7/24/2019 Trusted Boot Loader

1/37

April 12th, 2006 1

Trusted Boot Loader

Steve Johnson, Panasonic

Chair Security WG

San Jose

April 12, 2006

7/24/2019 Trusted Boot Loader

2/37

April 12th, 2006 2

Synopsis Background

Trusted boot Security enhancements to boot loader

Necessary code

U-Boot

Kernel authenticity

Secure U-Boot Conclusions

7/24/2019 Trusted Boot Loader

3/37

April 12th, 2006 3

Background

Trusted Computing Platform Alliance /Trusted Computing Group TCPA / TCG

Trusted Computing

Trusted Platform Module TPM

7/24/2019 Trusted Boot Loader

4/37

April 12th, 2006 4

TCG

Develops, defines, and promotes open standards

for hardware-enabled trusted computing and

security technologies

hardware building blocks

software interfaces

multiple platforms, peripherals, and devices.

Primary goal is to protect users information assets

(data, passwords, keys, etc.) from compromise due

to external software attack and physical theft.

7/24/2019 Trusted Boot Loader

5/37

April 12th, 2006 5

Trust and Trusted Computing

What is trust?

The expectation that a device will behave in a

particular manner for a specific purpose

System you are forced to trust vs. one that istrustworthy

What is trusted computing?

Technology developed and promoted by theTrusted Computing Group (TCG)

7/24/2019 Trusted Boot Loader

6/37

April 12th, 2006 6

Trusted Computing

Machine specific public and private keys

and certificate chain

Cryptographic functionality

Data can be signed with the machinesidentification

Data can be encrypted with the machines

secret key

7/24/2019 Trusted Boot Loader

7/37

April 12th, 2006 7

TCG components

Application

TCG Software Stack

TPM Device Driver

Operating System

Root of Trust

TPMBoot ROM

Measure

Measure

7/24/2019 Trusted Boot Loader

8/37

April 12th, 2006 8

TPM activities

Boot loader measures boot through kernel

and initrd

Initrd has TPM unseal kernel master key

If a match, TPM releases kernel master key

Key used to generate keys for further stages

If measurements dont match, boot is halted

7/24/2019 Trusted Boot Loader

9/37

April 12th, 2006 9

TPM major components

Cryptographic

Co-Processor

HMAC

Engine

SHA-1

Engine

Random

NumberGenerator

Key

Generation

Power

Detection

I/O

Opt-In

Volatile

Memory

Execution

Engine

Non-

Volatile

Memory

CommunicationBus

7/24/2019 Trusted Boot Loader

10/37

April 12th, 2006 10

Necessary TPM hardware

ROMCPU

TPM

CPUTPM

ROM

Trusted Area

NormalCPU

Discrete TPM

Embedded TPM

Software TPM

7/24/2019 Trusted Boot Loader

11/37

April 12th, 2006 11

Trusted boot

Trusted boot loader

Secure boot loader

7/24/2019 Trusted Boot Loader

12/37

April 12th, 2006 12

Security levels for boot loader

Root of Trust

(Secure Storage)

-

TPM

Ease of ManagementSecurity Features

Good (for connected device)+ Device Authentication

+ Integrity Protection

+ Integrity Report

Root of TrustOTrusted Boot

Good

+ Easy to update OS imagewithout modifying Bootloader

Root of Trust

(Signers public key)

OOSecure Boot(by signature)

Root of Trust(Reference Value)

-

Write Protected

Bootloader

HardwareSoftware

BadOSecure Boot(by digest)

Easy, but no protection--ONormal Boot

Signature

HashCRC

ECC

7/24/2019 Trusted Boot Loader

13/37

April 12th, 2006 13

Security enhancements

Simple integrity check

Error checks and recovery

Secure boot

Ensure secure initial state Ensure only an un-tampered system is run

Trusted/authenticated boot

Ensure a secure initial state Ensure only an un-tampered system is run

Measure and report

7/24/2019 Trusted Boot Loader

14/37

April 12th, 2006 14

Trusted boot

Each boot step is measured and stored

A sequence of measured values (stored

measurement log)

Executable code and associated informationcould be measured before it is executed

7/24/2019 Trusted Boot Loader

15/37

April 12th, 2006 15

GRUB booting

Stage 1

Initialization

Detect geometry of loading drive

Load the first sector of Stage 1.5

Jump to start of Stage 1.5 Stage 1.5

Load the rest of Stage 1.5

Jump to the starting address Load Stage 2

Jump to start of Stage 2

7/24/2019 Trusted Boot Loader

16/37

April 12th, 2006 16

GRUB booting

Stage 2

Load kernel

Jump to kernel start

7/24/2019 Trusted Boot Loader

17/37

April 12th, 2006 17

Trusted GRUB booting

Stage 1 measures stage 1.5 after loading it

Stage 1.5 measures stage 2 after loading it

Stage 2 measures stage 1.5

Stage 2 measures kernel

7/24/2019 Trusted Boot Loader

18/37

April 12th, 2006 18

Required code and components

Boot loader

Crypto functions

Hash

Asymmetric cipher (RSA) Hardware

Write protected initial boot code ROM

Flash memory with boot block protection

TPM

7/24/2019 Trusted Boot Loader

19/37

April 12th, 2006 19

U-Boot

Open source firmware for embedded

PowerPC, ARM, MIPS, x86,

Command line

Information commands

Memory commands Flash memory commands

Execution commands

Download Environment variables

Special

Miscellaneous

7/24/2019 Trusted Boot Loader

20/37

April 12th, 2006 20

U-Boot boot process

Invoke U-Boot

Starts running from ROM

Relocates itself to RAM

Initial setup and environment checks Locate the kernel and decompress it

Check CRC of kernel

Transfer control to kernel image

Kernel boots

7/24/2019 Trusted Boot Loader

21/37

April 12th, 2006 21

U-Boot security

Only knows CRC

Basically a sophisticated checksum

CRC good for finding random errors in a

transmission Little protection against malicious attacks

7/24/2019 Trusted Boot Loader

22/37

April 12th, 2006 22

Signed kernel

Hash calculated from kernel binary

MD5 or SHA-1

Use private key of public/private key pair to

encrypt digest Signature appended to kernel image as

meta-data

7/24/2019 Trusted Boot Loader

23/37

April 12th, 2006 23

Signed kernel

Kernel imageDigest/

hashMD5 orSHA-1

signature

Signed usingprivate key

Kernel image

signature

7/24/2019 Trusted Boot Loader

24/37

April 12th, 2006 24

Kernel image authenticity

Boot loader decompresses kernel image and

meta-data

Signature is extracted and decrypted using

public key Hash is calculated from kernel image

If signature matches hash, the kernel image

is authentic

7/24/2019 Trusted Boot Loader

25/37

April 12th, 2006 25

Signed kernel with u-boot

MD5 or

SHA-1

decrypt usingpublic key

Kernel image

signature

Kernel image

signature

Digest/hash

Digest/hash

compare

7/24/2019 Trusted Boot Loader

26/37

April 12th, 2006 26

Secure U-Boot process

Invoke u-boot

Starts running from ROM

Relocates itself to RAM

Initial setup and environment checks

Locate the kernel and decompress it

Check CRC of kernel

Authenticate kernel

Transfer control to kernel image

Kernel boots

7/24/2019 Trusted Boot Loader

27/37

April 12th, 2006 27

U-Boot booting process

Preliminary setup

CPU

Memory

Relocate self to RAM Initialize ARM boot

Flash

Environment

IP & MAC address

7/24/2019 Trusted Boot Loader

28/37

April 12th, 2006 28

U-Boot booting

Initialize ARM boot (continued)

Devices

Console

Interrupts

Ethernet

Boot kernel

Read image header Decompress image

Transfer control to kernel

7/24/2019 Trusted Boot Loader

29/37

April 12th, 2006 29

Required modifications

Identify appropriate places in u-boot for

modifications

Between decompress image and transfer control

to kernel

Add hash code

Add encryption/decryption code

Add key handling

7/24/2019 Trusted Boot Loader

30/37

April 12th, 2006 30

Hardware based protection

Not striving for full TCG compliance

Secure boot loader is sufficient for first

step

Where to store stuff?

7/24/2019 Trusted Boot Loader

31/37

April 12th, 2006 31

U-Boot start

U-Boot 1.1.4 (Mar 29 2006 - 10:01:55)

DRAM: 32 MB

Flash: 32 MB

In: serial

Out: serial

Err: serial

Hit any key to stop autoboot: 0

OMAP1510 Innovator #

7/24/2019 Trusted Boot Loader

32/37

April 12th, 2006 32

Innovator flash

.

.

.

OMAP flash: using static partition definition

Creating 5 MTD partitions on "omap-flash":

0x00000000-0x00020000 : "BootLoader"0x00020000-0x00060000 : "Params"

0x00060000-0x00260000 : "Kernel"

0x00260000-0x01000000 : "Flash0 FileSys"

0x01000000-0x02000000 : "Flash1 FileSys"

7/24/2019 Trusted Boot Loader

33/37

April 12th, 2006 33

U-Boot parameters

256K total

Room for key information

7/24/2019 Trusted Boot Loader

34/37

April 12th, 2006 34

Roadmap

Verify boot image

Hardware based protection Protection of ROM, boot block, flash memory

Complete TCG trusted boot

Need TPM TPM driver

TPM initialization

TPM APIs (Library) Integrate boot image verification and boot loader

protection

7/24/2019 Trusted Boot Loader

35/37

April 12th, 2006 35

Conclusions

Secure boot is needed

Trusted boot exists for BIOS based systems

with TPM

Not a lot required for secure boot forembedded systems

7/24/2019 Trusted Boot Loader

36/37

April 12th, 2006 36

Links

U-Boot

Documentation

http://www.denx.de/wiki/DULG/Manual

Project home page

http://sourceforge.net/projects/u-boot

TCG

https://www.trustedcomputinggroup.org/home

TPM https://www.trustedcomputinggroup.org/groups/tpm/

7/24/2019 Trusted Boot Loader

37/37

April 12th, 2006 37

Links

TPM device driver for Linux

http://sourceforge.net/projects/tpmdd

TCG Software Stack implementation

http://sourceforge.net/projects/trousers TCG patch for GRUB

http://trousers.sourceforge.net/grub.html