Ubuntu 21.04 is the latest release of Ubuntu and comes at the mid-point between the most recent Long Term Supported (LTS) release, Ubuntu 20.04 LTS, and the forthcoming 22.04 LTS release due in April 2022. This provides a good opportunity to take stock of some of the latest security features delivered in this release, on the road to 22.04 LTS. Ubuntu 21.04 brings with it a vast number of improvements and features across a wide variety of packages. In this blog post, we will take a look at those features and improvements that add to the overall security of an Ubuntu system.
One GRUB for Ubuntu
Starting from the bottom up, one of the most fundamental components in Ubuntu is the GRUB2 boot-loader. In light of the recent additional GRUB2 secure-boot bypass vulnerabilities, the Ubuntu Foundations team considered options to make Ubuntu more secure by enabling easier GRUB updates. The outcome was to change the way GRUB2 is shipped in Ubuntu. In general, Ubuntu releases shipped with a fixed version of GRUB2 (as with many other packages) at release time, so when security issues later needed fixing, patches had to be backported to an aging codebase. This brings numerous technical challenges, so to alleviate these, a single GRUB2 package will now be shipped across all supported Ubuntu releases, with 21.04 being the initial release to support this feature.
Firmware updates and fwupd
Since the advent of the Linux Vendor Firmware Service (LVFS) and the associated fwupd daemon, Ubuntu has supported easy installation of firmware updates, including both BIOS and peripheral devices. These firmware updates often contain crucial fixes for security flaws and so ensuring devices have the latest firmware updates is an integral step for good security. Ubuntu 21.04 ships with the latest fwupd release 1.5.8 which includes support for SBAT metadata required for the latest UEFI Secure Boot improvements, as well as support for enabling firmware updates for many more classes of devices including the Pinebook Pro and System76 keyboards just to name a few.
The 5.11 Linux kernel security changes
The Linux kernel is at the heart of all running Ubuntu systems. The kernel in Ubuntu 21.04 is based on the upstream 5.11 kernel, which brings a number of improvements over the 5.8 kernel used in Ubuntu 20.10. These include:
CAP_CHECKPOINT_RESTORE
In modern datacenters, the ability to migrate workloads across machines is becoming increasingly important to enable optimal performance and availability. One mechanism used to support this is called checkpoint/restore – this makes it possible to snapshot one or more processes on a system and capture their entire state, then move this across to another system and seamlessly restart those processes. In the past, this has required a supervisor process to have complete system administrator privileges (CAP_SYS_ADMIN) on a machine just to perform this one function, granting far broader permissions than the task requires. To allow a more fine-grained approach, a new capability CAP_CHECKPOINT_RESTORE has been introduced – this allows a supervisor process to perform the required checkpoint/restore operations with just the subset of permissions required, and so aids in the implementation of a principle-of-least-privilege system.
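As an added illustration (not code from the original post or from any checkpoint/restore tool), the following C audit reads a process's CapEff mask from /proc/<pid>/status and reports whether a supervisor holds the broad CAP_SYS_ADMIN or only the narrower CAP_CHECKPOINT_RESTORE. The bit numbers come from the kernel's uapi capability header; the function names are ours, and the status lines used for testing are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers from <linux/capability.h>. CAP_CHECKPOINT_RESTORE was
 * added in Linux 5.9, so older uapi headers may not define it; hard-code both. */
#define CAP_SYS_ADMIN_BIT          21
#define CAP_CHECKPOINT_RESTORE_BIT 40

/* Return 1 if capability `cap` is set in a CapEff/CapPrm/CapBnd bitmask. */
int cap_in_mask(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Extract the hex bitmask following `field` (e.g. "CapEff:") from the text of
 * /proc/<pid>/status. Returns 0 on success, -1 if the field is absent. */
int cap_mask_from_status(const char *status, const char *field, uint64_t *out)
{
    const char *p = strstr(status, field);
    if (!p) return -1;
    p += strlen(field);
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p) return -1;
    *out = (uint64_t)v;
    return 0;
}

/* 2 = holds CAP_SYS_ADMIN (over-privileged for checkpoint/restore),
 * 1 = holds only the narrower CAP_CHECKPOINT_RESTORE, 0 = holds neither. */
int classify_restore_privileges(uint64_t capeff)
{
    if (cap_in_mask(capeff, CAP_SYS_ADMIN_BIT)) return 2;
    if (cap_in_mask(capeff, CAP_CHECKPOINT_RESTORE_BIT)) return 1;
    return 0;
}

int main(void)
{
    char buf[4096] = {0};
    FILE *f = fopen("/proc/self/status", "r");
    if (!f || fread(buf, 1, sizeof buf - 1, f) == 0) { perror("status"); return 2; }
    uint64_t eff = 0;
    if (cap_mask_from_status(buf, "CapEff:", &eff) != 0) return 2;
    printf("CapEff=%016llx -> class %d\n", (unsigned long long)eff, classify_restore_privileges(eff));
    return 0;
}
```

Run it as the supervisor user, or point it at another process's status file, to confirm the narrower capability is the only one granted.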
RISC-V stack protector
RISC-V is an open standard instruction set architecture designed around reduced instruction set principles, and has been supported as a technology preview since Ubuntu 20.04 LTS. Since the 5.9 release of the Linux kernel, the RISC-V architecture has gained support for stack protection, a hardening feature that detects kernel stack buffer overflows, which can otherwise be used to compromise the security of a system. This brings this relatively young architecture closer to feature parity with more mature architectures like amd64, which have supported kernel stack protection since Ubuntu 9.04, over 11 years ago.
Static calls for improved Spectre mitigation
The Spectre vulnerabilities were the first of many recently discovered speculative-execution vulnerabilities, which exploit various microarchitectural features of the underlying processor hardware to leak information across security boundaries. The discovery of these vulnerabilities led to the implementation of many novel mitigation techniques; however, these came with various performance costs that could force users into a poor trade-off between security and performance. Over time, the performance impact of these mitigations has been reduced – in particular the implementation of static calls within the 5.10 kernel has brought a noticeable improvement in the perf subsystem and others.
ARM64 Memory Tagging
Memory corruption remains one of the chief sources of vulnerabilities within the Linux kernel. Whilst various software-based mechanisms (such as the aforementioned stack protector) have been developed to mitigate these, a number of hardware-based approaches have also been in the works. One such approach is memory tagging, as supported by the Armv8.5 Memory Tagging Extension. This aims to prevent memory safety issues by tagging memory addresses with a key that cannot easily be forged, so that common memory safety attacks such as buffer overflows are detected and blocked. The ARM64 architecture in Ubuntu 21.04 now provides support for userspace processes to enable memory tagging for certain memory regions, and so provides a path to enabling this protection more holistically in the future.
Intel SGX
Trusted computing relies on performing computations that cannot be tampered with or altered. Intel Software Guard eXtensions (SGX) provide the ability to create a separate enclave which can be used to perform trusted operations – where neither the code nor data can be accessed from untrusted components. Support for SGX is present in Ubuntu 21.04; hardware support for this feature has been available in various Intel desktop processors in recent years, and the upcoming Xeon “Ice Lake” processors will bring SGX to server platforms as well.
Userspace Security Improvements
With each new Ubuntu release, there is the opportunity to refresh the range of software packages provided within the Ubuntu archive to the latest release. Some notable security-relevant software packages updated for Ubuntu 21.04 include OpenSSH and Libseccomp. OpenSSH has been updated to the 8.4 release, which provides improved support for FIDO/U2F hardware tokens. This includes supporting tokens that require a PIN for each use, plus better support when using multiple tokens at the same time. This allows users to enable remote access with increased assurance that it cannot be abused by unauthorised attackers. Libseccomp, on the other hand, is a more low-level component, but has been crucial in the implementation of sandboxing technologies, which allow applications to limit the impact of a compromise. Upgrading to the 2.5.1 release of Libseccomp brings support for userspace notifications (used by container managers like LXD) and improved performance when adding new rules.
Finally, another important and long-awaited change is the introduction of private home directories by default in Ubuntu 21.04. This ensures that a new user's files will only be accessible to that user and not to other local users on the same system, recognising the shift away from shared desktop computing to the more hostile use-cases of cloud or IoT.
In all, the range of security improvements in Ubuntu 21.04 creates a solid foundation on the road to Ubuntu 22.04 LTS, and the release stands as the most secure Ubuntu to date by leveraging these and building upon the various other hardening and security features which have long been a core part of Ubuntu releases.