[gPXE-devel] Trusted boot for gPXE
Stefan Hajnoczi
stefanha at gmail.com
Sun May 23 03:31:48 EDT 2010

On Tue, May 18, 2010 at 3:17 PM, charles blundell <blundellc at gmail.com> wrote:
> hey stefan!
>
> this is cool! i think there are some issues:
> - MD5 is no good: it's basically broken for these purposes.
> - RSA 512-bit is too small.
>
> you might find:
> http://csrc.nist.gov/groups/ST/toolkit/index.html
> useful. in particular:
> http://csrc.nist.gov/publications/drafts/800-131/draft-800-131_transition-paper.pdf
> seems to be pretty sage advice. in particular, use sha-1 at least, RSA
> of key size >1024 bits.

Thanks for the links. gPXE has an SHA-1 implementation and using
larger RSA keys should be possible too.

> can you put comments in a gpxe script? if so, maybe you could just
> embed an openpgp signature?
>
> these signatures cannot expire (except if the key expires). so there's
> a simple attack: record the gpxe boot script (and kernel, etc). wait
> until a kernel vulnerability is found, wait for a reboot, replay what
> you recorded. now you have a vulnerable host running a trusted kernel.

Good point. The demo I posted would allow someone with a copy of old
signed files to replay them.

> do you have any thoughts about key management? e.g., could you just
> give the verisign root CA cert to gpxe
> and have everything signed with it accepted? or how about getting keys from gpg?

Currently there is no X.509 certificate verification in gPXE. Perhaps
this is the way to go instead of using raw RSA.

> if the signature is missing and TRUSTED_BOOT is enabled, the image is
> rejected, right?

Yes, that is the intent. Images start without the IMAGE_TRUSTED flag.
Attempts to exec an image will be rejected unless IMAGE_TRUSTED has
been set (using imgdigest or a script signature).

> can a trusted script load an untrusted image? e.g., if i miss out an
> imgdigest line, what happens?

The image execution will fail if IMAGE_TRUSTED is not set on the loaded image.

> is there any special syntax that you can put in the #!gpxe line? (i
> assume you strip the signature out of the script pretty carefully, i
> can imagine a lot going wrong here.)

At the moment there is no syntax other than the signature. However,
if additional options are added (e.g. #!gpxe --debug) then parsing the
signature and calculating the hash of the script without the signature
becomes more tricky. In a proper patch for mainline gPXE I'd like to
keep the #!gpxe line extensible and would need to be more careful.
Stefan
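
The signature-stripping problem raised in the last exchange, as an added example that is not part of the original message or of the gPXE patch: one strict way to separate the signature from the bytes that get hashed while keeping the `#!gpxe` line extensible. The `--sig=` option name, the single-space token grammar and the function name are assumptions made for illustration; hashing and RSA verification of the returned region are left to the caller.

```c
#include <stdio.h>
#include <string.h>

#define MAGIC   "#!gpxe"
#define SIG_OPT "--sig="  /* hypothetical option name, not gPXE syntax */

/* Copy `script` into `out` (>= len bytes) with the one SIG_OPT token and its
 * leading space removed; every other byte, including options like --debug,
 * stays in the hashed region. Returns the byte count to hash, or -1 to reject
 * (bad magic, bad spacing, missing, empty or repeated signature). */
long split_signed_script(const char *script, size_t len, char *out,
                         const char **sig, size_t *sig_len)
{
    size_t mlen = strlen(MAGIC), olen = strlen(SIG_OPT), head, tail;
    const char *nl, *end, *p, *tok = NULL, *tok_end = NULL;
    if (len < mlen || memcmp(script, MAGIC, mlen) != 0) return -1;
    nl = memchr(script, '\n', len);
    end = nl ? nl : script + len;        /* only the first line is parsed */
    for (p = script + mlen; p < end; ) {
        const char *t = p + 1, *e;       /* p is the single separating space */
        if (*p != ' ' || t == end) return -1;
        e = memchr(t, ' ', (size_t)(end - t));
        if (!e) e = end;
        if (e == t) return -1;           /* double space: not canonical */
        if ((size_t)(e - t) >= olen && memcmp(t, SIG_OPT, olen) == 0) {
            if (tok || (size_t)(e - t) == olen) return -1; /* repeated/empty */
            tok = p; tok_end = e;
        }
        p = e;
    }
    if (!tok) return -1;                 /* unsigned script: never trusted */
    *sig = tok + 1 + olen;
    *sig_len = (size_t)(tok_end - *sig);
    head = (size_t)(tok - script);
    tail = len - (size_t)(tok_end - script);
    memcpy(out, script, head);
    memcpy(out + head, tok_end, tail);
    return (long)(head + tail);
}

int main(void)
{
    const char s[] = "#!gpxe --debug --sig=abcd\nkernel vmlinuz\nboot\n"; /* constructed */
    char out[sizeof(s)];
    const char *sig; size_t sl;
    long n = split_signed_script(s, sizeof(s) - 1, out, &sig, &sl);
    printf("%ld bytes to hash, signature %.*s\n", n, (int)sl, sig);
    return 0;
}
```

Because every rejection path returns -1 before anything is hashed, a script with no signature, or with a signature-like token only on a later line, never reaches the point where IMAGE_TRUSTED could be set.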