Submit Search
Upload
Measured boot for embedded devices
•
0 likes
•
77 views
D
Dmitry Baryshkov
Follow
A presentation on using Measured Boot, TPM and IMA/EVM on Linux
Read less
Read more
Presentations & Public Speaking
Report
Share
Report
Share
1 of 15
Download now
Download to read offline
Recommended
Public Key Distribution
Public Key Distribution
Mostafijur Rahman
Block replication on HDFS
Block replication on HDFS
Koos van Strien
SWGDE Best Practices for Computer Forensics
SWGDE Best Practices for Computer Forensics
David Sweigert
Pgp pretty good privacy
Pgp pretty good privacy
Pawan Arya
Leveling Up My Linux Kernel Contributions : Troubleshooting the kernel panic
Leveling Up My Linux Kernel Contributions : Troubleshooting the kernel panic
Juhee Kang
Motherboard
Motherboard
Ben Attia Fodha Hajer
Steganography(Presentation)
Steganography(Presentation)
Firdous Ahmad Khan
Steve Litras [Cribl] | The Power of Infinite Choice | InfluxDays Virtual Expe...
Steve Litras [Cribl] | The Power of Infinite Choice | InfluxDays Virtual Expe...
InfluxData
Recommended
Public Key Distribution
Public Key Distribution
Mostafijur Rahman
Block replication on HDFS
Block replication on HDFS
Koos van Strien
SWGDE Best Practices for Computer Forensics
SWGDE Best Practices for Computer Forensics
David Sweigert
Pgp pretty good privacy
Pgp pretty good privacy
Pawan Arya
Leveling Up My Linux Kernel Contributions : Troubleshooting the kernel panic
Leveling Up My Linux Kernel Contributions : Troubleshooting the kernel panic
Juhee Kang
Motherboard
Motherboard
Ben Attia Fodha Hajer
Steganography(Presentation)
Steganography(Presentation)
Firdous Ahmad Khan
Steve Litras [Cribl] | The Power of Infinite Choice | InfluxDays Virtual Expe...
Steve Litras [Cribl] | The Power of Infinite Choice | InfluxDays Virtual Expe...
InfluxData
Cryptanalysis 101
Cryptanalysis 101
rahat ali
CS8792 - Cryptography and Network Security
CS8792 - Cryptography and Network Security
vishnukp34
Udev for Device Management in Linux
Udev for Device Management in Linux
Deepak Soundararajan
Set Secure Electronic Transaction(SET)
Set Secure Electronic Transaction(SET)
Suraj Dhalwar
Access control matrix
Access control matrix
Aravindharamanan S
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
Project ACRN
Pgp
Pgp
Reham Maher El-Safarini
Cs8792 cns - unit i
Cs8792 cns - unit i
ArthyR3
Memory safety in rust
Memory safety in rust
Jawahar
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
Kathirvel Ayyaswamy
Different types of Symmetric key Cryptography
Different types of Symmetric key Cryptography
subhradeep mitra
symmetric key encryption algorithms
symmetric key encryption algorithms
Rashmi Burugupalli
Public key Infrastructure (PKI)
Public key Infrastructure (PKI)
Venkatesh Jambulingam
Grundlagen Virtualisierung
Grundlagen Virtualisierung
inovex GmbH
Steganography and watermarking
Steganography and watermarking
sudip nandi
S/MIME
S/MIME
maria azam
Email security
Email security
Ahmed EL-KOSAIRY
Message Authentication Code & HMAC
Message Authentication Code & HMAC
Krishna Gehlot
CS8792 - Cryptography and Network Security
CS8792 - Cryptography and Network Security
vishnukp34
Cryptography Basics Pki
Cryptography Basics Pki
Sylvain Maret
Bootkits step by-step-slides-final-v1-release
Bootkits step by-step-slides-final-v1-release
Eric Koeppen
Chapter 9 Client and application Security
Chapter 9 Client and application Security
Dr. Ahmed Al Zaidy
More Related Content
What's hot
Cryptanalysis 101
Cryptanalysis 101
rahat ali
CS8792 - Cryptography and Network Security
CS8792 - Cryptography and Network Security
vishnukp34
Udev for Device Management in Linux
Udev for Device Management in Linux
Deepak Soundararajan
Set Secure Electronic Transaction(SET)
Set Secure Electronic Transaction(SET)
Suraj Dhalwar
Access control matrix
Access control matrix
Aravindharamanan S
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
Project ACRN
Pgp
Pgp
Reham Maher El-Safarini
Cs8792 cns - unit i
Cs8792 cns - unit i
ArthyR3
Memory safety in rust
Memory safety in rust
Jawahar
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
Kathirvel Ayyaswamy
Different types of Symmetric key Cryptography
Different types of Symmetric key Cryptography
subhradeep mitra
symmetric key encryption algorithms
symmetric key encryption algorithms
Rashmi Burugupalli
Public key Infrastructure (PKI)
Public key Infrastructure (PKI)
Venkatesh Jambulingam
Grundlagen Virtualisierung
Grundlagen Virtualisierung
inovex GmbH
Steganography and watermarking
Steganography and watermarking
sudip nandi
S/MIME
S/MIME
maria azam
Email security
Email security
Ahmed EL-KOSAIRY
Message Authentication Code & HMAC
Message Authentication Code & HMAC
Krishna Gehlot
CS8792 - Cryptography and Network Security
CS8792 - Cryptography and Network Security
vishnukp34
Cryptography Basics Pki
Cryptography Basics Pki
Sylvain Maret
What's hot
(20)
Cryptanalysis 101
Cryptanalysis 101
CS8792 - Cryptography and Network Security
CS8792 - Cryptography and Network Security
Udev for Device Management in Linux
Udev for Device Management in Linux
Set Secure Electronic Transaction(SET)
Set Secure Electronic Transaction(SET)
Access control matrix
Access control matrix
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
Pgp
Pgp
Cs8792 cns - unit i
Cs8792 cns - unit i
Memory safety in rust
Memory safety in rust
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
Different types of Symmetric key Cryptography
Different types of Symmetric key Cryptography
symmetric key encryption algorithms
symmetric key encryption algorithms
Public key Infrastructure (PKI)
Public key Infrastructure (PKI)
Grundlagen Virtualisierung
Grundlagen Virtualisierung
Steganography and watermarking
Steganography and watermarking
S/MIME
S/MIME
Email security
Email security
Message Authentication Code & HMAC
Message Authentication Code & HMAC
CS8792 - Cryptography and Network Security
CS8792 - Cryptography and Network Security
Cryptography Basics Pki
Cryptography Basics Pki
Similar to Measured boot for embedded devices
Bootkits step by-step-slides-final-v1-release
Bootkits step by-step-slides-final-v1-release
Eric Koeppen
Chapter 9 Client and application Security
Chapter 9 Client and application Security
Dr. Ahmed Al Zaidy
IPLOOK MME PRODUCT INFORMATION
IPLOOK MME PRODUCT INFORMATION
IPLOOK Networks
Android Security Maximized by Samsung KNOX
Android Security Maximized by Samsung KNOX
Samsung Biz Mobile
Standardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-V
RISC-V International
HKG18-212 - Trusted Firmware M: Introduction
HKG18-212 - Trusted Firmware M: Introduction
Linaro
IPLOOK SMS product information
IPLOOK SMS product information
IPLOOK Networks
Comguard expanding-portfolio
Comguard expanding-portfolio
xband
IRJET- An Efficient Hardware-Oriented Runtime Approach for Stack-Based Softwa...
IRJET- An Efficient Hardware-Oriented Runtime Approach for Stack-Based Softwa...
IRJET Journal
Ivanti uem security_webinar_cybersecurity_month_oct2020
Ivanti uem security_webinar_cybersecurity_month_oct2020
Ivanti
ChipGlobe - Dieter Rudolf - Secure IoT communication - for Infineon IoT Secur...
ChipGlobe - Dieter Rudolf - Secure IoT communication - for Infineon IoT Secur...
Dieter Rudolf
Trusted computing introduction and technical overview
Trusted computing introduction and technical overview
Sajid Marwat
Introduction to Trusted Computing
Introduction to Trusted Computing
Maksim Djackov
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Qualcomm Developer Network
Chapter 4
Chapter 4
Amy McMullin
DYNAMIC ROOT OF TRUST AND CHALLENGES
DYNAMIC ROOT OF TRUST AND CHALLENGES
ijsptm
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Synopsys Software Integrity Group
Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1
bora.gungoren
Managing securityforautomotivesoc
Managing securityforautomotivesoc
Pankaj Singh
IT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
IT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
ITExamAnswers.net
Similar to Measured boot for embedded devices
(20)
Bootkits step by-step-slides-final-v1-release
Bootkits step by-step-slides-final-v1-release
Chapter 9 Client and application Security
Chapter 9 Client and application Security
IPLOOK MME PRODUCT INFORMATION
IPLOOK MME PRODUCT INFORMATION
Android Security Maximized by Samsung KNOX
Android Security Maximized by Samsung KNOX
Standardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-V
HKG18-212 - Trusted Firmware M: Introduction
HKG18-212 - Trusted Firmware M: Introduction
IPLOOK SMS product information
IPLOOK SMS product information
Comguard expanding-portfolio
Comguard expanding-portfolio
IRJET- An Efficient Hardware-Oriented Runtime Approach for Stack-Based Softwa...
IRJET- An Efficient Hardware-Oriented Runtime Approach for Stack-Based Softwa...
Ivanti uem security_webinar_cybersecurity_month_oct2020
Ivanti uem security_webinar_cybersecurity_month_oct2020
ChipGlobe - Dieter Rudolf - Secure IoT communication - for Infineon IoT Secur...
ChipGlobe - Dieter Rudolf - Secure IoT communication - for Infineon IoT Secur...
Trusted computing introduction and technical overview
Trusted computing introduction and technical overview
Introduction to Trusted Computing
Introduction to Trusted Computing
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Chapter 4
Chapter 4
DYNAMIC ROOT OF TRUST AND CHALLENGES
DYNAMIC ROOT OF TRUST AND CHALLENGES
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1
Managing securityforautomotivesoc
Managing securityforautomotivesoc
IT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
IT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
Recently uploaded
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
soniya singh
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
eCommerce Institute
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
NETWAYS
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.ppt
ssuser319dad
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptx
mavinoikein
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@
vikas rana
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Salam Al-Karadaghi
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation Track
Sebastiano Panichella
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
Tatiana Gurgel
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
NETWAYS
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
henrik385807
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Kayode Fayemi
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
henrik385807
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
henrik385807
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
FamilyWorshipCenterD
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
Pooja Nehwal
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
NETWAYS
The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software Engineering
Sebastiano Panichella
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
Basil Achie
Motivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdf
akankshagupta7348026
Recently uploaded
(20)
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.ppt
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptx
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation Track
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software Engineering
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
Motivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdf
Measured boot for embedded devices
1.
Dmitry Eremin-Solenikov Ivan Nikolaenko Measured
Boot for embedded devices Open Source Software Engineer DI SW December, 2019
2.
Restricted © 2019
Mentor Graphics Corporation Approaching authentic execution environment Usually device manufacturer would like to be sure that deployed device executes authentic code: — Because it might be a medical device, — Or a safety-critcal device — Or just to insure generic platform integrity We need to authenticate image contents! D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,2
3.
Restricted © 2019
Mentor Graphics Corporation Traditional approaches No authentication at all. – Oops Verify image signature before flashing it. – Any intruder can still modify image contents after flashing Or just verify whole image each boot. – So slooow. We have to authenticate image contents in runtime! D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,3
4.
Restricted © 2019
Mentor Graphics Corporation Measured boot Measured boot is a technique of securely calculating a log of all boot components Measured boot is typically thought as related to x86 platform only However nothing stops us from employing the same technique for embedded devices TPM chip is a hardware component that assists Measured Boot process D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,4
5.
Restricted © 2019
Mentor Graphics Corporation Measured Boot for embedded devices D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,5 Boot time Digest all boot components Optionally use calculated boot state to unencrypt next stage Runtime Digest selected set of files as they are accessed – E.g. digest all root-owned executable files – Or digest all root-owned files – Or anything you can come up with Use digested information to unlock encryption keys Use digested information to remotely verify device state
6.
Restricted © 2019
Mentor Graphics Corporation Measuring boot components TPM provides at least 24 PCRs (platform configuration register) to store boot log information These registers are reset only at board reset time The only way to change them is to Extend: – PCR[i] = Hash ( PCR[i] || ExtendArgument ) The code to access TPM is less than 500 lines of code Modify your bootloader to Extend PCRs with the digests of next boot image D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,6
7.
Restricted © 2019
Mentor Graphics Corporation Measuring inside Linux Linux provides IMA (Integrity Measurement Architecture) and EVM (Extended Verification Module) subsystems IMA maintains a runtime list of files measurements – Policy controlled – Can be anchored in TPM to provide aggregate integrity value Steps to enable: – Enable in kernel – Mount filesystems with iversions option – Provide a signed policy – Load a policy at boot time D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,7
8.
Restricted © 2019
Mentor Graphics Corporation Measuring inside Linux: protecting from tampering Linux EVM subsystem protects against filsystem tampering It can use either HMAC or digital signature to verify security attributes: – security.ima (IMA's stored “good” hash for the file) – security.selinux (the selinux label/context on the file) – security.SMACK64 (Smack's label on the file) – security.capability (Capability's label on executables) Steps to enable: – Enable in kernel – Load certificate or HMAC key – Enable in securityfs D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,8
9.
Restricted © 2019
Mentor Graphics Corporation Using measured state: local attestation Use aggregated state to seal next state keys – Seal EVM HMAC key with bootloader data ● Attacker can not get HMAC key by tampering with bootloaders – Seal rootfs encryption key with bootloader and kernel data ● One can not access rootfs if any of boot components are changed! Your Initials, Presentation Title, Month Year9
10.
Restricted © 2019
Mentor Graphics Corporation Using measured state: remote attestation Remote attestation is a method by which a host authenticates it's hardware and software configuration to a remote host (server) Use TPM capability to cryptographically sign measurements log and provide such log to remote server Your Initials, Presentation Title, Month Year10
11.
Restricted © 2019
Mentor Graphics Corporation Deploying in embedded device Patch your bootloader Using MEL/Yocto/OE use one of 3 layers: – meta-secure-core (complex solution) – meta-measured (a bit outdated) – meta-security (optimal after receiving all our patches) Use initramfs to load IMA policy and EVM certificate Your Initials, Presentation Title, Month Year11
12.
Restricted © 2019
Mentor Graphics Corporation Deploying in embedded device #2 Choose a solution for remote attestation – OpenAttestation is an SDK for developing custom complex solutions – We recommend using strongSwan’s TNC (trusted network connect) capability to maintain a DB of devices – We ourselves ended up with a set of scripts to provisioning keys, gathering data and verifying the log Your Initials, Presentation Title, Month Year12
13.
Restricted © 2019
Mentor Graphics Corporation What can we do without TPM TPM chips are cheap, but what if hardware is already finalized? Enable IMA/EVM! – Verifying all executable files to be signed by you – EPERM for all other binaries Your Initials, Presentation Title, Month Year13
14.
Restricted © 2019
Mentor Graphics Corporation QUESTIONS?
15.
Restricted © 2019
Mentor Graphics Corporation www.mentor.com
Download now