Running Linux in a Shielded VM

Total Page:16

File Type:pdf, Size:1020Kb

Running Linux in a Shielded VM Additional Scenarios Provisioning Process Boot Linux in shielded mode Host Guardian Service Guarded Hyper-V hosts Users who request to start specific shielded VMs on the host Host Guardian Service components: VM03 Shielded Attestation requests Attestation Service: virtual VM02 and responses contains information about the machines expected configuration of guarded VM01 hosts. Authorizes only legitimate guarded hosts to run the shielded VMs. Key requests and responses Key Protection Service: contains keys needed for starting shielded VMs. Ensures that a given key is released only if the host is authorized Host Guardian Guarded host and is in a Guarded Fabric specified by Service (HGS) the VM owner. running on a cluster Encrypted with well-known passphrase EFI System partition Boot partition Root partition (unencrypted) (encrypted) (encrypted) grub.cfg init program Linux kernel Boot scripts lsvmload Initial ramdisk Rest of Linux SHIM grub EFI System partition Boot partition Root partition (unencrypted) (encrypted) (encrypted) grub.cfg init program PA* Linux kernel Boot scripts lsvmload Initial ramdisk Rest of Linux VSC SHIM grub *Active boot loader Shielding ‘root’ password Guarded Cert used to Fabric #1 Data File timezone sign VSC IP address Guarded ssh private key Fabric #2 Other per-VM files . Owner Key Guarded Encrypted Fabric #N Each encrypted with a passphrase in ‘sealedkeys’ EFI System partition Boot partition Root partition (unencrypted) (encrypted) (encrypted) grub.cfg init program Encrypted with lsvmload* Linux kernel Boot scripts key sealed in the vTPM sealedkeys Initial ramdisk Rest of Linux Encrypted with specialization.aes SHIM LUKS/dm-crypt masterkey for grub boot partition *Active boot loader • initramfs updated to get dm-crypt • Linux shim passphrase from a file • grub • lsvmload used as a precursor to the • Linux kernel normal Linux boot shim • lsvmload inject disk passphrases as a file into virtualized copy of initramfs • I/O to encrypted boot partition is mediated by custom UEFI file I/O protocols • initramfs gets dm-crypt *First boot only passphrases from injected file Each encrypted with a passphrase in ‘sealedkeys’ EFI System partition Boot partition Root partition (unencrypted) (encrypted) (encrypted) grub.cfg init program Encrypted with lsvmload* Linux kernel Boot scripts key sealed in the vTPM sealedkeys Initial ramdisk Rest of Linux SHIM grub *Active boot loader Wrap-Up .
Recommended publications
  • Operating System Boot from Fully Encrypted Device
    Masaryk University Faculty of Informatics Operating system boot from fully encrypted device Bachelor’s Thesis Daniel Chromik Brno, Fall 2016 Replace this page with a copy of the official signed thesis assignment and the copy of the Statement of an Author. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Daniel Chromik Advisor: ing. Milan Brož i Acknowledgement I would like to thank my advisor, Ing. Milan Brož, for his guidance and his patience of a saint. Another round of thanks I would like to send towards my family and friends for their support. ii Abstract The goal of this work is description of existing solutions for boot- ing Linux and Windows from fully encrypted devices with Secure Boot. Before that, though, early boot process and bootloaders are de- scribed. A simple Linux distribution is then set up to boot from a fully encrypted device. And lastly, existing Windows encryption solutions are described. iii Keywords boot process, Linux, Windows, disk encryption, GRUB 2, LUKS iv Contents 1 Introduction ............................1 1.1 Thesis goals ..........................1 1.2 Thesis structure ........................2 2 Boot Process Description ....................3 2.1 Early Boot Process ......................3 2.2 Firmware interfaces ......................4 2.2.1 BIOS – Basic Input/Output System . .4 2.2.2 UEFI – Unified Extended Firmware Interface .5 2.3 Partitioning tables ......................5 2.3.1 MBR – Master Boot Record .
    [Show full text]
  • White Paper: Indestructible Firewall in a Box V1.0 Nick Mccubbins
    White Paper: Indestructible Firewall In A Box v1.0 Nick McCubbins 1.1 Credits • Nathan Yawn ([email protected]) 1.2 Acknowledgements • Firewall-HOWTO • Linux Router Project • LEM 1.3 Revision History • Version 1.0 First public release 1.4 Feedback • Send all information and/or criticisms to [email protected] 1.5 Distribution Policy 2 Abstract In this document, the procedure for creating an embedded firewall whose root filesystem is loaded from a flash disk and then executed from a RAMdisk will be illustrated. A machine such as this has uses in many environments, from corporate internet access to sharing of a cable modem or xDSL connection among many computers. It has the advantages of being very light and fast, being impervious to filesystem corruption due to power loss, and being largely impervious to malicious crackers. The type of firewall illustrated herein is a simple packet-filtering, masquerading setup. Facilities for this already exist in the Linux kernel, keeping the system's memory footprint small. As such the device lends itself to embedding very well. For a more detailed description of firewall particulars, see the Linux Firewall-HOWTO. 3 Equipment This project has minimal hardware requirements. An excellent configuration consists of: For a 100-baseT network: • SBC-554 Pentium SBC with PISA bus and on-board PCI NIC (http://www.emacinc.com/pc.htm#pentiumsbc), approx. $373 • PISA backplane, chassis, power supply (http://www.emacinc.com/sbcpc_addons/mbpc641.htm), approx. $305 • Second PCI NIC • 32 MB RAM • 4 MB M-Systems Flash Disk (minimum), approx. $45 For a 10-baseT network: • EMAC's Standard Server-in-a-Box product (http://www.emacinc.com/server_in_a_box.htm), approx.
    [Show full text]
  • Chapter 3. Booting Operating Systems
    Chapter 3. Booting Operating Systems Abstract: Chapter 3 provides a complete coverage on operating systems booting. It explains the booting principle and the booting sequence of various kinds of bootable devices. These include booting from floppy disk, hard disk, CDROM and USB drives. Instead of writing a customized booter to boot up only MTX, it shows how to develop booter programs to boot up real operating systems, such as Linux, from a variety of bootable devices. In particular, it shows how to boot up generic Linux bzImage kernels with initial ramdisk support. It is shown that the hard disk and CDROM booters developed in this book are comparable to GRUB and isolinux in performance. In addition, it demonstrates the booter programs by sample systems. 3.1. Booting Booting, which is short for bootstrap, refers to the process of loading an operating system image into computer memory and starting up the operating system. As such, it is the first step to run an operating system. Despite its importance and widespread interests among computer users, the subject of booting is rarely discussed in operating system books. Information on booting are usually scattered and, in most cases, incomplete. A systematic treatment of the booting process has been lacking. The purpose of this chapter is to try to fill this void. In this chapter, we shall discuss the booting principle and show how to write booter programs to boot up real operating systems. As one might expect, the booting process is highly machine dependent. To be more specific, we shall only consider the booting process of Intel x86 based PCs.
    [Show full text]
  • Network Boot and Exotic Root HOWTO
    Network Boot and Exotic Root HOWTO Brieuc Jeunhomme frtest [email protected] Logilab S.A. Revision History Revision 0.3 2002−04−28 Revised by: bej Many feedback inclusions, added links to several projects Revision 0.2.2 2001−12−08 Revised by: dcm Licensed GFDL Revision 0.2.1 2001−05−21 Revised by: logilab Fixed bibliography and artheader Revision 0.2 2001−05−19 Revised by: bej Many improvements and included Ken Yap's feedback. Revision 0.1.1 2001−04−09 Revised by: logilab First public draft. Revision 0.1 2000−12−09 Revised by: bej Initial draft. This document explains how to quickly setup a linux server to provide what diskless linux clients require to get up and running, using an IP network. It includes data and partly rewritten text from the Diskless−HOWTO, the Diskless−root−NFS−HOWTO, the linux kernel documentation, the etherboot project's documentation, the linux terminal server project's homepage, and the author's personal experience, acquired when working for Logilab. Eventually this document may end up deprecating the Diskless−HOWTO and Diskless−root−NFS−HOWTO. Please note that you'll also find useful information in the From−PowerUp−to−bash−prompt−HOWTO and the Thin−Client−HOWTO, and the Claus−Justus Heine's page about NFS swapping. Network Boot and Exotic Root HOWTO Table of Contents 1. Introduction.....................................................................................................................................................1 1.1. What is this all about?.......................................................................................................................1 1.2. Thanks...............................................................................................................................................1 1.3. Diskless booting advocacy................................................................................................................1 1.3.1. Buying is cheaper than building.......................................................................................1 1.3.2.
    [Show full text]
  • Sbadmin for Linux System Recovery Guide Is a Supplement to the Sbadmin User Guide, Providing Details on Reinstalling a Linux System from a Sbadmin System Backup
    Linux System Recovery Guide Version 8.2 Trademarks and Copyrights © Copyright Storix, Inc. 1999-2021 SBAdmin is a registered trademark of Storix, Inc. SBAdmin is a trademark of Storix, Inc in the USA and other countries Intel is a registered trademark of Intel, Inc. Linux is a registered trademark of Linus Torvalds. Intel, Pentium, IA32, Itanium, Celeron and IA64 are registered trademarks of Intel Corporation. AMD, Opteron, and Athlon are registered trademarks of Advanced Micro Devices. HP Integrity servers are registered trademarks of Hewlett-Packard Development Company. Publicly Available Software This product either includes or is developed using source code that is publicly available: AESCrypt* Rijndael and Cipher Block Feedback Copyright 1999, 2000 Enhanced Software Technologies Inc. mode (CFB-128) encryption/decryption http://aescrypt.sourceforge.net/ algorithms BusyBox Single executable containing tiny Copyright 1989, 1991 Free Software Foundation, Inc. versions of common UNIX utilities http://busybox.net/cgi-bin/cvsweb/busybox/ LILO LInux boot Loader Copyright 1999-2003 John Coffman. Copyright 1992-1998 Werner Almesberger. http://freshmeat.net/projects/lilo/ Tcl Open source scripting language Copyright Regents of the University of California, Sun Microsystems, Inc. http://tcl.sourceforge.net Tk Tk graphics toolkit Copyright Regents of the University of California, Sun Microsystems, Inc. http://tcl.sourceforge.net DropBear A Smallish SSH 2 Server and Client Copyright 2002, 2003 Matt Johnston http://www.matt.ucc.asn.au/dropbear/dropbear.html GRUB Grand Unified Bootloader (GNU GRUB) Copyright 1989, 1991 Free Software Foundation, Inc. http://www.gnu.org/software/grub/grub.html Lighttpd Secure, fast, compliant and flexible Copyright 2004 Jan Kneschkle, incremental web-server http://www.lighttpd.net OpenSSL Toolkit implementing Secure Socket Copyright 1998-2008 The OpenSSL Project Layer Copyright 1995-1998 Eric A.
    [Show full text]
  • Linux-Cookbook.Pdf
    LINUX COOKBOOK ™ Other Linux resources from O’Reilly Related titles Linux Device Drivers Exploring the JDS Linux Linux in a Nutshell Desktop Running Linux Learning Red Hat Enterprise Building Embedded Linux Linux and Fedora Systems Linux Pocket Guide Linux Security Cookbook Understanding the Linux Kernel Linux Books linux.oreilly.com is a complete catalog of O’Reilly’s books on Resource Center Linux and Unix and related technologies, including sample chapters and code examples. ONLamp.com is the premier site for the open source web plat- form: Linux, Apache, MySQL, and either Perl, Python, or PHP. Conferences O’Reilly brings diverse innovators together to nurture the ideas that spark revolutionary industries. We specialize in document- ing the latest tools and systems, translating the innovator’s knowledge into useful skills for those in the trenches. Visit conferences.oreilly.com for our upcoming events. Safari Bookshelf (safari.oreilly.com) is the premier online refer- ence library for programmers and IT professionals. Conduct searches across more than 1,000 books. Subscribers can zero in on answers to time-critical questions in a matter of seconds. Read the books on your Bookshelf from cover to cover or sim- ply flip to the page you need. Try it today with a free trial. LINUX COOKBOOK ™ Carla Schroder Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo Linux Cookbook™ by Carla Schroder Copyright © 2005 O’Reilly Media, Inc. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use.
    [Show full text]
  • Bull System Backup / Restore N O V a SC a LE
    Bull System Backup / Restore NOVASCALE User's Guide for NovaScale Universal & Intensive REFERENCE 86 A2 73EV 04 NOVASCALE Bull System Backup / Restore User's Guide for NovaScale Universal & Intensive Software November 2008 BULL CEDOC 357 AVENUE PATTON B.P.20845 49008 ANGERS CEDEX 01 FRANCE REFERENCE 86 A2 73EV 04 The following copyright notice protects this book under Copyright laws which prohibit such actions as, but not limited to, copying, distributing, modifying, and making derivative works. Copyright Bull SAS 2008 Printed in France Suggestions and criticisms concerning the form, content, and presentation of this book are invited. A form is provided at the end of this book for this purpose. To order additional copies of this book or other Bull Technical Publications, you are invited to use the Ordering Form also provided at the end of this book. Trademarks and Acknowledgements We acknowledge the right of proprietors of trademarks mentioned in this book. Intel ® and Itanium ® are registered trademarks of Intel Corporation. Windows ® and Microsoft ® software are registered trademarks of Microsoft Corporation. UNIX ® is a registered trademark in the United States of America and other countries licensed exclusively through the Open Group. Linux ® is a registered trademark of Linus Torvalds. NovaScale ® is a registered trademark of Bull The information in this document is subject to change without notice. Bull will not be liable for errors contained herein, or for incidental or consequential damages in connection with the use of this material.
    [Show full text]
  • Linux Exam Q&A (7Th Sem)
    Readme: The formatting of this document is bad because I have already passed the subject and I don’t want to spend time on the subject which I have already passed. This also means no new answer will be added or solved. Disclaimer: I DO NOT claim or guarantee whether the answer written here is 100% accurate. If you feel something is not accurate or out-of-order, it will be a great help, if you let me know. You know how to find me. Note: Those question which are crossed (i.e. strike-through) refer to the repeated question which has been solved/answered already. Tips: Don’t try to read this pdf using mobile Its pointless and time wasting activity. Use your laptop. Read it in 16:9 full-screen format. Author: Pranav Bhattarai Fall 2019 1 a) Explain the Linux with its architecture. What are the different types of Linux distribution? Explain any two. 1 b) Define term ‘culture of free software’? How Linux and UNIX is related? Explain. 2 a) Define and explain Shell? Difference between TCSH and KSH? 2 b) What are the different Linux supporting files? Explain. 3 a) What is general partitioning scheme while installing Linux Operating System and what do you prefer or recommended? 3 b) How can you monitor system performance in Linux? Explain with example. 4 a) What are difference run levels in Linux? Explain method to change these run levels. 4 b) Write the function of following command with example: rpm -i fdisk -1 at Iptables alias chgrp chmod man pstree nslookup 5 a) Write a program to check whether a given number is prime or not using shell scripts.
    [Show full text]
  • Build Your Own Distro Tired of the Run-Of-The-Mill Stuff on Distrowatch? Why Not Heed Mayank Sharma and Create the Perfect Operating System for You?
    Build your own distro Tired of the run-of-the-mill stuff on Distrowatch? Why not heed Mayank Sharma and create the perfect operating system for you? few issues ago, [LXF171, 50 making it your own – by removing apps and Now traditional wisdom says that creating Distros Tested], we looked at drivers that you don’t need and adding the your own Linux system is a rather difficult the best Linux distributions for ones you do. You’ll also probably change the thing to do and shouldn’t be attempted by A all kinds of users. There were factory-fitted artwork that says more about anyone other than Linux veterans. distros that were designed with ease of use the distro vendor than you. We begin the feature with graphical point- in mind, some focused on productivity, Sure that’s one way to go about it. and-click tools. Yes, you read that right. All it while others catered to specialised use You tweak and customise the distro to suit takes is a couple of clicks to craft your very cases, such as security and privacy your requirements. But wouldn’t it be really own flavour of Linux that you can pass to conscious users. But we can guarantee great if you just create your very own, custom friends and family. We’ve got tools that’ll help that there wasn’t a distro designed Linux distribution? you create and distribute customised spins specifically and entirely for you! based on Ubuntu, Fedora and While most Linux users make do OpenSUSE – the three mainstream with one of the mainstream distros out “We’ve got tools that’ll Linux distributions that house there, there’s always something or the help you create and thousands of open source software in other that’s missing.
    [Show full text]
  • UNIVERSITY of PIRAEUS DEPARTMENT of DIGITAL SYSTEMS POSTGRADUATE PROGRAMME Economic Management and Digital Systems Security
    UNIVERSITY OF PIRAEUS DEPARTMENT OF DIGITAL SYSTEMS POSTGRADUATE PROGRAMME Economic Management and Digital Systems Security Smartphone Forensics & Data Acquisition DISSERTATION Pachigiannis Panagiotis MTE1219 2015 Contents Contents……… ....................................................................................................................................... 2 Acknowledgement ................................................................................................................................... 7 Abstract……. ........................................................................................................................................... 8 1) Introduction........................................................................................................................................... 9 1.1) Context ........................................................................................................................................... 9 1.2) Aim & Objective .......................................................................................................................... 10 1.3) Background .................................................................................................................................. 11 1.4) Structure of Thesis ....................................................................................................................... 11 2) Mobile Devices ..................................................................................................................................
    [Show full text]
  • Guía De Instalación De Debian GNU/Linux
    Guía de instalación de Debian GNU/Linux 12 de enero de 2020 Guía de instalación de Debian GNU/Linux Copyright © 2004 – 2019 el equipo del instalador de Debian Este manual es software libre, puede redistribuirlo y/o modificarlo bajo los términos de la licencia general pública GNU. Por favor, consulte la licencia en el Apéndice F para más información. Índice general 1. Bienvenido a Debian 1 1.1. ¿Qué es Debian? . 1 1.2. ¿Qué es GNU/Linux? . 1 1.3. ¿Qué es Debian GNU/Linux? . 2 1.4. What is the Debian Installer? . 3 1.5. Obtener Debian . 3 1.6. Obtener la última versión de este documento . 3 1.7. Estructura de este documento . 3 1.8. Sobre copyrights y licencias de software . 4 2. Requisitos del sistema 6 2.1. Hardware compatible . 6 2.1.1. Arquitecturas compatibles . 6 2.1.2. Three different ARM ports . 7 2.1.3. Variations in ARM CPU designs and support complexity . 7 2.1.4. Platforms supported by Debian/armhf . 7 2.1.5. Platforms no longer supported by Debian/armhf . 9 2.1.6. Múltiples procesadores . 9 2.1.7. Graphics Hardware Support . 9 2.1.8. Hardware de conectividad de red . 9 2.1.9. Periféricos y otro hardware . 9 2.2. Dispositivos que requieren Firmware . 9 2.3. Adquisición de hardware específico para GNU/Linux . 10 2.3.1. Evite hardware cerrado o privativo . 10 2.4. Medios de instalación . 10 2.4.1. CD-ROM/DVD-ROM/BD-ROM . 11 2.4.2. Red . 11 2.4.3.
    [Show full text]
  • Embedded Linux Device Driver Development Sébastien Bilavarn
    Embedded Linux Device driver development Sébastien Bilavarn Polytech’Nice Sophia - Département Electronique - Université de Nice Sophia Antipolis - S. Bilavarn - 1 - Outline Ch1 – Introduction to Linux Ch2 – Linux kernel overview Ch3 – Linux for Embedded Systems Ch4 – Embedded Linux distributions Ch5 – Case study: Xilinx PowerPC Linux Ch5 bis – Case study: Xilinx Zynq-7000 Linux Ch6 – Device driver development Polytech’Nice Sophia - Département Electronique - Université de Nice Sophia Antipolis - S. Bilavarn - 2 - Case study: Xilinx Zynq-7000 Linux Introduction Target platform: Xilinx Zynq-7000 Platform configuration Kernel configuration and compilation Kernel startup and execution Polytech’Nice Sophia - Département Electronique - Université de Nice Sophia Antipolis - S. Bilavarn - 3 - Introduction Target platform: Xilinx Zynq-7000 Processing System Hard IP processor : implemented on the silicon layout (where a soft IP would be implemented using FPGA logic). Programmable logic FPGA Provides the ability to add custom logic Polytech’Nice Sophia - Département Electronique - Université de Nice Sophia Antipolis - S. Bilavarn - 4 - Introduction Development of a Linux kernel on a reconfigurable platform: Hardware platform configuration Peripherals use on demand (UART, Timer, Ethernet, etc.) Processor architecture itself can be configured according to the needs (frequency, on-chip/off-chip memory, coprocessors, etc.) Compared to a standard kernel development (i.e. for a fixed platform architecture), information on the platform (BSP), in particular on the processor, must be known in order to configure properly the kernel. This process is more complex than on standard platforms where the architecture is fixed (memory size, enabling cache, etc.). Kernel development steps Configuration of the hardware platform Kernel configuration and compilation Kernel startup and test Polytech’Nice Sophia - Département Electronique - Université de Nice Sophia Antipolis - S.
    [Show full text]