Anti-Evil Maid with UEFI and Xen
Brendan Kerrigan
Assured Information Security
According to the UEFI specification, measurements of boot components and applications are required if the system has a TPM present. These measurements are referred to as Static Root-of-Trust Measurements (SRTMs). The SRTMs only extend to the firmware and the EFI applications it launches. However, modern operating systems have many moving components that are critical to the security and integrity of the system as a whole. In the case of Linux for example, hijacking the initramfs or even just being able to manipulate the boot parameters can prove to be disastrous.
The problem is also present for systems such as Xen, which is the cornerstone of both QubesOS and OpenXT. While Xen can be included in the SRTM measurements, if it is booted directly by the UEFI firmware (ie. without GRUB), none of its critical components —such as the XSM policy, dom0 kernel or the command line arguments — would be measured.
We have extended the shim EFI loader and Xen to allow measurement to be made of these critical components during boot. Using these measurements, it is possible to implement Anti-Evil Maid solutions without the use of Intel TXT, enabling a practical solution for non-Intel hardware. That said, the solution is compatible with TXT, allowing for deployments where the end of the SRTM chain is the start of the DRTM, thus eliminating the traditional “gap” present in DRTM solutions.
⏭ | |
🔎 | Boot Integrity · OpenXT · Xen |
⬇ | Slides |
Source Code
- Xen: Add EFI_LOAD_OPTION support: patch (Jan 2018) · merged (Jul 2018)
- Shim PR: Add Measure function to the shim lock protocol (Mar 2018)
- Shim PR: Expose ALLOW_32BIT_KERNEL_ON_X64 via Make.defaults (Mar 2018)
- Xen and dom0 with UEFI SecureBoot and Intel TXT, Tamas Lengyel