UEFI Secure Boot and DRI. Kalyan Kumar N

Similar documents
SSN Lab Assignment: UEFI Secure Boot

Embedded Base Boot Requirements. Dong Wei

Surviving in the wilderness integrity protection and system update. Patrick Ohly, Intel Open Source Technology Center Preliminary version

Secure Boot from A to Z

Implementing Secure Boot: A Refresher on Key & Database Configuration

EMBEDDED LINUX ON ARM9 Weekend Workshop

Using Linux as a Secure Boot Loader for OpenPOWER Servers

Android Bootloader and Verified Boot

Yocto Project and OpenEmbedded training 3-day session

Using the UEFI Shell. October 2010 UEFI Taipei Plugfest Insyde Software

The ultimate guide to software updates on embedded Linux devices

ARM Server s Firmware Security

Attacking and Defending the Platform

Windows 8 BIOS Boot settings

Hands-on with the Sitara Linux SDK

ECE 471 Embedded Systems Lecture 16

EFI Secure Boot, shim and Xen Current Status and Developments

UEFI Porting Update for ARM Platforms

CIS 4360 Secure Computer Systems Secured System Boot

IoT devices: secure boot and sw maintenance. Open IoT Summit Igor Stoppa

Zephyr Kernel Installation & Setup Manual

Dynamic secure firmware configuration. Dan Handley (Arm)

Open Source Facebook. David Hendricks: Firmware Engineer Andrea Barberio: Production Engineer

Manufacturing Tools in the UEFI Secure Boot Environment

Birds of a Feather Session - OSS Vancouver Eystein Stenberg, Mender.io

Introducing Poplar: First 96Boards TV Platform. Mark Gregotski, Director LHG Hermit Wang, SW Architect, Digital Media IC & Solutions HiSilicon

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

Lab2 - Bootloader. Conventions. Department of Computer Science and Information Engineering National Taiwan University

Big and Bright - Security

Security in NVMe Enterprise SSDs

ECE 471 Embedded Systems Lecture 16

How we added software updates to AGL

PL-I Assignment Broup B-Ass 5 BIOS & UEFI

Use of Mojo PowerPoint Template. Your name, Title

Linux+ Guide to Linux Certification, Third Edition. Chapter 2 Linux Installation and Usage

OP-TEE Using TrustZone to Protect Our Own Secrets

Zefeer Embedded Linux Kit

ARM Trusted Firmware From Embedded to Enterprise. Dan Handley

Rootfs made easy with Buildroot

PreBoot Provisioning Solutions with UEFI

Implementing Full Device Cloning on the NVIDIA Jetson Platform

Take Control of your PC with UEFI Secure Boot

IPL+UBI: Flexible and Reliable with Linux as the Bootloader

Strengthening the Chain of Trust. Kevin Lane HP Jeff Bobzin Insyde Software

Grub Manual Install Ubuntu Without >>>CLICK HERE<<<

Deploying Secure Boot: Key Creation and Management

OVERDRIVE Quick Start Guide. v.1.0

CompTIA Linux+ Guide to Linux Certification Fourth Edition. Chapter 2 Linux Installation and Usage

Developing Environment for Intel Mainstone Board

Defeating Invisible Enemies: Firmware Based Security in OpenPOWER Systems. Linux Security Summit George Wilson IBM Linux Technology Center

ECE 471 Embedded Systems Lecture 12

Impact of platform firmware on Linux kernel. Megha Dey, Sai Praneeth Prakhya Intel Open Source Technology Center

The Early System Start-Up Process. Group Presentation by: Tianyuan Liu, Caiwei He, Krishna Parasuram Srinivasan, Wenbin Xu

Software Updates for Connected Devices

Impact of platform firmware on Linux kernel. Megha Dey, Sai Praneeth Prakhya Intel Open Source Technology Center

Reliability, Availability, and Serviceability (RAS) on AArch64. Fu Wei (Linaro LEG) Supreeth Venkatesh (ARM)

Linux. For BCT RE2G2. User Guide. Document Reference: BCTRE2G2 Linux User Guide. Document Issue: Associated SDK release: 1.

S3C6410-TFAUbuntu Easy Guide

D1Y - Embedded Linux with Yocto

DUAL OS INSTALLATION

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

Advanced x86: BIOS and System Management Mode Internals UEFI SecureBoot. Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Advanced Operating Systems and Virtualization. Alessandro Pellegrini A.Y. 2017/2018

96Boards Enablement for opensuse

ARM Trusted Firmware Evolution HKG15 February Andrew Thoelke Systems & Software, ARM

Booting Linux Fast & Fancy. Embedded Linux Conference Europe Cambridge, Robert Schwebel

VIGIL Server Recovery User Guide

The Ultimate Windows 10 Hardening Guide: What to Do to Make Hackers Pick Someone Else

FDE itc: Encryption Engine (EE) cpp Functional and Assurance Requirements

Update Remotely IoT Devices using Eclipse hawkbit and SWUpdate. Nicola La Gloria

RAUC Documentation. Release v0.4. Jan Luebbe, Enrico Joerns, Juergen Borleis

BIOS Setup. User s Guide. (For Skylake-W Platform) Rev.1.1

ovirt Node November 1, 2011 Mike Burns Alan Pevec Perry Myers ovirt Node 1

Protecting your system from the scum of the universe

Mohan J. Kumar Intel Fellow Intel Corporation

A Study of User Data Integrity During Acquisition of Android Devices

UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies

Command Line Parameters Linux Copy Files From Usb

CHAPTER 7. Astlinux and Asterisk Installation on Embedded System

Welcome to Rootkit Country

Intel Firmware Engine

Cisco CIMC Firmware Update Utility User Guide

Oxalis Getting Started

Certification. System Initialization and Services

Secure storage in OP-TEE. Jens Wiklander

Introduction to IOS-XR 6.0. Joachim Jerberg Jensen System Engineer, Global Service Providers CCIE SP #42403

D1 - Embedded Linux. Building and installing an embedded and real-time Linux platform. Objectives. Course environment.

GadgetPC Single Board Computer. System Restore Guide. Document Revision: 1.04 Date: 31 January, 2010

ARM Security Solutions and Numonyx Authenticated Flash

The Future of Security is in Open Silicon Linux Security Summit 2018

HKG Android Verified Boot 2.0 and U-boot. Igor Opaniuk, Texas Instruments

Firmware. OSF (open System. Gundrala Devender Goud Engineering Director/Azure/Microsoft OCP/OSF Project Lead

RAUC Documentation. Release v0.4. Jan Luebbe, Enrico Joerns, Juergen Borleis

System Firmware and Device Firmware Updates using Unified Extensible Firmware Interface (UEFI) Capsules

The blob bootloader. The blob bootloader. Thomas Petazzoni Free Electrons

Overview. Wait, which firmware? Threats Update methods request_firmware() hooking Regression testing Future work

CompTIA Linux+/LPIC-1 COPYRIGHTED MATERIAL

whitepaper ClickShare Security

Isar. Build Debian-Based Products with BitBake. Baurzhan Ismagulov. Embedded Linux Conference Europe Oct 11-13, 2016 Berlin, Germany

Read-only rootfs. Theory and practice. Chris Simmonds. Embedded Linux Conference Europe Read-only rootfs 1 Copyright , 2net Ltd

Transcription:

UEFI Secure Boot and DRI Kalyan Kumar N

Agenda Introduction RDK Boot Loader DRI (Disaster Recovery Image) RootFS Validation Build Environment

Introduction Standardization of the RDK set-top box firmware boot process Increase industry awareness of UEFI/EDK2 solutions for set-top boot implementation Need secure boot with chain of trust with secure keys Implement RDK Bootloader and Disaster Recovery Image (DRI) requirements (use cases) using well defined standard.

RDK Boot Loader RDK BootLoader selects the valid Platform Code Image (PCI) from the Device non-volatile memory to load and execute. Enables secure boot by registering PK and KEK Key. LoadImage protocol of UEFI Boot service is used to load the kernel image from boot partition. kernel arguments are passed using Loadoptions of LoadedImageProtocol. Installs the FDT blob into EFI system configuration table

RDK Boot Loader FDT file will be read and install Using gfdttableguid. To maintain chain of trust key to validate Linux kernel can be placed in partition other than Boot partition. Key which validates Rootfs can be placed in Boot partition and will registred to UEFI variable and exported to Linux kernel.

RDK DRI RDK DRI reference implementation is UEFI application Resides in Flash memory and provides HTTP download method. Downloads PCI image file via Ethernet ( USB to Ethernet interface) and store image into flash memory. DRI downloads Monolith Image comprised of 3 separate components 1. Linux Kernel 2. FDT file 3. Root FileSystem

RDK DRI Linux and RootFs components are separately signed. Enabled USB host driver with support of Ethernet Adapter. Enabled Http drivers in Network Pkg. URL and IP details will be given to Http Driver After Downloading, Components are stored into different Flash partitions, and will validated prior to use.

RootFS validation After kernel secure boot, RDK wants rootfs also has to be authenticated. Kernel will bootup with temporary initramfs and will validates signed rootfs image and mount the same. Yocto build command for creating initramfs: INITRAMFS_IMAGE = "core-image-minimal-initramfs" INITRAMFS_FSTYPES = "cpio" Keys to validate Rootfs will be exported to kernel through UEFI.

RootFS validation Kernel provides EFIVAR file system, which enables accessing UEFI variables from kernel. Sign RootFS using openssl and generate sha256 hash file which will be part of monolithic image to verify the signature. Ex: openssl dgst -sha256 -sign "Key.key" -out rootfs.sha256 rootfs.tar.bz2 Once secure Linux kernel bootup with initramfs, it validate rootfs,untar and mount the rootfs.

Build Environment EDK2 by default, does not support Hikey board. Openplatformpkg based on edk2 supports various development boards such as RPI, ARM juno etc. including HiKey OpenPlatformPkg can be added as an extra Pkg to edk2, to support UEFI for HiKey RdkPkg need to be added to EDK2, which provides application to access driver from OpenPlatformPkg and boot Linux kernel.

Build Environment edk2: https://github.com/tianocore/edk2.git Hikey UEFI Firmware: https://github.com/linaro-home/openplatformpkg.git -b hikey-rdk Rdk boot Loader and DRI https://github.com/linaro-home/rdkpkg.git RDK secure Boot Build setup script : Build script

Thank You #SFO17 SFO17 keynotes and videos on: connect.linaro.org For further information: www.linaro.org

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback