@@ -6,22 +6,23 @@ Note: Every command requires to be performed while logged as root unless explici
...
@@ -6,22 +6,23 @@ Note: Every command requires to be performed while logged as root unless explici
When booting a system, different programs are run. As a very rough and simplified overview, for a system supporting UEFI we can say that:
When booting a system, different programs are run. As a very rough and simplified overview, for a system supporting UEFI we can say that:
* First UEFI is in control.
* First UEFI is in control.
* Then it calls an efi application, generally a bootloader (e.g. GRUB) and in our case a customed initramfs.
* Then it calls an efi application, generally a bootloader (e.g. GRUB) and in our case a customed initramfs.
* The initramfs (or bootloader) then runs the OS (in our case, the Linux Kernel).
* The initramfs (or bootloader) then switches to the OS (in our case, the Linux Kernel).
UEFI provides a feature called Secure Boot (SB) which signs the efi application with keys stored by UEFI, so that an attacker cannot modify the boot sequence and tamper with what is run on the machine early during the boot process. Such an attack would make the threat undetectable with the classic forensic tools, i.e. from the already booted OS.
UEFI provides a feature called Secure Boot (SB) which can verify the efi applications' signature with keys stored by UEFI, so that an attacker cannot modify the boot sequence and tamper with what is run on the machine early during the boot process. Such an attack would make the threat undetectable with the classic forensic tools, i.e. from the already booted OS.
Nexedi developped for Rapid.Space a system going further, which scans the filesystem to be mounted by initramfs **during** the initramfs stage, i.e. before the Linux Kernel has taken over, and send the scan to Wendolin for further analysis. To do so, we create a customed initramfs embedding the scanner and sender and we sign it with our own keys. Then, if our keys are enrolled by UEFI, it can verify the integrity of our customed initramfs, loaded by UEFI as an efi application. With this process, we get a complete scan of the to-be-loaded file system each time a server boots. We can detect abnormal file signatures and permissions while being sure than an attacker could not modify the tools we used to create and send the scan.
Nexedi developped for Rapid.Space a system going further, which scans the filesystem to be mounted by initramfs **during** the initramfs stage, i.e. before the Linux Kernel has taken over, and send the scan to Wendelin for further analysis. To do so, we create a customed initramfs embedding the scanner and sender and we sign it with our own keys. Then, if our keys are enrolled by UEFI, it can verify the integrity of our customed initramfs, loaded by UEFI as an efi application. With this process, we get a complete scan of the to-be-loaded file system each time a server boots. We can detect abnormal file signatures and permissions while being sure than an attacker could not modify the tools we used to create and send the scan.
Note: The scanning tool is called Metadata Collect Agent (MCA), see the project at
Note: The scanning tool is called Metadata Collect Agent (MCA), see the project at
So the main components for a user to install it on a machine are:
So the main components for a user to install this project on a machine are:
* A set of keys.
* A set of keys
* Key enrollment in UEFI.
* Key enrollment in UEFI.
* Initramfs image creation and signature.
* Initramfs image creation and signature.
With the hardest part to master being the second, documented in `uefi-keys/README.md`.
With the hardest part to master being the second one, documented in `uefi-keys/README.md`. (But don't worry, it's not THAT hard if you read carefully!)
## UEFI Keys
## UEFI Keys
This stage is about enrolling Rapid.Space's keys in the UEFI firmware of the machine. It all happens in the `uefi-keys/` directory.
This stage is about enrolling Rapid.Space's keys in the UEFI firmware of the machine. It all happens in the `uefi-keys/` directory.
