Currently, HEADS will prompt a recovery shell under any fault conditions, it may not be a concern in a perspective of security. However, unlike other bootloaders, such as GRUB which only has read-only access to the disk with minimum risks of data destruction, HEADS is a fully-functional Linux-based operating system with full R/W access to the hard drive and hardware.
It enables extremely easy vandalism for script kiddies with physical access to the machine via the recovery shell, i.e. a keyboard-only denial-of-service attack. With keyboard-only access to an unguarded machine (such as a public machine in a lab), the script kiddie is able to...
- Removing any data from the hard drive.
- Changing the system time and invalidate TOTP.
- Resetting the TPM.
- Destroying the boot firmware.
within a minute or two.
It may be a serious issue depending on one's threat model. For example, public computers are especially vulnerable. Major bootloaders, such an GRUB, allows programming a hashes password to the configuration script for access restrictions to the boot entry and the shell prompt. With access control, vandalism is only possible by physically disassembling the machine, which can be much harder.
In order to implement access control, two types of changes are needed.
-
First, the recovery shell is provided unconditionally under a fault condition, for example, in initrd/init.
# We should never reach here, but just in case...
recovery 'Boot script failure? Entering recovery shell'
# belts and suspenders, just in case...
tpm extend -ix 4 -ic recovery
exec /bin/ash
In an unexpected fault conditions, exec /bin/ash should be replaced with exit to trigger a kernel panic immediately.
-
For expected fault conditions and system maintenance, such as a TOTP mismatch, initrd/bin/generic-init should include an authentication scheme, for example a hashed password checkpoint, or a digital signature verification routine, to ensure the recovery shell access is obtained only under proper authentication.
Currently, HEADS will prompt a recovery shell under any fault conditions, it may not be a concern in a perspective of security. However, unlike other bootloaders, such as GRUB which only has read-only access to the disk with minimum risks of data destruction, HEADS is a fully-functional Linux-based operating system with full R/W access to the hard drive and hardware.
It enables extremely easy vandalism for script kiddies with physical access to the machine via the recovery shell, i.e. a keyboard-only denial-of-service attack. With keyboard-only access to an unguarded machine (such as a public machine in a lab), the script kiddie is able to...
within a minute or two.
It may be a serious issue depending on one's threat model. For example, public computers are especially vulnerable. Major bootloaders, such an GRUB, allows programming a hashes password to the configuration script for access restrictions to the boot entry and the shell prompt. With access control, vandalism is only possible by physically disassembling the machine, which can be much harder.
In order to implement access control, two types of changes are needed.
First, the recovery shell is provided unconditionally under a fault condition, for example, in
initrd/init.In an unexpected fault conditions,
exec /bin/ashshould be replaced withexitto trigger a kernel panic immediately.For expected fault conditions and system maintenance, such as a TOTP mismatch,
initrd/bin/generic-initshould include an authentication scheme, for example a hashed password checkpoint, or a digital signature verification routine, to ensure the recovery shell access is obtained only under proper authentication.