Restricted Boot...bypassed

About a year ago, Kyle Rankin wrote an article about PureBoot’s recovery console.

This was a very interesting article which started me exploring the payload’s runtime environment, filesystem and tools. It really is much fun: you can see all sort of interesting things like scripts, coreboot stages logs and TPM measurements, config files, and much more.

I can’t exactly remember where (could be reading some osresearch documentation) I got the notion that I could invoke the console by holding the ‘r’ key right after power on. But then I got into the habit of doing so every time I wanted a console.

Recent versions of PureBoot have introduced this much awaited “Restricted Boot” feature, which - among other things - restricts and even forbids invoking a recovery console; a good thing for added security.

Just the other day, I flashed the latest PureBoot version 27 and after this I wanted to reboot into the console to check which coreboot modules had changed from the previous version. Out of habit, I rebooted holding the ‘r’ key. Then I thought to myself: this is not gonna work, I re-enabled restricted boot…but to my surprise, I dropped into the console right then!

I thought maybe this was a new bug or regression with version 27, so I rolled back to v25 and checked again: same behavior. And then v24 as well!

So we have a problem. What could it be? A race condition between an early console catching the ‘r’ key and acting before the script checking the state of restricted boot is run? Could it be a feature used only for debugging and that was inadvertently left enabled?

Anyway, getting a recovery console so easily at startup…sort of defeats the whole purpose of restricted boot.

1 Like

Or simply an oversight in terms of all the different ways of getting into the recovery console?

@jonathon.hall ?

For reference of anyone else: https://puri.sm/posts/introducing-pureboot-restricted-boot/

Thank you for reporting this @TiX0, I can reproduce this and will prepare a hotfix release.

@irvinewade, you are spot on, it’s a method of entering the recovery console that was overlooked.

/init checks for the r key held to enter an early recovery shell (this might be where you saw this note @TiX0 - https://source.puri.sm/firmware/pureboot/-/blob/main/initrd/init#L76). The recovery function tests for restricted boot, but this occurrence in /init is before config.user is loaded (lines 101-102).

1 Like

PureBoot 27.1 was just released including this fix.

Loading config.user was moved earlier, before any method of entering the recovery shell; holding r will now generate the same message that Restricted Boot is enabled and reboot. Thanks again for reporting this issue.

5 Likes
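The ordering problem jonathon.hall diagnoses above, and the 27.1 fix of loading config.user before any recovery path, reduce to a question of when a check runs relative to when its input is loaded. The following is an added illustration written for this thread, not PureBoot's own /init: a toy init flow with the old and new orderings side by side. The variable name `CONFIG_RESTRICTED_BOOT`, the contents of the stand-in config.user, and the `enter_recovery`/`boot_old`/`boot_new` helpers are all assumptions constructed for the example; a real reboot is simulated by a return code.

```shell
#!/bin/sh
# Added illustration, not PureBoot's own /init: a toy init flow reproducing the
# ordering problem described in the thread. CONFIG_RESTRICTED_BOOT and the
# config.user contents are assumptions constructed for this example.

CONFIG_FILE="$(mktemp)"
trap 'rm -f "$CONFIG_FILE"' EXIT
# Constructed stand-in for config.user with restricted boot turned on.
printf 'CONFIG_RESTRICTED_BOOT=y\n' > "$CONFIG_FILE"

# Recovery entry point. It honours the restricted-boot setting, but only if
# that setting has actually been loaded by the time it runs.
# Returns 0 when a shell would be granted, 1 when the system would reboot.
enter_recovery() {
    if [ "${CONFIG_RESTRICTED_BOOT:-}" = "y" ]; then
        echo "Restricted Boot is enabled, recovery shell refused (would reboot)"
        return 1
    fi
    echo "Dropping to recovery shell"
    return 0
}

# Pre-27.1 ordering: the early 'r' key test runs before config.user is
# sourced, so enter_recovery sees an empty variable and grants the shell.
# $1 is the key held at power-on ("r" or ""). Returns 2 for a normal boot.
boot_old() {
    unset CONFIG_RESTRICTED_BOOT
    if [ "$1" = "r" ]; then
        enter_recovery
        return $?
    fi
    . "$CONFIG_FILE"
    return 2
}

# 27.1 ordering: config.user is loaded before any path into the recovery
# shell, so the same check now sees the real setting.
boot_new() {
    unset CONFIG_RESTRICTED_BOOT
    . "$CONFIG_FILE"
    if [ "$1" = "r" ]; then
        enter_recovery
        return $?
    fi
    return 2
}

# Demonstration when run directly; '|| :' keeps the non-zero return of the
# refused case from aborting the script.
echo "old init, r held:"; boot_old r || :
echo "new init, r held:"; boot_new r || :
```

The point of the two functions is that `enter_recovery` is identical in both: the check itself was never wrong, only its position relative to the config load. When auditing an init script for a feature like Restricted Boot, the useful question is therefore not "does each entry path call the check?" but "is every entry path reached only after the check's inputs exist?".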

Restricted Boot now working as intended. Speediest hotfix + firmware update I have yet to see!
We appreciate Purism’s commitment to security and unmatched response.

2 Likes

Yeah, suck on that, Microsoft! 🙂

Right! And that is why we are all here, I guess…

2 Likes