Linux Foundation's Linux workstation security checklist

Blibbet blibbet at gmail.com
Mon Aug 31 13:22:58 PDT 2015


On 08/31/2015 04:13 AM, Georgi Guninski wrote:
> The document appears to be:
> https://github.com/lfit/itpol/blob/master/linux-workstation-security.md
> Linux workstation security checklist

Since the Linux Foundation advice is recommending UEFI and Secure Boot
and TPMs, I think they should also recommend running Intel CHIPSEC --
directly or via LUV-live -- for firmware vulnerability analysis, at least
on the Intel systems (AMD has no CHIPSEC port). If the system was designed
vulnerable by the vendor, there's little point in bothering with Secure Boot
or any OS-level hardening....
https://01.org/linux-uefi-validation/downloads/luv-live-image
https://github.com/chipsec/chipsec
Guidance should probably enable Verified Boot when running Chrome,
perhaps the Verified U-Boot and other secure coreboot/U-Boot
implementations.
The advice should also mention that each distro's Secure Boot
varies in strength; some allow unsigned kernel drivers to be loaded even
if Secure Boot is enabled.
http://firmwaresecurity.com/2015/07/17/secure-boot-strength-varies-by-linux-implementation/
It should mention virtual firmware security (inside VirtualBox, QEMU,
etc), especially after last BlackHat talk:
http://firmwaresecurity.com/2015/08/08/689/
There's more to do, taking snapshots of ROM, scanning for changes,
tracking vendor firmware updates, ensuring system has fresh firmware
bits, etc. But it's a nice start.

> Troll-friendly appears this claim:
> UEFI boot mode is used (not legacy BIOS) (CRITICAL)
> UEFI and SecureBoot
>
> (ask RMS ;-) )

AFAIK, RMS uses an IBM Thinkpad retrofitted with LibreBoot (presumably
using SeaBIOS BIOS clone).
https://stallman.org/stallman-computing.html
I don't think RMS is responsible for LF's IT security policies. :-)

If someone has one of these old Thinkpad boxes (sold by "Ministry of
Freedom" (formerly trading as Gluglug)), please try to run CHIPSEC on it;
if it runs, run chipsec_main.py to see if it passes the security tests. I
don't expect CHIPSEC will recognize the ancient Intel chipset used by
the old IBM Thinkpad. It'd probably take someone to update CHIPSEC to
add system data for this old chipset, in order to make it work. Perhaps
Ministry of Freedom has a vested interest? :-)
Potential insecurely-built IBM system firmware security aside, I don't
think Libreboot or SeaBIOS offers much in terms of security to stop
attackers, either. U-Boot and coreboot both have PKI-enabled boot
flavors that're vaguely like UEFI's Secure Boot, which Ministry of
Freedom could be using, to help secure their modern customers.




