Hard-to-fix vulnerabilities in GRUB2 that allow bypassing UEFI Secure Boot

Details have been disclosed about 8 vulnerabilities in the GRUB2 bootloader that allow bypassing the UEFI Secure Boot mechanism and running unverified code, for example to plant malware that runs at the bootloader or kernel level.

Recall that in most Linux distributions, verified boot in UEFI Secure Boot mode relies on a small shim layer that is digitally signed by Microsoft. This layer verifies GRUB2 with its own certificate, which spares distribution developers from having every kernel and GRUB update certified by Microsoft. Vulnerabilities in GRUB2 make it possible to execute your own code at the stage after shim has been successfully verified but before the operating system is loaded. The code wedges itself into the chain of trust while Secure Boot mode is active and gains full control over the rest of the boot process, including loading another OS, modifying operating system components and bypassing Lockdown protection.

As with last year's BootHole vulnerability, updating the bootloader is not enough to block the problem, because an attacker, regardless of the operating system in use, can use bootable media with an old, digitally signed, vulnerable version of GRUB2 to compromise UEFI Secure Boot. The problem can only be solved by updating the certificate revocation list (dbx, UEFI Revocation List), but in that case the ability to use old Linux installation media is lost.

On systems whose firmware has an updated certificate revocation list, only updated builds of Linux distributions can be loaded in UEFI Secure Boot mode. Distributions will need to update installers, bootloaders, kernel packages, fwupd firmware and the shim layer, generating new digital signatures for them. Users will need to update installation images and other bootable media, and also load the certificate revocation list (dbx) into the UEFI firmware. Until dbx is updated in UEFI, the system remains vulnerable regardless of whether updates have been installed in the OS. The status of the vulnerabilities can be tracked on these pages: Ubuntu, SUSE, RHEL, Debian.

To solve the problems that arise when distributing revoked certificates, it is planned to use the SBAT (UEFI Secure Boot Advanced Targeting) mechanism in the future. Support for it has been implemented for GRUB2, shim and fwupd, and starting with the next updates it will be used instead of the functionality provided by the dbxtool package. SBAT was developed jointly with Microsoft and involves adding new metadata to the executable files of UEFI components, containing information about the manufacturer, product, component and version. This metadata is certified by a digital signature and can additionally be included in the lists of allowed or forbidden components for UEFI Secure Boot. SBAT will therefore make it possible to manipulate component version numbers during revocation without having to regenerate keys for Secure Boot and without generating new signatures for the kernel, shim, grub2 and fwupd.

Identified vulnerabilities:

  • CVE-2020-14372 - Using the acpi command in GRUB2, a privileged user on the local system can load modified ACPI tables by placing an SSDT (Secondary System Description Table) in the /boot/efi directory and changing settings in grub.cfg. Even though Secure Boot mode is active, the supplied SSDT will be executed by the kernel and can be used to disable the LockDown protection that blocks UEFI Secure Boot bypass paths. As a result, an attacker can load their own kernel module or run code through the kexec mechanism without a digital signature check.
  • CVE-2020-25632 - A use-after-free memory access in the implementation of the rmmod command, which occurs on an attempt to unload any module without taking into account the dependencies associated with it. The vulnerability does not rule out the creation of an exploit that could lead to code execution bypassing Secure Boot verification.
  • CVE-2020-25647 - An out-of-bounds write in the grub_usb_device_initialize() function, which is called when USB devices are initialized. The problem can be exploited by connecting a specially prepared USB device that produces parameters whose size does not match the size of the buffer allocated for USB structures. By manipulating USB devices, an attacker can achieve execution of code that is not verified by Secure Boot.
  • CVE-2020-27749 - A buffer overflow in the grub_parser_split_cmdline() function, which can be triggered by specifying variables larger than 2 KB on the GRUB1 command line. The vulnerability allows code execution bypassing Secure Boot.
  • CVE-2020-27779 - The cutmem command allows an attacker to remove a range of addresses from memory in order to bypass Secure Boot.
  • CVE-2021-3418 - Changes to shim_lock created an additional vector for exploiting last year's vulnerability CVE-2020-15705. By installing the certificate used to sign GRUB2 in dbx, GRUB2 allowed any kernel to be loaded directly without verifying the signature.
  • CVE-2021-20225 - The possibility of writing data out of bounds when running commands with a very large number of options.
  • CVE-2021-20233 - The possibility of writing data out of bounds due to an incorrect buffer size calculation when using quotes. When calculating the size, it was assumed that three characters were needed to escape a single quote, when in fact four were needed.

Source: opennet.ru
