
New Security Patches and New UEFI 'Secure' Boot Catastrophe

Filed under
Server
Security
  • Security updates for Thursday

    Security updates have been issued by Arch Linux (webkit2gtk), CentOS (GNOME, grub2, and kernel), Debian (firefox-esr, grub2, json-c, kdepim-runtime, libapache2-mod-auth-openidc, net-snmp, and xrdp), Gentoo (chromium and firefox), Mageia (podofo), openSUSE (knot and tomcat), Oracle (grub2, kernel, postgresql-jdbc, and python-pillow), Red Hat (firefox, grub2, kernel, and kernel-rt), SUSE (grub2), and Ubuntu (firefox, grub2, grub2-signed, and librsvg).

  • Grub2 updates for Red Hat systems are making some unbootable

    As reported in the comments on the Grub2 secure-boot vulnerabilities report, the updates for grub2 for RHEL 8 and CentOS 8 are making some systems unbootable. The boot problems are seemingly unrelated to whether the system has secure boot enabled. It may be worth waiting a bit for that to shake out.

  • Servers at risk from “BootHole” bug – what you need to know

    That’s our tongue-in-cheek name for a cybersecurity vulnerability that not only gets assigned an identifier like CVE-2020-10713, but also acquires an impressive name plus a jaunty logo (and even, in one intriguing case, a theme tune).

    This month’s bug with an impressive name (see what we did there?) is called BootHole, and its logo rather cheekily shows a boot with a worm sticking out of a hole in the toecap.

    The bad news is that this bug affects the integrity of the bootup process itself, meaning that it provides a way for attackers to insert code that will run next time you restart your device, but during the insecure period after you turn on the power but before the operating system starts up.

    The good news for most of us is that it relies on a bug in a bootloader program known as GRUB, short for Grand Unified Boot Loader, which is rarely found on Windows or Mac computers.

  • Why the GRUB2 Secure Boot Flaw Doesn’t Affect Purism Computers

    To understand why this flaw does not affect Purism computers, it helps to understand why UEFI Secure Boot exists to begin with, and how it and the security exploit work. Attacks on the boot process are particularly nasty as they occur before the system’s kernel gets loaded. Attackers who have this ability can then compromise the kernel before it runs, allowing their attack to persist through reboots while also hiding from detection. UEFI Secure Boot is a technology that aims to protect against these kinds of attacks by signing boot loaders like GRUB2 with private keys controlled ultimately by Microsoft. UEFI Firmware on the computer contains the public certificate counterparts for those private keys. At boot time UEFI Secure Boot checks the signatures of the current GRUB2 executable and if they don’t match, it won’t allow the executable to run.

    If you’d like to understand the GRUB2 vulnerability in more detail, security journalist Dan Goodin has a great write-up at Ars Technica. In summary, an attacker can trigger a buffer overflow in GRUB2 as it parses the grub.cfg configuration file (this file contains settings for the GRUB2 menu including which kernels to load and what kernel options to use). This buffer overflow allows the attacker to modify GRUB2 code in memory and execute malicious code of their choice, bypassing the protection UEFI Secure Boot normally would have to prevent such an attack.

    Unfortunately, UEFI Secure Boot doesn’t extend its signature checks into configuration files like grub.cfg. This means you can change grub.cfg without triggering Secure Boot and the attack exploited that limitation to modify grub.cfg in a way that would then exploit the running GRUB2 binary after it had passed the signature check.

    Further complicating the response to this vulnerability is the fact that it’s not enough to patch GRUB2. Because the vulnerable GRUB2 binaries have already been signed by Microsoft’s certificate, an attacker could simply replace a patched GRUB2 with the previous, vulnerable version. Patching against this vulnerability means updating your UEFI firmware (typically using reflashing tools and firmware provided by your vendor) so that it can add the vulnerable GRUB2 binary signatures to its overall list of revoked signatures.

Red Hat Enterprise Linux runs into Boothole patch trouble

  • Red Hat Enterprise Linux runs into Boothole patch trouble

    Sometimes the cure really is worse than the disease. The recently revealed Boothole security problem with GRUB2 and Secure Boot can, theoretically, be used to attack Linux systems. In practice, the only vulnerable Linux systems are ones that have already been successfully breached by an attacker. Still, the potential for damage was there, so almost all enterprise Linux distributors have released patches. Unfortunately, for at least one -- Red Hat -- the fix has gone wrong.

    Many users are reporting that, after patching Red Hat Enterprise Linux (RHEL) 8.2, it has rendered their systems unbootable. The problem appears to affect RHEL 7.x and 8.x computers as well. It seems, however, to be limited only to servers running on bare iron. RHEL virtual machines (VMs), which don't deal with Secure Boot firmware, are working fine.

Debian explains

  • GRUB2 UEFI SecureBoot vulnerability - 'BootHole'

    UEFI Secure Boot (SB) is a verification mechanism for ensuring that code launched by a computer's UEFI firmware is trusted. It is designed to protect a system against malicious code being loaded and executed early in the boot process, before the operating system has been loaded.

    SB works using cryptographic checksums and signatures. Each program that is loaded by the firmware includes a signature and a checksum, and before allowing execution the firmware will verify that the program is trusted by validating the checksum and the signature. When SB is enabled on a system, any attempt to execute an untrusted program will not be allowed. This stops unexpected / unauthorised code from running in the UEFI environment.

    Most x86 hardware comes from the factory pre-loaded with Microsoft keys. This means the firmware on these systems will trust binaries that are signed by Microsoft. Most modern systems will ship with SB enabled - they will not run any unsigned code by default, but it is possible to change the firmware configuration to either disable SB or to enrol extra signing keys.

    Debian, like many other Linux-based operating systems, uses a program called shim to extend that trust from the firmware to the other programs that we need to be secured during early boot: the GRUB2 bootloader, the Linux kernel and firmware update tools (fwupd and fwupdate).
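To make the chain of checks described in the Purism and Debian excerpts concrete, here is an added Python model. It is my own illustration, not code from Purism, Debian, or any of the articles quoted on this page, and it is a toy rather than the firmware's implementation: HMAC-SHA256 with a constructed key stands in for the Authenticode signature real firmware verifies, and the keys, image bytes and grub.cfg contents are all made up for the example. What it demonstrates is the two points the excerpts make: grub.cfg is never covered by any signature check, and patching GRUB2 alone does not help until the firmware's dbx deny list also contains the old, still validly signed binary.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# ASSUMPTION (toy model): an HMAC-SHA256 over the image, keyed with the signer's
# secret, stands in for the RSA Authenticode signature real UEFI firmware checks.
# The shape of the decision (db allow list, dbx deny list, per-image hash) is
# what matters here, not the primitive.


def sign(signer_key: bytes, image: bytes) -> bytes:
    return hmac.new(signer_key, image, hashlib.sha256).digest()


def image_hash(image: bytes) -> str:
    # dbx entries are hashes of revoked images (or of revoked certificates).
    return hashlib.sha256(image).hexdigest()


@dataclass
class SignedImage:
    name: str
    payload: bytes
    signer: str
    signature: bytes


def make_image(name: str, payload: bytes, signer: str, signer_keys: dict) -> SignedImage:
    return SignedImage(name, payload, signer, sign(signer_keys[signer], payload))


@dataclass
class TrustStore:
    """db: signer name -> verification key; dbx: hashes of revoked images."""
    db: dict
    dbx: set = field(default_factory=set)

    def verify(self, img: SignedImage) -> tuple:
        if img.signer not in self.db:
            return False, f"{img.name}: signer {img.signer!r} not in db"
        expected = sign(self.db[img.signer], img.payload)
        if not hmac.compare_digest(expected, img.signature):
            return False, f"{img.name}: signature does not match image"
        if image_hash(img.payload) in self.dbx:
            return False, f"{img.name}: image hash is in dbx (revoked)"
        return True, f"{img.name}: verified"

    def revoke(self, img: SignedImage) -> None:
        # The vendor firmware/dbx update: deny the old binary by hash, even
        # though its signature is still valid.
        self.dbx.add(image_hash(img.payload))


def boot(firmware: TrustStore, shim: SignedImage, grub: SignedImage,
         grub_cfg: str, distro_key: bytes) -> tuple:
    """Return (booted, log). Mirrors the chain in the Debian excerpt: firmware
    verifies shim against db/dbx; shim verifies GRUB2 against the distro key it
    embeds plus the firmware's dbx; GRUB2 then reads grub.cfg unverified."""
    log = []
    ok, msg = firmware.verify(shim)
    log.append(msg)
    if not ok:
        return False, log
    shim_store = TrustStore(db={"distro": distro_key}, dbx=firmware.dbx)
    ok, msg = shim_store.verify(grub)
    log.append(msg)
    if not ok:
        return False, log
    # No signature covers the configuration file: its bytes never reach verify().
    log.append(f"grub.cfg loaded WITHOUT any signature check: {grub_cfg!r}")
    return True, log


def scenario() -> dict:
    """Walk through the BootHole response: patch alone vs. patch plus dbx update."""
    keys = {"microsoft": b"ms-uefi-ca-key", "distro": b"distro-sb-key"}  # constructed
    firmware = TrustStore(db={"microsoft": keys["microsoft"]})
    shim = make_image("shim", b"shim-binary", "microsoft", keys)
    grub_old = make_image("grub2-old", b"grub2-binary-vulnerable", "distro", keys)
    grub_new = make_image("grub2-new", b"grub2-binary-patched", "distro", keys)
    cfg = "menuentry 'Linux' { linux /vmlinuz root=/dev/sda2 }"  # constructed
    r = {}
    r["old_before_revoke"] = boot(firmware, shim, grub_old, cfg, keys["distro"])[0]
    r["new_before_revoke"] = boot(firmware, shim, grub_new, cfg, keys["distro"])[0]
    firmware.revoke(grub_old)  # the step the Purism excerpt says a patch alone lacks
    r["old_after_revoke"] = boot(firmware, shim, grub_old, cfg, keys["distro"])[0]
    r["new_after_revoke"] = boot(firmware, shim, grub_new, cfg, keys["distro"])[0]
    # Modifying the binary itself is caught by the signature check alone.
    tampered = SignedImage("grub2-tampered", grub_old.payload + b"\x90",
                           "distro", grub_old.signature)
    r["tampered"] = boot(firmware, shim, tampered, cfg, keys["distro"])[0]
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {'boots' if v else 'refused'}")
```

Before the revocation both the old and the patched GRUB2 boot, because both carry valid signatures; only after the old image's hash is added to dbx is it refused while the patched one still boots, and the configuration file takes no part in any of these decisions.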


More in Tux Machines

Linux Foundation Broadens Relationship With Surveillance

  • Facebook joins The Linux Foundation as a platinum member

    Most web-based companies are built on Linux and open-source software. Two-billion member social network Facebook is no different. For years, Facebook has not only relied on open-source, it's been an active contributor to major open-source projects. These include the React JavaScript library; the Open Compute Project, which open sources data-center hardware; and Linux's cGroup2 container software. Now Facebook is joining The Linux Foundation membership at the Platinum level. [...] While Facebook has been criticized for how it deals with privacy and politics, it has impeccable open-source credentials. It was already the lead contributor of many Linux Foundation-hosted projects, such as Presto, GraphQL, Osquery, and ONNX. The company also employs many Linux kernel key developers and maintainers.

  • Amundsen Joins LF AI as New Incubation Project

    LF AI Foundation (LF AI), the organization building an ecosystem to sustain open source innovation in artificial intelligence (AI), machine learning (ML), and deep learning (DL), today is announcing Amundsen as its latest Incubation Project.

  • LF AI Accepts Amundsen as Incubation Project

    The Amundsen data discovery project has joined the LF AI as an incubation project. Amundsen is a data discovery and metadata engine aiming to improve the productivity of data analysts, data scientists and engineers by indexing data resources. “Think of it as Google search for data,” the LF AI announcement said.

Graphics: Mesa 20.2 RC2 and DXVK 1.7.1

  • mesa 20.2.0-rc2

    Hi list,

    Available today is mesa 20.2.0-rc2. This is the second release candidate for
    the 20.2 release. Currently our open to close ratio on blocking bugs is looking
    really good. This release is dominated by changes to radeonsi, radv, and aco,
    with a few additional changes sneaking in for freedreno, meson, etnaviv,
    st/mesa, anv, and a few utility fixes.

    Dylan

  • Mesa 20.2-RC2 Released With Many Fixes For RadeonSI + RADV Drivers

    The second weekly release candidate of the forthcoming Mesa 20.2 is now available for testing. Mesa 20.2 is aiming for release around the end of August or early September depending upon how the bug situation plays out. This quarterly feature release to Mesa3D brings many new Vulkan extensions, the RADV driver using ACO by default, initial support for Navi 2 GPUs, initial support for Intel Rocket Lake and DG1, OpenGL 4.3 for LLVMpipe, and much more as outlined in last week's article.

  • DXVK 1.7.1 Released With Many Game Fixes For Direct3D Over Vulkan

    It's been nearly three months without a new DXVK release for mapping Direct3D 9/10/11 atop the Vulkan API while finally today there is a big feature release out. DXVK 1.7.1 was released a few minutes ago as the first update since May. While the version number isn't significant, this version does have many changes.

  • Direct3D to Vulkan translation layer DXVK 1.7.1 is out, lots of game fixes

    After a few months since 1.7 went out, DXVK 1.7.1 is now live to further improve Direct3D to Vulkan translation. This is the project that helps to power Proton, the compatibility layer for Steam Play. This release adds support for newer Vulkan extensions, fixes bugs and has new GPU driver requirements. On the driver side, the VK_EXT_transform_feedback extension is now required which has been supported in drivers on Linux since late 2018 / early 2019. Specifically you will need at least NVIDIA 415.22 and for AMD / Intel it looks like Mesa 19 covers both.

Devices/Embedded: Raspberry Pi and Android Devices

  • Indoor air quality HAT for Raspberry Pi boasts high-res TVOC sensor

    Avnet’s $49.95 “Renesas ZMOD4410 Indoor Air Quality HAT for Raspberry Pi” can be used to measure volatile organic compounds, humidity, and temperature, as well as estimate carbon dioxide levels. Avnet has launched a Renesas ZMOD4410 Indoor Air Quality HAT for Raspberry Pi (AES-RHSEN-ZM44-G) that joins other indoor air quality measurement add-ons for the Pi including Metriful’s $44.50 Sense module and Pimoroni’s $57 Enviro+ pHAT. The ZMOD4410 HAT lacks some of the extras of those boards, but appears to offer a higher quality total volatile organic compound (TVOC) sensor with its Renesas ZMOD4410, which offers resolution ranging from parts-per-billion to parts-per-million.

  • Tiny module and dev kit run RT Linux on STM32MP1

    Exor’s 25.4 x 25.4mm, extended temp “NanoSOM nS02” module runs real-time Linux and its XPlatform industrial IoT software on a soldered, 800MHz STM32MP157 with up to 1GB DDR3L and 32GB eMMC. An “OpenHMI nS02” dev kit with 5-inch touchscreen is optional. Italian embedded technology firm Exor Embedded has launched a NanoSOM nS02 module that runs real-time Linux on the new 800MHz version of ST’s dual-core, Cortex-A7 based STM32MP157. As with the recent, Apollo Lake based, FPGA-enabled GigaSOM GS01 module, Exor announced the product with Arrow, which will be distributing the module and an OpenHMI nS02 Development Kit (see farther below).

  • Zidoo Z10 Pro & Z9X Realtek RTD1619DR 4K Android Media Players Launched for $229 and up

    We previously wrote about some upcoming Realtek RTD1619 media players targeting the videophile and audiophile crowd, and expected them to launch very soon with models from Zidoo and Dune HD. Zidoo has now launched two models with the awaited Zidoo Z9X and a new, higher-end Zidoo Z10 Pro which can be purchased on Aliexpress for respectively $229 and $349 with free shipping.

  • Snapdragon 626 Powered Rugged Tablet Comes with NFC, RFID and Barcode Readers

    Estone Technology has launched another rugged tablet, the UA-80, an IP-67 waterproof rated and MIL-STD-810G compliant rugged Android tablet powered by a Qualcomm Snapdragon 626 mobile platform driving an 8″ capacitive touchscreen display.

Python Programming

  • Announcing the new Jupyter Book

    Jupyter Book is an open source project for building beautiful, publication-quality books, websites, and documents from source material that contains computational content. With this post, we’re happy to announce that Jupyter Book has been re-written from the ground up, making it easier to install, faster to use, and able to create more complex publishing content in your books. It is now supported by the Executable Book Project, an open community that builds open source tools for interactive and executable documents in the Jupyter ecosystem and beyond.

  • Holdgraf: Announcing the new Jupyter Book

    On the Jupyter blog, Chris Holdgraf announces a rewrite of the Jupyter Book project. LWN looked at Jupyter and its interactive notebooks for Python and other languages back in 2018; Jupyter Book extends the notebook idea.

  • EuroPython 2020: Live Stream Recordings available

    We’re happy to announce the public availability of the live stream recordings from EuroPython 2020. They were already available to all conference attendees since the sprint days.

  • Learn Any Programming Language with This Learning Plan

    All it takes to master any programming language is the right learning plan. If you know anything about programming you should be aware that often you can’t tell whether what you are doing is wrong until it’s too late. That’s what makes programming a frustrating skill to master — long hours doing the wrong things. But hey, whether you want to make programming your full-time job or just a hobby, you can always make the learning curve less steep. The secret to getting it right with coding is this: have a learning plan! While the plan will not do the hard lifting for you, it will definitely provide the much-needed elbow grease to keep you grounded and focused as you learn programming.

  • Deploying Django to AWS ECS with Terraform

    In this tutorial, we'll look at how to deploy a Django app to AWS ECS with Terraform.

  • Matt Layman: Rendering Calendars - Building SaaS #68

    In this episode, I worked on rendering a calendar of important events in a school year. We built out the appropriate data structures, and I wrote some new model methods and added tests. On the last stream, I created a new model to track breaks in the school year. The app now shows the calendar for the school year, and I want to display the breaks on the calendar. Before digging too far into the code, I provided my thoughts about using Docker for development from a question that came from the chat.