The Unified Extensible Firmware Interface (UEFI) specification includes a boot manager, which starts the OS boot loader or kernel.
The Unified Extensible Firmware Interface (UEFI) is a publicly available specification that defines a software interface between an operating system and platform firmware.
UEFI replaces the legacy Basic Input/Output System (BIOS) firmware interface. UEFI can support remote diagnostics and repair of computers, even with no operating system installed.
Intel developed the original Extensible Firmware Interface (EFI) specifications. The Unified EFI Forum is the industry body that manages the UEFI specifications.
The Linux kernel has been able to use EFI at boot time since the early 2000s, using the elilo EFI boot loader or, more recently, EFI versions of GRUB.
UEFI defines a boot manager as part of the UEFI specification (it does not rely on boot sectors). When a computer is powered on, the boot manager reads the boot configuration and, based on its settings, executes the specified OS boot loader or operating system kernel.
The boot configuration is defined by variables stored in NVRAM, including variables that indicate the file system paths to OS loaders or OS kernels.
UEFI provides a shell environment, which can be used to execute other UEFI applications, including UEFI boot loaders.
DebbyBuster has the InsydeH2O BIOS (the Insyde Software (Taiwan) implementation of the Intel Platform Innovation Framework for UEFI/EFI).
GRUB (GRand Unified Bootloader) can be used to boot most operating systems on Intel platforms. There are two versions: GRUB Legacy (GRUB 1) and GRUB 2.
What do I have?
- If I enter 'sudo grub-mkconfig --version'
- I get 'grub-mkconfig (GRUB) 2.02+dfsg1-20+deb10u4'
UEFI Secure Boot and Shim
The UEFI 2.3.1 Errata C specification (or higher) defines a protocol known as Secure Boot, which can secure the boot process by preventing the loading of UEFI drivers or OS boot loaders that are not signed with an acceptable digital signature. Supported by Debian since Debian 10.
Shim is a boot loader to chain-load signed boot loaders under Secure Boot. Shim becomes the root of trust for all the other distro-provided UEFI programs. It embeds a further distro-specific CA key that is itself used for signing further programs (e.g. Linux, GRUB, fwupdate). This allows for a clean delegation of trust - the distros are then responsible for signing the rest of their packages. Shim itself should ideally not need to be updated very often, reducing the workload on the central auditing and CA teams.
Windows 10 allows OEMs to decide whether or not Secure Boot can be managed by users of their x86 systems.
The Machine Owner Key (MOK) allows you to add signed files.
Finding out your status:
- 'sudo mokutil --sb-state'
- >SecureBoot disabled
- >Platform is in Setup Mode
Installed shim files:
- shim-helpers-amd64-signed/stable,now 1+15.4+5~deb10u1 amd64 [installed,automatic]
- shim-signed-common/stable-updates,now 1.36~1+deb10u2+15.4-5~deb10u1 all [installed,automatic]
- shim-signed/stable-updates,now 1.36~1+deb10u2+15.4-5~deb10u1 amd64 [installed]
- shim-unsigned/stable,now 15.4-5~deb10u1 amd64 [installed,automatic]
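The two lines 'mokutil --sb-state' prints come straight from the firmware's SecureBoot and SetupMode variables, which Linux exposes through efivarfs. The helper below (an added example, not from these notes or from mokutil) reads them the same way; it assumes efivarfs is mounted at /sys/firmware/efi/efivars and that each variable file is 4 bytes of attribute flags followed by the variable data.

```shell
# EFI_GLOBAL_VARIABLE GUID: SecureBoot and SetupMode live under it in efivarfs,
# as files named <Name>-<GUID>. Each file is 4 attribute bytes, then the data.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the first data byte (skipping the 4 attribute bytes) of a variable,
# or "missing" if the variable file is not readable.
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    if [ -r "$f" ]; then
        od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
    else
        echo missing
    fi
}

# Report Secure Boot and Setup Mode state in the same wording as mokutil.
# Argument: efivarfs directory (defaults to the standard mount point).
sb_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    case "$(efivar_byte "$dir" SecureBoot)" in
        1) echo "SecureBoot enabled" ;;
        0) echo "SecureBoot disabled" ;;
        *) echo "EFI variables are not supported on this system" >&2; return 1 ;;
    esac
    # Setup Mode means the platform key is not enrolled, so signature
    # enforcement cannot be active even if other key databases are present.
    if [ "$(efivar_byte "$dir" SetupMode)" = 1 ]; then
        echo "Platform is in Setup Mode"
    fi
}
```

On a live system, `sb_state` with no argument reports the firmware state; the function needs only read access to efivarfs, so it works without root.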
Debian and TPM
Debian TPM tools:
Run 'dpkg -L tpm2-tools' to list the installed files.
Debian's tpm2-tools are based on TrouSerS, a Trusted Computing Software Stack (TSS).
- tpm2-abrmd/stable,now 2.1.0-1 amd64 [installed,automatic]
- tpm2-tools/stable,now 3.1.3-2 amd64 [installed,automatic]
- libtss2-esys0/stable,now 2.1.0-4 amd64 [installed,automatic]
- libtss2-udev/stable,now 2.1.0-4 all [installed,automatic]
Linux distinguishes between:
- Linux kernel
- Linux kernel documentation
- Linux kernel Wikipedia
- Linux is a monolithic kernel with a modular design (e.g., it can insert and remove loadable kernel modules at runtime)
- Kernel versions:
- March 1994, Linux 1.0.0, 176,250 lines of code
- June 1996, Linux 2.0.0
- July 2011, Linux 3.0
- April 2015, Linux 4.0
- October 2020, Linux 5
- User mode (user applications, system components (daemons, window managers, graphics, ...), standard C libraries)
- Kernel mode (System Call Interface (SCI, around 380 system calls (open, close, exit, ...)), subsystems (process scheduling, IPC, memory management, virtual files, network), other components (ALSA, LVM, netfilter, ...) and Linux Security Modules (access control, SELinux, AppArmor, ...))
- In-kernel API
- In-kernel ABI
- Kernel-to-userspace API
- Kernel-to-userspace ABI
- systemd.io - project homepage
- systemd - Wikipedia
- Debian systemd
- a software suite whose aim is to unify service configuration and behavior across distributions
- systemd's primary component is a "system and service manager" — an init system used to bootstrap user space and manage user processes
- also provides replacements for various daemons and utilities, including device management, login management, network connection management, and event logging
- systemd is the first daemon to start during booting and the last daemon to terminate during shutdown. The systemd daemon serves as the root of the user space's process tree
- systemd is a system and service manager
- systemctl is a command to introspect and control the state of the systemd system and service manager. Not to be confused with sysctl
- '>systemctl' without arguments displays a list of all loaded systemd units (units: any resource that the system knows how to operate on and manage, configured in unit files)
- '>systemctl status' displays the overall status (states: )
- '>systemctl list-units --type=service' displays a list of all loaded services (services: ...)
- '>systemctl list-units --type=service --state=active' displays a list of all loaded and active services, this includes running and exited services
- '>systemctl list-units --type=service --state=running' displays a list of all services that are loaded, active and running
- Using systemctl to enable/disable a service when the server boots (enabling does NOT start the service):
- systemctl enable sshd
- systemctl disable sshd
- Using systemctl to start or stop a service:
- systemctl status sshd
- systemctl restart sshd
- systemctl start sshd
- systemctl stop sshd
- systemctl kill sshd
- systemd-analyze determines system boot-up performance statistics and retrieves other state and tracing information
- plus a wide range of ancillary components such as journald, logind, resolved, networkd, ...
Linux kernel security
Kernel security/subsystem level
- Netfilter.org project subsystem, packet filtering framework inside the Linux 2.4.x and later kernel series
- Enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling
- Software commonly associated with netfilter.org is iptables, the successor to the earlier Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems
- netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
- iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).
- netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack) and the NAT subsystem together build the major parts of the framework.
- Linux Security Modules (LSM)
- is narrowly scoped to solve the problem of access control
- is a framework allowing the kernel to support without bias a variety of computer security models
- is a standard part of the kernel since Linux 2.6.
- AppArmor, SELinux, Smack, and TOMOYO Linux are approved security modules in the official kernel
- US - NSA's Security Enhanced Linux
- SELinux is a Mandatory Access Control (MAC) mechanism built into a number of Linux distributions. It started as the Flux Advanced Security Kernel (FLASK) development by the University of Utah Flux team and the US Department of Defense. The development was enhanced by the NSA and released as open source software.
Linux kernel crypto API
The kernel crypto API serves the following entity types:
- consumers requesting cryptographic services
- data transformation implementations (typically ciphers) that can be called by consumers using the kernel crypto API
Device-mapper is infrastructure in the Linux kernel that provides a generic way to create virtual layers of block devices.
Device-mapper crypt target provides transparent encryption of block devices using the kernel crypto API.
The user specifies a symmetric cipher, an encryption mode, a key and an IV generation mode, and then creates a new block device in /dev.
Writes to this device are encrypted and reads are decrypted.
One can mount a filesystem on it as usual, or stack the dm-crypt device with another device such as a RAID or LVM volume.
- Cryptsetup is a utility to set up disk encryption based on the DMCrypt kernel module
- DMCrypt wiki
- Linux Unified Key Setup (LUKS) - project
- Linux Unified Key Setup (LUKS) - Wikipedia
- LUKS is a disk encryption specification
- Cryptsetup supports several on-disk formats: plain dm-crypt volumes, LUKS volumes, loop-AES, TrueCrypt (including the VeraCrypt extension) and BitLocker.
- LUKS does not encrypt the MasterSecretKey with the password itself but with a key derived from it using a PBKDF.
- LUKS uses eight key slots that are eight different encryptions of the same MasterSecretKey under eight different passwords.
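As an added example (not from these notes, nor from cryptsetup or the kernel), the helper below builds the table line that dmsetup needs for a plain dm-crypt mapping as described above, i.e. the raw layer under LUKS, where the hex key is given directly rather than derived from a passphrase. It checks that the key length matches the cipher, since XTS consumes two AES keys and so needs twice the AES key size; the device paths, cipher spec and zero-filled test key are assumed or constructed.

```shell
# dm-crypt target table syntax (kernel dm-crypt documentation):
#   <start_sector> <num_sectors> crypt <cipher> <hex_key> <iv_offset> <device> <device_offset>

# Number of hex characters the dm-crypt key needs for a cipher spec and
# an AES key size in bits. XTS uses two keys (data + tweak), so the
# dm-crypt key is twice the AES key size: aes-xts with AES-256 = 512 bits.
key_hex_len() {
    case "$1" in
        aes-xts-*) echo $(( $2 * 2 / 4 )) ;;
        aes-*)     echo $(( $2 / 4 )) ;;
        *) echo "unsupported cipher spec: $1" >&2; return 1 ;;
    esac
}

# Print the table line for one backing device, or fail with a message when
# the key is not hex or has the wrong length for the requested cipher.
# Arguments: backing device, cipher spec, AES key bits, hex key, size in 512-byte sectors.
dmcrypt_table() {
    dev="$1"; cipher="$2"; bits="$3"; key="$4"; sectors="$5"
    want=$(key_hex_len "$cipher" "$bits") || return 1
    case "$key" in
        *[!0-9a-fA-F]*) echo "key is not hex" >&2; return 1 ;;
    esac
    [ "${#key}" -eq "$want" ] || { echo "key must be $want hex chars for $cipher" >&2; return 1; }
    echo "0 $sectors crypt $cipher $key 0 $dev 0"
}

# Create the mapping (needs root): dmsetup reads the table from stdin and the
# new device appears as /dev/mapper/<name>. Arguments: name, device, cipher, bits, key.
dmcrypt_create() {
    name="$1"; dev="$2"; cipher="$3"; bits="$4"; key="$5"
    sectors=$(blockdev --getsz "$dev")
    dmcrypt_table "$dev" "$cipher" "$bits" "$key" "$sectors" | dmsetup create "$name"
}
```

Note that the table line carries the key in clear, so a real key must never be passed on a command line or left in shell history; cryptsetup with LUKS avoids this by deriving it in-process.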
Policy-Based Decryption (PBD) is a collection of technologies that enable unlocking encrypted root and secondary volumes of hard drives on physical and virtual machines. PBD uses a variety of unlocking methods, such as user passwords, a Trusted Platform Module (TPM) device, a PKCS #11 device connected to a system, for example, a smart card, or a special network server.
Network Bound Disk Encryption (NBDE) is a subcategory of PBD that allows binding encrypted volumes to a special network server.
D-Bus is a message bus system, a simple way for applications to talk to one another. In addition to interprocess communication, D-Bus helps coordinate process lifecycle; it makes it simple and reliable to code a "single instance" application or daemon, and to launch applications and daemons on demand when their services are needed.
D-Bus supplies both a system daemon (for events such as "new hardware device added" or "printer queue changed") and a per-user-login-session daemon (for general IPC needs among user applications). Also, the message bus is built on top of a general one-to-one message passing framework, which can be used by any two apps to communicate directly (without going through the message bus daemon). Currently the communicating applications are on one computer, or through unencrypted TCP/IP suitable for use behind a firewall with shared NFS home directories.