[personal profile] mjg59
In measured boot, each component of the boot process is "measured" (ie, hashed and that hash recorded) in a register in the Trusted Platform Module (TPM) built into the system. The TPM has several different registers (Platform Configuration Registers, or PCRs) which are typically used for different purposes - for instance, PCR0 contains measurements of various system firmware components, PCR2 contains any option ROMs, PCR4 contains information about the partition table and the bootloader. The allocation of these is defined by the PC Client working group of the Trusted Computing Group. However, once the boot loader takes over, we're outside the spec[1].

One important thing to note here is that the TPM doesn't actually have any ability to directly interfere with the boot process. If you try to boot modified code on a system, the TPM will contain different measurements but boot will still succeed. What the TPM can do is refuse to hand over secrets unless the measurements are correct. This allows for configurations where your disk encryption key can be stored in the TPM and then handed over automatically if the measurements are unaltered. If anybody interferes with your boot process then the measurements will be different, the TPM will refuse to hand over the key, your disk will remain encrypted and whoever's trying to compromise your machine will be sad.

The problem here is that a lot of things can affect the measurements. Upgrading your bootloader or kernel will do so. At that point if you reboot your disk fails to unlock and you become unhappy. To get around this your update system needs to notice that a new component is about to be installed, generate the new expected hashes and re-seal the secret to the TPM using the new hashes. If there are several different points in the update where this can happen, this can quite easily go wrong. And if it goes wrong, you're back to being unhappy.

Is there a way to improve this? Surprisingly, the answer is "yes" and the people to thank are Microsoft. Appendix A of a basically entirely unrelated spec defines a mechanism for storing the UEFI Secure Boot policy and used keys in PCR 7 of the TPM. The idea here is that you trust your OS vendor (since otherwise they could just backdoor your system anyway), so anything signed by your OS vendor is acceptable. If someone tries to boot something signed by a different vendor then PCR 7 will be different. If someone disables secure boot, PCR 7 will be different. If you upgrade your bootloader or kernel, PCR 7 will be the same. This simplifies things significantly.

I've put together a (not well-tested) patchset for Shim that adds support for including Shim's measurements in PCR 7. In conjunction with appropriate firmware, it should then be straightforward to seal secrets to PCR 7 and not worry about things breaking over system updates. This makes tying things like disk encryption keys to the TPM much more reasonable.

However, there's still one pretty major problem, which is that the initramfs (ie, the component responsible for setting up the disk encryption in the first place) isn't signed and isn't included in PCR 7[2]. An attacker can simply modify it to stash any TPM-backed secrets or mount the encrypted filesystem and then drop to a root prompt. This, uh, reduces the utility of the entire exercise.

The simplest solution to this that I've come up with depends on how Linux implements initramfs files. In its simplest form, an initramfs is just a cpio archive. In its slightly more complicated form, it's a compressed cpio archive. And in its peak form of evolution, it's a series of compressed cpio archives concatenated together. As the kernel reads each one in turn, it extracts it over the previous ones. That means that any files in the final archive will overwrite files of the same name in previous archives.

My proposal is to generate a small initramfs whose sole job is to get secrets from the TPM and stash them in the kernel keyring, and then measure an additional value into PCR 7 in order to ensure that the secrets can't be obtained again. Later disk encryption setup will then be able to set up dm-crypt using the secret already stored within the kernel. This small initramfs will be built into the signed kernel image, and the bootloader will be responsible for appending it to the end of any user-provided initramfs. This means that the TPM will only grant access to the secrets while trustworthy code is running - once the secret is in the kernel it will only be available for in-kernel use, and once PCR 7 has been modified the TPM won't give it to anyone else. A similar approach for some kernel command-line arguments (the kernel, module-init-tools and systemd all interpret the kernel command line left-to-right, with later arguments overriding earlier ones) would make it possible to ensure that certain kernel configuration options (such as the iommu) weren't overridable by an attacker.

There's obviously a few things that have to be done here (standardise how to embed such an initramfs in the kernel image, ensure that luks knows how to use the kernel keyring, teach all relevant bootloaders how to handle these images), but overall this should make it practical to use PCR 7 as a mechanism for supporting TPM-backed disk encryption secrets on Linux without introducing a huge support burden in the process.

[1] The patchset I've posted to add measured boot support to Grub uses PCRs 8 and 9 to measure various components during the boot process, but other bootloaders may have different policies.

[2] This is because most Linux systems generate the initramfs locally rather than shipping it pre-built. It may also get rebuilt on various userspace updates, even if the kernel hasn't changed. Including it in PCR 7 would entirely break the fragility guarantees and defeat the point of all of this.
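
The sealing behaviour the post describes (a secret bound to PCR 7 survives a kernel update, is refused when Secure Boot policy or the signer changes, and becomes unobtainable once an extra value is measured after the first unseal) can be modelled in a few lines. This is an added example, not code from the post or from Shim: it is a toy software model rather than a real TPM interface, and the event strings, the `CAP` value and all function names are constructed for illustration.

```python
import hashlib

def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend: new = H(old || H(event)); a PCR can never be written directly."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def replay(events) -> bytes:
    """Compute the PCR value a sequence of events produces from reset (all zeros)."""
    pcr = bytes(32)
    for event in events:
        pcr = extend(pcr, event)
    return pcr

def pcr7_events(secure_boot: bool, signer: str, kernel_image: bytes):
    """Constructed stand-ins for PCR 7 events: policy and signing authority.
    kernel_image is deliberately unused: PCR 7 records who signed, not what."""
    return [b"SecureBoot=%d" % secure_boot, b"authority=" + signer.encode()]

def unseal(sealed, pcr7: bytes):
    """The TPM releases the secret only if PCR 7 matches the sealed policy."""
    expected, secret = sealed
    return secret if pcr7 == expected else None

CAP = b"secrets-released"  # hypothetical value measured after the first unseal

def boot(sealed, events, cap: bool = True):
    """One boot: measure, unseal in the trusted initramfs, cap PCR 7, retry."""
    pcr7 = replay(events)
    first = unseal(sealed, pcr7)           # trusted, kernel-embedded initramfs
    if cap:
        pcr7 = extend(pcr7, CAP)
    second = unseal(sealed, pcr7)          # any later code, e.g. modified initramfs
    return first, second

# Seal a (constructed) disk key against the state of a vendor-signed boot.
SEALED = (replay(pcr7_events(True, "vendor-ca", b"kernel-A")), b"disk-key")

if __name__ == "__main__":
    for label, ev in [
        ("updated kernel", pcr7_events(True, "vendor-ca", b"kernel-B")),
        ("secure boot off", pcr7_events(False, "vendor-ca", b"kernel-A")),
        ("other signer", pcr7_events(True, "other-ca", b"kernel-A")),
    ]:
        print(label, boot(SEALED, ev))
```

With `cap=False` the second unseal also succeeds, which is the gap an unsigned, unmeasured initramfs would otherwise be able to use.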

New Release – Waters of the Deep

Jul. 17th, 2017 10:10 am
alex_beecroft: A blue octopus in an armchair, reading a book (Default)
[personal profile] alex_beecroft
Like busses, no matter how much I try to schedule releases so they’re regular, it always ends up with a long time of nothing and then a glut, so coming soon we have: Foxglove Copse and Heart of Cygnus Five, followed at a distance by Pride of Cygnus Five and Contraband Hearts.

However, today is the release day for Waters of the Deep

 
Charles and Jasper are brought in to investigate a fatal stabbing in (the cotton-mill town of) Paradise. But this time the only troublesome ghost in the case is their own adopted child Lily. So what’s leaving the glistening trail in the woods? Why did the vicar’s daughter suddenly kill herself? And what is happening to the extra cow?

This is the second novella length story in my Unquiet Spirits series:

  • Buried With Him – short story,
  • The Wages of Sin – novella
  • Communion – short story
  • Waters of the Deep – novella

Charles and Jasper have been living together for a while, having moved in to Jasper’s house and adopted the ghost girl, Lily. They’ve made a name for themselves as the people you call in to investigate when disasters happen that seem to have supernatural elements. But domesticity has been wearing on Charles, especially when he is ridiculed in the public papers for it, and it may take a murder or two to save their relationship.

~

If you haven’t read the previous stories in the series and you would like to get them for free, sign up for my newsletter

You’ll receive links for Buried With Him, The Wages of Sin (including Communion) and two other novels for free:

 

My Newsletter

Mirrored from Alex Beecroft - Author of Gay Historical and Fantasy Fiction.

5 Reasons to love the 18th Century

Jul. 16th, 2017 06:20 pm
alex_beecroft: A blue octopus in an armchair, reading a book (Default)
[personal profile] alex_beecroft

My new novella, ‘Waters of the Deep‘ is coming out tomorrow.

It’s a gay historical supernatural murder mystery set in the 18th Century, and I’ve noticed that when I say this to people they generally reply “oh, right; the Regency period.”

While I would certainly like to read Pride and Prejudice, the GBLT version – where Darcy and Bingley end up together – the Regency is very different in terms of dress and social mores from the 18th Century proper.  The French revolution 1789-1799 may have lasted only 10 years, but it made a huge impact on the culture of the time.  In Britain, at least, society became much more anxious, much more inclined to self-discipline and morality, self restraint and prudishness – as if by being conventionally virtuous they could stop the same thing from happening there.

Before the French Revolution, British society had been noisy, bumptious, rude and confident.  You see a glimpse of it in Jane Austen with all those crass, vulgar, big-hearted old people who embarrass their more refined children and grandchildren.  In Patrick O’Brian’s series of sea-faring novels set in the Napoleonic era, Jack Aubrey’s father, who damages Jack’s prospects of promotion by being loud and annoying in parliament, and damages Jack’s prospects of inheritance by marrying his chambermaid, is also a nod to the livelier, cruder days of the 18th Century proper.

Five reasons to Love the 18th Century.

 

  1. Start shallow and work up 😉 The clothes! This was probably the last period in history when men were allowed to be as gorgeous as women.

http://www.antoinettescloset.com/realmenscloths.htm

This is the era of the poet-shirt with the big baggy sleeves and the neckline down to the navel, with or without ruffles or lace, as you prefer.  Rich men wore multi-coloured silk outfits with wonderful embroidery, contrasting waistcoats and knee breeches with fine silk stockings underneath.  Poor men wore the classic highwayman/pirate outfits complete with tricornered hats.  Did you know that a good calf on a man’s leg was considered such a desirable form of beauty that some men stuffed calf-enhancers made of cork down there?

  2. Pretty deadly gentlemen. The nice thing about all this male peacock display is that it could not be taken for a sign of weakness. All these gorgeously plumed lads had been training to fence and fight and ride and shoot since they were old enough to stand up.  Ever seen ‘Rob Roy’ where Archie Cunningham slices and dices Liam Neeson as Rob Roy, while wearing an immaculate ice-blue waistcoat and extravagant Belgian lace?

There’s something very attractive about a class of men with Archie Cunningham’s ruthless intelligence, masterly swordfighting skills and love of expensive tailoring, but with the ‘evil bastard’ gene turned down a little.  One of my heroes in the Unquiet Spirits series – Charles Latham – teeters on the edge of that refined man of honour/dangerous sociopath divide.  He is less murderous than simply spoiled, privileged and entitled, but at times it’s a struggle not to want to box his ears. Bless him.

  3. Science!

For the first time in history ships and the provisioning of ships had advanced to the point where navigation was relatively reliable.  Enough food and water could be stored aboard so that voyages could continue for months or even years at a time.  From the perspective of the West, this was an age of exploration and discovery, when the old superstitions of the past were for the first time being investigated to see how much was true about them. In Jasper and Charles’s world they are rather more true than in our own.

  4. Filth, pamphlets and pornography.

Unlike Jane Austen’s time, when a well brought up young woman could be horrified by the idea of acting in a play, or writing to a young man who was not her fiancé, the 18th Century was much more… robust.  Filthy, in fact.  Literally filthy – streets full of horse manure and dead dogs, through which live cattle were led to slaughter at the markets every morning (sometimes escaping to break into banks and terrorise the bankers).  But also redolent with filthy language; swearing, f’ing and blinding, referring to a spade as a spade, and various bodily functions by their Anglo-Saxon names.  The 18th Century style of vocabulary in a gentleman’s coffee house would be too crude for me to subject refined persons of the 21st Century to.  But because of this overabundance of filth you do also get a great sense of vitality and humour, of people who are unashamed and determined to squeeze the last particle of enjoyment out of the world.  People who cannot be cowed.  Their pornography reflects this; bumptious but strangely innocent (or perhaps just plain strange.)  Very much not safe for work link: http://joyful-molly.livejournal.com/57556.html#cutid1

5. The Gay Subculture.

By the early 18th Century urbanization had reached a point in London that there were enough gay people in one place to begin to recognise each other and form a subculture of their own.  There were well known cruising spots such as the Inns of Court, Sodomite’s Walk in Moorfields or Birdcage Walk in St. James’ Park.  The technical term for homosexual people at the time was ‘sodomites’ but they called themselves ‘mollies’, and there were molly houses where they could go to meet up and ‘marry’.  Famous mollies like ‘Princess Seraphina’ – a London butcher – spent a great deal of time in drag.  He seems to have been accepted into his community without a lot of fuss, as there are records of him dropping round to his female neighbours’ houses to have a cup of tea and borrow their clothes.

I really recommend Rictor Norton’s ‘Mother Clap’s Molly House’ http://www.rictornorton.co.uk/ as a great guide to that culture; scholarly but easy to read, generous and fascinating.  So fascinating I had to set at least one of my stories around a fictional molly house in Bermuda.  That’s Desire and Disguise, in the ‘I Do’ anthology, in which an unwary straight guy stumbles into the house by accident and gets a little more than he bargained for.  You might also be interested in this ‘choose your own adventure’ site:

http://www.umich.edu/~ece/student_projects/forbidden/index.html

Mother Clap’s molly house, you’ll be relieved to know, was so called because it was run by a gay friendly lady called Margaret Clap, not because that was something you were likely to get there!

In short, the 18th Century in which the Unquiet Spirits series was set could not be more different than the prim and refined era of the Regency novel.  I can’t offer a comedy of manners, only a fair degree of lust and violence, badly behaved ghosts, bad language, and dangerous men in gorgeous clothes. But if you enjoyed The Wages of Sin, this is both more of the same and something a little bit different. I hope you enjoy it!

 

Mirrored from Alex Beecroft - Author of Gay Historical and Fantasy Fiction.

Page generated Jul. 25th, 2017 02:28 am