* [cip-dev] [PATCH 0/1] [isar-cip-core] Secureboot: disable initramfs debug shell @ 2021-03-19 7:20 Michael Adler 2021-03-19 7:20 ` [cip-dev] [PATCH 1/1] Secureboot: Disable " Michael Adler 0 siblings, 1 reply; 3+ messages in thread From: Michael Adler @ 2021-03-19 7:20 UTC (permalink / raw) To: cip-dev; +Cc: Michael Adler [-- Attachment #1: Type: text/plain, Size: 769 bytes --] Hi everyone, the following patch intends to close a loophole in the secureboot boot chain. By default, Debian Buster's initramfs drops the user to an interactive debug shell in case of a severe error (e.g. rootfs cannot be mounted). This is essentially a root shell and can be abused to tamper with the system. This feature can be disabled by appending panic=0 to the kernel cmdline. Kind regards, Michael Michael Adler (1): Secureboot: Disable initramfs debug shell wic/qemu-amd64-efibootguard-secureboot.wks | 2 ++ wic/qemu-amd64-efibootguard.wks | 2 ++ wic/simatic-ipc227e-efibootguard.wks | 2 ++ wic/swupdate-partition.inc | 2 -- 4 files changed, 6 insertions(+), 2 deletions(-) -- 2.31.0 [-- Attachment #2: Type: text/plain, Size: 428 bytes --] -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6298): https://lists.cip-project.org/g/cip-dev/message/6298 Mute This Topic: https://lists.cip-project.org/mt/81450089/4520388 Group Owner: cip-dev+owner@lists.cip-project.org Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply [flat|nested] 3+ messages in thread
* [cip-dev] [PATCH 1/1] Secureboot: Disable initramfs debug shell 2021-03-19 7:20 [cip-dev] [PATCH 0/1] [isar-cip-core] Secureboot: disable initramfs debug shell Michael Adler @ 2021-03-19 7:20 ` Michael Adler 2021-03-19 8:57 ` Jan Kiszka 0 siblings, 1 reply; 3+ messages in thread From: Michael Adler @ 2021-03-19 7:20 UTC (permalink / raw) To: cip-dev; +Cc: Michael Adler [-- Attachment #1: Type: text/plain, Size: 2954 bytes --] This closes a loophole introduced by the initramfs debug shell which is enabled by default: "The initramfs-tools package includes a debug shell in the initrds it generates. If for example the initrd is unable to mount your root file system, you will be dropped into this debug shell which has basic commands available to help trace the problem and possibly fix it." [1] [1] https://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html#recovery-initrd Signed-off-by: Michael Adler <michael.adler@siemens.com> --- wic/qemu-amd64-efibootguard-secureboot.wks | 2 ++ wic/qemu-amd64-efibootguard.wks | 2 ++ wic/simatic-ipc227e-efibootguard.wks | 2 ++ wic/swupdate-partition.inc | 2 -- 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks index 9ccf501..ff351db 100644 --- a/wic/qemu-amd64-efibootguard-secureboot.wks +++ b/wic/qemu-amd64-efibootguard-secureboot.wks @@ -7,3 +7,5 @@ part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhe part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" include swupdate-partition.inc + +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0" diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks index a9a8446..6653068 100644 --- a/wic/qemu-amd64-efibootguard.wks +++ b/wic/qemu-amd64-efibootguard.wks @@ -2,3 +2,5 @@ # long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate include ebg-sysparts.inc include swupdate-partition.inc + +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk" diff --git a/wic/simatic-ipc227e-efibootguard.wks b/wic/simatic-ipc227e-efibootguard.wks index 74446d3..f6191bc 100644 --- a/wic/simatic-ipc227e-efibootguard.wks +++ b/wic/simatic-ipc227e-efibootguard.wks @@ -3,3 +3,5 @@ include ebg-sysparts.inc include swupdate-partition.inc + +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk" diff --git a/wic/swupdate-partition.inc b/wic/swupdate-partition.inc index 15fbe80..7bec9d7 100644 --- a/wic/swupdate-partition.inc +++ b/wic/swupdate-partition.inc @@ -1,4 +1,2 @@ part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000001" --size 1000M --extra-space 128M --overhead-factor 1 --label systema --align 1024 --fstype=ext4 part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000002" --size 1000M --extra-space 128M --overhead-factor 1 --label systemb --align 1024 --fstype=ext4 - -bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk" -- 2.31.0 [-- Attachment #2: Type: text/plain, Size: 428 bytes --] -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6299): https://lists.cip-project.org/g/cip-dev/message/6299 Mute This Topic: https://lists.cip-project.org/mt/81450090/4520388 Group Owner: cip-dev+owner@lists.cip-project.org Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [cip-dev] [PATCH 1/1] Secureboot: Disable initramfs debug shell 2021-03-19 7:20 ` [cip-dev] [PATCH 1/1] Secureboot: Disable " Michael Adler @ 2021-03-19 8:57 ` Jan Kiszka 0 siblings, 0 replies; 3+ messages in thread From: Jan Kiszka @ 2021-03-19 8:57 UTC (permalink / raw) To: cip-dev, Michael Adler [-- Attachment #1: Type: text/plain, Size: 3132 bytes --] On 19.03.21 08:20, Michael Adler wrote: > This closes a loophole introduced by the initramfs debug shell which is > enabled by default: > > "The initramfs-tools package includes a debug shell in the initrds it > generates. If for example the initrd is unable to mount your root file > system, you will be dropped into this debug shell which has basic > commands available to help trace the problem and possibly fix it." [1] > > [1] https://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html#recovery-initrd > > Signed-off-by: Michael Adler <michael.adler@siemens.com> > --- > wic/qemu-amd64-efibootguard-secureboot.wks | 2 ++ > wic/qemu-amd64-efibootguard.wks | 2 ++ > wic/simatic-ipc227e-efibootguard.wks | 2 ++ > wic/swupdate-partition.inc | 2 -- > 4 files changed, 6 insertions(+), 2 deletions(-) > > diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks > index 9ccf501..ff351db 100644 > --- a/wic/qemu-amd64-efibootguard-secureboot.wks > +++ b/wic/qemu-amd64-efibootguard-secureboot.wks > @@ -7,3 +7,5 @@ part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhe > part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" > > include swupdate-partition.inc > + > +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0" > diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks > index a9a8446..6653068 100644 > --- a/wic/qemu-amd64-efibootguard.wks > +++ b/wic/qemu-amd64-efibootguard.wks > @@ -2,3 +2,5 @@ > # long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate > include ebg-sysparts.inc > include swupdate-partition.inc > + > +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk" > diff --git a/wic/simatic-ipc227e-efibootguard.wks b/wic/simatic-ipc227e-efibootguard.wks > index 74446d3..f6191bc 100644 > --- a/wic/simatic-ipc227e-efibootguard.wks > +++ b/wic/simatic-ipc227e-efibootguard.wks > @@ -3,3 +3,5 @@ > > include ebg-sysparts.inc > include swupdate-partition.inc > + > +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk" > diff --git a/wic/swupdate-partition.inc b/wic/swupdate-partition.inc > index 15fbe80..7bec9d7 100644 > --- a/wic/swupdate-partition.inc > +++ b/wic/swupdate-partition.inc > @@ -1,4 +1,2 @@ > part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000001" --size 1000M --extra-space 128M --overhead-factor 1 --label systema --align 1024 --fstype=ext4 > part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000002" --size 1000M --extra-space 128M --overhead-factor 1 --label systemb --align 1024 --fstype=ext4 > - > -bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk" > Thanks, applied. Jan -- Siemens AG, T RDA IOT Corporate Competence Center Embedded Linux [-- Attachment #2: Type: text/plain, Size: 428 bytes --] -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6302): https://lists.cip-project.org/g/cip-dev/message/6302 Mute This Topic: https://lists.cip-project.org/mt/81450090/4520388 Group Owner: cip-dev+owner@lists.cip-project.org Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-03-19 9:07 UTC | newest] Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-03-19 7:20 [cip-dev] [PATCH 0/1] [isar-cip-core] Secureboot: disable initramfs debug shell Michael Adler 2021-03-19 7:20 ` [cip-dev] [PATCH 1/1] Secureboot: Disable " Michael Adler 2021-03-19 8:57 ` Jan Kiszka
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).