Linux Developer Matthew Garrett Discusses Mechanism to Block Bootloader Vulnerabilities
Matthew Garrett, a well-known Linux kernel developer and recipient of the Free Software Foundation's award for his contributions to free software, has written about the sbat (Secure Boot Advanced Targeting) mechanism, which was created to block vulnerable bootloaders without revoking their digital signatures. Garrett also discussed the role of this mechanism in a recent incident in which a Windows update caused Linux to fail to boot on systems with UEFI Secure Boot enabled.
Garrett explained, “When the UEFI Secure Boot specification was being developed, there was a level of naivety among the participants. The main security model of Secure Boot requires that all code running in a privileged environment at the kernel level be verified before execution. This means the firmware checks the bootloader, the bootloader checks the kernel, and so on, establishing a trusted environment for implementing any desired security policy.”
He further elaborated, “A method for revoking signed components that turned out to be insecure was included in the specification. By adding a hash of the flawed code to a variable, the system can then refuse to load anything with that hash, even if it is signed by a trusted key.”
However, Garrett highlighted a significant challenge in implementing this approach. He noted, “The issue arises when vulnerabilities are discovered in the source code of bootloaders used by the various Linux distributions in the Secure Boot ecosystem. Each distribution generates its own set of binary files for the bootloader, each with its own unique hash. This means that a large number of different binary files would need to be revoked in the event of a vulnerability, and the variable that holds all these hashes has limited storage.”
Garrett pointed out, “There is simply not enough space to add a new set of hashes every time a vulnerability is detected. This becomes particularly challenging when considering bootloaders like GRUB, which was originally created at a time when boot protection mechanisms were not as prevalent and contains multiple parsers for different file types.”
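As an added illustration (not code from the article, from Garrett's post, or from shim or any firmware), the following Python models the two approaches the quoted paragraphs contrast: the per-binary hash denylist whose variable fills up, and SBAT, where each binary carries a `.sbat` section listing component names and generation numbers and shim refuses it if any listed component's generation is below the minimum in the SbatLevel policy. The variable capacity, the distro names, the bootloader bytes, the `.sbat` contents and the policy date are all constructed for the example; only the two-column name/generation layout follows shim's SBAT documentation.

```python
"""Constructed simulation of two Secure Boot revocation strategies (not real firmware code)."""
from __future__ import annotations

import csv
import hashlib
import io

# --- Strategy 1: forbid individual binaries by hash (dbx-style denylist) -------------
SHA256_LEN = 32  # bytes consumed by each revoked binary


class HashDenylist:
    """Fixed-capacity set of hashes of binaries that must never be loaded."""

    def __init__(self, capacity_bytes: int) -> None:
        self.capacity = capacity_bytes  # ASSUMPTION: illustrative size of the variable
        self.hashes: set[bytes] = set()

    def used_bytes(self) -> int:
        return len(self.hashes) * SHA256_LEN

    def revoke(self, binary: bytes) -> bool:
        """Add the binary's hash; return False if the variable would overflow."""
        digest = hashlib.sha256(binary).digest()
        if digest in self.hashes:
            return True
        if self.used_bytes() + SHA256_LEN > self.capacity:
            return False
        self.hashes.add(digest)
        return True

    def allows(self, binary: bytes) -> bool:
        """A correctly signed binary is still refused once its hash is listed."""
        return hashlib.sha256(binary).digest() not in self.hashes


def build_bootloader(distro: str, version: int) -> bytes:
    """Constructed stand-in for one distro's own build of one GRUB version:
    the bytes (and so the hash) differ per distro even for identical upstream source."""
    return f"grub build: distro={distro} version={version}".encode()


def vulnerabilities_that_fit(distros: list[str], capacity_bytes: int) -> int:
    """Count vulnerabilities whose affected builds can all be revoked before the
    fixed-size hash variable fills up (one build per distro per vulnerability)."""
    dbx = HashDenylist(capacity_bytes)
    revoked_vulns, version = 0, 0
    while True:
        for distro in distros:  # one vulnerability => one hash per distro
            if not dbx.revoke(build_bootloader(distro, version)):
                return revoked_vulns
        revoked_vulns += 1
        version += 1


# --- Strategy 2: SBAT (Secure Boot Advanced Targeting): generation numbers -----------
def parse_sbat(text: str) -> dict[str, int]:
    """Map component name -> generation. Works for a binary's .sbat section and for
    the SbatLevel policy: both are CSV whose first two columns are name, generation."""
    generations: dict[str, int] = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        generations[row[0].strip()] = int(row[1])
    return generations


def sbat_allows(binary_sbat: str, policy: str) -> tuple[bool, str]:
    """Refuse a binary if any component it declares is older than the policy requires;
    components the policy does not name are left alone."""
    declared, required = parse_sbat(binary_sbat), parse_sbat(policy)
    for name, min_gen in required.items():
        gen = declared.get(name)
        if gen is not None and gen < min_gen:
            return False, f"{name}: generation {gen} < required {min_gen}"
    return True, "ok"


# Constructed .sbat sections; generations, versions and the policy date are illustrative.
SBAT_HEADER = "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
DEBIAN_GRUB_OLD = (SBAT_HEADER
    + "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    + "grub.debian,3,Debian,grub2,2.06-3,https://tracker.debian.org/pkg/grub2\n")
FEDORA_GRUB_OLD = (SBAT_HEADER
    + "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    + "grub.fedora,1,The Fedora Project,grub2,2.06-50,https://src.fedoraproject.org/rpms/grub2\n")
DEBIAN_GRUB_FIXED = DEBIAN_GRUB_OLD.replace("grub,2,Free", "grub,3,Free")
POLICY_AFTER_FIX = "sbat,1,2024010900\ngrub,3\n"  # raised once upstream GRUB generation 3 is out


def count_refused(sections: list[str], policy: str) -> int:
    """How many of the given builds the policy refuses."""
    return sum(1 for s in sections if not sbat_allows(s, policy)[0])


if __name__ == "__main__":
    ten = [f"distro{i}" for i in range(10)]
    print("hash denylist, 1600-byte variable, 10 distros:", vulnerabilities_that_fit(ten, 1600))
    print("SBAT policy bytes:", len(POLICY_AFTER_FIX), "refused:",
          count_refused([DEBIAN_GRUB_OLD, FEDORA_GRUB_OLD, DEBIAN_GRUB_FIXED], POLICY_AFTER_FIX))
```

The contrast is the point: with a 1600-byte variable and ten distributions, the hash list is exhausted after five GRUB vulnerabilities, because every distribution's build of every affected version needs its own 32-byte entry. The two-line SBAT policy, by contrast, refuses every distribution's old build at once and lets the rebuilt one through, and its size does not grow with the number of distributions.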