Are there any plans on publishing an installer, live image / any release of Fedora with support for a Verified Boot mechanism?
What I mean by this is either providing an image with a UKI, OR verifying the initramfs before booting from it. Current Fedora installer images are susceptible to initramfs tampering even with Secure Boot enabled. This makes it difficult to verify the Fedora install is untampered with.
It would be great for users to have the option to bootstrap trust from an untrusted source just by trusting Fedora’s signing keys. I’m not fully aware of Secure Boot guidelines and I’m not saying this needs to be signed with Microsoft trusted keys / be fully compatible with stock Secure Boot. But I’m definitely advocating for Fedora to release something that is signed like this, so optionally users could go the no trust route and be absolutely sure nobody tampers with their installation medium, as long as they add a valid Fedora key to their Secure Boot settings.
Do note that I’m not talking about setting up UKIs post-install, but rather being able to create trust even from a worst case scenario. (having an infected computer that is actively targetting Fedora ISOs and still being able to burn an ISO and install it on a PC with guarantees it wasn’t tampered with).
It doesn’t have to be an installer. Even just a minimal environment with a shell built-in would go a long way. Users could then download a Fedora ISO, verify it and flash it on that trusted environment. I acknowledge this is something that 99% of users don’t have to worry about, but the security gap still exists, and it certainly is ambiguous enough for it be exploited without targeted attacks.
P.S. I have seen a few forum posts claiming that Cloud images have UKI support out of the box AND that Silverblue does achieve this level of verification, yet I haven’t been able to locate any image that actually does. Does anyone have any information on this?
I’m not sure what threat model you’re looking for with our live images. The initramfs is on a read-only filesystem (erofs) that can be verified with the embedded checksum when you boot. Any tampering would cause the media check to fail. That’s also why the media check is the selected option by default.
There are UKI-flavored versions of the cloud images. They are built but I guess nobody wired them up to be published anywhere. You can find them in our build system.
I’m not entirely sure if this answers the question, but the still unofficial Fedora Atomic Desktops Bootable Container images are signed with cosign (sigstore).
It is possible I am mistaken here, but my assumption is that the program doing the verification is loaded from the initramfs itself, which is not yet signed. This does technically break the root of trust instantly. If instead the verification is handled via something signed such as GRUB, then forget everything I said, you’re right
I think that keeping the initramfs unsigned / tamperable totally nullifies the impact of having a signed shim and kernel, as is currently done. Any attack that is prevented by those signatures can instead be moved to target the initramfs.
Extending this to sign the initramfs as well (via providing a signed UKI or by other means) would actually make Secure Boot, well, fully be able to secure the boot. I assume this is what Fedora developers would want to eventually do, but it’s possible that this is just prevented due to Microsoft deciding it’s outside the responsibility of Secure Boot.
Anyhow, having this option would make the Fedora images much more secure, give users the able to bootstrap trust from Fedora, and give Secure Boot the potential to verify the entire boot chain, even if it needs custom keys (which are super easy to add and verify on practically all UEFI firmware)
If the initramfs is properly verified like you pointed it to be, please ignore my ranting, this turned out to be a non-existent problem
Thank you a lot for linking these! No wonder I totally missed them
It is currently from a dracut module, but the checksum is embedded in the actual filesystem image itself that holds the erofs. You’re right that as-is, it doesn’t prevent malicious tampering, but teaching GRUB to do the check is probably possible.
The jury is out on UKIs. There are some serious pitfalls with UKIs:
If installed on the ESP, then it massively increases space contention since UKIs are typically “generic” images which are 200~300 MiB apiece with all the modules and firmware bundled into the image (because it’s basically a massive initramfs prepended with an EFI executable stub). They are too big to fit on the ISO ESP (which is only 30 MiB).
UKIs with secure boot also eliminate the ability to pass command line options for one-time boot overrides. This can be a problem for handling different failure modes (e.g. nomodeset for basic graphics mode).
Bootloader-less UKI setup (which is admittedly not required) means that you need to be configuring the EFI firmware menu, which is not exactly the most reliable thing on hardware. And of course, you lose option configuration this way too, and every kernel update is a write to NVRAM, so you can wear it out a lot faster.
I personally would prefer some other means if we want some kind of tamper detection/prevention, perhaps with fsverity or bootloader bootstrapped checksum checking.
Keep in mind that the UKI flavored cloud images have limited hardware support (due to the UKIs being made for virtualized environments).
I must ask. While the UKI does provide an early verified initramfs, it does load another initramfs from disk. Is the latter initramfs somehow cryptographically verified?
I don’t think kernel-uki-virt provides two images, there’s just two copies of the same image, since one has to live on the ESP and the other is on the regular OS volume.
Unfortunately, the UKI boots with console=ttyS0, so it cannot be used on most machines to do much of anything (no serial). Certainly understandable as it’s meant for virtualized environments, but is there really no other way to accomplish this?
Are there no plans to release any sort of fully verified image that provides a minimal shell environment so users could do this sort of bootstrapping?
Not currently. I laid out the constraints we have in doing so with the existing stuff. But if something that could be done using GRUB to check were made, we could easily incorporate it into the images. Heck, if the media check was done at the GRUB level instead of the initramfs level, that would be an improvement.
I’ve also thought about authenticated Btrfs filesystem trees as a way to do this, but you still need something to do the initial fsverity check for the vmlinux and initramfs image files.
!
