Securing Secure Boot on Xen Ross Lagerwall Software Engineer, - - PowerPoint PPT Presentation

▶

Sep 27, 2023 147 likes •310 views

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15 Presentation licensed CC-By-SA-4.0 Why Secure Boot? How can we prevent running malware at boot? With Secure Boot! What if the machine is a VM in

SLIDE 1

1 / 15

Securing Secure Boot on Xen

Ross Lagerwall Software Engineer, Citrix Systems

Presentation licensed CC-By-SA-4.0

SLIDE 2

Why Secure Boot?

How can we prevent running malware at

boot?

With Secure Boot!
What if the machine is a VM in the cloud?
Xen doesn‘t support Secure Boot yet – let΄s

see how it can be done.

SLIDE 3

Background

UEFI is a replacement for the BIOS
It defines how operating systems interact with

firmware including how the OS is started

Secure Boot is part of the UEFI specification

from 2.3.1 Errata C

Using Secure Boot on Xen requires booting the

guest as a UEFI guest

Support for this exists using OVMF

Operating system Firmware Hardware Extensible Firmware Interface

Images: Tiancocore (https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Logo/Logo.bmp) UEFI (https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface)

SLIDE 4

Background

Starting an OS under UEFI works differently

compared with BIOS

The firmware knows how to load a specified file
n a FAT-formatted filesystem – could be a

bootloader or an OS kernel.

With Secure Boot, there is an extra step:

Before executing the file its signature is verified

SLIDE 5

Background

How is it verified?
Hardware has NVRAM which stores UEFI

variables and these include certificates databases (called PK, KEK, db)

The kernel to be booted needs to be signed by one
f the trusted certificates
If malware patches or replaces the kernel the

firmware will refuse to start it because it fails the signature check

SLIDE 6

Background

How are the certificate databases populated?
Prepopulated at the factory
They are UEFI authenticated variables which

require updates to be signed by the certificates already stored there

Alternatively a platform-specific reset method

can be used to clear the databases

SLIDE 7

Implementation on real hardware

The code which implements SetVariable() (i.e. variable

services) needs to be protected from malware otherwise Secure Boot is compromised

But malware could be running at the highest privilege level!
An extra level of privilege is needed
System Management Mode!
Put the code in SMRAM so that it cannot be accessed outside
f SMM
Configure the NVRAM so that it can only be written from SMM
Setting variables requires trapping into SMM

SLIDE 8

Implementation on KVM

KVM virtualizes what real hardware does
QEMU emulates a block of flash memory for

the NVRAM

KVM emulates SMM for guests
Reuses existing code for the security-critical

parts of variables services

See Securing secure boot with System Management Mode, Paolo Bonzini, KVM Forum 2015 for more details.

SLIDE 9

Implementation on Xen

There are numerous vulnerabilities and attacks

against SMM

Xen has no support for emulating SMM
Using emulated flash limits flexibility of variable

storage

How can we do better?

SLIDE 10

Implementation on Xen

With virtualization, there are already two distinct

privilege levels (guest and hypervisor) so SMM is not needed

Run a daemon that implements variable

services outside of the guest execution context

Add a new module to OVMF that implements

variables services by proxying to the daemon running outside the guest

SLIDE 11

Implementation on Xen

The guest has no direct access to the code that

executes the variables services

Nor does it have direct access to the variable

storage

Variable storage is abstracted so that different

backends can be used: Berkeley DB, SQLite, MySQL, XAPI database, flat files, etc.

SLIDE 12

store

Implementation on Xen

Guest (n) OS OVMF

SetVariable() return Memory

Hypervisor (dom0) varstored (n)

map SetVariable() handler_set_variable() return ioport write(port, pagenr) XenVariable module dispatch

XAPI DB

SLIDE 13

Implementation on Xen

varstored: A daemon that implements all the required

variable services using the XAPI database for storage

XenVariable: An OVMF module that proxies variable

service calls to varstored

It works with Xen to securely implement Secure Boot

and boots Linux and Windows guests

Could be used with KVM without much difficulty
It is not a platform specific implementation unlike the
ther approaches

SLIDE 14

Demo

Video at https://rossl.org/fosdem2019.mkv

SLIDE 15

When can I use it?

Not yet publicly available – will be released

Securing Secure Boot on Xen

Ross Lagerwall Software Engineer, Citrix Systems

Why Secure Boot?

boot?

see how it can be done.

Background

firmware including how the OS is started

from 2.3.1 Errata C

guest as a UEFI guest

Background

compared with BIOS

bootloader or an OS kernel.

Before executing the file its signature is verified

Background

variables and these include certificates databases (called PK, KEK, db)

firmware will refuse to start it because it fails the signature check

Background

require updates to be signed by the certificates already stored there

can be used to clear the databases

Implementation on real hardware

services) needs to be protected from malware otherwise Secure Boot is compromised

Implementation on KVM

the NVRAM

parts of variables services

Implementation on Xen

against SMM

storage

Implementation on Xen

privilege levels (guest and hypervisor) so SMM is not needed

services outside of the guest execution context

variables services by proxying to the daemon running outside the guest

Implementation on Xen

executes the variables services

storage

backends can be used: Berkeley DB, SQLite, MySQL, XAPI database, flat files, etc.

Implementation on Xen

Implementation on Xen

variable services using the XAPI database for storage

service calls to varstored

and boots Linux and Windows guests

Demo

When can I use it?

shortly and announced on the Xen mailing list