Secure boot general
•Download as PPTX, PDF•
1 like•556 views
The document discusses secure boot, trusted boot, and their differences. It provides an overview of standard boot processes, secure boot processes where each step is cryptographically signed, and trusted boot which records measurements to the TPM for later verification. It also proposes a solution for secure boot in 5G plugin units using platform keys, key exchange keys, and allowed/forbidden signature databases.
Report
Share
Report
Share
Recommended
LCU13: An Introduction to ARM Trusted Firmware
Resource: LCU13
Name: An Introduction to ARM Trusted Firmware
Date: 28-10-2013
Speaker: Andrew Thoelke
Video: http://www.youtube.com/watch?v=q32BEMMxmfw
Secure Your Encryption with HSM
Hardware Security Modules (HSMs) are widely use for cryptography key management in many areas such as PKI, card payment, trusted platform modules, etc. However they are rarely used in in-house software development.
This presentation will explain about why we need the key management and its fundamental, overview of HSM and how it take parts in key management, HSM selection criterias, and finally, an idea to make a web service wrapper easier to adopt by developers those lack of knowledge in cryptography programming.
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Session ID: SFO17-200
Session Name: - SFO17-200
Speaker:
Track:
★ Session Summary ★
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/sfo17/sfo17-200/
Presentation:
Video:
---------------------------------------------------
★ Event Details ★
Linaro Connect San Francisco 2017 (SFO17)
25-29 September 2017
Hyatt Regency San Francisco Airport
---------------------------------------------------
Keyword:
http://www.linaro.org
http://connect.linaro.org
---------------------------------------------------
Follow us on Social Media
https://www.facebook.com/LinaroOrg
https://twitter.com/linaroorg
https://www.youtube.com/user/linaroorg?sub_confirmation=1
https://www.linkedin.com/company/102696
Boot process: BIOS vs UEFI
BIOS and UEFI are types of firmware that control the boot process. BIOS uses the MBR partition table and boots by loading the MBR, then the partition bootsector. UEFI uses the GPT partition table and ESP partition, and its boot manager loads UEFI drivers and bootloaders. Secure Boot is an UEFI extension that verifies signatures of boot components for security.
Trusted firmware deep_dive_v1.0_
LCU13: Deep Dive into ARM Trusted Firmware
Resource: LCU13
Name: Deep Dive into ARM Trusted Firmware
Date: 31-10-2013
Speaker: Dan Handley / Charles Garcia-Tobin
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
Smart connected devices such as mobile phones, tablets and Digital TVs are required to handle data with strong security and confidentiality requirements. A “Trusted Execution Environment” (TEE) provides an environment for processing data securely, protected from normal platform applications. This talk is intended as an introduction to Trusted Execution, and the open-source Trusted Execution Environment OP-TEE in particular. It introduces the GlobalPlatform TEE Specifications, explains how Trusted Execution is implemented by ARM TrustZone and OP-TEE, and outlines how trusted boot software manages the secure boot of an ARM platform. Finally, it gives some pointers on how to get started with OP-TEE.
Trusted platform module copy
This document provides an overview of Trusted Platform Modules (TPM). It discusses the genesis of TPM, how TPM 1.2 evolved into TPM 2.0 with support for new cryptographic algorithms. It describes the different types of TPM implementations from discrete to software TPMs. The document also outlines some past attacks against TPMs including differential power analysis and extracting secrets. It provides a case study on reset attacks and concludes with the key industry players involved in developing TPM standards over time.
U-boot and Android Verified Boot 2.0
1) Verified boot is the process of assuring users of the integrity of software running on a device by reducing risks from malware and preventing rollbacks to vulnerable past versions. It uses hashing, public key cryptography, and tamper-evident storage.
2) Android Verified Boot 2.0 (AVB) is Google's recommended method for verified boot integration. It uses a signed VBMeta structure containing hashes, hashtrees and rollback indexes to verify the integrity of partitions before booting.
3) AVB supports features like A/B partitions, locked/unlocked device states, and delegates verification authority through chained partitions. It interacts with bootloaders, uses avbtool to generate signatures,
Recommended
LCU13: An Introduction to ARM Trusted Firmware
Resource: LCU13
Name: An Introduction to ARM Trusted Firmware
Date: 28-10-2013
Speaker: Andrew Thoelke
Video: http://www.youtube.com/watch?v=q32BEMMxmfw
Secure Your Encryption with HSM
Hardware Security Modules (HSMs) are widely use for cryptography key management in many areas such as PKI, card payment, trusted platform modules, etc. However they are rarely used in in-house software development.
This presentation will explain about why we need the key management and its fundamental, overview of HSM and how it take parts in key management, HSM selection criterias, and finally, an idea to make a web service wrapper easier to adopt by developers those lack of knowledge in cryptography programming.
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Session ID: SFO17-200
Session Name: - SFO17-200
Speaker:
Track:
★ Session Summary ★
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/sfo17/sfo17-200/
Presentation:
Video:
---------------------------------------------------
★ Event Details ★
Linaro Connect San Francisco 2017 (SFO17)
25-29 September 2017
Hyatt Regency San Francisco Airport
---------------------------------------------------
Keyword:
http://www.linaro.org
http://connect.linaro.org
---------------------------------------------------
Follow us on Social Media
https://www.facebook.com/LinaroOrg
https://twitter.com/linaroorg
https://www.youtube.com/user/linaroorg?sub_confirmation=1
https://www.linkedin.com/company/102696
Boot process: BIOS vs UEFI
BIOS and UEFI are types of firmware that control the boot process. BIOS uses the MBR partition table and boots by loading the MBR, then the partition bootsector. UEFI uses the GPT partition table and ESP partition, and its boot manager loads UEFI drivers and bootloaders. Secure Boot is an UEFI extension that verifies signatures of boot components for security.
Trusted firmware deep_dive_v1.0_
LCU13: Deep Dive into ARM Trusted Firmware
Resource: LCU13
Name: Deep Dive into ARM Trusted Firmware
Date: 31-10-2013
Speaker: Dan Handley / Charles Garcia-Tobin
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
Smart connected devices such as mobile phones, tablets and Digital TVs are required to handle data with strong security and confidentiality requirements. A “Trusted Execution Environment” (TEE) provides an environment for processing data securely, protected from normal platform applications. This talk is intended as an introduction to Trusted Execution, and the open-source Trusted Execution Environment OP-TEE in particular. It introduces the GlobalPlatform TEE Specifications, explains how Trusted Execution is implemented by ARM TrustZone and OP-TEE, and outlines how trusted boot software manages the secure boot of an ARM platform. Finally, it gives some pointers on how to get started with OP-TEE.
Trusted platform module copy
This document provides an overview of Trusted Platform Modules (TPM). It discusses the genesis of TPM, how TPM 1.2 evolved into TPM 2.0 with support for new cryptographic algorithms. It describes the different types of TPM implementations from discrete to software TPMs. The document also outlines some past attacks against TPMs including differential power analysis and extracting secrets. It provides a case study on reset attacks and concludes with the key industry players involved in developing TPM standards over time.
U-boot and Android Verified Boot 2.0
1) Verified boot is the process of assuring users of the integrity of software running on a device by reducing risks from malware and preventing rollbacks to vulnerable past versions. It uses hashing, public key cryptography, and tamper-evident storage.
2) Android Verified Boot 2.0 (AVB) is Google's recommended method for verified boot integration. It uses a signed VBMeta structure containing hashes, hashtrees and rollback indexes to verify the integrity of partitions before booting.
3) AVB supports features like A/B partitions, locked/unlocked device states, and delegates verification authority through chained partitions. It interacts with bootloaders, uses avbtool to generate signatures,
Introduction to Optee (26 may 2016)
This introduces the linaro OP-TEE project in the context of the Automotive Grade Linux distribution. This TEE is today considered as a potential key element to provides some security enforcement in the scope of Software OTA for the AGL distribution.
This brief slides set was presented during AGL Face to Face Technical Meeting 25 – 27 May, Vannes, France
Basics of boot-loader
A bootloader loads an operating system after hardware tests. It begins by initializing hardware and loading the BIOS. The BIOS then loads the master boot record from the disk, which loads secondary bootloaders. These load the operating system by accessing memory in both real and protected modes. The boot process involves loading kernel files and an initial ramdisk to start processes and mount the full filesystem.
IPSec Overview
This document provides an overview of Internet Protocol Security (IPSec) and compares it to Secure Sockets Layer (SSL). IPSec provides authentication and encryption of IP packets and can encrypt both IP headers and payload data, making it application independent. It uses the Encapsulating Security Payload (ESP) protocol to encrypt data. For two devices to communicate securely using IPSec, they must first use Internet Key Exchange (IKE) to securely exchange security associations (SAs) and a shared secret key. The SAs are then used to encrypt packets sent between the devices using ESP in either transport or tunnel mode.
Basics of ssl
This document provides an overview of Secure Sockets Layer (SSL) and Transport Layer Security (TLS). It discusses the evolution of SSL/TLS, the SSL/TLS handshake process, common attacks like man-in-the-middle attacks using tools like SSLStrip, recent attacks on SSL/TLS like BEAST and CRIME, and security guidelines for configuring SSL/TLS on servers.
U-Boot - An universal bootloader
The U-Boot is an "Universal Bootloader" ("Das U-Boot") is a monitor program that is under GPL. This production quality boot-loader is used as default boot loader by several board vendors. It is easily portable and easy to port and to debug by supporting PPC, ARM, MIPS, x86,m68k, NIOS, Microblaze architectures. Here is a presentation that introduces U-Boot.
Embedded Linux Basics
Slides of a course that is given to teach embedded linux to engineers. The full course is 2-days; this is the first time a 'light' version was given lasting a single day.
Focus is on
. What is Linux
. How do I compile
. How do I flash
USB Drivers
The document discusses USB drivers and provides an overview of USB host and gadget subsystems in Linux. It describes USB host and gadget device driver types, registration processes, data structures used, and key functions for interacting with USB controllers, the USB core, and endpoints. The document outlines views of the USB host and gadget subsystems and how drivers interface with lower-level USB controller drivers and higher-level user applications through the USB core.
Linux booting Process
The document summarizes the 6 main steps of the Linux booting process:
1) BIOS performs initial checks and loads the master boot record (MBR) from the hard drive.
2) The MBR loads the GRUB boot loader.
3) GRUB loads and executes the Linux kernel and initrd images.
4) The kernel initializes hardware and mounts the initrd, then loads modules and root partition.
5) The init process reads /etc/inittab to determine the default runlevel and loads appropriate programs.
6) Runlevel programs like sendmail start based on the runlevel and sequence numbers in their names.
What is SSL ? The Secure Sockets Layer (SSL) Protocol
SSL is a protocol that allows clients and servers to securely communicate over the internet. It uses public-key encryption to authenticate servers, optionally authenticate clients, and establish an encrypted connection to securely transmit data. The SSL handshake allows the client and server to negotiate encryption parameters to generate shared secrets and session keys, which are then used to encrypt all further communication during the SSL session. Common implementations of SSL include OpenSSL and Apache-SSL.
Linux-Internals-and-Networking
This document provides an overview of Linux internals and networking concepts covered in 3 sentences or less:
It introduces Linux internals topics like processes, memory management, and virtual file systems. It also discusses networking concepts and provides a brief history of operating systems development. The document contains various sections on Linux components, kernel subsystems, virtual file systems, and transitioning to systems programming.
MR201406 A Re-introduction to SELinux
• Each SELinux access control model is simple, but actually
access control is more complex
• Red Hat puts a lot of effort into SELinux, policy and utils for
SELinux usability
– Enlarging default policy modules
– Encouraging Policy module system
– Analyzing and generating policies from access violation log
LCU14 302- How to port OP-TEE to another platform
This document describes how to port the open source Trusted Execution Environment (OP-TEE) to a new platform. It involves cloning the existing platform code, modifying compiler and linker options, configuring platform-specific settings, updating memory mappings, and initializing platform-specific components. The document provides details on each of these porting steps and recommends OP-TEE documentation resources.
LCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted Firmware
---------------------------------------------------
Speaker: Andrew Thoelke
Date: September 19, 2014
---------------------------------------------------
★ Resources ★
Zerista: http://lcu14.zerista.com/event/member/137787
Google Event: https://plus.google.com/u/0/events/c6cbh0rr2488ls6bkogvi4ggcic
Video: https://www.youtube.com/watch?v=je0_-yYgKdc&list=UUIVqQKxCyQLJS6xvSmfndLA
Etherpad: http://pad.linaro.org/p/lcu14-500
---------------------------------------------------
★ Event Details ★
Linaro Connect USA - #LCU14
September 15-19th, 2014
Hyatt Regency San Francisco Airport
---------------------------------------------------
http://www.linaro.org
http://connect.linaro.org
PEW PEW PEW: Designing Secure Boot Securely
Secure boot is under constant attack on embedded devices used across industries. Secure boot is essential for secure embedded devices as it prevents malicious actors from obtaining persistent runtime control. In this presentation, we present our vision on secure boot design and what it takes to make it secure.
Q4.11: Introduction to eMMC
The document introduces Samsung's eMMC memory technology. It summarizes the key features and enhancements of eMMC versions 4.4, 4.41, and 4.5, including improved performance, security, and reliability. Some notable additions in eMMC 4.5 are higher data transfer rates up to 200MHz SDR mode, packed commands to boost I/O performance, cache functionality to reduce write latency, and sanitize feature to securely purge all unused data at once. Sample availability timelines for eMMC 4.5 chips with and without 200MHz support are also provided.
Practical Trusted Platform Module (TPM2) Programming
This document summarizes information from a presentation on practical Trusted Platform Module (TPM) programming. It discusses TPM hierarchies, keys, and the problems TPMs help solve such as secure device identification, key generation and storage, device health attestation, and algorithm agility. It provides examples from the resource "A Practical Guide to TPM 2.0" and the TPM simulator tool "tpm2_tools".
Basic Linux Internals
The document provides an introduction to Linux and device drivers. It discusses Linux directory structure, kernel components, kernel modules, character drivers, and registering drivers. Key topics include dynamically loading modules, major and minor numbers, private data, and communicating with hardware via I/O ports and memory mapping.
OPTEE on QEMU - Build Tutorial
This tutorial presents the steps to run OPTEE on QEMU. The steps were extracted from the github page (https://github.com/OP-TEE/build).
Secure Shell(ssh)
Secure Shell (SSH) is a protocol for secure network communication that provides encrypted transmission and authentication between devices. It was created as a secure replacement for insecure remote login protocols like Telnet. SSH operates using three main protocols - the transport layer protocol provides host authentication and encrypted data transmission. The user authentication protocol authenticates users through methods like passwords or public keys. The connection protocol runs on top of the encrypted transport layer and allows for multiplexed channels for remote sessions, file transfers, and other network functions through features like port forwarding.
Embedded Linux Kernel - Build your custom kernel
Build your own Embedded Linux Kernel by understanding it source code organization, compilation ecosystem and compiling it for a custom target.
Case study on chrome os in detail.History, architecture,process
The document describes the architecture and design of the Chrome OS firmware. It discusses how the firmware is implemented to achieve fast and secure booting. The firmware removes unnecessary components to speed up booting and implements system recovery, verified boot, and fast boot functionality. It also details the key structures and data flows in the firmware, including the firmware map, boot process, and how verification extends from the kernel upward through each stage of booting.
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
This document discusses Secure Boot and its implementation for Linux distributions. It begins by introducing UEFI firmware and Secure Boot, which verifies that only signed operating systems load. It then outlines the solution used by SUSE, which involves expanding the shim loader to give users freedom and flexibility by supporting enrollment of user-generated keys. The document concludes by detailing the various components like the kernel, bootloaders, build systems, and user tools that would need to be adapted to fully implement Secure Boot support for a Linux distribution.
More Related Content
What's hot
Introduction to Optee (26 may 2016)
This introduces the linaro OP-TEE project in the context of the Automotive Grade Linux distribution. This TEE is today considered as a potential key element to provides some security enforcement in the scope of Software OTA for the AGL distribution.
This brief slides set was presented during AGL Face to Face Technical Meeting 25 – 27 May, Vannes, France
Basics of boot-loader
A bootloader loads an operating system after hardware tests. It begins by initializing hardware and loading the BIOS. The BIOS then loads the master boot record from the disk, which loads secondary bootloaders. These load the operating system by accessing memory in both real and protected modes. The boot process involves loading kernel files and an initial ramdisk to start processes and mount the full filesystem.
IPSec Overview
This document provides an overview of Internet Protocol Security (IPSec) and compares it to Secure Sockets Layer (SSL). IPSec provides authentication and encryption of IP packets and can encrypt both IP headers and payload data, making it application independent. It uses the Encapsulating Security Payload (ESP) protocol to encrypt data. For two devices to communicate securely using IPSec, they must first use Internet Key Exchange (IKE) to securely exchange security associations (SAs) and a shared secret key. The SAs are then used to encrypt packets sent between the devices using ESP in either transport or tunnel mode.
Basics of ssl
This document provides an overview of Secure Sockets Layer (SSL) and Transport Layer Security (TLS). It discusses the evolution of SSL/TLS, the SSL/TLS handshake process, common attacks like man-in-the-middle attacks using tools like SSLStrip, recent attacks on SSL/TLS like BEAST and CRIME, and security guidelines for configuring SSL/TLS on servers.
U-Boot - An universal bootloader
The U-Boot is an "Universal Bootloader" ("Das U-Boot") is a monitor program that is under GPL. This production quality boot-loader is used as default boot loader by several board vendors. It is easily portable and easy to port and to debug by supporting PPC, ARM, MIPS, x86,m68k, NIOS, Microblaze architectures. Here is a presentation that introduces U-Boot.
Embedded Linux Basics
Slides of a course that is given to teach embedded linux to engineers. The full course is 2-days; this is the first time a 'light' version was given lasting a single day.
Focus is on
. What is Linux
. How do I compile
. How do I flash
USB Drivers
The document discusses USB drivers and provides an overview of USB host and gadget subsystems in Linux. It describes USB host and gadget device driver types, registration processes, data structures used, and key functions for interacting with USB controllers, the USB core, and endpoints. The document outlines views of the USB host and gadget subsystems and how drivers interface with lower-level USB controller drivers and higher-level user applications through the USB core.
Linux booting Process
The document summarizes the 6 main steps of the Linux booting process:
1) BIOS performs initial checks and loads the master boot record (MBR) from the hard drive.
2) The MBR loads the GRUB boot loader.
3) GRUB loads and executes the Linux kernel and initrd images.
4) The kernel initializes hardware and mounts the initrd, then loads modules and root partition.
5) The init process reads /etc/inittab to determine the default runlevel and loads appropriate programs.
6) Runlevel programs like sendmail start based on the runlevel and sequence numbers in their names.
What is SSL ? The Secure Sockets Layer (SSL) Protocol
SSL is a protocol that allows clients and servers to securely communicate over the internet. It uses public-key encryption to authenticate servers, optionally authenticate clients, and establish an encrypted connection to securely transmit data. The SSL handshake allows the client and server to negotiate encryption parameters to generate shared secrets and session keys, which are then used to encrypt all further communication during the SSL session. Common implementations of SSL include OpenSSL and Apache-SSL.
Linux-Internals-and-Networking
This document provides an overview of Linux internals and networking concepts covered in 3 sentences or less:
It introduces Linux internals topics like processes, memory management, and virtual file systems. It also discusses networking concepts and provides a brief history of operating systems development. The document contains various sections on Linux components, kernel subsystems, virtual file systems, and transitioning to systems programming.
MR201406 A Re-introduction to SELinux
• Each SELinux access control model is simple, but actually
access control is more complex
• Red Hat puts a lot of effort into SELinux, policy and utils for
SELinux usability
– Enlarging default policy modules
– Encouraging Policy module system
– Analyzing and generating policies from access violation log
LCU14 302- How to port OP-TEE to another platform
This document describes how to port the open source Trusted Execution Environment (OP-TEE) to a new platform. It involves cloning the existing platform code, modifying compiler and linker options, configuring platform-specific settings, updating memory mappings, and initializing platform-specific components. The document provides details on each of these porting steps and recommends OP-TEE documentation resources.
LCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted Firmware
---------------------------------------------------
Speaker: Andrew Thoelke
Date: September 19, 2014
---------------------------------------------------
★ Resources ★
Zerista: http://lcu14.zerista.com/event/member/137787
Google Event: https://plus.google.com/u/0/events/c6cbh0rr2488ls6bkogvi4ggcic
Video: https://www.youtube.com/watch?v=je0_-yYgKdc&list=UUIVqQKxCyQLJS6xvSmfndLA
Etherpad: http://pad.linaro.org/p/lcu14-500
---------------------------------------------------
★ Event Details ★
Linaro Connect USA - #LCU14
September 15-19th, 2014
Hyatt Regency San Francisco Airport
---------------------------------------------------
http://www.linaro.org
http://connect.linaro.org
PEW PEW PEW: Designing Secure Boot Securely
Secure boot is under constant attack on embedded devices used across industries. Secure boot is essential for secure embedded devices as it prevents malicious actors from obtaining persistent runtime control. In this presentation, we present our vision on secure boot design and what it takes to make it secure.
Q4.11: Introduction to eMMC
The document introduces Samsung's eMMC memory technology. It summarizes the key features and enhancements of eMMC versions 4.4, 4.41, and 4.5, including improved performance, security, and reliability. Some notable additions in eMMC 4.5 are higher data transfer rates up to 200MHz SDR mode, packed commands to boost I/O performance, cache functionality to reduce write latency, and sanitize feature to securely purge all unused data at once. Sample availability timelines for eMMC 4.5 chips with and without 200MHz support are also provided.
Practical Trusted Platform Module (TPM2) Programming
This document summarizes information from a presentation on practical Trusted Platform Module (TPM) programming. It discusses TPM hierarchies, keys, and the problems TPMs help solve such as secure device identification, key generation and storage, device health attestation, and algorithm agility. It provides examples from the resource "A Practical Guide to TPM 2.0" and the TPM simulator tool "tpm2_tools".
Basic Linux Internals
The document provides an introduction to Linux and device drivers. It discusses Linux directory structure, kernel components, kernel modules, character drivers, and registering drivers. Key topics include dynamically loading modules, major and minor numbers, private data, and communicating with hardware via I/O ports and memory mapping.
OPTEE on QEMU - Build Tutorial
This tutorial presents the steps to run OPTEE on QEMU. The steps were extracted from the github page (https://github.com/OP-TEE/build).
Secure Shell(ssh)
Secure Shell (SSH) is a protocol for secure network communication that provides encrypted transmission and authentication between devices. It was created as a secure replacement for insecure remote login protocols like Telnet. SSH operates using three main protocols - the transport layer protocol provides host authentication and encrypted data transmission. The user authentication protocol authenticates users through methods like passwords or public keys. The connection protocol runs on top of the encrypted transport layer and allows for multiplexed channels for remote sessions, file transfers, and other network functions through features like port forwarding.
Embedded Linux Kernel - Build your custom kernel
Build your own Embedded Linux Kernel by understanding it source code organization, compilation ecosystem and compiling it for a custom target.
What's hot (20)
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
Practical Trusted Platform Module (TPM2) Programming
Practical Trusted Platform Module (TPM2) Programming
Similar to Secure boot general
Case study on chrome os in detail.History, architecture,process
The document describes the architecture and design of the Chrome OS firmware. It discusses how the firmware is implemented to achieve fast and secure booting. The firmware removes unnecessary components to speed up booting and implements system recovery, verified boot, and fast boot functionality. It also details the key structures and data flows in the firmware, including the firmware map, boot process, and how verification extends from the kernel upward through each stage of booting.
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
This document discusses Secure Boot and its implementation for Linux distributions. It begins by introducing UEFI firmware and Secure Boot, which verifies that only signed operating systems load. It then outlines the solution used by SUSE, which involves expanding the shim loader to give users freedom and flexibility by supporting enrollment of user-generated keys. The document concludes by detailing the various components like the kernel, bootloaders, build systems, and user tools that would need to be adapted to fully implement Secure Boot support for a Linux distribution.
UEFI Firmware Rootkits: Myths and Reality
Earlier this month, we teased a proof of concept for UEFI ransomware which was presented at RSA Conference 2017. The HackingTeam, Snowden, Shadow Brokers, and Vault7 leaks have revealed that UEFI/BIOS implants aren't just a theoretical concept but have actually been weaponized by nation states to conduct cyber espionage. Physical access requirements are a thing of the past, these low level implants can be installed remotely by exploiting vulnerabilities in the underlying UEFI system.
Today at BlackHat Asia 2017, we are disclosing two vulnerabilities in two different models of the GIGABYTE BRIX platform:
GB-BSi7H-6500 – firmware version: vF6 (2016/05/18)
GB-BXi7-5775 – firmware version: vF2 (2016/07/19)
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
The EFI secure boot is a protocol to verify authenticity of loaded and executed PE binary. Usually it is a second stage bootloader, e.g. GRUB2, or an OS kernel. The shim is an extension to the EFI secure boot which makes whole authentication process more flexible. The presentation will deal with the most important aspects of EFI secure boot and shim. Additionally, it will discuss how Xen hypervisor boot process can be protected with EFI secure boot and shim. However, this does not mean that everything is done and work out of the box. So, in the end it will be shown what is done to make EFI secure boot and shim usable when you boot Xen using GRUB2.
BOOTING.ppt
The document discusses the booting and shutting down process of an operating system. It describes the stages of booting as:
1) The CPU passes control to the BIOS after powering on, and the BIOS runs POST checks and selects the first boot device.
2) The BIOS loads the MBR of the boot device, which contains boot loader code and partition table information.
3) The boot loader loads the user-selected kernel into memory and passes control to it to start the operating system.
Ht w25
This document discusses firmware threats and solutions. It begins with a presentation on firmware threats, implications, and UEFI Secure Boot. It then discusses how UEFI Secure Boot and Windows 8 Trusted Boot work to secure the boot process. Finally, it covers secure firmware updates and concludes that securing firmware is foundational to system security.
File000124
The document discusses the boot processes of Windows, Linux, and Macintosh operating systems. It provides terminology related to booting and describes the basic system boot process. It then details the boot sequence of Windows XP, including the roles of the BIOS, MBR, boot sector, and NTLDR. It also summarizes the boot processes of Linux and Macintosh.
bios.docx
The BIOS is the program that runs when a computer is powered on. It performs hardware checks and initializes devices. It then attempts to locate bootable software on storage devices like hard disks or USB drives in order of boot priority set in the BIOS. If a bootable device is found, the BIOS loads and executes the boot software which takes over the boot process. The BIOS can be customized through a setup utility to configure hardware settings and set passwords and boot priorities.
Bootkits: past, present & future
This document discusses the history and evolution of bootkits from legacy BIOS to UEFI environments. It describes various bootkit techniques used in BIOS and UEFI, including MBR/VBR modification, hidden file systems, and replacing bootloaders. It also covers attacks against secure boot and forensic tools for analyzing firmware like HiddenFsReader and CHIPSEC.
COC. 1 COMPUTER SYSTEM SPECIFICATIONS-BIOS.pptx
Computer system specifications describe the key components that determine a computer's performance, including the processor, RAM, graphics system, and hard drive. The processor speed and architecture, amount of RAM, graphics card capabilities, and hard drive speed and capacity all impact how well a computer can perform. The BIOS or UEFI firmware installed on the motherboard initializes these hardware components and allows the operating system to boot. Updating the BIOS/UEFI firmware can provide improvements and support for newer hardware.
Modern Personal ComputerBoot up ProcessThe boot up process i.docx
Modern Personal Computer
Boot up Process
The boot up process is necessary for Windows as the hardware does not know where the Operating system is stored. There has to be a simple yet powerful program which loads the kernel in the main memory and executes it. This program in Windows is known as the Bootstrap Loader.
The Windows boot up process comprises of the following procedures:
· The Power-On Self-Test Phase:
Firstly a self-test is performed by the power supply to ensure that the volume and current levels are correct before the Power Good signal is sent to the processor. As soon as this stage is cleared, the microprocessor triggers the BIOS to perform a series of operations.
· BIOS ROM Phase:
BIOS first carry out the P.O.S.T that performs and verifies all initial hardware checks. After this, the hardware' firmware will individually carry out its own diagnostic test such as S.M.A.R.T.
The system will now attempt to determine the sequence of devices to load based on the settings stored in the BIOS to start the operating system. It will start by reading from the first boot up device which usually is the Floppy disk. If the floppy drive does not contain a diskette, it bypasses the first boot up device and detects the second device, which is usually the hard disk. It'll then start by reading the boot code instructions located in the master boot record and copies all execution into the memory when the instructions are validated and no errors are found.
· Boot Loader Phase
Control is then passed on to the partition loader code which accesses the partition table to identify the primary partition, extended partitions and active partition which is needed to determine the file system and locate the operating system loader file which will call upon the boot.ini file which is located at the root directory to determine the location and entries of the operating system boot partition. At this point in time, the boot up menu is displayed on the screen to allow you to select an operating system to start.
NTLDR will pass all information from the Windows registry and Boot.ini file into the next phase.
· Operating System Configuration Phase
Next step is to load the kernel, hardware abstraction layer and registry information.
After this is completed, the control is passed over to the DOS based program which collects and configures all installed hardware devices such as the video adapters and communication ports.
It searches for hardware profiles information and load the essential software drivers to control the hardware devices.
· Security & Logon Phase
Lastly, Ntoskrnl.exe will start up Winlogon.exe which triggers the Lsass.exe or Local Security Administration which is the logon dialog interface that prompts you to select your user profile and verifies your necessary credentials before you are transferred to the Windows desktop.
Scheduling Strategies:
· Windows has 6 process classes with 7 priorities within each class
· Process Classes included:
1. Idle
2. ...
LCA14: LCA14-105: UEFI secure boot
Resource: LCA14
Name: LCA14-105: UEFI secure boot
Date: 03-03-2014
Speaker: Ard Biesheuvel
Video: https://www.youtube.com/watch?v=09nb3Fiobw0
Share Harsh-Deliwala-92200938143-1DC3.pptx
The BIOS is boot firmware that initializes hardware and allows an operating system to load. It identifies devices like the hard drive and sets the hardware state. The BIOS acts as an interface between the OS and hardware. It comes preinstalled on the motherboard ROM chip and performs a power-on self-test of components. It has setup options to configure settings like date/time and boot order that are stored in CMOS memory powered by a battery.
The People Terminating Unit
This document proposes securing identity and transactions on the internet through a dedicated "People Terminating Unit" (PTU). The PTU would utilize hardware security features like a Trusted Platform Module (TPM) and secure boot to prevent tampering. It would generate and store cryptographic keys, register users to public ledgers, and support digital signatures with an attached FIDO security token for identity attestation. The goal is to create a locked-down device for secure identity and transactions without relying on the security of general purpose computers, mobile devices, or networks.
BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story
BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One StoryBlueHat Security Conference
Tony Chen
Every game console since the first Atari was more or less designed to prevent the piracy of games and yet every single game console has been successfully modified to enable piracy. However, this trend has come to an end. Both the Xbox One and the PS4 have now been on the market for close to 6 years, without hackers being able to crack the system to enable piracy or cheating. This is the first time in history that game consoles have lasted this long without being cracked. In this talk, we will discuss how we achieved this for the Xbox One. We will first describe the Xbox security design goals and why it needs to guard against physical attacks, followed by descriptions of the hardware and software architecture to keep the Xbox secure. This includes details about the custom SoC we built with AMD and how we addressed the fact that all data read from flash, the hard drive, and even DRAM cannot be trusted. We will also discuss the corresponding software changes needed with the custom hardware to keep the system and the games secure against physical attacks.Booting
The document provides information about booting of a computer system. It discusses that booting is required because the hardware does not know where the operating system resides or how to load it. A bootstrap loader, such as BIOS, is needed to locate the kernel and load it into memory.
The boot process begins with a reset event that loads instructions into the instruction register from a predefined memory location containing a jump to the bootstrap program stored in ROM. The bootstrap program then runs diagnostics, loads device drivers and initializes memory before locating and loading the operating system kernel to start the system startup process.
BIOS and Secure Boot Attacks Uncovered
This document summarizes several attacks against platform firmware and secure boot. It describes attacks that modify the platform key in NVRAM to disable secure boot, modify the image verification policies to bypass signature checks, exploit confusion between PE and TE file formats to skip signature verification, and corrupt the "Setup" UEFI variable to potentially brick the system. The attacks demonstrate vulnerabilities in how some firmware implementations store and handle sensitive secure boot configuration data in non-volatile variables.
Mikrotik
This document provides frequently asked questions about MikroTik RouterOS. It addresses questions about what RouterOS is, how to install and license it, how to configure features like networking, bandwidth management, wireless connectivity, and BGP routing. The document provides concise answers and instructions for tasks like upgrading RouterOS, recovering lost passwords, and troubleshooting common issues.
CSS-PPT-W1-D1.pdf
The document provides instructions on installing and configuring a computer system. It discusses installing various input/output devices like the keyboard, mouse, monitor, webcam, printer and installing drivers. It also covers creating bootable devices, configuring the BIOS, installing operating systems like Windows, formatting storage devices with different file systems, installing software applications and testing procedures.
TC and TPM.ppt
This document discusses the Trusted Platform Module (TPM) and how it can be used to establish trust in computing platforms. The TPM is a chip that is included in many laptops and PCs to securely store keys, passwords, and digital certificates and to authenticate hardware. It helps address challenges in bootstrapping trust through features like cryptographically signing software components during the boot process and platform configuration registers that record system states. Examples of how TPM is used include trusted boot, disk encryption via BitLocker, and remote attestation of a system's software state.
Similar to Secure boot general (20)
Case study on chrome os in detail.History, architecture,process
Case study on chrome os in detail.History, architecture,process
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
Modern Personal ComputerBoot up ProcessThe boot up process i.docx
Modern Personal ComputerBoot up ProcessThe boot up process i.docx
BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story
BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story
Recently uploaded
5th LF Energy Power Grid Model Meet-up Slides
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays, June 2024 with Maria Copot 20
HCL Notes and Domino License Cost Reduction in the World of DLAU
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Main news related to the CCS TSI 2023 (2023/1695)
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
GNSS spoofing via SDR (Criptored Talks 2024)
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Introduction of Cybersecurity with OSS at Code Europe 2024
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Dandelion Hashtable: beyond billion requests per second on a commodity server
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
Presentation of the OECD Artificial Intelligence Review of Germany
Consult the full report at https://www.oecd.org/digital/oecd-artificial-intelligence-review-of-germany-609808d6-en.htm
Digital Marketing Trends in 2024 | Guide for Staying Ahead
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
AWS Cloud Cost Optimization Presentation.pptx
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
Building Production Ready Search Pipelines with Spark and Milvus
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
JavaLand 2024: Application Development Green Masterplan
My presentation slides I used at JavaLand 2024
Recently uploaded (20)
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Secure boot general
- 1. o Standard Boot o Secure Boot o Trusted Boot o Secure boot mechanism in 5G plugin unit (High-level) o Secure boot Demonstration o Enable and disable secure boot o Installing your own certificates o How firmware behavior changes when UEFI secure boot is enabled Agenda
- 2. o In standard boot process when we turn on HW, it passes POST (Power On Self-Test) and BIOS is initialized. Then the hardware is initialized and its firmware is loaded to the memory. After that the bootloader is called. The problem is that firmware, bootloader and other components loaded at this stage are not verified. So attacker which has access to our machine could temper with these components and replace bootloader with malicious one. This malware could be a rootkit or a bootkit which are almost impossible to detect. Standard Boot BIOS/UEFI Firmware Upgrade SPI Flash (R/W - BOOT, RO - Linux) SPI Flash (RO) Firmware Upgrade Boot Loader GRUB/IPXE CPU (POST) Kernel + Initrd Linux + App
- 3. o In a Secure Boot, each step in the process checks a cryptographic signature on the executable of the next step before it’s launched. Thus, the BIOS will check a signature on the loader, and the loader will check signatures on all the kernel objects that it loads. The objects in the chain are usually signed by the software manufacturer, using private keys that match up with public keys already in the BIOS. If any of the software modules in the boot chain have been hacked, then the signatures won’t match, and the device won’t boot the image. o The BIOS contains a public key that’s controlled by the equipment manufacturer. Any authorized change to the BIOS must be signed with the corresponding private key o The BIOS itself is required to check the validity of the signature on a proposed update, using the public key stored in a protected part of the BIOS flash. Secure Boot BIOS/UEFI Firmware Upgrade SPI Flash (R/W - BOOT, RO - Linux) SPI Flash (RO) Boot Loader GRUB/IPXE CPU Kernel + Initrd Linux + App SignatureSignature Signature Signature o Cryptocon tool will be used to sign BIOS capsules. o Sbsign tool will be used to sign Kernel/EFI application files. Core Root of Trust
- 4. o Upon system power-up, the TPM goes through a set of initialization and self-test functions. It then passes control to the CRTM which starts the chain of measurement by measuring and passing control to the BIOS - Measure next block by computing the hash of the executable code of next block - Compare this measurement into the TPM's PCR by using the TPM command with corresponding index - Finally pass control to next block Trust Boot
- 5. o The CRTM is a piece of executable code starting the measurement of BIOS o It is located in read only memory so that it cannot be tampered in the field. o This initial executable SW code and the device public key are further called Core Root of Trust for Measurement (CRTM). CRTM Block
- 6. o Trusted Boot and Secure Boot have some qualities in common, and some differences: Trusted Boot compared to Secure Boot Secure Boot Trusted Boot Secure Boot verifies firmware components during boot and stops the boot if verification fails. Trusted Boot records measurements to the TPM for later verification and continues the boot no matter what was measured. Secure Boot performs verification using cryptographic signatures. Trusted Boot enables verification using TPM quotes and Remote Attestation.
- 7. Proposed solution for Plugin Unit secure boot
- 8. o Platform Key (PK) : The platform key establishes a trust relationship between the platform owner and the platform firmware. o Key Exchange Key (KEK) : The Key exchange keys establish a trust relationship between the operating system and the platform firmware o Allowed Signature database (db) : White listed certificates o Forbidden Signature Database (dbx) : Black listed certificates Secure Boot related keys