When booting a system, different programs are run. As a very rough and simplified overview, for a system supporting UEFI we can say that:
- First UEFI is in control.
- Then it calls an EFI application (.efi), generally a bootloader (e.g. GRUB).
- The bootloader in turn calls the OS.
- To find the user's root file system, a Linux Kernel may use an already prepared temporary file system called initramfs.
- In our case, the Linux Kernel is directly embedded in the efi application and it uses a custom initramfs.
UEFI provides a feature called Secure Boot (SB) which can verify the efi applications' signature with keys stored by UEFI, so that an attacker cannot modify the boot sequence and tamper with what is run on the machine early during the boot process. Such an attack would make the threat undetectable with the classic forensic tools, i.e. from the already booted OS.
Nexedi developped for Rapid.Space a system going further, which scans the user's root file system to be mounted by initramfs during the initramfs stage, i.e. before the Linux Kernel has taken over, and send the scan to Wendelin for further analysis. To do so, we create a customed initramfs embedding the scanner and sender and we sign it with our own keys. Then, if our keys are enrolled by UEFI, it can verify the integrity of our customed initramfs, loaded by UEFI as an efi application. With this process, we get a complete scan of the to-be-loaded file system each time a server boots. We can detect abnormal file signatures and permissions while being sure than an attacker could not modify the tools we used to create and send the scan.
Note: The scanning tool is called Metadata Collect Agent (MCA), see the project at
https://lab.nexedi.com/nexedi/metadata-collect-agent
So the main components for a user to install this project on a machine are:
- A set of keys
- Key enrollment in UEFI.
- Initramfs image creation and signature.
With the hardest part to master being the second one, documented in uefi-keys/README.md
. (But don't worry, it's not THAT hard if you read carefully!)