trusted boot loader
TRANSCRIPT
-
7/24/2019 Trusted Boot Loader
1/37
April 12th, 2006 1
Trusted Boot Loader
Steve Johnson, Panasonic
Chair Security WG
San Jose
April 12, 2006
-
7/24/2019 Trusted Boot Loader
2/37
April 12th, 2006 2
Synopsis Background
Trusted boot Security enhancements to boot loader
Necessary code
U-Boot
Kernel authenticity
Secure U-Boot Conclusions
-
7/24/2019 Trusted Boot Loader
3/37
April 12th, 2006 3
Background
Trusted Computing Platform Alliance /Trusted Computing Group TCPA / TCG
Trusted Computing
Trusted Platform Module TPM
-
7/24/2019 Trusted Boot Loader
4/37
April 12th, 2006 4
TCG
Develops, defines, and promotes open standards
for hardware-enabled trusted computing and
security technologies
hardware building blocks
software interfaces
multiple platforms, peripherals, and devices.
Primary goal is to protect users information assets
(data, passwords, keys, etc.) from compromise due
to external software attack and physical theft.
-
7/24/2019 Trusted Boot Loader
5/37
April 12th, 2006 5
Trust and Trusted Computing
What is trust?
The expectation that a device will behave in a
particular manner for a specific purpose
System you are forced to trust vs. one that istrustworthy
What is trusted computing?
Technology developed and promoted by theTrusted Computing Group (TCG)
-
7/24/2019 Trusted Boot Loader
6/37
April 12th, 2006 6
Trusted Computing
Machine specific public and private keys
and certificate chain
Cryptographic functionality
Data can be signed with the machinesidentification
Data can be encrypted with the machines
secret key
-
7/24/2019 Trusted Boot Loader
7/37
April 12th, 2006 7
TCG components
Application
TCG Software Stack
TPM Device Driver
Operating System
Root of Trust
TPMBoot ROM
Measure
Measure
-
7/24/2019 Trusted Boot Loader
8/37
April 12th, 2006 8
TPM activities
Boot loader measures boot through kernel
and initrd
Initrd has TPM unseal kernel master key
If a match, TPM releases kernel master key
Key used to generate keys for further stages
If measurements dont match, boot is halted
-
7/24/2019 Trusted Boot Loader
9/37
April 12th, 2006 9
TPM major components
Cryptographic
Co-Processor
HMAC
Engine
SHA-1
Engine
Random
NumberGenerator
Key
Generation
Power
Detection
I/O
Opt-In
Volatile
Memory
Execution
Engine
Non-
Volatile
Memory
CommunicationBus
-
7/24/2019 Trusted Boot Loader
10/37
April 12th, 2006 10
Necessary TPM hardware
ROMCPU
TPM
CPUTPM
ROM
Trusted Area
NormalCPU
Discrete TPM
Embedded TPM
Software TPM
-
7/24/2019 Trusted Boot Loader
11/37
April 12th, 2006 11
Trusted boot
Trusted boot loader
Secure boot loader
-
7/24/2019 Trusted Boot Loader
12/37
April 12th, 2006 12
Security levels for boot loader
Root of Trust
(Secure Storage)
-
TPM
Ease of ManagementSecurity Features
Good (for connected device)+ Device Authentication
+ Integrity Protection
+ Integrity Report
Root of TrustOTrusted Boot
Good
+ Easy to update OS imagewithout modifying Bootloader
Root of Trust
(Signers public key)
OOSecure Boot(by signature)
Root of Trust(Reference Value)
-
Write Protected
Bootloader
HardwareSoftware
BadOSecure Boot(by digest)
Easy, but no protection--ONormal Boot
Signature
HashCRC
ECC
-
7/24/2019 Trusted Boot Loader
13/37
April 12th, 2006 13
Security enhancements
Simple integrity check
Error checks and recovery
Secure boot
Ensure secure initial state Ensure only an un-tampered system is run
Trusted/authenticated boot
Ensure a secure initial state Ensure only an un-tampered system is run
Measure and report
-
7/24/2019 Trusted Boot Loader
14/37
April 12th, 2006 14
Trusted boot
Each boot step is measured and stored
A sequence of measured values (stored
measurement log)
Executable code and associated informationcould be measured before it is executed
-
7/24/2019 Trusted Boot Loader
15/37
April 12th, 2006 15
GRUB booting
Stage 1
Initialization
Detect geometry of loading drive
Load the first sector of Stage 1.5
Jump to start of Stage 1.5 Stage 1.5
Load the rest of Stage 1.5
Jump to the starting address Load Stage 2
Jump to start of Stage 2
-
7/24/2019 Trusted Boot Loader
16/37
April 12th, 2006 16
GRUB booting
Stage 2
Load kernel
Jump to kernel start
-
7/24/2019 Trusted Boot Loader
17/37
April 12th, 2006 17
Trusted GRUB booting
Stage 1 measures stage 1.5 after loading it
Stage 1.5 measures stage 2 after loading it
Stage 2 measures stage 1.5
Stage 2 measures kernel
-
7/24/2019 Trusted Boot Loader
18/37
April 12th, 2006 18
Required code and components
Boot loader
Crypto functions
Hash
Asymmetric cipher (RSA) Hardware
Write protected initial boot code ROM
Flash memory with boot block protection
TPM
-
7/24/2019 Trusted Boot Loader
19/37
April 12th, 2006 19
U-Boot
Open source firmware for embedded
PowerPC, ARM, MIPS, x86,
Command line
Information commands
Memory commands Flash memory commands
Execution commands
Download Environment variables
Special
Miscellaneous
-
7/24/2019 Trusted Boot Loader
20/37
April 12th, 2006 20
U-Boot boot process
Invoke U-Boot
Starts running from ROM
Relocates itself to RAM
Initial setup and environment checks Locate the kernel and decompress it
Check CRC of kernel
Transfer control to kernel image
Kernel boots
-
7/24/2019 Trusted Boot Loader
21/37
April 12th, 2006 21
U-Boot security
Only knows CRC
Basically a sophisticated checksum
CRC good for finding random errors in a
transmission Little protection against malicious attacks
-
7/24/2019 Trusted Boot Loader
22/37
April 12th, 2006 22
Signed kernel
Hash calculated from kernel binary
MD5 or SHA-1
Use private key of public/private key pair to
encrypt digest Signature appended to kernel image as
meta-data
-
7/24/2019 Trusted Boot Loader
23/37
April 12th, 2006 23
Signed kernel
Kernel imageDigest/
hashMD5 orSHA-1
signature
Signed usingprivate key
Kernel image
signature
-
7/24/2019 Trusted Boot Loader
24/37
April 12th, 2006 24
Kernel image authenticity
Boot loader decompresses kernel image and
meta-data
Signature is extracted and decrypted using
public key Hash is calculated from kernel image
If signature matches hash, the kernel image
is authentic
-
7/24/2019 Trusted Boot Loader
25/37
April 12th, 2006 25
Signed kernel with u-boot
MD5 or
SHA-1
decrypt usingpublic key
Kernel image
signature
Kernel image
signature
Digest/hash
Digest/hash
compare
-
7/24/2019 Trusted Boot Loader
26/37
April 12th, 2006 26
Secure U-Boot process
Invoke u-boot
Starts running from ROM
Relocates itself to RAM
Initial setup and environment checks
Locate the kernel and decompress it
Check CRC of kernel
Authenticate kernel
Transfer control to kernel image
Kernel boots
-
7/24/2019 Trusted Boot Loader
27/37
April 12th, 2006 27
U-Boot booting process
Preliminary setup
CPU
Memory
Relocate self to RAM Initialize ARM boot
Flash
Environment
IP & MAC address
-
7/24/2019 Trusted Boot Loader
28/37
April 12th, 2006 28
U-Boot booting
Initialize ARM boot (continued)
Devices
Console
Interrupts
Ethernet
Boot kernel
Read image header Decompress image
Transfer control to kernel
-
7/24/2019 Trusted Boot Loader
29/37
April 12th, 2006 29
Required modifications
Identify appropriate places in u-boot for
modifications
Between decompress image and transfer control
to kernel
Add hash code
Add encryption/decryption code
Add key handling
-
7/24/2019 Trusted Boot Loader
30/37
April 12th, 2006 30
Hardware based protection
Not striving for full TCG compliance
Secure boot loader is sufficient for first
step
Where to store stuff?
-
7/24/2019 Trusted Boot Loader
31/37
April 12th, 2006 31
U-Boot start
U-Boot 1.1.4 (Mar 29 2006 - 10:01:55)
DRAM: 32 MB
Flash: 32 MB
In: serial
Out: serial
Err: serial
Hit any key to stop autoboot: 0
OMAP1510 Innovator #
-
7/24/2019 Trusted Boot Loader
32/37
April 12th, 2006 32
Innovator flash
.
.
.
OMAP flash: using static partition definition
Creating 5 MTD partitions on "omap-flash":
0x00000000-0x00020000 : "BootLoader"0x00020000-0x00060000 : "Params"
0x00060000-0x00260000 : "Kernel"
0x00260000-0x01000000 : "Flash0 FileSys"
0x01000000-0x02000000 : "Flash1 FileSys"
-
7/24/2019 Trusted Boot Loader
33/37
April 12th, 2006 33
U-Boot parameters
256K total
Room for key information
-
7/24/2019 Trusted Boot Loader
34/37
April 12th, 2006 34
Roadmap
Verify boot image
Hardware based protection Protection of ROM, boot block, flash memory
Complete TCG trusted boot
Need TPM TPM driver
TPM initialization
TPM APIs (Library) Integrate boot image verification and boot loader
protection
-
7/24/2019 Trusted Boot Loader
35/37
April 12th, 2006 35
Conclusions
Secure boot is needed
Trusted boot exists for BIOS based systems
with TPM
Not a lot required for secure boot forembedded systems
-
7/24/2019 Trusted Boot Loader
36/37
April 12th, 2006 36
Links
U-Boot
Documentation
http://www.denx.de/wiki/DULG/Manual
Project home page
http://sourceforge.net/projects/u-boot
TCG
https://www.trustedcomputinggroup.org/home
TPM https://www.trustedcomputinggroup.org/groups/tpm/
-
7/24/2019 Trusted Boot Loader
37/37
April 12th, 2006 37
Links
TPM device driver for Linux
http://sourceforge.net/projects/tpmdd
TCG Software Stack implementation
http://sourceforge.net/projects/trousers TCG patch for GRUB
http://trousers.sourceforge.net/grub.html