This project is a virtual machine created to demonstrate the various attacks detailed in Anvil's Defeating Secure Boot with Symlink and Hard Link Attacks white paper.
A typical Linux embedded system with secure boot cryptographically verifies the boot loader, kernel, and root file system. This can have the effect of making the root file system read only. This presents the embedded developer with a problem. Where then can an embedded developer store device-specific data such as configurations and logs between reboots? A common solution is to create an unprotected storage partition for non-volatile data (data that can be retrieved after power cycling) and mount it in a location such as /storage. Ideally, the non-volatile storage partition should be protected with cryptographic integrity checks, but from our experience, this is rarely done.
This virtual machine demonstrates how to attack systems configured with a split file system, a protected root file system, and a non-protected /storage partition.
-
Download the latest release.
-
Install QEMU and ensure
qemu-system-x86_64
is in your path. -
Start the virtual machine
> cd symlink-secure-boot-vm > ./start-qemu.sh serial-only
The virtual machine utilizes QEMU's user networking and forwards two ports, 8888 and 2121. The 8888 port runs a web server hosting services demonstrating the issues and can be reached at http://localhost:8888. The 2121 port is forwarded to an FTP service. Due to using QEMU's user networking to access the FTP service you need to use your interface's IP address and FTP active mode. Or modify the script to use Tap networking.
Browse to http://localhost:8888 to get started!
We used Buildroot's br2_external feature to construct the virtual machine.
- Download Buildroot (we used buildroot-2020.02.3)
- Download/clone source.
- Build using Buildroot's external
> cd buildroot
> make BR2_EXTERNAL=../symlink-secure-boot-vm anvil_symlink-qemu_defconfig
> make
> ./output/images/start-qemu.sh serial-only
All rights reserved. Copyright (C) 2020 by Anvil Ventures Inc. For licensing information see LICENSE. For more information contact Michael Milvich [email protected]
To find updated source code or to contribute patches go to the following URL: https://github.com/anvilventures/symlink-secure-boot-vm