The goal of this article is to walk through hardening your UEFI-supported Linux desktop's boot. This is accomplished by replacing signature checking keys with your own, keeping a portion of that key chain in an HSM/PIV device, and enabling GRUB signature checking.

Most popular Linux distributions support UEFI Secure Boot to facilitate hardware enablement. This means they support Secure Boot to the extent needed to get you up and running without getting in your way, not to provide any in-depth security features. For example, distributions such as Ubuntu and Fedora intentionally do not verify signatures of your initrd, nor of GRUB modules, fonts, themes, or graphics. We want to harden our boot such that anything in the boot chain executed before Linux requires signature verification.

Caveat: we are going to implement verification to the extent possible; we are not going to guarantee that everything executed is verified. For example, we are most likely not verifying any EC firmware, voltage regulator firmware, etc. This article will call out specifically what we are verifying. Important! If you want a turn-key, and more complete solution to implement now, please use v.

The OS bring-up of our desktop should be deterministic and authenticated. Assume this desktop sits in a reasonably trusted location, for example an apartment. If someone enters our trusted location with the intent of compromising our desktop's pre-OS boot, they must disassemble the enclosure and tamper with our R/W SPI flash contents or a similar component.
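To see how much of a boot tree would actually be covered once GRUB signature checking is enforced, the following added example (not code from the original article) lists files that lack the detached `<file>.sig` GRUB looks for when `check_signatures=enforce` is set, and files changed after they were signed. The function names are hypothetical, and the script only checks that signatures are present and fresh; it does not run GPG verification.

```shell
#!/bin/sh
# Added example: coverage audit for GRUB detached signatures.
# With check_signatures=enforce, GRUB looks for "<file>.sig" beside every
# file it loads (kernel, initrd, grub.cfg, modules, fonts, themes).
# Function names are hypothetical; pass the boot tree to audit as $1.

# Print every regular file under DIR that has no detached signature.
unsigned_files() {
    find "$1" -type f ! -name '*.sig' | sort | while IFS= read -r f; do
        [ -f "$f.sig" ] || printf '%s\n' "$f"
    done
}

# Print files whose mtime is newer than their signature: the file was
# likely changed (e.g. a regenerated initrd) without being re-signed.
stale_signatures() {
    find "$1" -type f ! -name '*.sig' | sort | while IFS= read -r f; do
        if [ -f "$f.sig" ] && [ "$f" -nt "$f.sig" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Report both classes; return non-zero if anything needs (re-)signing.
audit_boot() {
    u=$(unsigned_files "$1")
    s=$(stale_signatures "$1")
    [ -z "$u" ] || printf '%s\n' "$u" | sed 's/^/UNSIGNED /'
    [ -z "$s" ] || printf '%s\n' "$s" | sed 's/^/STALE    /'
    [ -z "$u$s" ]
}

# Run the audit only when a directory argument is given.
if [ "$#" -gt 0 ]; then
    audit_boot "$1"
fi
```

A clean result means every file has a fresh signature next to it, not that the signatures are valid; validity is what GRUB checks at boot against the trusted public key.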