security with SecurebootJonathan MICHEL-VILLAZ
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications guest879f38
 
LlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryLlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryDocker, Inc.
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...NETWAYS
 
Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealitySally Feller
 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, ChefCompliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, ChefAlert Logic
 
Bootkits step by-step-slides-final-v1-release
Bootkits step by-step-slides-final-v1-releaseBootkits step by-step-slides-final-v1-release
Bootkits step by-step-slides-final-v1-releaseEric Koeppen
 
Chef arista devops days a'dam 2015
Chef arista devops days a'dam 2015Chef arista devops days a'dam 2015
Chef arista devops days a'dam 2015Edwin Beekman
 
Building PoC ready ODM Platforms with Arm SystemReady v5.2.pdf
Building PoC ready ODM Platforms with Arm SystemReady v5.2.pdfBuilding PoC ready ODM Platforms with Arm SystemReady v5.2.pdf
Building PoC ready ODM Platforms with Arm SystemReady v5.2.pdfPaul Yang
 
Linux firmware for iRMC controller on Fujitsu Primergy servers
Linux firmware for iRMC controller on Fujitsu Primergy serversLinux firmware for iRMC controller on Fujitsu Primergy servers
Linux firmware for iRMC controller on Fujitsu Primergy serversVladimir Shakhov
 
CCNAv5 - S3: Chapter9 IOS Images and Licensing
CCNAv5 - S3: Chapter9 IOS Images and LicensingCCNAv5 - S3: Chapter9 IOS Images and Licensing
CCNAv5 - S3: Chapter9 IOS Images and LicensingVuz Dở Hơi
 
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnSupply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnNUS-ISS
 

Similar to SUSE shim and things related to it (20)

Code Factory avec GitLab CI et Rancher
Code Factory avec GitLab CI et RancherCode Factory avec GitLab CI et Rancher
Code Factory avec GitLab CI et Rancher
 
Code Factory avec GitLab CI et Rancher
Code Factory avec GitLab CI et RancherCode Factory avec GitLab CI et Rancher
Code Factory avec GitLab CI et Rancher
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
 
Upgrade Ubuntu 18.04 Security with Secureboot
Upgrade Ubuntu 18.04 Security with SecurebootUpgrade Ubuntu 18.04 Security with Secureboot
Upgrade Ubuntu 18.04 Security with Secureboot
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications
 
LlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryLlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and Notary
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
 
Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE Virtualization
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, ChefCompliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
 
EFI Secure Key
EFI Secure KeyEFI Secure Key
EFI Secure Key
 
Bootkits step by-step-slides-final-v1-release
Bootkits step by-step-slides-final-v1-releaseBootkits step by-step-slides-final-v1-release
Bootkits step by-step-slides-final-v1-release
 
Slimline Open Firmware
Slimline Open FirmwareSlimline Open Firmware
Slimline Open Firmware
 
Chef arista devops days a'dam 2015
Chef arista devops days a'dam 2015Chef arista devops days a'dam 2015
Chef arista devops days a'dam 2015
 
Building PoC ready ODM Platforms with Arm SystemReady v5.2.pdf
Building PoC ready ODM Platforms with Arm SystemReady v5.2.pdfBuilding PoC ready ODM Platforms with Arm SystemReady v5.2.pdf
Building PoC ready ODM Platforms with Arm SystemReady v5.2.pdf
 
Linux firmware for iRMC controller on Fujitsu Primergy servers
Linux firmware for iRMC controller on Fujitsu Primergy serversLinux firmware for iRMC controller on Fujitsu Primergy servers
Linux firmware for iRMC controller on Fujitsu Primergy servers
 
CCNAv5 - S3: Chapter9 IOS Images and Licensing
CCNAv5 - S3: Chapter9 IOS Images and LicensingCCNAv5 - S3: Chapter9 IOS Images and Licensing
CCNAv5 - S3: Chapter9 IOS Images and Licensing
 
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnSupply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
 

More from SUSE Labs Taipei

Locked down openSUSE Tumbleweed kernel
Locked down openSUSE Tumbleweed kernelLocked down openSUSE Tumbleweed kernel
Locked down openSUSE Tumbleweed kernelSUSE Labs Taipei
 
ACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelSUSE Labs Taipei
 
Profiling the ACPICA Namespace and Event Handing
Profiling the ACPICA Namespace and Event HandingProfiling the ACPICA Namespace and Event Handing
Profiling the ACPICA Namespace and Event HandingSUSE Labs Taipei
 
Kernel debug log and console on openSUSE
Kernel debug log and console on openSUSEKernel debug log and console on openSUSE
Kernel debug log and console on openSUSESUSE Labs Taipei
 
The bright future of SUSE and openSUSE
The bright future of SUSE and openSUSEThe bright future of SUSE and openSUSE
The bright future of SUSE and openSUSESUSE Labs Taipei
 
Convert your package to multibuild on Open Build Service
Convert your package to multibuild on Open Build ServiceConvert your package to multibuild on Open Build Service
Convert your package to multibuild on Open Build ServiceSUSE Labs Taipei
 
Linux Linux Traffic Control
Linux Linux Traffic ControlLinux Linux Traffic Control
Linux Linux Traffic ControlSUSE Labs Taipei
 
Looking into trusted and encrypted keys
Looking into trusted and encrypted keysLooking into trusted and encrypted keys
Looking into trusted and encrypted keysSUSE Labs Taipei
 
Use bonding driver with ethernet
Use bonding driver with ethernetUse bonding driver with ethernet
Use bonding driver with ethernetSUSE Labs Taipei
 
Use build service API in your program
Use build service API in your programUse build service API in your program
Use build service API in your programSUSE Labs Taipei
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceSUSE Labs Taipei
 
Develop and Maintain a Distro with Open Build Service
Develop and Maintain a Distro with Open Build ServiceDevelop and Maintain a Distro with Open Build Service
Develop and Maintain a Distro with Open Build ServiceSUSE Labs Taipei
 

More from SUSE Labs Taipei (19)

Locked down openSUSE Tumbleweed kernel
Locked down openSUSE Tumbleweed kernelLocked down openSUSE Tumbleweed kernel
Locked down openSUSE Tumbleweed kernel
 
ACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelACPI Debugging from Linux Kernel
ACPI Debugging from Linux Kernel
 
Profiling the ACPICA Namespace and Event Handing
Profiling the ACPICA Namespace and Event HandingProfiling the ACPICA Namespace and Event Handing
Profiling the ACPICA Namespace and Event Handing
 
Kernel debug log and console on openSUSE
Kernel debug log and console on openSUSEKernel debug log and console on openSUSE
Kernel debug log and console on openSUSE
 
The bright future of SUSE and openSUSE
The bright future of SUSE and openSUSEThe bright future of SUSE and openSUSE
The bright future of SUSE and openSUSE
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101
 
Convert your package to multibuild on Open Build Service
Convert your package to multibuild on Open Build ServiceConvert your package to multibuild on Open Build Service
Convert your package to multibuild on Open Build Service
 
Ixgbe internals
Ixgbe internalsIxgbe internals
Ixgbe internals
 
Linux Linux Traffic Control
Linux Linux Traffic ControlLinux Linux Traffic Control
Linux Linux Traffic Control
 
Looking into trusted and encrypted keys
Looking into trusted and encrypted keysLooking into trusted and encrypted keys
Looking into trusted and encrypted keys
 
Use bonding driver with ethernet
Use bonding driver with ethernetUse bonding driver with ethernet
Use bonding driver with ethernet
 
Use build service API in your program
Use build service API in your programUse build service API in your program
Use build service API in your program
 
Hands-on ethernet driver
Hands-on ethernet driverHands-on ethernet driver
Hands-on ethernet driver
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to Userspace
 
S4 sig-check-lpc-20130918
S4 sig-check-lpc-20130918S4 sig-check-lpc-20130918
S4 sig-check-lpc-20130918
 
openSUSE12.2 Review
openSUSE12.2 ReviewopenSUSE12.2 Review
openSUSE12.2 Review
 
oS KDE Repos & MM
oS KDE Repos & MMoS KDE Repos & MM
oS KDE Repos & MM
 
Develop and Maintain a Distro with Open Build Service
Develop and Maintain a Distro with Open Build ServiceDevelop and Maintain a Distro with Open Build Service
Develop and Maintain a Distro with Open Build Service
 
Coscup 2012-urfkill
Coscup 2012-urfkillCoscup 2012-urfkill
Coscup 2012-urfkill
 

Recently uploaded

Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningVitsRangannavar
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsMehedi Hasan Shohan
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 

Recently uploaded (20)

Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 

SUSE shim and things related to it

  • 1. Copyright © SUSE SUSE shim and things related to it SUSE Labs Conference 2023, Plzeň Joey Lee <jlee@suse.com>, Dennis Tseng <dennis.tseng@suse.com>
  • 2. Copyright © SUSE 1. Shim Shim and SUSE Shim 2. Processes Review, Signing and Delivery 3. Microsoft Requirements Microsoft requirements, NX and 4K-alignment 4. SBAT SBAT and Security Violation error Agenda 2
  • 4. Copyright © SUSE — Shim is a trivial EFI application that, when run, attempts to open and execute another application. – License: BSD-2-Clause-Patent Copyright Red Hat, Inc Author: Matthew Garrett — Binary validation – UEFI db, MOK — shim will extend various PCRs with the digests of the targets it is loading. – PCR 7: SBAT_VAR – PCR 14: MokList, MokListX, MokSBState, MokListTrusted, MokPolicy A first-stage UEFI bootloader Shim 4
  • 5. Copyright © SUSE Shim 5 Image loader UEFI Firmware Shim 15.7 Grub2 Load Load Load Kernel
  • 6. Copyright © SUSE Verify shim 6 Image loader UEFI Firmware Shim 15.7 Grub2 shim_verify Verify Verify Verify Kernel NVRAM db
  • 7. Copyright © SUSE — Base on upstream version, applied some SUSE downstream patches. — All SLE/Leap versions are shared one shim binary (SLE CA). Shim of openSUSE Tumbleweed uses same code, the only difference is the built-in certificate. (openSUSE CA) — Must be reviewed by shim-view project and signing by Microsoft before release by SLE/openSUSE update channel. — Version upgrade timing: serious security issues in shim or grub2. e.g. boothole series Shim for SLE and openSUSE 7
  • 9. Copyright © SUSE Building process for new shim and shim-review docker file 9 openSUSE:Factory :shim openSUSE:Factory:secure-boot :shim Latest SLE stable release 15.4 SUSE:SLE-15-SP4:Update Create SUSE security team Shim openSUSE signkey Signature openSUSE CA Shim SLE signkey Signature SLE CA Dockerfile to reproduce the build of the shim EFI binary 15.4 Dockerfile to reproduce the build of the shim EFI binary SLE-15-SP4 SUSE security team Shim openSUSE CA Strip SUSE security team strip_signature.sh SUSE security team Shim SLE CA strip_signature.sh Create Strip
  • 10. Copyright © SUSE Process for review/signing a new shim 10 shim-review https://github.com/rhboot/shim-review shim-review fork openSUSE Dockerfile openSUSE Shim Microsoft Signing Submit SUSE security team SUSE security team MS Send back to SUSE security team shim-review fork SLE Dockerfile SLE Shim Shim openSUSE CA Microsoft Signature Shim SLE CA Microsoft Signature Create SUSE security team Send Send back
  • 11. Copyright © SUSE Process for review/signing a new shim 11 shim-review https://github.com/rhboot/shim-review shim-review fork openSUSE Dockerfile openSUSE Shim Microsoft Signing Submit SUSE security team SUSE security team MS Send back to SUSE security team shim-review fork SLE Dockerfile SLE Shim Shim openSUSE CA Microsoft Signature Shim SLE CA Microsoft Signature Create SUSE security team Send Send back
  • 13. Copyright © SUSE shim-review project (cont.) 13
  • 14. Copyright © SUSE New shim delivery 14 extract Microsoft Signature extract_signature.sh Shim openSUSE CA Microsoft Signature Shim SLE CA Microsoft Signature openSUSE:Factory:secure-boot :shim signature-opensuse.*.asc Update Latest SLE stable release SUSE:SLE-15-SP4:Update signature-sles.*.asc 15.4 Shim openSUSE signkey Signature openSUSE CA Microsoft Signature Shim openSUSE signkey Signature openSUSE CA Microsoft Signature Shim openSUSE signkey Signature openSUSE CA Microsoft Signature Shim SLE signkey Signature SLE CA Microsoft Signature signature-opensuse.*.asc timestamp, linker, checksum Hash of signed back shim Microsoft Signature signature-sles.*.asc timestamp, linker, checksum Hash of signed back shim Microsoft Signature Deliver Update Deliver
  • 15. Copyright © SUSE Double check the hash of shim 15 openSUSE:Factory:secure-boot :shim signature-opensuse.*.asc update 15.4 extract Microsoft Signature extract_signature.sh Shim (signed back) openSUSE CA Microsoft Signature signature-opensuse.*.asc timestamp, linker, checksum Hash of signed back shim Microsoft Signature pesign -h -P PE header Timestamp, linker, checksum timestamp.pl pesign -a -f -e Update Shim openSUSE CA PE header Shim openSUSE CA PE header timestamp, linker, checksum timestamp.pl --set-from-file 1. restore Hash of restored shim pesign -h -P Shim openSUSE CA PE header Microsoft Signature 2. compare 3. attach shim.spec
  • 16. Copyright © SUSE Repackage and deliver 16 16 Latest SLE stable release SUSE:SLE-15-SP3:Update shim-15.4.tar.bz2 shim-15.4-4.7.1.x86_64.rpm SUSE:SLE-15-SP4:Update Inherit from SUSE:SLE-15-SP5:GA SUSE:SLE-15-SP1:Update SUSE:SLE-15:Update SUSE:SLE-11-SP3:Update SUSE:SLE-12-SP3:Update Repacking from shim-15.4-3.32.1.x86_64.rpm shim-15.4-7.23.1.x86_64.rpm shim-15.4-25.21.1.x86_64.rpm SUSE:SLE-12-SP2:Update shim-15.4-12.11.1.x86_64.rpm SUSE:SLE-15-SP2:Update Inherit from SUSE:SLE-12-SP4:Update SUSE:SLE-12-SP5:Update openSUSE:Leap:15.4:Update Inherit from SUSE:SLE-12-SP4:Update Inherit from
  • 17. Copyright © SUSE Microsoft Requirements 17
  • 18. Copyright © SUSE — UPDATED: UEFI Signing Requirements [1] — 1. UEFI submissions require an EV certificate and an Azure Active Directory (AAD) account. — 2. Only production quality code (for example, “release to manufacturing” code, rather than test or debug modules) that will be released to customers (no internal-only code or tools) are eligible for UEFI signing. — 4. Code submitted for UEFI signing must not be subject to GPLv3 or any license that purports to give someone the right to demand authorization keys to be able to install modified forms of the code on a device. Code that is subject to such a license that has already been signed might have that signature revoked. For example, GRUB 2 is licensed under GPLv3 and will not be signed. Microsoft updated UEFI Signing Requirements 18
  • 19. Copyright © SUSE — UPDATED: UEFI Signing Requirements [1] — 12. If your submission is a SHIM (handing off execution to another bootloader), then you must first submit to the SHIM review board and be approved before a submission will be signed. This review board will check to ensure the following: A. Code signing keys must be backed up, stored, and recovered only by personnel in trusted roles, using at least dual-factor authorization in a physically secured environment. i. The private key must be protected with a hardware cryptography module. … ii. The operating environment must achieve a level of security at least equal to FIPS 140-2 Level iii. If embedded certificates are EV certificates, you should meet all of the above requirements. We recommend that you use an EV certificate because this will speed up UEFI CA signing turnaround. Microsoft updated UEFI Signing Requirements for shim 19
  • 20. Copyright © SUSE — UPDATED: UEFI Signing Requirements [1] — 12. If your submission is a SHIM (handing off execution to another bootloader), … A. Code signing keys must be backed up, stored… B. Submitter must design and implement a strong revocation mechanism for everything the shim loads, directly and subsequently. C. If you lose keys or abuse the use of a key, or if a key is leaked, any submission relying on that key will be revoked. D. Some shims are known to present weaknesses into the SecureBoot system. For a faster signing turnaround, we recommend that you use source code of 0.8 or higher from shim... Microsoft updated UEFI Signing Requirements for shim (cont.) 20
  • 21. Copyright © SUSE — UPDATED: UEFI Signing Requirements [1] — Effective 11/30/2022 all submissions must satisfy and attest to NX compatibility as described by: New UEFI CA memory mitigation requirements for signing [2] — Section Alignment of the submitted PE file must be aligned with 4KB page size. — Section Flags must not combine IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE for any given section. — DLL Characteristics must include IMAGE_DLLCHARACTERISTICS_NX_COMPAT NX and 4K alignment 21
  • 22. Copyright © SUSE — https://github.com/tianocore/edk2-pytool- extensions/blob/HEAD/docs/user/tools/using_image_validation_tool.md — The PE/COFF image validation tool is a command line tool used to verify that memory protection requirements such as section alignment and write / execute settings are applied correctly. This tool also provides the ability to check, set, and clear the NX_COMPAT flag found in OPTIONAL_HEADER.DllCharacteristics. — pip install --upgrade edk2-pytool-extensions — python3 image_validation.py --get-nx-compat --file /usr/lib64/efi/shim.efi python3 image_validation.py --clear-nx-compat -i shim-15.7-test.efi python3.6 image_validation.py -i shim.efi --set-nx-compat PE/COFF Image Validation Tool 22
  • 23. Copyright © SUSE — commit 7c7642530fab73facaf3eac233cfbce29e10b0ef Author: Peter Jones <pjones@redhat.com> Date: Thu Nov 17 12:31:31 2022 -0500 Enable the NX compatibility flag by default. – Out of shim 15.7, backported. – Using post-process-pe -N when building can disable this bit. Shim and NX 23
  • 24. Copyright © SUSE — OVMF, OvmfPkg/OvmfPkgX64.dsc — Add GCC:*_GCC*_*_DLINK_FLAGS = -z common-page-size=0x1000 to the following sections # Force PE/COFF sections to be aligned at 4KB boundaries to support page level protection [BuildOptions.common.EDKII.DXE_SMM_DRIVER, BuildOptions.common.EDKII.SMM_CORE] # Force PE/COFF sections to be aligned at 4KB boundaries to support MemoryAttribute table [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] # Force PE/COFF sections to be aligned at 4KB boundaries to support NX protection [BuildOptions.common.EDKII.DXE_DRIVER, BuildOptions.common.EDKII.DXE_CORE, BuildOptions.common.EDKII.UEFI_DRIVER, BuildOptions.common.EDKII.UEFI_APPLICATION] NX and 4K alignment in firmware memory protection 24
  • 25. Copyright © SUSE — OVMF, OvmfPkg/OvmfPkgX64.dsc [PcdsFixedAtBuild] ## Set image protection policy. The policy is bitwise. # If a bit is set, the image will be protected by DxeCore if it is aligned. # The code section becomes read-only, and the data section becomes non-executable. gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x00000002 ## Set DXE memory protection policy. The policy is bitwise. # If a bit is set, memory regions of the associated type will be mapped non-executable. gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0x0000000000007FD4 NX and 4K alignment in firmware memory protection (cont.) 25
  • 26. Copyright © SUSE — https://microsoft.github.io/mu/ Project Mu is a modular adaptation of TianoCore's edk2 tuned for building modern devices using a scalable, maintainable, and reusable pattern. — Mu Tiano Platforms Repository https://github.com/microsoft/mu_tiano_platforms.git https://microsoft.github.io/mu/dyn/mu_tiano_platforms/RepoDetails/ Mu Tiano Platform is a public repository of Project Mu based firmware for the QEMU processor emulator. It contains a QemuQ35Pkg that is customized to enable many of the features of Project Mu. It also contains the original upstream OvmfPkg from edk2 which supports IA32/X64 virtual firmware for QEMU. [3] — The only implementation of EFI_MEMORY_ATTTRIBUTE_PROTOCOL. (37.7.1, UEFI spec 2.10) Project Mu 26
  • 27. Copyright © SUSE — 82e0d6d76 efi: libstub: ensure allocated memory to be executable v5.19-rc1, Baskov Evgeniy <baskov@ispras.ru> CONFIG_EFI_DXE_MEM_ATTRIBUTES – Uses DXE services EFI_SET_MEMORY_SPACE_ATTRIBUTES (4.1, PI spec 1.7) — [PATCH v5 00/27] x86_64: Improvements at compressed kernel stage Baskov Evgeniy <baskov@ispras.ru> – support EFI_MEMORY_ATTRIBUTE_PROTOCOL (37.7.1, UEFI spec 2.10) — [RFC PATCH 0/3] efi: Implement generic zboot support [PATCH 0/6] efi/x86: Avoid legacy decompressor during EFI boot Ard Biesheuvel <ardb@kernel.org> Kernel boot with NX support 27
  • 29. Copyright © SUSE — The limitation of dbx space on UEFI platform ~= 32kB – Until February 2021, already 50% be used. [4] — SUSE shim 15.4 supported SBAT self check (self-block) SUSE shim 15.7 fully supported SBAT policy — objdump -j .sbat -s shim.efi — SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23 SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 — mokutil --set-sbat-policy <latest/previous/delete> mokutil --list-sbat-revocations UEFI Secure Boot Advanced Targeting SBAT 29
  • 30. Copyright © SUSE SbatLevel variable 30 Shim 15.4 .sbat section sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.mdn shim,1,UEFI shim,shim,1,https://github.com/rhboot/shimn shim.sle,1,SUSE Linux Enterprise,shim,15.4,mail:security-team@suse.den SBAT_VAR sbat,1,2021030218n NVRAM SbatLevel sbat,1,2021030218n Create UEFI Firmware sbat_var_entry (CSV format) component_name,component_generation,sbat_datestamp e.g. sbat,1,2021030218n component_name: sbat component_generation: 1 sbat_datestamp: 2021030218
  • 31. Copyright © SUSE Replace SbatLevel variable 31 Shim 15.7 .sbat section sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.mdn shim,3,UEFI shim,shim,1,https://github.com/rhboot/shimn shim.sle,1,SUSE Linux Enterprise,shim,15.7,mail:security@suse.den SBAT_VAR_ORIGINAL (SBAT_POLICY_RESET) sbat,1,2021030218n SBAT_VAR_PREVIOUS (SBAT_POLICY_PREVIOUS) [default] sbat,1,2022052400ngrub2,2 SBAT_VAR_LATEST (SBAT_POLICY_LATEST) sbat,1,2023012900nshim,2ngrub,3n NVRAM SbatLevel sbat,1,2021030218n UEFI Firmware sbat_var_entry (CSV format) component_name,component_generation,sbat_datestamp e.g. sbat,1,2023012900nshim,2ngrub,3n sbat,1,2022111500 component_name: sbat component_generation: 1 sbat_datestamp: 2022111500 shim,2 grub,3 sbat,1,2022111500nshim,2ngrub,3n 1. compare (generation, datestamp) 2. replace
  • 32. Copyright © SUSE Shim SBAT self check 32 32 NVRAM SbatLevel sbat,1,2022111500nshim,2ngrub,3n UEFI Firmware sbat_section_entry (CSV format) component_name,component_generation, vendor_name,vendor_package_name,vendor_version,vendor_url e.g. sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.mdn shim,1,UEFI shim,shim,1,https://github.com/rhboot/shimn component_name: shim component_generation: 1 shim.sle,1,SUSE Linux Enterprise,shim,15.4,mail:security-team@suse.den Shim 15.4 .sbat section sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.mdn shim,1,UEFI shim,shim,1,https://github.com/rhboot/shimn shim.sle,1,SUSE Linux Enterprise,shim,15.4,mail:security-team@suse.den SBAT_VAR sbat,1,2021030218n sbat_var_entry (CSV format) component_name,component_generation,sbat_datestamp e.g. sbat,1,2022111500nshim,2ngrub,3n sbat,1,2022111500n shim,2n component_name: shim component_generation: 2 grub,3n shim,1,UEFI shim,shim,1,https://github.com/rhboot/shimn Compare (name, generation) component_generation: 1 < 2 Self Block!
  • 33. Copyright © SUSE Grub2 SBAT check 33 33 NVRAM SbatLevel sbat,1,2022111500nshim,2ngrub,3n UEFI Firmware sbat_var_entry (CSV format) component_name,component_generation,sbat_datestamp e.g. sbat,1,2022111500nshim,2ngrub,3n sbat,1,2022111500n shim,2n grub,3n component_name: grub component_generation: 3 2. Compare (name, generation) component_generation: 2 < 3 Block! Shim 15.7 Grub2 .sbat section sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.mdn grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/n grub.opensuse,1,The openSUSE Project,grub2,2.06,mailto:security@suse.den 1. Load grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/n sbat_section_entry (CSV format) component_name,component_generation, vendor_name,vendor_package_name,vendor_version,vendor_url e.g. sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.mdn grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/n component_name: grub component_generation: 2 grub.opensuse,1,The openSUSE Project,grub2,2.06,mailto:security@suse.den
  • 34. Copyright © SUSE Verify kernel binary 34 NVRAM SbatLevel sbat,1,2022111500nshim,2ngrub,3n UEFI Firmware Shim 15.7 Grub2 1. Load Kernel db mok PE signature 2. Call SHIM_LOCK protocol shim_verify .sbat section (option) 4. verify kernel’s PE signature with 3. verify SBAT (option)
  • 35. Copyright © SUSE Verify kernel binary 35 NVRAM SbatLevel sbat,1,2022111500nshim,2ngrub,3n UEFI Firmware Shim 15.7 Grub2 1. Load Kernel db mok PE signature 2. Call SHIM_LOCK protocol shim_verify .sbat section (option) 4. verify kernel’s PE signature with 3. verify SBAT (option) Kernel doesn’t support yet
  • 36. Copyright © SUSE ● Shim verification failed (UEFI firmware → shim): invalid shim signature – check keys in db, or check signature of shim. Security Violation error – case 1 36
  • 37. Copyright © SUSE Security Violation error – case 2 37 ● Shim verification failed (shim self-check): shim SBAT doesn’t match, old shim self- blocked – check SBAT of shim.
  • 38. Copyright © SUSE Security Violation error – case 3 38 ● Grub2 verification failed (shim → grub2): invalid grub2 signature or grub2 SBAT doesn’t match – check keys in db/mok, embedded key in shim. Or check signature of grub2. – check SBAT.
  • 39. Copyright © SUSE Security Violation error – case 4 39 ● Kernel verification failed (grub2 → shim → kernel): kernel signature doesn’t match – Check keys in db/mok, or embedded key in shim. Check signature of kernel
  • 40. Copyright © SUSE — SUSE shim 15.7 fully supported SBAT policy — objdump -j .sbat -s shim.efi — SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23 SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 — mokutil --set-sbat-policy <latest/previous/delete> mokutil --list-sbat-revocations — e.g. Shim 15.7 – delete (original): sbat,1,2021030218 – previous: sbat,1,2022052400ngrub2,2n – latest: sbat,1,2022111500nshim,2ngrub,3 SBAT Policy 40
  • 41. Copyright © SUSE version: Shim 15.7 SBAT Policy transitions 41 SBAT Policy transitions (Secure Boot OFF) old policy new policy delete (original) previous latest delete (original) N/A YES YES previous YES N/A NO (1) latest YES YES N/A SBAT Policy transitions (Secure Boot ON) old policy new policy delete (original) previous latest delete (original) N/A NO (2) NO (2) previous YES N/A NO (1) latest YES YES N/A (1) blocked by datestamp (2) blocked by secure boot The original state only be kept in one boot cycle. Next boot/reboot, the SbatLevel will be auto-changed to previous state because datestamp. Cannot directly transform from latest state to previous state because datestamp. It should transform from latest to original state first, then transform to previous state. Which means that secure boot must be disabled first
  • 42. Copyright © SUSE SBAT Policy transitions (chart) 42 previous latest delete (original) Secure boot must be OFF Secure boot must be OFF
  • 43. Copyright © SUSE — Working on upstream, improve credit. – shim-review, shim projects ← Dennis Tseng — Reduce downstream patches for SLE/openSUSE. — Upstream features: – Multiple second stage bootloader – Merge fallback.efi and MokManager.efi to shim.efi Next 43
  • 44. Copyright © SUSE — [1] UPDATED: UEFI Signing Requirements https://techcommunity.microsoft.com/t5/hardware-dev-center/updated-uefi-signing- requirements/ba-p/1062916 — [2] New UEFI CA memory mitigation requirements for signing https://techcommunity.microsoft.com/t5/hardware-dev-center/new-uefi-ca-memory-mitigation- requirements-for-signing/ba-p/3608714 — [3] Bug 1205588 - Page Fault when booting with PE NX-compatibility DLL Characteristic flag — [4] https://github.com/rhboot/shim/blob/main/SBAT.md Reference 44
  • 45. Copyright © SUSE © SUSE LLC. All Rights Reserved. SUSE and the SUSE logo are registered trademarks of SUSE LLC in the United States and other countries. All third-party trademarks are the property of their respective owners. For more information, contact SUSE at: +1 800 796 3700 (U.S./Canada) Frankenstrasse 146 90461 Nürnberg www.suse.com Thank you