HashNet
Upgrade Linux Security
with SecureBoot
Event: ESGI, Security Day 2019
Speaker: J. Michel-Villaz
Date: 02/04/2019
Disclaimer
The following presentation contains instructions that can damage software and firmware assets if misused.
Hashnet disclaims any liability for any damage you may encounter.
By using this material, you risk losing your data, and you agree to assume any and all risks associated with the resulting consequences.
It remains a work in progress.
Remarks to improve this draft are welcome.
Upgrade Linux Security with SecureBoot ESGI Security Day 2019
Agenda
Safety backup prerequisite
Ubuntu 18.04 LTS > SecureBoot
Live demo
Q & A
Safety backup prerequisite > Cases for restoration
Upgrading your master (here with SecureBoot) within 15 minutes
Incident: Software / Hardware failure
Incident: OS Compromised
Fancy Bear
Equation Group
Safety backup prerequisite > Example of material kit
15/03/2019
REX 1: MAY NEED LARGER BACKUP DISK
REX 2: MUST FILE YOUR DISK
REX 3: LATEST LAPTOPS USE TORX T4 SCREWS
REX 4: ALTERNATIVE TO (MULTIBOOT) DISK FOR CLONEZILLA SHELL
Safety backup prerequisite > USB transfer feedback
Connectors (year): theoretical data rate
USB 1.0 (1996): 1.5 Mbit/s Low Speed, 12 Mbit/s Full Speed
USB 2.0 (2001), USB 2.0 Revised: 480 Mbit/s High Speed
USB 3.0 (2011): 5 Gbit/s SuperSpeed
USB 3.1 (2014): 10 Gbit/s SuperSpeed+
USB 3.2 (2017): 20 Gbit/s SuperSpeed+
USB4 (2019): 40 Gbit/s SuperSpeed+
Source: https://en.wikipedia.org/wiki/USB
REX 5: IVOLER ADAPTERS DECREASE SPEED WITH AVERAGE RATE OVER 38 MB/s
REX 6: IMPACT ON SPEED TRANSFER W/ VS WITHOUT SECUREBOOT?
Safety backup prerequisite > Baremetal copies w/ Partclone
1/ Making a CloneZilla live shell & booting on it
Kernel boot parameters (/boot/grub/grub.cfg):
linux '(loop)/live/vmlinuz' boot='live' union='overlay' username='user' config components noswap edd='on' nomodeset nodmraid noeject locales='' keyboard-layouts='fr' ocs_live_run='ocs-live-general' ocs_debug ocs_live_extra_param='' ocs_live_batch='yes' ip='' acpi='off' irqpoll noapic noapm nodma nomce nolapic nosmp nomodeset nosplash findiso="${isofile_abspath}"
Source: https://clonezilla.org/show-live-doc-content.php?topic=clonezilla-live/doc/99_Misc
Safety backup prerequisite > Baremetal copies w/ Partclone
2/ Backing up logical volumes '/boot' and '/' (rootfs)
/dev/sdc
# cryptsetup luksOpen /dev/sda5 latroot
# mount /dev/sdc1 /mnt
# partclone.ext4 -d -c -s /dev/sda1 -o /mnt/`date +%Y%m%d-%H%M%S`-latboot.img
# partclone.ext4 -d -c -s /dev/xubuntu-vg/root -o /mnt/`date +%Y%m%d-%H%M%S`-latroot.img
Safety backup prerequisite > Baremetal copies w/ Partclone
3/ Restoring logical volumes '/boot' and '/' (rootfs)
/dev/sdc
# cryptsetup luksOpen /dev/sda5 latroot
# mount /dev/sdc1 /mnt
# partclone.ext4 -d -r -s /mnt/YYYYMMDD-HHMMSS-latboot.img -o /dev/sda1
# partclone.ext4 -d -r -s /mnt/YYYYMMDD-HHMMSS-latroot.img -o /dev/xubuntu-vg/root
Ubuntu 18.04 LTS > SecureBoot > Prerequisites
1/ Protect your disk > filesystem w/ LUKS encryption
2/ Protect your BIOS w/ an Admin password + UPDATES
3/ Back up your disk > boot & rootfs partitions (or LVs)
Ubuntu 18.04 LTS > SecureBoot > Ubuntu Boot Process
PK – Platform Key represents the root of trust and is used to protect the KEK (Key Exchange Key) database. The platform vendor puts the public portion of the Platform Key (PK) into the UEFI firmware during manufacturing. Its private portion stays with the vendor. When updating the PK, the new PK certificate must be signed with the old one.
KEK - The KEK (Key Exchange Key) database contains trusted certificates that are allowed to modify the Allowed Signature database (db), Disallowed Signature database (dbx) or Timestamp signature database (dbt) described below. The KEK database usually contains certificates of the Operating System Vendor (OSV) and is secured by the Platform Key (PK).
Sources
[1] https://odm.ubuntu.com/docs/ubuntu-bios-uefi-requirements.pdf
[2] https://blogs.technet.microsoft.com/dubaisec/2016/03/14/diving-into-secure-boot/
Ubuntu 18.04 LTS > SecureBoot > Protocol keypoints
• Many 'out of the box' distributions are secureboot-ready [1]
• Ubuntu binaries (shim & bootloader) are compiled respectively with Microsoft's WinQual and Canonical pubkeys [2]
• UEFI firmware allows key reconfiguration (enrolling a self-signed PK or the Ubuntu key) [2]
• Ubuntu will not require signed kernel images or kernel modules [2]
• Ubuntu provides updates for the revoked signature database, to be protected against known-compromised UEFI binaries [2]
• Ubuntu can (in theory) auto-update (DKMS post-build script) the kernel driver signatures [3]
• There are specificities with the naming of the bootloader when not using GRUB [4]
• When enabled, SecureBoot can (1) enforce the signature checks and block the boot process in case of violation, or (2) audit the violations without blocking the boot process [5]
Sources
[1] https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_boot
[2] https://lists.ubuntu.com/archives/ubuntu-devel/2012-June/035445.html
[3] https://lektiondestages.blogspot.com/2018/04/signing-your-kernel-modules-on-ubuntu.html
[4] https://askubuntu.com/questions/342365/what-is-the-difference-between-grubx64-and-shimx64#342382
[5] cf BIOS
Ubuntu 18.04 LTS > SecureBoot > Signing third-party kernel drivers
"sign-file" perl script
# /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
Sign-file is a Perl script. It requires that you provide both the files that contain your private and the public key as well as the kernel module file that you want to sign.
Your kernel module is in ELF image format and this script computes and appends the signature directly to the ELF image in your my_module.ko file.
Note that this appended signature is not contained in an ELF image section and is not a formal part of the ELF image. Therefore, tools such as readelf will not be able to display the signature on your kernel module.
Your kernel module is now ready for loading. Note that your signed kernel module is also loadable on systems where UEFI Secure Boot is disabled or on a non-UEFI system. That means you do not need to provide both a signed and unsigned version of your kernel module.
Sources
[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Kernel_Administration_Guide/sect-signing-kernel-modules-for-secure-boot.html
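Added example (not from the original slides or from the kernel project): since readelf cannot show the appended signature, the trailer can be read directly from the end of the file, which is also a way to spot modules that a DKMS rebuild left unsigned. It assumes the PKCS#7 trailer layout (a 12-byte module_signature struct followed by the 28-byte magic string); the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: read the trailer that sign-file appends to a kernel module.
# File layout: <module ELF> <PKCS#7 signature> <12-byte module_signature> <28-byte magic>
# module_signature: algo, hash, id_type, signer_len, key_id_len, pad[3], sig_len (big-endian u32)

MODSIG_MAGIC='~Module signature appended~'   # stored in the file with a trailing newline

# Print "signed id_type=N sig_len=N payload=N", "malformed" or "unsigned" for one file.
modsig_info() {
    ms_file=$1
    ms_size=$(( $(wc -c < "$ms_file") ))
    # tr drops NUL bytes so a binary tail does not upset the shell; $(...) strips the newline.
    if [ "$ms_size" -lt 40 ] ||
       [ "$(tail -c 28 "$ms_file" | tr -d '\000')" != "$MODSIG_MAGIC" ]; then
        echo unsigned
        return 0
    fi
    # The 12 bytes just before the magic, as unsigned decimals in $1..$12.
    set -- $(od -An -v -tu1 -j "$((ms_size - 40))" -N 12 "$ms_file")
    ms_siglen=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
    ms_payload=$(( ms_size - 40 - ms_siglen ))
    if [ "$ms_payload" -lt 0 ]; then
        echo malformed        # trailer claims more signature bytes than the file holds
        return 0
    fi
    # id_type 2 is the PKCS#7 form; payload is the size of the module without its trailer.
    echo "signed id_type=$3 sig_len=$ms_siglen payload=$ms_payload"
}

# List every *.ko under a directory that has no valid trailer, e.g. after a DKMS rebuild.
unsigned_modules() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r um_ko; do
        case $(modsig_info "$um_ko") in
            signed*) ;;
            *) printf '%s\n' "$um_ko" ;;
        esac
    done
}

# Constructed sample files (not real modules): a 13-byte fake body, and the same body
# followed by a 9-byte fake signature, a struct with id_type=2 and sig_len=9, and the magic.
make_sample_modules() {
    printf 'FAKE-ELF-BODY' > "$1/plain.ko"
    {
        printf 'FAKE-ELF-BODY'
        printf 'SIGNATURE'
        printf '\000\000\002\000\000\000\000\000\000\000\000\011'
        printf '~Module signature appended~\n'
    } > "$1/signed.ko"
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
make_sample_modules "$demo_dir"
modsig_info "$demo_dir/signed.ko"
unsigned_modules "$demo_dir"
rm -rf "$demo_dir"
```

On a real system, pointing unsigned_modules at the directory returned by `dirname $(modinfo -n vboxdrv)` lists the modules that still need sign-file.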
Ubuntu 18.04 LTS > SecureBoot > Signing third-party kernel drivers
Signing the VirtualBox kernel drivers
cd /boot
# Generate the MOK key pair (private key MOK.priv, DER certificate MOK.der)
sudo openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 \
    -subj "/CN=Descriptive common name/"
# List the VirtualBox modules, then sign each of them
ls $(dirname $(modinfo -n vboxdrv))/vbox*.ko
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxnetadp)
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxnetflt)
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxpci)
# Check that a signature was appended
tail $(modinfo -n vboxdrv) |grep "Module signature appended"
# Request enrollment of the certificate; it is confirmed in the MOK manager at the next boot
sudo mokutil --import MOK.der
reboot
sudo mokutil --sb-state
sudo mokutil --password
reboot
sudo modprobe vboxdrv
# Check that the certificate is enrolled, then destroy the private key
sudo mokutil --test-key MOK.der
cd /boot; sudo shred -u MOK.priv
Sources
[1] https://askubuntu.com/questions/760671/could-not-load-vboxdrv-after-upgrade-to-ubuntu-16-04-and-i-want-to-keep-secur
➜ virtualbox l
total 12K
drwxr-xr-x 3 root root 4,0K avril 11 10:39 .
drwxr-xr-x 4 root root 4,0K mars 31 13:37 ..
drwxr-xr-x 6 root root 4,0K avril 11 10:39 5.2.18
lrwxrwxrwx 1 root root 29 avril 3 11:49 kernel-4.15.0-1035-oem-x86_64 -> 5.2.18/4.15.0-1035-oem/x86_64
lrwxrwxrwx 1 root root 29 avril 10 11:45 kernel-4.15.0-1036-oem-x86_64 -> 5.2.18/4.15.0-1036-oem/x86_64
lrwxrwxrwx 1 root root 31 avril 4 21:20 kernel-4.15.0-48-generic-x86_64 -> 5.2.18/4.15.0-48-generic/x86_64
➜ virtualbox pwd
/var/lib/dkms/virtualbox
=> A NEW KERNEL VERSION REQUIRES NEW KERNEL DRIVERS, THUS SIGNING THOSE NEW KERNEL DRIVERS
Fancy Bear
Equation Group
Live Demo > Checking SecureBoot settings on Ubuntu 18.04 LTS
Checklist:
• What is the SecureBoot status? How to enable/disable it?
• How to list the SB keys stored in the MOK?
• How to verify the signature of the boot binaries (shim, grub, kernel)?
• How to self-sign and test kernel binaries?
• How to install Canonical-signed kernel binaries?
LIVE DEMO
Live Demo > Checking SecureBoot settings on Ubuntu 18.04 LTS
What is the SecureBoot status? How to enable/disable it?
Check the binaries called within the boot process:
➜ r8168 efibootmgr -v
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0001,0003,0004
Boot0000* ubuntu HD(1,GPT,869b1c66-5611-4f81-a8b3-d085cf9c9251,0x800,0x177000)/File(\EFI\ubuntu\shimx64.efi)
Boot0001* UEFI: PC401 NVMe SK hynix 512GB, Partition 1 HD(1,GPT,869b1c66-5611-4f81-a8b3-d085cf9c9251,0x800,0x177000)/File(\EFI\boot\bootx64.efi)..BO
Boot0003* USB NIC(IPV4) PciRoot(0x0)/Pci(0x14,0x0)/USB(12,0)/MAC(00e0970033e7,0)/IPv4(0.0.0.00.0.0.0,0,0)..BO
Boot0004* USB NIC(IPV6) PciRoot(0x0)/Pci(0x14,0x0)/USB(12,0)/MAC(00e0970033e7,0)/IPv6([::]:<->[::]:,0,0)..BO
Check the SecureBoot status with the following command:
$ mokutil --sb-state
SecureBoot enabled
Enable / disable SecureBoot status with the following commands:
$ mokutil --disable-validation
$ mokutil --enable-validation
Check the keys known by the kernel:
$ sudo cat /proc/keys |grep asymm
Check the blacklisted binaries:
$ sudo cat /proc/keys |grep blacklist
Checking the UEFI parameters
$ grep -v ^# /boot/config-$(uname -r) |grep _SIG
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
$ grep -v ^# /boot/config-$(uname -r) |grep MODULE_SIG
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULE_SIG_SHA512=y
Sources
http://manpages.ubuntu.com/manpages/xenial/man1/mokutil.1.html
Live Demo > Checking SecureBoot settings on Ubuntu 18.04 LTS
How to list the SB keys stored in the MOK?
$ mokutil --pk |grep Issuer
Issuer: C=US, ST=Texas, L=Round Rock, O=Dell Inc., CN=Dell Inc. Platform Key
$ mokutil --kek |grep Issuer
Issuer: C=US, ST=Texas, L=Round Rock, O=Dell Inc., CN=Dell Inc. Platform Key
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
$ mokutil --db |grep Issuer
Issuer: C=US, ST=Texas, L=Round Rock, O=Dell Inc., CN=Dell Inc. Key Exchange Key
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
$ mokutil --dbx |grep Issuer
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
Sources
https://go.microsoft.com/fwlink/?LinkId=321185
Live Demo > Checking SecureBoot settings on Ubuntu 18.04 LTS
How to list the SB keys stored in the kernel?
SB keys loaded during the boot process
➜ ~ dmesg |grep UEFI
[ 0.000000] ACPI: UEFI 0x000000003F0B4A98 000042 (v01 DELLx CBX3 00000002 01000013)
[ 1.045927] Loaded UEFI:db cert 'Dell Inc. UEFI DB: 5ddb772dc880660055ba0bc131886bb630a639e7' linked to secondary sys keyring
[ 1.045944] Loaded UEFI:db cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to secondary sys keyring
[ 1.045957] Loaded UEFI:db cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to secondary sys keyring
[ 1.048247] Loaded UEFI:MokListRT cert 'Descriptive common name: cd813275407f4bda0a9438e8fffc7f70125a2fd8' linked to secondary sys keyring
[ 1.048392] Loaded UEFI:MokListRT cert 'PPA canonical-kernel-team ppa: 55c04961f1043a73e150d05bceea207320d885fe' linked to secondary sys keyring
[ 1.048538] Loaded UEFI:MokListRT cert 'ubuntu Secure Boot Module Signature key: e914584544ef4c7731cd2a4f3ad15f0072eb13ee' linked to secondary sys keyring
[ 1.048687] Loaded UEFI:MokListRT cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63' linked to secondary sys keyring
SB keys loaded in the kernel key ring
➜ ~ sudo cat /proc/keys |grep asymm
[sudo] Mot de passe de jomivz :
03c82c0a I------ 1 perm 1f030000 0 0 asymmetri sforshee: 00b28ddf47aef9cea7: X509.rsa []
05da5292 I------ 2 perm 1f010000 0 0 asymmetri Dell Inc. UEFI DB: 5ddb772dc880660055ba0bc131886bb630a639e7: X509.rsa 30a639e7 []
0888675b I------ 1 perm 1f030000 0 0 asymmetri Build time autogenerated kernel key: d1f53b42ca7020dcdd24c66b9ed7819b4575644b: X509.rsa 4575644b []
0a6bbf9b I------ 2 perm 1f010000 0 0 asymmetri PPA canonical-kernel-team ppa: 55c04961f1043a73e150d05bceea207320d885fe: X509.rsa 20d885fe []
0bb5924c I------ 2 perm 1f010000 0 0 asymmetri Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63: X509.rsa 8e345a63 []
104d7550 I------ 2 perm 1f010000 0 0 asymmetri Descriptive common name: cd813275407f4bda0a9438e8fffc7f70125a2fd8: X509.rsa 125a2fd8 []
1757cdfa I------ 2 perm 1f010000 0 0 asymmetri ubuntu Secure Boot Module Signature key: e914584544ef4c7731cd2a4f3ad15f0072eb13ee: X509.rsa 72eb13ee []
27fb5eff I------ 2 perm 1f010000 0 0 asymmetri Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4: X509.rsa 988a1bd4 []
2d977696 I------ 2 perm 1f010000 0 0 asymmetri Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53: X509.rsa 7c55af53 []
Sources
http://manpages.ubuntu.com/manpages/xenial/man1/keyctl.1.html
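Added example (not part of the original slides): certificates enrolled through the MOK extend what the kernel trusts for module signing, so the dmesg lines above can be compared against a baseline of expected key IDs. The sample lines are copied from the slide's output; the baseline file and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: baseline check of the certificates the kernel loaded from UEFI variables.

# Read dmesg text on stdin; print "<source> <key id> <subject>" for each loaded certificate.
loaded_uefi_certs() {
    sed -n "s/.*Loaded UEFI:\([A-Za-z]*\) cert '\(.*\): \([0-9a-f]\{40\}\)' linked to.*/\1 \3 \2/p"
}

# Print the MokListRT entries whose key id is absent from the baseline file
# (one 40-hex-digit key id per line). Usage: unexpected_mok_certs BASELINE < dmesg.txt
unexpected_mok_certs() {
    loaded_uefi_certs | while read -r uc_src uc_keyid uc_subject; do
        [ "$uc_src" = MokListRT ] || continue
        grep -qx "$uc_keyid" "$1" || printf '%s %s\n' "$uc_keyid" "$uc_subject"
    done
}

# Constructed sample: four lines taken from the dmesg output shown on the slide.
sample_dmesg() {
cat <<'EOF'
[ 1.045927] Loaded UEFI:db cert 'Dell Inc. UEFI DB: 5ddb772dc880660055ba0bc131886bb630a639e7' linked to secondary sys keyring
[ 1.048247] Loaded UEFI:MokListRT cert 'Descriptive common name: cd813275407f4bda0a9438e8fffc7f70125a2fd8' linked to secondary sys keyring
[ 1.048538] Loaded UEFI:MokListRT cert 'ubuntu Secure Boot Module Signature key: e914584544ef4c7731cd2a4f3ad15f0072eb13ee' linked to secondary sys keyring
[ 1.048687] Loaded UEFI:MokListRT cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63' linked to secondary sys keyring
EOF
}

# Demo: a hypothetical baseline that only expects the two Canonical/Ubuntu keys,
# so the self-generated MOK ("Descriptive common name") is reported.
demo_baseline=$(mktemp)
printf '%s\n' e914584544ef4c7731cd2a4f3ad15f0072eb13ee \
              ad91990bc22ab1f517048c23b6655a268e345a63 > "$demo_baseline"
sample_dmesg | unexpected_mok_certs "$demo_baseline"
rm -f "$demo_baseline"
```

On a live system the input would be `dmesg | unexpected_mok_certs baseline.txt`, run after each MOK enrollment or kernel change.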
Live Demo > Checking SecureBoot settings on Ubuntu 18.04 LTS
How to verify the signature of the boot binaries (shim, grub, kernel)?
Export and identify the keys in the MOK:
$ cd /tmp; mokutil --export
$ openssl x509 -inform der -in MOK-000X.der -noout -text
The Microsoft certificate signing the shim bootloader is available online. Mind the file extension: the certificate is in DER format. Verify the signature as shown below:
$ wget http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
$ openssl x509 -in MicCorThiParMarRoo_2010-10-05.crt -inform DER -out MicCorThiParMarRoo_2010-10-05.pem -outform PEM
$ sbverify --cert ./microsoft-uefica-public.pem /boot/efi/EFI/ubuntu/shimx64.efi
Password:
Signature verification OK
The grub bootloader is signed by Canonical. To verify the signature, use the following commands:
$ openssl x509 -inform DER -in ./MOK-0002.der -outform PEM -out ./canonical-master-public.pem
$ sudo sbverify --cert ./canonical-master-public.pem /boot/efi/EFI/ubuntu/grubx64.efi
Password:
Signature verification OK
The ‘out-of-box’ Ubuntu kernel is signed by Ubuntu. Extract the signature from the kernel image, then use sbverify to verify the image with the detached signature:
$ openssl x509 -pubkey -in ./canonical-master-public.pem -noout > ./canonical-signing-public.pem
$ cat /tmp/canonical-master-public.pem /tmp/canonical-signing-public.pem > /tmp/canonical-master-signing-public-chain.pem
$ sbattach --detach /tmp/vmlinuz-4.15.0-1027-oem.efi.signature /boot/vmlinuz-4.15.0-1027-oem.efi.signed
$ sudo sbverify --cert /tmp/canonical-master-signing-public-chain.pem \
    --detached /tmp/vmlinuz-4.15.0-1027-oem.efi.signature /boot/vmlinuz-4.15.0-1027-oem.efi.signed
Password:
Signature verification OK
Testing failed
Live Demo > Checking SecureBoot settings on Ubuntu 18.04 LTS
How to self-sign and test kernel binaries?
Sources https://wiki.ubuntu.com/UEFI/SecureBoot/Testing?action=show&redirect=SecurityTeam%2FSecureBoot#Verifying_the_signature_on_a_signed_PE.2FCOFF_or_signed_kernel_image
Work in progress
Live Demo > Checking SecureBoot settings on Ubuntu 18.04 LTS
How to install Canonical-signed kernel binaries?
APT Process dead
Identifying the third-party repository for Canonical kernels:
$ cd /boot; strings vmlinuz-4.15.0-1027-oem.efi.signed |grep -i Canonical
PPA canonical-kernel-team ppa0
PPA canonical-kernel-team ppa0
PPA canonical-kernel-team ppa
PPA canonical-kernel-team ppa
Adding the third-party repository for Canonical kernels to the package manager:
$ sudo add-apt-repository ppa:canonical-kernel-team/ppa
$ sudo apt-get update
$ sudo apt upgrade
Sources https://wiki.ubuntu.com/UEFI/SecureBoot/Testing?action=show&redirect=SecurityTeam%2FSecureBoot#Verifying_the_signature_on_a_signed_PE.2FCOFF_or_signed_kernel_image
Live Demo > Checking SecureBoot settings on Ubuntu 18.04 LTS
How to extract/install the public key from a Canonical-signed kernel?
$ sbattach --detach ~/canonical-kernel-team.p7s vmlinuz-4.15.0-1027-oem.efi.signed
$ openssl pkcs7 -inform der -in ~/canonical-kernel-team.p7s -print_certs | openssl x509 -out ~/canonical-kernel-team.der -outform der
$ mokutil --import ~/canonical-kernel-team.der
Sources https://paste.ubuntu.com/p/3d6nw4PJ43/
➜ mok pwd
/var/lib/shim-signed/mok
➜ mok l
total 20K
drwxr-xr-x 2 root root 4,0K mars 6 03:41 .
drwxr-xr-x 3 root root 4,0K avril 10 11:46 ..
-rw-r--r-- 1 root root 910 mars 6 03:41 MOK.der
-rw------- 1 root root 1,7K mars 6 03:41 MOK.priv
-rw------- 1 root root 1,0K mars 6 03:41 .rnd
Fancy Bear
Equation Group
SECURITY > SecureBoot > Weaknesses & Audit
1/ Weaknesses references:
• https://www.slideshare.net/CanSecWest/csw2017-bazhaniuk-exploringyoursystemdeeperupdated
• https://www.youtube.com/watch?v=QDSlWa9xQuA
2/ Auditing weaknesses:
• https://github.com/chipsec/chipsec
# apt install python-pip
# pip install setuptools
# pip install nasm
# python setup.py install
3/ Bootkits references:
• https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/
• https://osintbrasil.blogspot.com/2017/01/building-reliable-smm-backdoor-for-uefi.html
jmv@hashnet.consulting
www.hashnet.consulting/#career
Thank you

Right Money Management App For Your Financial GoalsJhone kinadey
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidPhilip Schwarz
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionOnePlan Solutions
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 

Kürzlich hochgeladen (20)

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 

Upgrade Ubuntu 18.04 Security with Secureboot

  • 1. HashNet: Upgrade Linux Security with SecureBoot. Event: ESGI, Security Day 2019. Speaker: J. Michel-Villaz. Date: 02/04/2019
  • 2. Disclaimer: The following presentation contains instructions that can damage software and firmware assets if misused. Hashnet disclaims any liability for any damage you may encounter. Using this material puts you at risk of losing your data, and you agree to undertake any and all risks associated with the resulting consequences. It remains a work in progress. Remarks to improve this draft are welcome.
  • 3. Agenda: Safety backup prerequisite; Ubuntu 18.04 LTS SecureBoot; Live demo; Q & A
  • 4. Safety backup prerequisite: Cases for restoration. Upgrading your master (here with SecureBoot) within 15 minutes; Incident: software / hardware failure; Incident: OS compromised
  • 5. Safety backup prerequisite: Example of material kit (15/03/2019). Fancy Bear, Equation Group.
      REX 1: MAY NEED LARGER BACKUP DISK
      REX 2: MUST FILE YOUR DISK
      REX 3: LATEST LAPTOPS USE TORX T4 SCREWS
      REX 4: ALTERNATIVE TO (MULTIBOOT) DISK FOR CLONEZILLA SHELL
  • 6. Safety backup prerequisite: USB transfer feedback. Connectors and theoretical data rates (source: https://en.wikipedia.org/wiki/USB):
      USB 1.0 (1996): 1.5 Mbit/s Low Speed, 12 Mbit/s Full Speed
      USB 2.0 (2001), USB 2.0 Revised: 480 Mbit/s High Speed
      USB 3.0 (2011): 5 Gbit/s SuperSpeed
      USB 3.1 (2014): 10 Gbit/s SuperSpeed+
      USB 3.2 (2017): 20 Gbit/s SuperSpeed+
      USB4 (2019): 40 Gbit/s SuperSpeed+
      REX 5: IVOLER ADAPTERS DECREASE SPEED WITH AVERAGE RATE OVER 38 Mo/s (MB/s)
      REX 6: IMPACT ON SPEED TRANSFER W/ VS WITHOUT SECUREBOOT?
  • 7. Safety backup prerequisite: Baremetal copies w/ Partclone. 1/ Making a Clonezilla live shell & booting on it. Kernel boot parameters (* /boot/grub/grub.cfg):
        linux '(loop)/live/vmlinuz' boot='live' union='overlay' username='user' config components noswap edd='on' nomodeset nodmraid noeject locales='' keyboard-layouts='fr' ocs_live_run='ocs-live-general' ocs_debug ocs_live_extra_param='' ocs_live_batch='yes' ip='' acpi='off' irqpoll noapic noapm nodma nomce nolapic nosmp nomodeset nosplash findiso="${isofile_abspath}"
      Source: https://clonezilla.org/show-live-doc-content.php?topic=clonezilla-live/doc/99_Misc
  • 8. Safety backup prerequisite: Baremetal copies w/ Partclone. 2/ Backing up logical volumes ‘/boot’ and ‘/’ (rootfs). Backup disk: /dev/sdc
        # cryptsetup luksOpen /dev/sda5 latroot
        # mount /dev/sdc1 /mnt
        # partclone.ext4 -d -c -s /dev/sda1 -o /mnt/`date +%Y%m%d-%H%M%S`-latboot.img
        # partclone.ext4 -d -c -s /dev/xubuntu-vg/root -o /mnt/`date +%Y%m%d-%H%M%S`-latroot.img
  • 9. Safety backup prerequisite: Baremetal copies w/ Partclone. 3/ Restoring logical volumes ‘/boot’ and ‘/’ (rootfs). Backup disk: /dev/sdc
        # cryptsetup luksOpen /dev/sda5 latroot
        # mount /dev/sdc1 /mnt
        # partclone.ext4 -d -r -s /mnt/YYYYMMDD-HHMMSS-latboot.img -o /dev/sda1
        # partclone.ext4 -d -r -s /mnt/YYYYMMDD-HHMMSS-latroot.img -o /dev/xubuntu-vg/root
  • 10. Agenda: Safety backup prerequisite; Ubuntu 18.04 LTS SecureBoot; Live demo; Q & A
  • 11. Ubuntu 18.04 LTS SecureBoot: Prerequisites
      1/ Protect your disk filesystem w/ LUKS encryption
      2/ Protect your BIOS w/ an Admin password + UPDATES
      3/ Backup your disk boot & rootfs partitions (or LVs)
  • 12. Ubuntu 18.04 LTS SecureBoot: Ubuntu Boot Process
      PK: The Platform Key represents the root of trust and is used to protect the KEK (Key Exchange Key) database. The platform vendor puts the public portion of the Platform Key (PK) into the UEFI firmware during manufacturing. Its private portion stays with the vendor. When updating the PK, the new PK certificate must be signed with the old one.
      KEK: The KEK (Key Exchange Key) database contains trusted certificates that are allowed to modify the Allowed Signature database (db), Disallowed Signature database (dbx) or Timestamp signature database (dbt) described below. The KEK database usually contains certificates of the Operating System Vendor (OSV) and is secured by the Platform Key (PK).
      Sources:
      [1] https://odm.ubuntu.com/docs/ubuntu-bios-uefi-requirements.pdf
      [2] https://blogs.technet.microsoft.com/dubaisec/2016/03/14/diving-into-secure-boot/
  • 13. Ubuntu 18.04 LTS SecureBoot: Protocol keypoints
        • Many ‘out of the box’ distributions are SecureBoot-ready [1]
        • Ubuntu binaries (shim & bootloader) are signed with Microsoft's WinQual and Canonical keys respectively [2]
        • UEFI firmware allows key reconfiguration (enrolling a self-signed PK or the Ubuntu key) [2]
        • Ubuntu will not require signed kernel images or kernel modules [2]
        • Ubuntu provides updates for the revoked signature database, to protect against known-compromised UEFI binaries [2]
        • Ubuntu can (in theory) auto-update the kernel driver signatures (DKMS post-build script) [3]
        • The bootloader naming has specificities when not using GRUB [4]
        • When enabled, SecureBoot can (1) enforce the signature checks and block the boot process in case of violation, or (2) audit the violations without blocking the boot process [5]
      Sources:
      [1] https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_boot
      [2] https://lists.ubuntu.com/archives/ubuntu-devel/2012-June/035445.html
      [3] https://lektiondestages.blogspot.com/2018/04/signing-your-kernel-modules-on-ubuntu.html
      [4] https://askubuntu.com/questions/342365/what-is-the-difference-between-grubx64-and-shimx64#342382
      [5] cf BIOS
  • 14. Ubuntu 18.04 LTS SecureBoot: Signing third-party kernel drivers. The “sign-file” perl script
        # /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
      Sign-file is a Perl script. It requires that you provide both the files that contain your private and public keys, as well as the kernel module file that you want to sign. Your kernel module is in ELF image format and this script computes and appends the signature directly to the ELF image in your my_module.ko file. Note that this appended signature is not contained in an ELF image section and is not a formal part of the ELF image. Therefore, tools such as readelf will not be able to display the signature on your kernel module. Your kernel module is now ready for loading. Note that your signed kernel module is also loadable on systems where UEFI Secure Boot is disabled or on a non-UEFI system. That means you do not need to provide both a signed and unsigned version of your kernel module.
      Sources:
      [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Kernel_Administration_Guide/sect-signing-kernel-modules-for-secure-boot.html
  • 15. Ubuntu 18.04 LTS SecureBoot: Signing third-party kernel drivers. Signing the VirtualBox kernel drivers
        cd /boot
        sudo openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive common name/"
        ls $(dirname $(modinfo -n vboxdrv))/vbox*.ko
        sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
        sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxnetadp)
        sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxnetflt)
        sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxpci)
        tail $(modinfo -n vboxdrv) |grep "Module signature appended"
        sudo mokutil --import MOK.der
        reboot
        sudo mokutil --sb-state
        sudo mokutil --password
        reboot
        sudo modprobe vboxdrv
        sudo mokutil --test-key MOK.der
        cd /boot; sudo shred -u MOK.priv
      DKMS build tree:
        ➜ virtualbox pwd
        /var/lib/dkms/virtualbox
        ➜ virtualbox l
        total 12K
        drwxr-xr-x 3 root root 4,0K avril 11 10:39 .
        drwxr-xr-x 4 root root 4,0K mars 31 13:37 ..
        drwxr-xr-x 6 root root 4,0K avril 11 10:39 5.2.18
        lrwxrwxrwx 1 root root 29 avril 3 11:49 kernel-4.15.0-1035-oem-x86_64 -> 5.2.18/4.15.0-1035-oem/x86_64
        lrwxrwxrwx 1 root root 29 avril 10 11:45 kernel-4.15.0-1036-oem-x86_64 -> 5.2.18/4.15.0-1036-oem/x86_64
        lrwxrwxrwx 1 root root 31 avril 4 21:20 kernel-4.15.0-48-generic-x86_64 -> 5.2.18/4.15.0-48-generic/x86_64
      => A NEW KERNEL VERSION REQUIRES NEW KERNEL DRIVERS, THUS SIGNING THOSE NEW KERNEL DRIVERS
      Sources:
      [1] https://askubuntu.com/questions/760671/could-not-load-vboxdrv-after-upgrade-to-ubuntu-16-04-and-i-want-to-keep-secur
  • 16. Agenda: Safety backup prerequisite; Ubuntu 18.04 LTS SecureBoot; Live demo; Q & A
  • 17. Live Demo: Checking SecureBoot settings on Ubuntu 18.04 LTS. Fancy Bear, Equation Group. Checklist:
        • What is the SecureBoot status? How to enable/disable it?
        • How to list the SB keys stored in the MOK?
        • How to verify the signature of the boot binaries (shim, grub, kernel)?
        • How to self-sign and test kernel binaries?
        • How to install Canonical-signed kernel binaries?
  • 18. LIVE DEMO
  • 19. Live Demo: Checking SecureBoot settings on Ubuntu 18.04 LTS. What is the SecureBoot status? How to enable/disable it?
      Check the binaries called within the boot process:
        ➜ r8168 efibootmgr -v
        BootCurrent: 0000
        Timeout: 0 seconds
        BootOrder: 0000,0001,0003,0004
        Boot0000* ubuntu HD(1,GPT,869b1c66-5611-4f81-a8b3-d085cf9c9251,0x800,0x177000)/File(\EFI\ubuntu\shimx64.efi)
        Boot0001* UEFI: PC401 NVMe SK hynix 512GB, Partition 1 HD(1,GPT,869b1c66-5611-4f81-a8b3-d085cf9c9251,0x800,0x177000)/File(\EFI\boot\bootx64.efi)..BO
        Boot0003* USB NIC(IPV4) PciRoot(0x0)/Pci(0x14,0x0)/USB(12,0)/MAC(00e0970033e7,0)/IPv4(0.0.0.00.0.0.0,0,0)..BO
        Boot0004* USB NIC(IPV6) PciRoot(0x0)/Pci(0x14,0x0)/USB(12,0)/MAC(00e0970033e7,0)/IPv6([::]:<->[::]:,0,0)..BO
      Check the SecureBoot status with the following command:
        $ mokutil --sb-state
        SecureBoot enabled
      Enable / disable SecureBoot validation with the following commands:
        $ mokutil --disable-validation
        $ mokutil --enable-validation
      Check the keys known by the kernel:
        $ sudo cat /proc/keys |grep asymm
      Check the blacklisted binaries:
        $ sudo cat /proc/keys |grep blacklist
      Sources: http://manpages.ubuntu.com/manpages/xenial/man1/mokutil.1.html
      Checking the UEFI parameters
        $ grep -v ^# /boot/config-$(uname -r) |grep _SIG
        CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
        $ grep -v ^# /boot/config-$(uname -r) |grep MODULE_SIG
        CONFIG_MODULE_SIG=y
        CONFIG_MODULE_SIG_ALL=y
        CONFIG_MODULE_SIG_HASH="sha512"
        CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
        CONFIG_MODULE_SIG_SHA512=y
  • 20. Live Demo: Checking SecureBoot settings on Ubuntu 18.04 LTS. How to list the SB keys stored in the MOK?
        $ /boot mokutil --pk |grep Issuer
        Issuer: C=US, ST=Texas, L=Round Rock, O=Dell Inc., CN=Dell Inc. Platform Key
        $ /boot mokutil --kek |grep Issuer
        Issuer: C=US, ST=Texas, L=Round Rock, O=Dell Inc., CN=Dell Inc. Platform Key
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        CA Issuers - URI:http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
        $ /boot mokutil --db |grep Issuer
        Issuer: C=US, ST=Texas, L=Round Rock, O=Dell Inc., CN=Dell Inc. Key Exchange Key
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        CA Issuers - URI:http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
        CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
        $ /boot mokutil --dbx |grep Issuer
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
        CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
      Sources: https://go.microsoft.com/fwlink/?LinkId=321185
  • 21. Live Demo: Checking SecureBoot settings on Ubuntu 18.04 LTS. How to list the SB keys stored in the kernel?
      SB keys loaded during the boot process:
        ➜ ~ dmesg |grep UEFI
        [ 0.000000] ACPI: UEFI 0x000000003F0B4A98 000042 (v01 DELLx CBX3 00000002 01000013)
        [ 1.045927] Loaded UEFI:db cert 'Dell Inc. UEFI DB: 5ddb772dc880660055ba0bc131886bb630a639e7' linked to secondary sys keyring
        [ 1.045944] Loaded UEFI:db cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to secondary sys keyring
        [ 1.045957] Loaded UEFI:db cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to secondary sys keyring
        [ 1.048247] Loaded UEFI:MokListRT cert 'Descriptive common name: cd813275407f4bda0a9438e8fffc7f70125a2fd8' linked to secondary sys keyring
        [ 1.048392] Loaded UEFI:MokListRT cert 'PPA canonical-kernel-team ppa: 55c04961f1043a73e150d05bceea207320d885fe' linked to secondary sys keyring
        [ 1.048538] Loaded UEFI:MokListRT cert 'ubuntu Secure Boot Module Signature key: e914584544ef4c7731cd2a4f3ad15f0072eb13ee' linked to secondary sys keyring
        [ 1.048687] Loaded UEFI:MokListRT cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63' linked to secondary sys keyring
      SB keys loaded in the kernel key ring:
        ➜ ~ sudo cat /proc/keys |grep asymm
        [sudo] Mot de passe de jomivz :
        03c82c0a I------ 1 perm 1f030000 0 0 asymmetri sforshee: 00b28ddf47aef9cea7: X509.rsa []
        05da5292 I------ 2 perm 1f010000 0 0 asymmetri Dell Inc. UEFI DB: 5ddb772dc880660055ba0bc131886bb630a639e7: X509.rsa 30a639e7 []
        0888675b I------ 1 perm 1f030000 0 0 asymmetri Build time autogenerated kernel key: d1f53b42ca7020dcdd24c66b9ed7819b4575644b: X509.rsa 4575644b []
        0a6bbf9b I------ 2 perm 1f010000 0 0 asymmetri PPA canonical-kernel-team ppa: 55c04961f1043a73e150d05bceea207320d885fe: X509.rsa 20d885fe []
        0bb5924c I------ 2 perm 1f010000 0 0 asymmetri Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63: X509.rsa 8e345a63 []
        104d7550 I------ 2 perm 1f010000 0 0 asymmetri Descriptive common name: cd813275407f4bda0a9438e8fffc7f70125a2fd8: X509.rsa 125a2fd8 []
        1757cdfa I------ 2 perm 1f010000 0 0 asymmetri ubuntu Secure Boot Module Signature key: e914584544ef4c7731cd2a4f3ad15f0072eb13ee: X509.rsa 72eb13ee []
        27fb5eff I------ 2 perm 1f010000 0 0 asymmetri Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4: X509.rsa 988a1bd4 []
        2d977696 I------ 2 perm 1f010000 0 0 asymmetri Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53: X509.rsa 7c55af53 []
      Sources: http://manpages.ubuntu.com/manpages/xenial/man1/keyctl.1.html
  • 22. Live Demo: Checking SecureBoot settings on Ubuntu 18.04 LTS. How to verify the signature of the boot binaries (shim, grub, kernel)?
      Export and identify the keys in the MOK:
        $ cd /tmp; mokutil --export
        $ openssl x509 -inform der -in MOK-000X.der -noout -text
      The Microsoft certificate signing the shim bootloader is available online. Mind the file extension: the certificate is in DER format. Verify the signature as per below:
        $ wget http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
        $ openssl x509 -in MicCorThiParMarRoo_2010-10-05.crt -inform DER -out MicCorThiParMarRoo_2010-10-05.pem -outform PEM
        $ sbverify --cert ./microsoft-uefica-public.pem /boot/efi/EFI/ubuntu/shimx64.efi
        Password:
        Signature verification OK
      The grub bootloader is signed by Canonical. []. To verify the signature use the following commands:
        $ openssl x509 -inform DER -in ./MOK-0002.der -outform PEM -out ./canonical-master-public.pem
        $ sudo sbverify --cert ./canonical-master-public.pem /boot/efi/EFI/ubuntu/grubx64.efi
        Password:
        Signature verification OK
      The ‘out-of-box’ Ubuntu kernel is signed by Ubuntu. Extract the signature from the kernel image, then use sbverify to verify the image with the detached signature:
        $ openssl x509 -pubkey -in ./canonical-master-public.pem -noout > ./canonical-signing-public.pem
        $ cat /tmp/canonical-master-public.pem /tmp/canonical-signing-public.pem > /tmp/canonical-master-signing-public-chain.pem
        $ sbattach --detach /tmp/vmlinuz-4.15.0-1027-oem.efi.signature /boot/vmlinuz-4.15.0-1027-oem.efi.signed
        $ sudo sbverify --cert /tmp/canonical-master-signing-public-chain.pem --detached /tmp/vmlinuz-4.15.0-1027-oem.efi.signature /boot/vmlinuz-4.15.0-1027-oem.efi.signed
        Password:
        Signature verification OK
      Testing failed
  • 23. Live Demo: Checking SecureBoot settings on Ubuntu 18.04 LTS. How to self-sign and test kernel binaries? Work in progress.
      Sources: https://wiki.ubuntu.com/UEFI/SecureBoot/Testing?action=show&redirect=SecurityTeam%2FSecureBoot#Verifying_the_signature_on_a_signed_PE.2FCOFF_or_signed_kernel_image
  • 24. Live Demo: Checking SecureBoot settings on Ubuntu 18.04 LTS. How to install Canonical-signed kernel binaries? APT Process dead.
      Identifying the third-party repository for Canonical kernels:
        $ cd /boot; strings vmlinuz-4.15.0-1027-oem.efi.signed |grep -i Canonical
        PPA canonical-kernel-team ppa0
        PPA canonical-kernel-team ppa0
        PPA canonical-kernel-team ppa
        PPA canonical-kernel-team ppa
      Adding the third-party repository for Canonical kernels to the package manager:
        $ sudo add-apt-repository ppa:canonical-kernel-team/ppa
        $ sudo apt-get update
        $ sudo apt upgrade
      Sources: https://wiki.ubuntu.com/UEFI/SecureBoot/Testing?action=show&redirect=SecurityTeam%2FSecureBoot#Verifying_the_signature_on_a_signed_PE.2FCOFF_or_signed_kernel_image
  • 25. Live Demo: Checking SecureBoot settings on Ubuntu 18.04 LTS. How to extract / install the public key from a Canonical-signed kernel?
        $ sbattach --detach ~/canonical-kernel-team.p7s vmlinuz-4.15.0-1027-oem.efi.signed
        $ openssl pkcs7 -inform der -in ~/canonical-kernel-team.p7s -print_certs | openssl x509 -out ~/canonical-kernel-team.der -outform der
        $ mokutil --import ~/canonical-kernel-team.der
      MOK files on disk:
        ➜ mok pwd
        /var/lib/shim-signed/mok
        ➜ mok l
        total 20K
        drwxr-xr-x 2 root root 4,0K mars 6 03:41 .
        drwxr-xr-x 3 root root 4,0K avril 10 11:46 ..
        -rw-r--r-- 1 root root 910 mars 6 03:41 MOK.der
        -rw------- 1 root root 1,7K mars 6 03:41 MOK.priv
        -rw------- 1 root root 1,0K mars 6 03:41 .rnd
      Sources: https://paste.ubuntu.com/p/3d6nw4PJ43/
  • 26. Agenda: Safety backup prerequisite; Ubuntu 18.04 LTS SecureBoot; Live demo; Q & A
  • 27. SECURITY: SecureBoot Weaknesses & Audit. Fancy Bear, Equation Group. 1/ Weaknesses references; 2/ Auditing weaknesses; 3/ Bootkits references.
        • https://www.slideshare.net/CanSecWest/csw2017-bazhaniuk-exploringyoursystemdeeperupdated
        • https://www.youtube.com/watch?v=QDSlWa9xQuA
        • https://github.com/chipsec/chipsec
        • https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/
        • https://osintbrasil.blogspot.com/2017/01/building-reliable-smm-backdoor-for-uefi.html
        # apt install python-pip
        # pip install setuptools
        # pip install nasm
        # python setup.py install
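
Added example (not part of the slides or of Ubuntu's DKMS tooling): slide 15 concludes that every new kernel version needs its rebuilt drivers signed again, so this POSIX shell helper re-signs the modules of one driver family in a directory and skips those that already carry the "Module signature appended" trailer slide 15 greps for. The function names and the MOK_KEY / MOK_CERT variables are assumptions of this example; the default key paths are the /var/lib/shim-signed/mok files listed on slide 25.

```shell
#!/bin/sh
# Added example: re-sign out-of-tree kernel modules after a kernel update.
# Function names and MOK_KEY / MOK_CERT are assumptions of this example.

# Trailer that sign-file appends after the signature; on disk it is followed
# by a newline, so the last 28 bytes of a signed module are this string + "\n".
SIG_MARKER='~Module signature appended~'

# is_signed FILE -> exit status 0 if FILE ends with the signature trailer.
is_signed() {
    tail -c 28 "$1" 2>/dev/null | grep -q -F "$SIG_MARKER"
}

# count_unsigned DIR PREFIX -> prints how many DIR/PREFIX*.ko lack the trailer.
count_unsigned() {
    _cu_n=0
    for _cu_mod in "$1"/"$2"*.ko; do
        [ -f "$_cu_mod" ] || continue
        is_signed "$_cu_mod" || _cu_n=$((_cu_n + 1))
    done
    echo "$_cu_n"
}

# sign_modules DIR PREFIX KEY CERT SIGNER
# Signs every unsigned DIR/PREFIX*.ko with "SIGNER sha256 KEY CERT MODULE"
# (the sign-file calling convention from slide 14) and re-checks the trailer.
# Returns 0 on success, 1 if a module could not be signed,
# 2 if the key material is unreadable, 3 if no module matched.
sign_modules() {
    _sm_dir=$1; _sm_prefix=$2; _sm_key=$3; _sm_cert=$4; _sm_signer=$5
    _sm_rc=0; _sm_seen=0
    if [ ! -r "$_sm_key" ] || [ ! -r "$_sm_cert" ]; then
        echo "key or certificate not readable" >&2
        return 2
    fi
    for _sm_mod in "$_sm_dir"/"$_sm_prefix"*.ko; do
        [ -f "$_sm_mod" ] || continue
        _sm_seen=$((_sm_seen + 1))
        if is_signed "$_sm_mod"; then
            echo "skip   $_sm_mod"
        elif "$_sm_signer" sha256 "$_sm_key" "$_sm_cert" "$_sm_mod" \
                && is_signed "$_sm_mod"; then
            echo "signed $_sm_mod"
        else
            echo "FAILED $_sm_mod" >&2
            _sm_rc=1
        fi
    done
    if [ "$_sm_seen" -eq 0 ]; then
        echo "no ${_sm_prefix}*.ko under $_sm_dir" >&2
        return 3
    fi
    return "$_sm_rc"
}

# Stand-alone use (as root):
#   sh resign.sh --sign <kernel-version> <module-dir> <prefix>
# <module-dir> is what  dirname "$(modinfo -k <kernel-version> -n vboxdrv)"
# prints; <prefix> is e.g. vbox, so unrelated modules are left untouched.
if [ "${1:-}" = "--sign" ] && [ "$#" -eq 4 ]; then
    sign_modules "$3" "$4" \
        "${MOK_KEY:-/var/lib/shim-signed/mok/MOK.priv}" \
        "${MOK_CERT:-/var/lib/shim-signed/mok/MOK.der}" \
        "/usr/src/linux-headers-$2/scripts/sign-file"
    exit $?
fi
```

A freshly signed module still loads under SecureBoot only if the matching MOK.der has been enrolled with `mokutil --import`, as on slide 15.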

Editor's notes

  1. Co-founder and CTO of Hashnet Consulting. A cybersecurity startup with ideas; we are looking for and recruiting good people with solid experience in CTF and/or bug bounty, who therefore have know-how but also the right attitude. Today's presentation is titled SAFETY BEFORE SECURITY (...with a bit of sarcasm) / content == security 101. Start with a short quiz to learn more about you... Analysis of the stats / Parallel: senior engineers vs. the basics of disaster recovery
  2. Cost: delivery time vs. savings (AliExpress, Dealabs). Performance: RPM, SATA, SSD, USB-C connectors, LVM, cleaning (VM). REX1: filing down the M.2, Torx T4 (phone, next-gen PC). REX2: cold spare hard disk
  3. !w: SVG diagram of the std, mini and micro connectors
  4. Baremetal: dd, cat, pv, dc3dd, cp on /dev. Rsync. Incremental: dump/restore, xfsdump/xfsrestore (cron scheduling). Cloud, versioning: DevOps, AWS, orchestration