More Related Content
Similar to Measured boot for embedded devices (20)
Measured boot for embedded devices
- 2. Restricted © 2019 Mentor Graphics Corporation
Approaching authentic execution
environment
Usually device manufacturer would like to be sure that
deployed device executes authentic code:
— Because it might be a medical device,
— Or a safety-critcal device
— Or just to insure generic platform integrity
We need to authenticate image contents!
D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,2
- 3. Restricted © 2019 Mentor Graphics Corporation
Traditional approaches
No authentication at all.
– Oops
Verify image signature before flashing it.
– Any intruder can still modify image contents after flashing
Or just verify whole image each boot.
– So slooow.
We have to authenticate image contents in runtime!
D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,3
- 4. Restricted © 2019 Mentor Graphics Corporation
Measured boot
Measured boot is a technique of securely calculating a log of all boot
components
Measured boot is typically thought as related to x86 platform only
However nothing stops us from employing the same technique for
embedded devices
TPM chip is a hardware component that assists Measured Boot process
D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,4
- 5. Restricted © 2019 Mentor Graphics Corporation
Measured Boot for embedded devices
D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,5
Boot time
Digest all boot
components
Optionally use calculated
boot state to unencrypt
next stage
Runtime
Digest selected set of files as
they are accessed
– E.g. digest all root-owned
executable files
– Or digest all root-owned files
– Or anything you can come
up with
Use digested information to
unlock encryption keys
Use digested information to
remotely verify device state
- 6. Restricted © 2019 Mentor Graphics Corporation
Measuring boot components
TPM provides at least 24 PCRs (platform configuration register) to store
boot log information
These registers are reset only at board reset time
The only way to change them is to Extend:
– PCR[i] = Hash ( PCR[i] || ExtendArgument )
The code to access TPM is less than 500 lines of code
Modify your bootloader to Extend PCRs with the digests of next boot image
D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,6
- 7. Restricted © 2019 Mentor Graphics Corporation
Measuring inside Linux
Linux provides IMA (Integrity Measurement Architecture) and EVM
(Extended Verification Module) subsystems
IMA maintains a runtime list of files measurements
– Policy controlled
– Can be anchored in TPM to provide aggregate integrity value
Steps to enable:
– Enable in kernel
– Mount filesystems with iversions option
– Provide a signed policy
– Load a policy at boot time
D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,7
- 8. Restricted © 2019 Mentor Graphics Corporation
Measuring inside Linux: protecting from
tampering
Linux EVM subsystem protects against filsystem tampering
It can use either HMAC or digital signature to verify security attributes:
– security.ima (IMA's stored “good” hash for the file)
– security.selinux (the selinux label/context on the file)
– security.SMACK64 (Smack's label on the file)
– security.capability (Capability's label on executables)
Steps to enable:
– Enable in kernel
– Load certificate or HMAC key
– Enable in securityfs
D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,8
- 9. Restricted © 2019 Mentor Graphics Corporation
Using measured state: local attestation
Use aggregated state to seal next state keys
– Seal EVM HMAC key with bootloader data
●
Attacker can not get HMAC key by tampering with
bootloaders
– Seal rootfs encryption key with bootloader and kernel
data
●
One can not access rootfs if any of boot components
are changed!
Your Initials, Presentation Title, Month Year9
- 10. Restricted © 2019 Mentor Graphics Corporation
Using measured state: remote attestation
Remote attestation is a method by which a host
authenticates it's hardware and software configuration to a
remote host (server)
Use TPM capability to cryptographically sign
measurements log and provide such log to remote server
Your Initials, Presentation Title, Month Year10
- 11. Restricted © 2019 Mentor Graphics Corporation
Deploying in embedded device
Patch your bootloader
Using MEL/Yocto/OE use one of 3 layers:
– meta-secure-core (complex solution)
– meta-measured (a bit outdated)
– meta-security (optimal after receiving all our patches)
Use initramfs to load IMA policy and EVM certificate
Your Initials, Presentation Title, Month Year11
- 12. Restricted © 2019 Mentor Graphics Corporation
Deploying in embedded device #2
Choose a solution for remote attestation
– OpenAttestation is an SDK for developing custom
complex solutions
– We recommend using strongSwan’s TNC (trusted
network connect) capability to maintain a DB of devices
– We ourselves ended up with a set of scripts to
provisioning keys, gathering data and verifying the log
Your Initials, Presentation Title, Month Year12
- 13. Restricted © 2019 Mentor Graphics Corporation
What can we do without TPM
TPM chips are cheap, but what if hardware is already
finalized?
Enable IMA/EVM!
– Verifying all executable files to be signed by you
– EPERM for all other binaries
Your Initials, Presentation Title, Month Year13