21 votes

What is an SBAT and why does everyone suddenly care?

3 comments

  1. skybrian

    From the article:

    Short version: Secure Boot Advanced Targeting, and if that's enough for you, you can skip the rest. You're welcome.

    Every Linux distribution that works in the Secure Boot ecosystem generates their own bootloader binaries, and each of them has a different hash. If there's a vulnerability identified in the source code for said bootloader, there's a large number of different binaries that need to be revoked. And, well, the storage available to store the variable containing all these hashes is limited. There's simply not enough space to add a new set of hashes every time it turns out that grub (a bootloader initially written for a simpler time when there was no boot security and which has several separate image parsers and also a font parser and look you know where this is going) has another mechanism for a hostile actor to cause it to execute arbitrary code, so another solution was needed.

    And that solution is SBAT. The general concept behind SBAT is pretty straightforward. Every important component in the boot chain declares a security generation that's incorporated into the signed binary. When a vulnerability is identified and fixed, that generation is incremented. An update can then be pushed that defines a minimum generation - boot components will look at the next item in the chain, compare its name and generation number to the ones stored in a firmware variable, and decide whether or not to execute it based on that. Instead of having to revoke a large number of individual hashes, it becomes possible to push one update that simply says "Any version of grub with a security generation below this number is considered untrustworthy".

    So why is this suddenly relevant? SBAT was developed collaboratively between the Linux community and Microsoft, and Microsoft chose to push a Windows update that told systems not to trust versions of grub with a security generation below a certain level. This was because those versions of grub had genuine security vulnerabilities that would allow an attacker to compromise the Windows secure boot chain, and we've seen real world examples of malware wanting to do that (Black Lotus did so using a vulnerability in the Windows bootloader, but a vulnerability in grub would be just as viable for this). Viewed purely from a security perspective, this was a legitimate thing to want to do.

    The problem we've ended up in is that several Linux distributions had not shipped versions of grub with a newer security generation, and so those versions of grub are assumed to be insecure (it's worth noting that grub is signed by individual distributions, not Microsoft, so there's no externally introduced lag here). Microsoft's stated intention was that Windows Update would only apply the SBAT update to systems that were Windows-only, and any dual-boot setups would instead be left vulnerable to attack until the installed distro updated its grub and shipped an SBAT update itself. Unfortunately, as is now obvious, that didn't work as intended and at least some dual-boot setups applied the update and that distribution's Shim refused to boot that distribution's grub.

    8 votes
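    A small Python model of the generation comparison the quoted article describes, added here as an illustration and not code from shim, grub or the article. The CSV field layout of the `.sbat` section, the contents of the policy variable and the `grub,3` minimum are assumptions; all sample data is constructed.

```python
"""SBAT-style generation check (added example, constructed data)."""
from typing import Dict, List, Tuple

# Constructed stand-in for what a signed bootloader embeds in its .sbat section.
# Assumed layout: component_name,component_generation,vendor_name,package,version,url
GRUB_SBAT_OLD = """\
sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat-spec
grub,2,Upstream GRUB,grub,2.06,https://example.invalid/grub
grub.exampledistro,1,Example Distro,grub2,2.06-1,https://example.invalid/distro
"""

# Same binary rebuilt after the fix: only the upstream grub generation is bumped.
GRUB_SBAT_NEW = GRUB_SBAT_OLD.replace("grub,2,", "grub,3,")

# Constructed stand-in for the firmware policy variable: name,minimum generation.
# This is the kind of "any grub below generation 3 is untrusted" rule the article describes.
SBAT_LEVEL = """\
sbat,1,2024010900
grub,3
"""


def parse_sbat(text: str) -> List[Tuple[str, int]]:
    """Return (component_name, generation) pairs; fields after the second are ignored."""
    entries: List[Tuple[str, int]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) < 2:
            raise ValueError(f"malformed SBAT line: {line!r}")
        entries.append((fields[0], int(fields[1])))
    return entries


def check_sbat(component_sbat: str, policy: str) -> Tuple[bool, List[str]]:
    """Apply the policy to one component: every entry whose name appears in the
    policy must carry a generation >= the policy minimum. Names absent from the
    policy are not constrained. Returns (allowed, list of reasons for refusal)."""
    minimums: Dict[str, int] = dict(parse_sbat(policy))
    reasons: List[str] = []
    for name, generation in parse_sbat(component_sbat):
        floor = minimums.get(name)
        if floor is not None and generation < floor:
            reasons.append(f"{name}: generation {generation} < required {floor}")
    return (not reasons, reasons)
```

    With these inputs the old binary is refused with the reason `grub: generation 2 < required 3`, while the rebuilt one passes even though its hash is different, which is the point of revoking by generation instead of by hash.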
  2. DefinitelyNotAFae

    Not sure if this is helpful to anyone else that isn't a tech person, or if this was just me, but this is not "Cbat", the song by Hudson Mohawke that everyone knew for a while because of that one guy's Reddit post about how he used the questionable beat of this song for sex.

    I was quite surprised when I came into this thread, very confident.

    6 votes
  3. Jaeger

    I can tell you why I care. I completed a PowerPoint that was due for a class the next day. Saved the file to my dual boot laptop, not in the cloud as I usually do, and shut down my computer. Went to boot up Windows later and all of a sudden got a "something went seriously wrong" error on boot up.

    After prowling around on the internet, I saw a 5-hour-old article saying how it was the last Windows update that broke my grub boot. Luckily it was a quick, but not permanent, fix to get my PowerPoint turned in on time.

    3 votes