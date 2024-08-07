It seems to be bootloader season, because we’ve got another one – this time, a research project with very limited application for most people.
SentinelBoot is a cryptographically secure bootloader aimed at enhancing boot flow safety of RISC-V through memory-safe principles, predominantly leveraging the Rust programming language with its ownership, borrowing, and lifetime constraints. Additionally, SentinelBoot employs public-key cryptography to verify the integrity of a booted kernel (digital signature), by the use of the RISC-V Vector Cryptography extension, establishing secure boot functionality. SentinelBoot achieves these objectives with a 20.1% hashing overhead (approximately 0.27s additional runtime) when compared to an example U-Boot binary (mainline at time of development), and produces a resulting binary one-tenth the size of an example U-Boot binary with half the memory footprint.↫ Lawrence Hunter
SentinelBoot is a project undertaken at the University of Manchester, and its goal is probably clear from the description: to develop a more secure bootloader for RISC V devices. An additional element is that they looked specifically at devices that receive updates over-the-air, like smartphones. In addition, scenarios where an attacker has physical access to the device in question were not considered, for obvious reasons – in such cases, the attacker can just replace the bootloader altogether anyway, and no amount of fancy Rust code is going to save you there.
The details of the implementation as described in the article are definitely a little bit over my head, but the gist seems to be that the project’s been able to achieve a much more secure boot process without giving up much in performance. This being a research project with an intentionally limited scope does mean it’s most just something that’ll immediately benefit all of us, but it’s these kinds of projects that can really push the state of the art and try out the viability of new ideas.
For now i will stick with Grub with enabled os-prober and such, RISC-V included. From time to time a new project emerges, claiming security and being modern and … I have nothing against that but somehow such solutions either don’t support things like multi-boot environments or do rely on buggy and closed source solutions … meanwhile i can install Grub on an USB drive or boot ISO from hard drive directly … Or pretty much every thought i had in the past Grub supported it without further ado. On top of that i don’t trust solutions like TPM or UEFI enough, to consider them safe. So in that regard i don’t have to give up Grub, as by ditching Grub and loading UKI directly i wouldn’t believe i am more secure then running Grub + FOSS. When you start to add binaries then it’s down to blind trust anyway. Maybe you go that extra mile “as pro” in for example server environment. To get some false sense of security. Relaying on solutions builds on top of gazillion vulnerable and closed source solutions in forms of some firmwares or software solutions baked in some chip. Claiming that is so much better then using Grub + FOSS from a trusted repository.
Geck,
Use whatever works for you, no problem. But as someone who believes in the “keep it simple, stupid” rule, grub is too overengineered for my tastes and I don’t find it better than simpler alternatives. Grub configurations files are needlessly complex. None of that’s warranted and I’d be hard pressed to find a more complex bootloader.
It is important to understand the type of exploits that cryptographically signed & verified boot loaders protect against. Consider what’s known as an “evil maid” attack and how a vanilla grub install is trivially vulnerable. I understand you might not be at high risk and might not care, but it can be a serious risk for targeted attacks. Claiming that secure bootloaders offers no securirty is false.
It depends. That is when we start talking about boot loaders 10 people will list 10 different solutions. Now, true, all get the job done in described fashion, still most of them are severely limited from general purpose operating system point of view. That is they simply don’t work in a lot of use cases. That is not KISS principle to me, lacking software. Or saying Grub is complex but systemd isn’t. Or UKI from the point of view to ditch Grub, not being complex solution. Anyway, as such they are not suitable for this task. As for signing and verifying software point of view. If it’s a FOSS solution then it’s rather OK by me, if it doesn’t get in my way, otherwise thanks but no thanks. It’s like with sandboxing. I don’t believe it works and it ever will, hence running FOSS without sandboxing is preferred choice by me. I trust it more that running sandboxed blobs. Supposedly secure in reality far from it.
Geck,
Huh? You’re going to need to be more specific than that. what use case specifically?
To be perfectly honest most (and maybe even all) of my boot problems have been under grub. Luckily most grub distros use UUIDs now, but remember how bad things were when grub made you specify disks by an arbitrary index in a fixed hard disk map? It was very common for grub to fail to locate the OS. Why they did that is beyond me since it was extremely fragile to disk changes. Just plugging in or removing disk often broke grub.
https://superuser.com/questions/629999/grub-hd-wrong-detection-mapping
https://askubuntu.com/questions/321862/grub2-points-to-the-wrong-harddisk-after-installing-one-more-harddisk
Ironically simpler bootloaders that didn’t overthink it just used the disk passed by the BIOS. This was far more robust since there was no any ambiguity which disk is being booted from when additional drives got installed.
The problem with alternate bootloaders comes from the fact that most distros only support grub now, but as an admin I prefer tools that embrace the KISS rule: simplicity is zen. Alas this message gets lost with a lot of modern software, it’s one of my gripes with systemd. Anyway that’s just me, I’m not preaching what anybody else should use for themselves.
I place a lot of value open source as well, but the way you are talking about security and foss makes them sound like opposites when they’re really two different dimensions. To the extent that you don’t trust the security in proprietary firmware, fair enough. However don’t you have to concede that whether you enable your motherboard’s security features or not you’re still dependent on the very proprietary firmware that you are criticizing?