pfSense 2.3 UEFI boot support?
-
Secure Boot.
KNOWING that unapproved code can't boot your firewall is a good thing.
It's a pity that FreeBSD is badly dragging feet on the idea.
UEFI Secure Boot is not the only way to do it.
In FreeBSD you can use BIOS, Trousers and TrustedGRUB2 with a TPM equipped board to sign not just the OS kernel but any file, file system or drive. In my opinion it's a far better way to achieve the same goal and you can do it now without having to rely on anyone else for signing.
-
Secure Boot.
KNOWING that unapproved code can't boot your firewall is a good thing.
It's a pity that FreeBSD is badly dragging feet on the idea.
UEFI Secure Boot is not the only way to do it.
In FreeBSD you can use BIOS, Trousers and TrustedGRUB2 with a TPM equipped board to sign not just the OS kernel but any file, file system or drive. In my opinion it's a far better way to achieve the same goal and you can do it now without having to rely on anyone else for signing.
How can you verify any digital signatures on the first stage bootloader if you're booting using BIOS? Of course you can verify the signature at later stage in boot but that's not a complete chain of trust anymore.
-
@kpa:
How can you verify any digital signatures on the first stage bootloader if you're booting using BIOS? Of course you can verify the signature at later stage in boot but that's not a complete chain of trust anymore.
I don't think that there is a complete chain of trust with UEFI secure boot either. UEFI just delegates the responsibility for the chain of trust to one or more third parties that are not forced to prove that they are actually trustworthy all of the time.
I believe that a well founded chain of trust can only begin with a publicly scrutinised non-reprogrammable ROM containing executable code that is the first code to execute upon reset and checks itself with the TPM before executing BIOS/UEFI. The only way this could ever be done with any certainty of trustworthiness is if there is:
- International standardisation for a trusted boot process.
- Boot code to be free and open source globally with published versioning
- Code maintained by the United Nations Security Council only.
- New code releases require a United Nations Security Council resolution.
- Tampering with the code or subversion of the code is considered an act of war (this needs a very special FOSS license).
- Published in byte code for the CPU architecture that can be translated to assembler by a FOSS companion tool.
This might sound over the top, but it is probably the only way to deter state funded intrusions.
An interesting paper that covers in reasonable detail the problem with x86 chain of trust today.
http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf
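
The chain-of-trust question debated in the posts above, as an added example that is not part of the thread: a TPM 1.2 style PCR extend folds a hash of each boot stage into one register, so a change to any measured stage changes the final value, while a stage that runs before measuring begins is never seen. The stage names and image bytes are constructed stand-ins.

```python
import hashlib

PCR_RESET = b"\x00" * 20  # a TPM 1.2 PCR is 20 bytes (SHA-1), zeroed at reset

# Constructed stand-ins for boot stage images (not real binaries).
GOOD = [("boot0", b"first-stage v1"), ("loader", b"loader v1"), ("kernel", b"kernel v1")]


def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(image))."""
    return hashlib.sha1(pcr + hashlib.sha1(image).digest()).digest()


def measure_chain(stages, pcr: bytes = PCR_RESET) -> bytes:
    """Fold each stage, in boot order, into a single PCR value."""
    for _name, image in stages:
        pcr = extend(pcr, image)
    return pcr


def first_divergence(reference, observed):
    """Return the name of the first stage at which the running PCR differs."""
    ref = obs = PCR_RESET
    for (name, good), (_, seen) in zip(reference, observed):
        ref, obs = extend(ref, good), extend(obs, seen)
        if ref != obs:
            return name
    return None


def swap(stages, name, image):
    """Copy of the stage list with one image replaced."""
    return [(n, image if n == name else i) for n, i in stages]


if __name__ == "__main__":
    bad_loader = swap(GOOD, "loader", b"loader v1 + patch")
    bad_boot0 = swap(GOOD, "boot0", b"first-stage replaced")
    print("reference PCR  :", measure_chain(GOOD).hex())
    print("changed loader :", measure_chain(bad_loader).hex(),
          "-> diverges at", first_divergence(GOOD, bad_loader))
    # If measuring only starts at the loader, a replaced boot0 goes unseen:
    print("boot0 unmeasured, same PCR:",
          measure_chain(GOOD[1:]) == measure_chain(bad_boot0[1:]))
```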
-
UEFI exists and works in 2.4. Snapshots available soon.
-
@cmb:
UEFI exists and works in 2.4. Snapshots available soon.
CMB that is fantastic news! I am just now setting up a new ESXi server and I wanted to use UEFI instead of BIOS for a fresh pfSense install and I was wondering when the snapshot will be available as currently today (21st July) snapshots.pfsense.org shows only version 2.3.2. Could you tell me how long it will be before there is a snapshot version that supports UEFI to download or could you provide an x64 download link so I can get it now?
Thank you for all your efforts in getting UEFI support included!
-
I worry that much of the network stack is now accessible to the EFI console. How do you trust the firmware is not siphoning off packets?
I think from a security standpoint it is not good.
Secure Boot Hardy har har.
Beware of trojans bearing gifts.
-
I think when ADI-Netgate chose to use SeaBIOS on their products it was a great pick. When I first got my SG2220 I was disappointed by the minimal BIOS but really what do you need a BIOS to do? Pick a boot drive. That is it. And that is what SeaBIOS does. Works well.
I realize PXE already has interaction with the BIOS but a network stack in the BIOS. Think about that.
-
At least with Coreboot-SeaBIOS it is all open source. You can see exactly what the BIOS is doing.
I would call that Secure Boot.
-
Here is a good comparison. SeaBIOS is not missing much I need.
https://en.wikipedia.org/wiki/BIOS#COMPARISON
-
I'm slightly off topic with this, but UEFI boot usually implies a GPT format. Some modern larger hard disks have a 4K block size and my web research suggests that they should be formatted with partitions based on a 4K boundary and not the 63 sector / track formatting. Failure to do this can result in read-modify-write when writing to disk. With pfSense this can be achieved by formatting before install, also keeping the "old" partition table, but I found the pfSense installer is unhappy unless the partition starts on a multiple of 63 sectors. As a result I've formatted with the partition start as a multiple of 63 sectors AND a multiple of 4K block size - requiring a few minutes with a calculator. (When doing the install do not then accept the option to format the disk, and select the pre-formatted partition / slice.) More information with "Advanced format drives" in a search engine.
I hope nobody tells me I'm way off beam with the above.
What I'm leading to is, can an update also fix the installer so that it uses a more recent format routine than cylinder / head / sectors and either the inbuilt auto-install can be used - or - a pre-formatted (sliced) disk can be used with the first partition starting at 4096 or a number not divisible by 63? And a GPT partition table.
-
pfSense 2.4 alpha UEFI boots out of the box. I run it on a Qotom Q190G4 with ultra fast boot enabled and the pfSense bootloader timeout set to 1 second and it's unbelievable how quickly it's back up when it reboots!