Dreamstime
Promo Worm Dreamstime L 123421369 Web 5f2425ffd71b1

Dealing with a Hole in Secure Boot

Aug. 7, 2020
What happens when UEFI secure boot isn’t secure? A vulnerability in GRUB2 code has the open-source community hard at work.

These days, any discussion about security starts with the root of trust. For most secure systems, this will be a secure boot based on keys stored within a system that are used to verify the code involved in booting the system. This prevents an attacker from replacing the boot code with malicious code.

The Unified Extensible Firmware Interface (UEFI) is employed on most systems these days, but one of the secure boot platforms has a hole in it. Actually, it has more than one and it’s not alone. I’m referring to CVE-2020-10713, also known as BootHole. It’s a typical buffer overrun error in GRUB2, the latest GRand Unified Boot Loader (GRUB) for Linux. The exploit is done by simply modifying a text string in a configuration file. The hack is actually a little more difficult to compute; however, once installed, the system is compromised on the next reboot.

The bug was found by researchers at Eclypsium, a security company. Their paper, “There’s a Hole in the Boot,” explains the GRUB2 vulnerability.

Getting a Grasp on GRUB2

Essentially GRUB2 is just part of the UEFI secure-boot chain that starts with firmware that uses the secure keys to verify the code at each step in the process hasn’t been compromised. The chain is needed to provide flexibility in the boot process. It allows modules to be included to handle additional hardware as well as provide more system functionality.

In a nutshell, the GRUB2 code has a bug that can be exploited whereby a malicious bootloader can be run instead of the desired boot code. The problem is that once this occurs, the operating system and any applications are essentially compromised. GRUB2 normally boots Linux, but it can provide multiple boot support that starts other operating systems like Windows.

The open-source community, including the likes of Microsoft, Red Hat, and Canonical, have worked on modifications to GRUB2 to address this particular bug. Additional bugs were found and addressed in the process of examining the security aspects of GRUB2. Updating GRUB2 on a system will fix these holes. Canonical’s GRUB2SecureBootBypass page enumerates additional GRUBS2 CVEs as well as Ubuntu versions that have the fixes.

The problem isn’t too critical as an attacker needs access to the system to modify the configuration file. This isn’t necessarily an easy remote task on a secure system. Still, it highlights the problem with a secure-boot system in that the process needs to be bug-free. Likewise, updating a system is critical when problems are detected and fixed, but this assumes that updates are made available and installed.

Too many IoT devices are utilizing connectivity strictly for the application aspect of the device with little thought given to remote updates. Secure boot in an IoT device helps to secure the device—assuming the secure boot can’t be compromised. Devices from internet gateways to smart speakers are being deployed without the benefit of upgrades, and the secure-boot aspect prevents a user from updating the system.

Developers and system administrators who deal with system installations and updates can handle these changes with relative ease. However, these things are beyond end users who aren’t even aware of the intricacies of how their device actually goes from power on to recognizing their voice commands.

About the Author

William G. Wong | Senior Content Director - Electronic Design and Microwaves & RF

I am Editor of Electronic Design focusing on embedded, software, and systems. As Senior Content Director, I also manage Microwaves & RF and I work with a great team of editors to provide engineers, programmers, developers and technical managers with interesting and useful articles and videos on a regular basis. Check out our free newsletters to see the latest content.

You can send press releases for new products for possible coverage on the website. I am also interested in receiving contributed articles for publishing on our website. Use our template and send to me along with a signed release form. 

Check out my blog, AltEmbedded on Electronic Design, as well as his latest articles on this site that are listed below. 

You can visit my social media via these links:

I earned a Bachelor of Electrical Engineering at the Georgia Institute of Technology and a Masters in Computer Science from Rutgers University. I still do a bit of programming using everything from C and C++ to Rust and Ada/SPARK. I do a bit of PHP programming for Drupal websites. I have posted a few Drupal modules.  

I still get a hand on software and electronic hardware. Some of this can be found on our Kit Close-Up video series. You can also see me on many of our TechXchange Talk videos. I am interested in a range of projects from robotics to artificial intelligence. 

Sponsored Recommendations

Comments

To join the conversation, and become an exclusive member of Electronic Design, create an account today!