Agenda
o Standard Boot
o Secure Boot
o Trusted Boot
o Secure boot mechanism in 5G plugin unit (High-level)
o Secure boot Demonstration
o Enable and disable secure boot
o Installing your own certificates
o How firmware behavior changes when UEFI secure boot is enabled
Standard Boot
o In the standard boot process, when we turn on the HW it passes POST (Power On Self-Test) and the BIOS is
initialized. Then the hardware is initialized and its firmware is loaded into memory. After that the bootloader is
called. The problem is that the firmware, bootloader and other components loaded at this stage are not verified, so
an attacker who has access to our machine could tamper with these components and replace the bootloader with a
malicious one. This malware could be a rootkit or a bootkit, which are almost impossible to detect.
[Diagram: standard boot flow. CPU (POST) -> BIOS/UEFI firmware in SPI Flash (R/W - BOOT, RO - Linux), with a
Firmware Upgrade path into SPI Flash (RO) -> Boot Loader (GRUB/IPXE) -> Kernel + Initrd Linux + App.]
Secure Boot
o In Secure Boot, each step in the process checks a cryptographic signature on the executable of the next step
before it is launched. Thus, the BIOS will check a signature on the loader, and the loader will check signatures
on all the kernel objects that it loads. The objects in the chain are usually signed by the software manufacturer,
using private keys that match up with public keys already in the BIOS. If any of the software modules in the
boot chain have been hacked, the signatures won't match and the device won't boot the image.
o The BIOS contains a public key that is controlled by the equipment manufacturer. Any authorized change to the
BIOS must be signed with the corresponding private key.
o The BIOS itself is required to check the validity of the signature on a proposed update, using the public key
stored in a protected part of the BIOS flash.
[Diagram: secure boot flow. CPU -> BIOS/UEFI firmware in SPI Flash (R/W - BOOT, RO - Linux), with a Firmware
Upgrade path into SPI Flash (RO) -> Boot Loader (GRUB/IPXE) -> Kernel + Initrd Linux + App. A Signature is
checked at each step; the BIOS/UEFI firmware is labelled Core Root of Trust.]
o The Cryptocon tool will be used to sign BIOS capsules.
o The sbsign tool will be used to sign kernel/EFI application files.
Trust Boot
o Upon system power-up, the TPM goes through a set of initialization and self-test functions. It then passes
control to the CRTM, which starts the chain of measurement by measuring and passing control to the BIOS. Each
block in the chain then does the following:
- Measure the next block by computing the hash of its executable code
- Record (extend) this measurement into the TPM's PCR using the TPM command with the corresponding index
- Finally pass control to the next block
CRTM Block
o The CRTM is a piece of executable code that starts the measurement of the BIOS.
o It is located in read-only memory so that it cannot be tampered with in the field.
o This initial executable SW code and the device public key are together called the Core Root of Trust for
Measurement (CRTM).
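As an added example (not code from the slides), the measurement chain of the Trust Boot and CRTM slides modelled in Python: each block is hashed, the hash is extended into a PCR, control always passes on, and a remote verifier replays the event log against the quoted PCR and a golden value. Block names and their bytes are constructed placeholders.

```python
import hashlib

PCR_INIT = b"\x00" * 32  # a PCR starts as all zeros at power-up


def measure(block: bytes) -> bytes:
    """Measurement of the next block: the hash of its executable code."""
    return hashlib.sha256(block).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = H(old || measurement). It can only move forward."""
    return hashlib.sha256(pcr + measurement).digest()


def trusted_boot(chain):
    """Measure and extend each block, then 'pass control' to it.
    Boot never stops here: a modified block changes the PCR but still runs."""
    pcr = PCR_INIT
    event_log = []
    for name, code in chain:
        m = measure(code)
        pcr = pcr_extend(pcr, m)
        event_log.append((name, m.hex()))
    return pcr, event_log


def replay_log(event_log) -> bytes:
    """What a remote verifier does with the event log shipped beside a quote."""
    pcr = PCR_INIT
    for _, m_hex in event_log:
        pcr = pcr_extend(pcr, bytes.fromhex(m_hex))
    return pcr


def attest(quoted_pcr: bytes, event_log, golden_pcr: bytes) -> bool:
    """Accept only if the log reproduces the quoted PCR and it equals the golden value."""
    return replay_log(event_log) == quoted_pcr and quoted_pcr == golden_pcr


# Constructed sample boot chain (placeholder bytes standing in for real images)
GOOD_CHAIN = [("BIOS", b"bios-v1"), ("GRUB", b"grub-v1"), ("kernel", b"vmlinuz-v1")]
GOLDEN_PCR, _ = trusted_boot(GOOD_CHAIN)  # reference value recorded from a known-good boot
TAMPERED_CHAIN = [("BIOS", b"bios-v1"), ("GRUB", b"grub-modified"), ("kernel", b"vmlinuz-v1")]
```

The tampered chain still boots all three stages, but its PCR no longer matches the golden value, and an event log edited to hide the change no longer replays to the quoted PCR.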
Trusted Boot compared to Secure Boot
o Trusted Boot and Secure Boot have some qualities in common, and some differences:
Secure Boot                                            | Trusted Boot
-------------------------------------------------------|-------------------------------------------------------
Secure Boot verifies firmware components during boot   | Trusted Boot records measurements to the TPM for later
and stops the boot if verification fails.              | verification and continues the boot no matter what was
                                                       | measured.
Secure Boot performs verification using cryptographic  | Trusted Boot enables verification using TPM quotes and
signatures.                                            | Remote Attestation.
Proposed solution for Plugin Unit secure boot
Secure Boot related keys
o Platform Key (PK): The platform key establishes a trust relationship between the platform owner and the
platform firmware.
o Key Exchange Key (KEK): The key exchange keys establish a trust relationship between the operating system
and the platform firmware.
o Allowed Signature Database (db): whitelisted certificates
o Forbidden Signature Database (dbx): blacklisted certificates
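As an added example (not code from the slides), a Python model of the Secure Boot and key slides: how db and dbx decide whether the next stage may launch, how the boot halts at the first failed verification, and which key may update each variable. Image bytes, hash entries and key identifiers are constructed placeholders; real db entries may also be certificates, which this model omits.

```python
import hashlib


def image_hash(image: bytes) -> str:
    # db/dbx may hold SHA-256 hashes of EFI images; this model uses only that entry type.
    return hashlib.sha256(image).hexdigest()


def is_allowed(image: bytes, db: set, dbx: set) -> bool:
    """dbx is consulted first: a forbidden entry wins even if db also lists the image."""
    h = image_hash(image)
    if h in dbx:
        return False
    return h in db


def secure_boot(chain, db, dbx):
    """Launch stages in order and stop at the first one that fails verification.
    Returns (names of launched stages, outcome string)."""
    launched = []
    for name, image in chain:
        if not is_allowed(image, db, dbx):
            return launched, f"halted: {name} failed verification"
        launched.append(name)
    return launched, "booted"


def update_authorized(variable: str, signer: str, pk: str, kek: set) -> bool:
    """Who may write each variable: the PK signs PK and KEK updates;
    db and dbx updates must be signed by a KEK entry (or the PK)."""
    if variable in ("PK", "KEK"):
        return signer == pk
    if variable in ("db", "dbx"):
        return signer == pk or signer in kek
    raise ValueError(f"unknown variable {variable}")


# Constructed sample images and key ids (placeholders, not real binaries or keys)
GRUB_V1 = b"grub-v1"
GRUB_V2 = b"grub-v2-revoked"  # still listed in db, but later added to dbx
KERNEL_V1 = b"vmlinuz-v1"
DB = {image_hash(GRUB_V1), image_hash(GRUB_V2), image_hash(KERNEL_V1)}
DBX = {image_hash(GRUB_V2)}
PK = "pk-platform-owner"
KEK = {"kek-os-vendor"}

if __name__ == "__main__":
    print(secure_boot([("GRUB", GRUB_V1), ("kernel", KERNEL_V1)], DB, DBX))
    print(secure_boot([("GRUB", GRUB_V2), ("kernel", KERNEL_V1)], DB, DBX))
```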

Secure boot general