CIP-dev Archive on lore.kernel.org
* [cip-dev] [PATCH 0/1] [isar-cip-core] Secureboot: disable initramfs debug shell
@ 2021-03-19  7:20 Michael Adler
  2021-03-19  7:20 ` [cip-dev] [PATCH 1/1] Secureboot: Disable " Michael Adler
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Adler @ 2021-03-19  7:20 UTC (permalink / raw)
  To: cip-dev; +Cc: Michael Adler


[-- Attachment #1: Type: text/plain, Size: 769 bytes --]

Hi everyone,

the following patch intends to close a loophole in the secureboot boot chain.

By default, Debian Buster's initramfs drops the user to an interactive debug
shell in case of a severe error (e.g. rootfs cannot be mounted). This is
essentially a root shell and can be abused to tamper with the system.

This feature can be disabled by appending panic=0 to the kernel cmdline.

Kind regards,
Michael


Michael Adler (1):
  Secureboot: Disable initramfs debug shell

 wic/qemu-amd64-efibootguard-secureboot.wks | 2 ++
 wic/qemu-amd64-efibootguard.wks            | 2 ++
 wic/simatic-ipc227e-efibootguard.wks       | 2 ++
 wic/swupdate-partition.inc                 | 2 --
 4 files changed, 6 insertions(+), 2 deletions(-)

-- 
2.31.0


[-- Attachment #2: Type: text/plain, Size: 428 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6298): https://lists.cip-project.org/g/cip-dev/message/6298
Mute This Topic: https://lists.cip-project.org/mt/81450089/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-
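As an added example (not part of this thread and not code from isar-cip-core or initramfs-tools), the following POSIX shell checker takes a kernel command line and reports whether Debian's initramfs-tools can still land in its "(initramfs)" debug shell. It models the panic= handling that the cover letter relies on, as I read it from initramfs-tools' init and scripts/functions (stated here as an assumption, not quoted from the page): init keeps a panic= value only if it consists of digits and dots, panic() reboots after that many seconds when the value is non-empty and otherwise opens /bin/sh, and break=/break go through the same panic() function. The sample command lines are constructed; the first mirrors the patched secureboot .wks.

```shell
#!/bin/sh
# Added example, not code from the cip-dev thread or from isar-cip-core.
# Classify a kernel command line by whether initramfs-tools (Debian buster's
# initramfs) can still drop to its "(initramfs)" debug shell.
#
# Model (my reading of initramfs-tools' init and scripts/functions, stated as
# an assumption): init keeps "panic=<value>" only if <value> consists of
# digits and dots; panic() then sleeps <value> seconds and runs "reboot -f"
# when the value is non-empty, and execs /bin/sh otherwise; "break" and
# "break=<stage>" request a shell explicitly but also go through panic().

# Print the value of key=$2 from cmdline $1; exit 1 if the key is absent.
# A bare "key" without "=" is reported as an empty value (exit 0).
cmdline_get() {
    _key=$2
    for _x in $1; do
        case "$_x" in
            "$_key")   printf '\n'; return 0 ;;
            "$_key"=*) printf '%s\n' "${_x#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Mirror init's sanitising of panic=: anything but digits and dots is dropped,
# so "panic=-1" (the kernel's "reboot immediately") does NOT disable the shell.
effective_panic() {
    _p=$(cmdline_get "$1" panic) || return 1
    case "$_p" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$_p"
}

# Verdict for a cmdline, printed as one word:
#   reboot      - panic() reboots, no debug shell (what "panic=0" achieves)
#   shell       - a rootfs mount failure drops to the debug shell
#   shell-break - a shell is requested explicitly via break= and is reachable
initramfs_shell_policy() {
    if effective_panic "$1" >/dev/null; then
        echo reboot
    elif cmdline_get "$1" break >/dev/null; then
        echo shell-break
    else
        echo shell
    fi
}

# CI helper: succeed only if the debug shell is unreachable on this cmdline.
assert_no_debug_shell() {
    [ "$(initramfs_shell_policy "$1")" = reboot ]
}

# Constructed sample command lines. The first matches the patched secureboot
# .wks; the others show the edge cases a reviewer would want to see.
SECUREBOOT_CMDLINE='console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0'
PLAIN_CMDLINE='console=tty0 console=ttyS0,115200 rootwait earlyprintk'
NEGATIVE_CMDLINE="$PLAIN_CMDLINE panic=-1"      # rejected by init's filter
BREAK_CMDLINE="$PLAIN_CMDLINE break=premount"   # explicit shell request

if [ "${1:-}" = --demo ]; then
    for c in "$SECUREBOOT_CMDLINE" "$PLAIN_CMDLINE" "$NEGATIVE_CMDLINE" "$BREAK_CMDLINE"; do
        printf '%-12s %s\n' "$(initramfs_shell_policy "$c")" "$c"
    done
fi
```

Run it with `--demo` to print the verdict for each sample, or source it and call `assert_no_debug_shell "$(cat /proc/cmdline)"` on a booted device. To check a built image instead of a running system, the command line of a unified kernel can be read from its `.cmdline` PE section (for example `objcopy -O binary --only-section=.cmdline linux.efi /dev/stdout`), assuming the EFI Boot Guard unified image uses the systemd-stub section layout. Two caveats the checker makes visible: `panic=-1`, which a kernel-minded engineer might reach for, is discarded by initramfs-tools and leaves the shell enabled, and `panic=0` is also the kernel's own default (no automatic reboot after a kernel panic), so a hardware watchdog remains the answer for kernel-level hangs.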



* [cip-dev] [PATCH 1/1] Secureboot: Disable initramfs debug shell
  2021-03-19  7:20 [cip-dev] [PATCH 0/1] [isar-cip-core] Secureboot: disable initramfs debug shell Michael Adler
@ 2021-03-19  7:20 ` Michael Adler
  2021-03-19  8:57   ` Jan Kiszka
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Adler @ 2021-03-19  7:20 UTC (permalink / raw)
  To: cip-dev; +Cc: Michael Adler


[-- Attachment #1: Type: text/plain, Size: 2954 bytes --]

This closes a loophole introduced by the initramfs debug shell which is
enabled by default:

"The initramfs-tools package includes a debug shell in the initrds it
generates. If for example the initrd is unable to mount your root file
system, you will be dropped into this debug shell which has basic
commands available to help trace the problem and possibly fix it." [1]

[1] https://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html#recovery-initrd

Signed-off-by: Michael Adler <michael.adler@siemens.com>
---
 wic/qemu-amd64-efibootguard-secureboot.wks | 2 ++
 wic/qemu-amd64-efibootguard.wks            | 2 ++
 wic/simatic-ipc227e-efibootguard.wks       | 2 ++
 wic/swupdate-partition.inc                 | 2 --
 4 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks
index 9ccf501..ff351db 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks
@@ -7,3 +7,5 @@ part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhe
 part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
 
 include swupdate-partition.inc
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0"
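Review bot: the reason panic=0 belongs in this file and not in the shared include deserves a comment above the new bootloader line. The same kickstart builds a unified kernel (unified-kernel=y) signed through signwith=/usr/bin/sign_secure_image.sh, so, assuming the efibootguard-boot plugin embeds the --append string in that image, the cmdline is covered by the signature and cannot be edited to bring the shell back; the two unsigned variants have no such protection. A line such as `# panic=0: never drop to the initramfs debug shell; the cmdline is part of the signed unified kernel` would stop the next refactoring from folding the three near-identical bootloader lines back into swupdate-partition.inc and silently losing the hardening.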
diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks
index a9a8446..6653068 100644
--- a/wic/qemu-amd64-efibootguard.wks
+++ b/wic/qemu-amd64-efibootguard.wks
@@ -2,3 +2,5 @@
 # long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
 include ebg-sysparts.inc
 include swupdate-partition.inc
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
diff --git a/wic/simatic-ipc227e-efibootguard.wks b/wic/simatic-ipc227e-efibootguard.wks
index 74446d3..f6191bc 100644
--- a/wic/simatic-ipc227e-efibootguard.wks
+++ b/wic/simatic-ipc227e-efibootguard.wks
@@ -3,3 +3,5 @@
 
 include ebg-sysparts.inc
 include swupdate-partition.inc
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
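Review bot: panic=0 is added only to the qemu secureboot kickstart, while this file, which targets the physical SIMATIC IPC227E, keeps the shell-enabled cmdline, so on that board a rootfs mount failure still yields a root shell on the serial console configured right here (console=ttyS0,115200). If that is deliberate because this image is not secure-boot protected and the cmdline could be edited anyway, say so in the commit message or in a comment above the line; otherwise add panic=0 here as well.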
diff --git a/wic/swupdate-partition.inc b/wic/swupdate-partition.inc
index 15fbe80..7bec9d7 100644
--- a/wic/swupdate-partition.inc
+++ b/wic/swupdate-partition.inc
@@ -1,4 +1,2 @@
 part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000001" --size 1000M   --extra-space 128M --overhead-factor 1 --label systema --align 1024 --fstype=ext4
 part  --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000002" --size 1000M   --extra-space 128M --overhead-factor 1 --label systemb --align 1024 --fstype=ext4
-
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
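Review bot: removing the bootloader directive from the include affects every kickstart that pulls it in, not only the three updated in this patch. Before merging, confirm with `grep -l swupdate-partition.inc wic/*.wks` that no other .wks includes it, because one that does would now build with no --append cmdline at all (no console=, no rootwait). A comment left in the include, e.g. `# the bootloader directive lives in the including .wks files (secureboot variant adds panic=0)`, would also explain the otherwise puzzling trailing part lines and keep the now-triplicated cmdline strings in sync.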
-- 
2.31.0


View/Reply Online (#6299): https://lists.cip-project.org/g/cip-dev/message/6299



* Re: [cip-dev] [PATCH 1/1] Secureboot: Disable initramfs debug shell
  2021-03-19  7:20 ` [cip-dev] [PATCH 1/1] Secureboot: Disable " Michael Adler
@ 2021-03-19  8:57   ` Jan Kiszka
  0 siblings, 0 replies; 3+ messages in thread
From: Jan Kiszka @ 2021-03-19  8:57 UTC (permalink / raw)
  To: cip-dev, Michael Adler


[-- Attachment #1: Type: text/plain, Size: 3132 bytes --]

On 19.03.21 08:20, Michael Adler wrote:
> This closes a loophole introduced by the initramfs debug shell which is
> enabled by default:
> 
> "The initramfs-tools package includes a debug shell in the initrds it
> generates. If for example the initrd is unable to mount your root file
> system, you will be dropped into this debug shell which has basic
> commands available to help trace the problem and possibly fix it." [1]
> 
> [1] https://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html#recovery-initrd
> 
> Signed-off-by: Michael Adler <michael.adler@siemens.com>
> ---
>  wic/qemu-amd64-efibootguard-secureboot.wks | 2 ++
>  wic/qemu-amd64-efibootguard.wks            | 2 ++
>  wic/simatic-ipc227e-efibootguard.wks       | 2 ++
>  wic/swupdate-partition.inc                 | 2 --
>  4 files changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks
> index 9ccf501..ff351db 100644
> --- a/wic/qemu-amd64-efibootguard-secureboot.wks
> +++ b/wic/qemu-amd64-efibootguard-secureboot.wks
> @@ -7,3 +7,5 @@ part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhe
>  part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
>  
>  include swupdate-partition.inc
> +
> +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0"
> diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks
> index a9a8446..6653068 100644
> --- a/wic/qemu-amd64-efibootguard.wks
> +++ b/wic/qemu-amd64-efibootguard.wks
> @@ -2,3 +2,5 @@
>  # long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
>  include ebg-sysparts.inc
>  include swupdate-partition.inc
> +
> +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
> diff --git a/wic/simatic-ipc227e-efibootguard.wks b/wic/simatic-ipc227e-efibootguard.wks
> index 74446d3..f6191bc 100644
> --- a/wic/simatic-ipc227e-efibootguard.wks
> +++ b/wic/simatic-ipc227e-efibootguard.wks
> @@ -3,3 +3,5 @@
>  
>  include ebg-sysparts.inc
>  include swupdate-partition.inc
> +
> +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
> diff --git a/wic/swupdate-partition.inc b/wic/swupdate-partition.inc
> index 15fbe80..7bec9d7 100644
> --- a/wic/swupdate-partition.inc
> +++ b/wic/swupdate-partition.inc
> @@ -1,4 +1,2 @@
>  part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000001" --size 1000M   --extra-space 128M --overhead-factor 1 --label systema --align 1024 --fstype=ext4
>  part  --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000002" --size 1000M   --extra-space 128M --overhead-factor 1 --label systemb --align 1024 --fstype=ext4
> -
> -bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
> 

Thanks, applied.

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

View/Reply Online (#6302): https://lists.cip-project.org/g/cip-dev/message/6302


