[0/1,isar-cip-core] Secureboot: disable initramfs debug shell

Message ID	20210319072036.16091-1-michael.adler@siemens.com (mailing list archive)
Headers	show Return-Path: <SRS0=o79J=IR=lists.cip-project.org=bounce+64572+6298+4520388+8129055@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B11B164F04 From: "Michael Adler" <michael.adler@siemens.com> To: cip-dev@lists.cip-project.org CC: Michael Adler <michael.adler@siemens.com> Subject: [cip-dev] [PATCH 0/1] [isar-cip-core] Secureboot: disable initramfs debug shell Date: Fri, 19 Mar 2021 08:20:35 +0100 Message-ID: <20210319072036.16091-1-michael.adler@siemens.com> MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Precedence: Bulk Sender: cip-dev@lists.cip-project.org Mailing-List: list cip-dev@lists.cip-project.org; contact cip-dev+owner@lists.cip-project.org Reply-To: cip-dev@lists.cip-project.org Content-Type: multipart/mixed; boundary="GrLsd89PQLKDtk0rO3BA"
Series	Secureboot: disable initramfs debug shell \| expand [0/1,isar-cip-core] Secureboot: disable initramfs debug shell [1/1] Secureboot: Disable initramfs debug shell

Message ID

20210319072036.16091-1-michael.adler@siemens.com (mailing list archive)

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B11B164F04
From: "Michael Adler" <michael.adler@siemens.com>
To: cip-dev@lists.cip-project.org
CC: Michael Adler <michael.adler@siemens.com>
Subject: [cip-dev] [PATCH 0/1] [isar-cip-core] Secureboot: disable initramfs
 debug shell
Date: Fri, 19 Mar 2021 08:20:35 +0100
Message-ID: <20210319072036.16091-1-michael.adler@siemens.com>
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-Received: from localhost (93.104.75.247) by
 AM4PR05CA0026.eurprd05.prod.outlook.com (2603:10a6:205::39) with Microsoft
 SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3955.18 via Frontend
 Transport; Fri, 19 Mar 2021 07:22:17 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 8caced56-563b-4286-4c37-08d8eaa7ba38
X-MS-TrafficTypeDiagnostic: AM9PR10MB4183:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: 
	<AM9PR10MB418321317653F54F3155A047E8689@AM9PR10MB4183.EURPRD10.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:2582;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: 
	eDPSaHJpdoV+kByUr+VClnN+fSHHpxcblPqTw/8xAId9t97RD+ZNT6dMHTg6vN//dMhdEyRPUfDdNFUsqCUwk5L3Bg+25aOPTw6E48yYfoCbojLyF5HASW5Mg38CcIltZo07/4OwGW7Af2H95nhzLLgeTXR2HZIRGqFIO6ceavIjbwETE7zeesuLl1jd5tbe8IP9osc5zKDWTk/jpMaJysh3TLR3+fylFrOI/3LHXc9EjrM1JAx1cobVr4FhN7CT19/h5UTFF9gIt22GAqP4J5YRiYsJcJErgJNsIdfiNYrvEJG4lhv6OkdaiWkS2Ry3qpc8bk+WEuWSdfDKHJNeXgSjFgAZIe4bUe+8rZBQViSjl9p8SYIDyBh6hGQJrjOikuOcDKvwnx4Bq0+29XwXJkKYhFuWWjK9EY1P7SutEKkRQXLOscgp2frnCZNQQtG1wQoPxGKjJncjFhBh6XY8Re7jew27RuowM24cEHc/nxhAGR4rO+yIH5e32GsqDSWRiJEXfWfouJDAevsc4zq6U1RICTSSbln8mHvZ9V8+r7ikTpSjT9ECfhtHS2K2xYgoAoknpENJepRtFsL6UO4/EHVHSMcPG10sXWaTj/rkiCbVjpcnk/JaFfse/kCcWzAalgRjg81C/ZbMMmURzwKkPJCqCvEe/Wp7Jbyi4+cz54o=
X-MS-Exchange-AntiSpam-MessageData: 
 ocSZ9TyypSmZXucJt2yxN7rniXvknDbFAqT8OJ3b0LyfEqgEcAZJ8RD6GNVdXyNEKcxyCjvwf1XUiug/nshsVpmNSCWaGcqlUraLZdyxlTnZIU+j4uiavISo0jGOeSDT1ffpjj9QZWFWMd0Sca0+HLm07UmgDCP85sTswX7hghuQERCKHP9Bz+DW0+hQ/ELw3t4krgfvkXu/a+p+n1bxWR44f/kPhX/TWmKUVhieT0rRLN/B20CZ7nj3w1g70ovbI1Aw9p+GnqAKTeJ0nOSIcenhN41eWfST1BlNdGS2+YCHujOjBJ6oq8YJhHwXiwnzGv4cXhhzpPC/zvV+E/PQxH5gh04Kz8LHeeyWbh73niYmea0FPp+oy9d1ET0obRJ1TuDQNqo5N5/VNya+5YAn+I0LOWJU1kdXzNhl0UTGhwcsL7XYxjOiterCReZy2WvB5ZZHGNs8gPNd8T/judFeXyHShsBdcVDiXUWeQam1X7b1WMWRYExacaayOer7XOLpALfZZ/rRdwkM/zCAt6KZjJpVcoSQeWp+18siTciMSIPu2gh/pllqkJ6w4n51sUi3YqFib4oXTY55c5O1un0pqgVOiQ6Ft0HFdhOB1IVzXOQx00cLW2vumXeHoDMYuVEPjq61zuKfNfnKojgoNJKHDQ1x0F9dwghlozRdm1ZdfUw0P632Px5UPGNt1kQIJSnuUlTXMiOdBjz2/Lw7VCbFaVZpuDvLCdBc5F9HnQhlMA0m/m/WKLoRPZQnTTmcZp0a9FwSNLZbX2eZkZ+sk01rwOYW31gXNuixXxBgOCbJrKNE5ROpwTr3AKGFr2LYay/yfPY0MlCS0xn0unPg/HFLIq3ca8E8HnHhKMq6slhFJPdEK6tqfb9pbE4IbM9vxEwUc6YUKPPgW2F8xd8ANCSaIlZ6eRETOB8FRNNIKqqJRDqDn2AP6xjmI3VKrrN8biV2k3kJdStZ0FhAAv8xM9Pln9wr9t8y8/z2R/4icxLwS6Q0XJ4RmpRVvGTGfgWQ6X0Xb1hDFQBhdc6DZX8skbU3g1NGgh//cI950EF+85V2mgzBf//P9zXTZaMPsFTUU27ohzrYzW1egDBmX4cmLDYLrKmLBW+8aDwQPVhu1JCoQM+LRFJWj23b3pcKVY3LU1KZ9MLZGm63Jw7JLvbumQgaQ62j2HnyuipouM9sZ74ayLXC+GtUVnwI6kPwAflgkty0LuMdDS8x3ntA/QdkiDPIiKD0GX1pS4UIgE+mTu38lfEpnfKPF1UvO/4ZlkcxqM1BTQCh17u6jUe4qc1X1NsP33bPoxMl2+PKMuwLiFYGrtpQYvWKJKWXq/GY+RTslqSC
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 8caced56-563b-4286-4c37-08d8eaa7ba38
X-MS-Exchange-CrossTenant-AuthSource: AM0PR10MB2322.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Mar 2021 07:22:18.3531
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 F0TTtRzw61m39vyFbVsoN8Jri3O5LhmM/snDao47ksabh4dZgny/ir0F7aMvo0Jn6VBN/mZTLPBpDHEYumlXqiP68RaHSI9D4DTIOraki1s=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM9PR10MB4183
Precedence: Bulk
List-Unsubscribe: <https://lists.cip-project.org/g/cip-dev/unsub>
Sender: cip-dev@lists.cip-project.org
List-Id: <cip-dev.lists.cip-project.org>
Mailing-List: list cip-dev@lists.cip-project.org;
 contact cip-dev+owner@lists.cip-project.org
Reply-To: cip-dev@lists.cip-project.org
X-Gm-Message-State: 4JYhfzBqnAx1CK2awaKPdaY8x4520388AA=
Content-Type: multipart/mixed; boundary="GrLsd89PQLKDtk0rO3BA"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
 d=lists.cip-project.org; q=dns/txt; s=20140610; t=1616138542;
 bh=knE5peuBPgjtrZDQr5vqMg6CUpraUIJPQy7eXKZqwag=;
 h=CC:Content-Type:Date:From:Reply-To:Subject:To;
 b=XEGPBgTdz9ldieiE2askcDyIcpooAD6nO74zRmFU0Cm7lLgdVFzjU3E9h4/fDAeUhsl
 jUH3i94RCYEjL7GaAWtMV5ZVzj8PjNPVZHFb3vjrMpNzM9ShWKprFvYrNEkBrYL4fczwr
 09+pBfCmcyxsl2NbK7zujFyDdrDSxkhrXd4=

Series

Secureboot: disable initramfs debug shell | expand

Message

Michael Adler March 19, 2021, 7:20 a.m. UTC

Hi everyone,

the following patch intends to close a loophole in the secureboot boot chain.

By default, Debian Buster's initramfs drops the user to an interactive debug
shell in case of a severe error (e.g. rootfs cannot be mounted). This is
essentially a root shell and can be abused to tamper with the system.

This feature can be disabled by appending panic=0 to the kernel cmdline.

Kind regards,
Michael


Michael Adler (1):
  Secureboot: Disable initramfs debug shell

 wic/qemu-amd64-efibootguard-secureboot.wks | 2 ++
 wic/qemu-amd64-efibootguard.wks            | 2 ++
 wic/simatic-ipc227e-efibootguard.wks       | 2 ++
 wic/swupdate-partition.inc                 | 2 --
 4 files changed, 6 insertions(+), 2 deletions(-)