Skip to content

Impose Access Restriction to the Recovery Shell #356

Description

@biergaizi

Currently, HEADS will prompt a recovery shell under any fault conditions, it may not be a concern in a perspective of security. However, unlike other bootloaders, such as GRUB which only has read-only access to the disk with minimum risks of data destruction, HEADS is a fully-functional Linux-based operating system with full R/W access to the hard drive and hardware.

It enables extremely easy vandalism for script kiddies with physical access to the machine via the recovery shell, i.e. a keyboard-only denial-of-service attack. With keyboard-only access to an unguarded machine (such as a public machine in a lab), the script kiddie is able to...

  • Removing any data from the hard drive.
  • Changing the system time and invalidate TOTP.
  • Resetting the TPM.
  • Destroying the boot firmware.

within a minute or two.

It may be a serious issue depending on one's threat model. For example, public computers are especially vulnerable. Major bootloaders, such an GRUB, allows programming a hashes password to the configuration script for access restrictions to the boot entry and the shell prompt. With access control, vandalism is only possible by physically disassembling the machine, which can be much harder.

In order to implement access control, two types of changes are needed.

  1. First, the recovery shell is provided unconditionally under a fault condition, for example, in initrd/init.

    # We should never reach here, but just in case...
    recovery 'Boot script failure?  Entering recovery shell'
    # belts and suspenders, just in case...
    tpm extend -ix 4 -ic recovery
    exec /bin/ash
    

    In an unexpected fault conditions, exec /bin/ash should be replaced with exit to trigger a kernel panic immediately.

  2. For expected fault conditions and system maintenance, such as a TOTP mismatch, initrd/bin/generic-init should include an authentication scheme, for example a hashed password checkpoint, or a digital signature verification routine, to ensure the recovery shell access is obtained only under proper authentication.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions