@@ -5,12 +5,14 @@ Note: Every command requires to be performed while logged as root unless explici
...
@@ -5,12 +5,14 @@ Note: Every command requires to be performed while logged as root unless explici
## Some context
## Some context
When booting a system, different programs are run. As a very rough and simplified overview, for a system supporting UEFI we can say that:
When booting a system, different programs are run. As a very rough and simplified overview, for a system supporting UEFI we can say that:
* First UEFI is in control.
* First UEFI is in control.
* Then it calls an efi application, generally a bootloader (e.g. GRUB) and in our case a customed initramfs.
* Then it calls an EFI application (.efi), generally a bootloader (e.g. GRUB).
* The initramfs (or bootloader) then switches to the OS (in our case, the Linux Kernel).
* The bootloader in turn calls the OS.
* To find the user's root file system, a Linux Kernel may use an already prepared temporary file system called initramfs.
* In our case, the Linux Kernel is directly embedded in the efi application and it uses a custom initramfs.
UEFI provides a feature called Secure Boot (SB) which can verify the efi applications' signature with keys stored by UEFI, so that an attacker cannot modify the boot sequence and tamper with what is run on the machine early during the boot process. Such an attack would make the threat undetectable with the classic forensic tools, i.e. from the already booted OS.
UEFI provides a feature called Secure Boot (SB) which can verify the efi applications' signature with keys stored by UEFI, so that an attacker cannot modify the boot sequence and tamper with what is run on the machine early during the boot process. Such an attack would make the threat undetectable with the classic forensic tools, i.e. from the already booted OS.
Nexedi developped for Rapid.Space a system going further, which scans the filesystem to be mounted by initramfs **during** the initramfs stage, i.e. before the Linux Kernel has taken over, and send the scan to Wendelin for further analysis. To do so, we create a customed initramfs embedding the scanner and sender and we sign it with our own keys. Then, if our keys are enrolled by UEFI, it can verify the integrity of our customed initramfs, loaded by UEFI as an efi application. With this process, we get a complete scan of the to-be-loaded file system each time a server boots. We can detect abnormal file signatures and permissions while being sure than an attacker could not modify the tools we used to create and send the scan.
Nexedi developped for Rapid.Space a system going further, which scans the user's root file system to be mounted by initramfs **during** the initramfs stage, i.e. before the final root file system has taken over, and send the scan to Wendelin for further analysis. To do so, we create a custom initramfs embedding the scanner and sender and we sign it with our own keys. Then, if our keys are enrolled by UEFI, it can verify the integrity of our customed initramfs, loaded by UEFI as an efi application. With this process, we get a complete scan of the actual root file system each time a server boots. We can detect abnormal file signatures and permissions while being sure than an attacker could not modify the tools we used to create and send the scan.
Note: The scanning tool is called Metadata Collect Agent (MCA), see the project at
Note: The scanning tool is called Metadata Collect Agent (MCA), see the project at