verified boot and free software reconciling freedom and
play

Verified Boot and Free Software: Reconciling Freedom and Security - PowerPoint PPT Presentation

Aug 10, 2023 •537 likes •947 views

Verified Boot and Free Software: Reconciling Freedom and Security Paul Kocialkowski contact@paulk.fr Monday July 4 th 2016 Introducing Verified Boot and Related Issues Introducing Verified Boot and Related Issues Bootup Process BIOS History

  1. Verified Boot and Free Software: Reconciling Freedom and Security Paul Kocialkowski contact@paulk.fr Monday July 4 th 2016

  2. Introducing Verified Boot and Related Issues

  3. Introducing Verified Boot and Related Issues Bootup Process

  4. BIOS History Basic Input/Output System: • 1980s: • Basic hardware initialization • Operating system load • BIOS interrupt calls (used by CP/M, DOS) • Purpose: hardware abstraction • Read-only memory • 1990s: • Increasing hardware complexity • Drivers in operating systems, initialization only • Read/write memory (updates) • 2000s: • Run-time services (SMM/SMI, ACPI) • Unified Extensible Firmware Interface (UEFI) • Back to hardware abstraction

  5. SPI Flash?

  6. SPI Flash

  7. (Traditional) x86 Bootup Process hardware reset spi flash bootblock reset vector: 0xfffffff0 spi flash romstage cache as ram spi flash ramstage ram smm handlers spi flash hdd payload bootloader smi hdd kernel hdd

  8. ARM Bootup Process hardware reset hardwired silicon bootrom hardwired silicon various sram spl various peci bootloader ram various call tee kernel smc

  9. Trusted Execution Environment Need for trusted run-time software: • Operating system is flawed • Privileged operations, hardware access • Sensitive operations (privacy/security) Implementing a trusted environment: • Independent or setup by bootup software • Cooperation with the platform (e.g. TrustZone ) • Privileged mode, interfacing (e.g. SMC)

  10. Introducing Verified Boot and Related Issues Software Freedom

  11. Freedom and Privacy/Security Considerations and Issues Bootup software considerations: • Precedence over the system • Runs during the system lifetime • Loads the TEE • Great control, abilities and user data access • Hardware initialization knowledge Associated issues: • Trust and control: • Audit (weaknesses, backdoors) • Bug fix (delays, EOL) • User modification • Restrictions • Access to knowledge

  12. Basic Freedoms Guarantees: basic freedoms 0. Run for any purpose 1. Study and modify 2. Redistribution 3. Redistribution of modifications Free software is a hard requirement!

  13. Free Bootup Software Bootrom (ARM): • Read-only: hardwired • Always non-free (hardware design) Free bootup software projects: • Coreboot • U-Boot, Barebox • Libreboot Usual non-free components: • x86 : Option ROM/VGA BIOS, CPU microcodes • Intel x86 : FSP, MRC, ME • AMD x86 : IMC, SMU, PSP • Various firmwares (xHCI, ethernet, . . . )

  14. Introducing Verified Boot and Related Issues Bootup Software Verification

  15. Early Software Verification Security approaches distinction: • Verified boot: to boot or not to boot • Measured boot: state indication Verified boot rationale: • Read/write bootup software • Attack surface, compromisation • Chain of trust up to the system, handlers Design implications: • Early bootup software must be trusted • Next stage validation: signatures • Read-only signatures

  16. Early Attempts at Integrity Preservation Pin-driven write-protect: flashrom/board enable.c: • Easy to find out s t a t i c i n t i n t e l p i i x 4 g p o 2 7 l o w e r ( void ) { return i n t e l p i i x 4 g p o s e t (27 , 0) ; • Flashrom board enables } Platform-based approaches: • Platform SPI access/write disable • Protected Ranges (PRx) Pitfalls: • Privileged access (SMM) • Internal controller access (ME, IMC) • External access • Platform-specific logic

  17. UEFI and Secure Boot Secure boot implementations: • Bootloader or kernel verification • Ships with verification keys • Assumes it’s not compromised User control: • Secure boot disable? • Replacing keys?

  18. (Actually) Verified Boot Strong root of trust: • Keys in OTP memory • Bootrom enforcing verification Motivations: • Multiple read/write storage • Reliable root of trust Implementations: • ARM platforms • Intel Bootguard • Intel TXT ACM (dynamic root of trust)

  19. Introducing Verified Boot and Related Issues Software Freedom Issues

  20. Incompatibility with Free Software Issues for freedom: • Free bootup software is impossible ! • Free TEE software is impossible ! • Free kernel is impossible ! Implications for privacy/security: • No control, no choice for trust • (Un)intentional weaknesses • Ability to compromise the system, exfiltrate data: • At boot time • At run time: TEE, SMM/SMI, ACPI, PECI Neither freedom, nor privacy/security :(

  21. (Barely) Undercover Motivations Usual scenario (Android): • Verified SPL and bootloader • Verified TEE • Chain of trust break Story time: • LG Optimus Black • Google Pixel C Rationale? Anyone? It’s pronounced DRM .

  22. Tivoization and Licenses Tivoization: • Free, copyleft bootup software • Modified versions release • Signed binaries for verified boot Case study: • Samsung Galaxy Tab 2 • X-Loader SPL

  23. Tivoization and Licenses Tivoization: • Free, copyleft bootup software • Modified versions release • Signed binaries for verified boot Case study: • Samsung Galaxy Tab 2 • X-Loader SPL x-loader/SecureBootSign.pl: $RemoteServer1 = ” 10.2 54.12 4.52 ” ; $RemoteServer2 = ” 1 0 . 9 0 . 1 3 . 3 6 ” ; [ . . . ] $handle = IO : : Socket : : INET − > new ( ” $RemoteServer :80 ” ) or $newerr =1; $handle − > send ( ”GET http :// $RemoteServer / SigningKey . php? model=$modelname&type= $runtype&f i l e n a m e=$ i n p u t f i l e n a m e&f i l e p a t h=$ f t p s u b p a t h&p r e f i x=$ p r e f i x& viewtype=$viewtype&ppa=$ c o n f i g f i l e n a m e HTTP/1.0 ” ) ;

  24. Tivoization and Licenses Tivoization: • Free, copyleft bootup software • Modified versions release • Signed binaries for verified boot Case study: • Samsung Galaxy Tab 2 • X-Loader SPL Oh, the irony! Licenses: • GPLv3

  25. All About the Main CPU? Software is everywhere: • Main processor: Bootup, TEE, System • Management processors: ME, IMC, SMU, BMC. . . • Auxiliary processors: GPU, VPU, DSP. . . • Controllers: EC, xHCI, multimedia, battery. . . • Peripherals: Wi-Fi, bluetooth, GPS, webcam. . . Verified boot: • Main processor: common (ARM) • Management processors: common • Auxiliary processors: increasing (GPUs) • Controllers: uncommon • Peripherals: uncommon Freedom and privacy/security everywhere?

  26. Reconciling Freedom and Security

  27. Reconciling Freedom and Security General-Purpose Possibility

  28. Coreboot, GRUB and PGP Verified boot with free software example: • Free bootup software (Coreboot) • Payload with PGP verification (GRUB) • Storage set read-only (or hidden) • External access to storage Platform assumptions: • No signature verification from bootrom • Ability to lock the storage (access/write/regions) Possible with non-Bootguard x86 platforms! (with Coreboot support)

  29. SPI Flash Write-Protect Write-protect ( WP ) pin: • Reliable root of integrity! • Physical switch • Solder it to ground

  30. Reconciling Freedom and Security CrOS Security Model and Devices

  31. Design Guidelines CrOS security design: • Reliable, scalable verified boot for CPU and EC • Does not cover external access (evil maid) • Free software, user-friendly Chain of trust: • SPI flash write-protect root of trust • The screw: write-protect switch • RO early stages, keys and recovery • RW (verified) next stages and kernel

  32. The Screw

  33. Verified Boot Software Software components: Replacing software and keys: • Bootup software: Coreboot generate keys • Payload: Depthcharge build depthcharge, coreboot and ec • Verified boot: Vboot • EC firmware: Chrome EC package and sign remove the screw Boot modes: • Normal mode flash internally flash externally • Recovery mode insert the screw • Developer mode boot!

  34. Normal Boot hardware reset spi flash keys bootblock Boot path: spi flash spi flash • RO bootblock verstage ro • RO verstage spi flash verified rw • RW next stages ec software romstage-ramstage • RO to RW EC sync, rw spi flash • Internal kernel • No interaction depthcharge internal kernel

  35. Recovery Boot Trigger: hardware reset spi flash • Verification error keys bootblock • User request spi flash spi flash Boot path: verstage • RO only spi flash romstage-ramstage Boot media: • External recovery spi flash • Recovery keys depthcharge external recovery Recovering: kernel • Instructions ro

  36. Developer Boot Enable: hardware reset • Recovery mode spi flash • Wipes data bootblock keys • CrOS root spi flash spi flash • Crossystem verstage ro Boot path: spi flash verified rw • RO to RW ec software romstage-ramstage sync, rw • Kernel verification spi flash depthcharge Boot media: external external • Internal internal • External legacy kernel kernel • Legacy

  37. Devices Hardware design constraints: • SPI flash and the screw • TPM • Servo debug connector Chromebooks, Chromeboxes, Chromebases, Chromebits Platforms: • x86 : Intel Sandybridge, Haswell, Broadwell, Baytrail, Skylake • Signed ARM : Samsung Exynos • Unsigned ARM : Rockchip RK3288, nVidia Tegra K1 Unsigned ARM devices are great for freedom and privacy/security!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda What is Verified Boot? Description of Verified Boot Components Q&A What Is Verified Boot? Verified Boot establishes a chain of

432 views • 19 slides
Verified Boot: From ROM to Userspace ROM-Code Bootloader Kernel Root File System ELC Europe

Verified Boot: From ROM to Userspace ROM-Code Bootloader Kernel Root File System ELC Europe

Verified Boot: From ROM to Userspace ROM-Code Bootloader Kernel Root File System ELC Europe 2016, 12.10.2016 Marc Kleine-Budde <mkl@pengutronix.de> Slide 1 - http://www.pengutronix.de - 13.10.2016 Why Verified Boot? Attractive hacking

774 views • 20 slides
Freedom & AI Can Free Software include ethical AI systems? Justin W. Flory Mike Nolan

Freedom & AI Can Free Software include ethical AI systems? Justin W. Flory Mike Nolan

Freedom & AI Can Free Software include ethical AI systems? Justin W. Flory Mike Nolan Rochester Institute of Technology UNICEF Office of Innovation @jflory7 @__nolski__ When a measure becomes a target, it ceases to be a good

584 views • 41 slides
The Art of DJing, Psychedelic Therapy, and Software Freedom A Proposal for Using Music to

The Art of DJing, Psychedelic Therapy, and Software Freedom A Proposal for Using Music to

The Art of DJing, Psychedelic Therapy, and Software Freedom A Proposal for Using Music to Maximize Therapeutic Outcomes Be Wilson MD candidate, University of Illinois at Chicago Mixxx DJ Software developer Introduction Feel free to ask

503 views • 17 slides
Flicker Free Boot Seamless boot for UEFI systems Presented by Hans de Goede Red Hat Desktop

Flicker Free Boot Seamless boot for UEFI systems Presented by Hans de Goede Red Hat Desktop

Flicker Free Boot Seamless boot for UEFI systems Presented by Hans de Goede Red Hat Desktop Hardware Enablement Team This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License Topics What / why? Pre-kernel:

434 views • 16 slides
Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15 Presentation licensed CC-By-SA-4.0 Why Secure Boot? How can we prevent running malware at boot? With Secure Boot! What if the machine is a VM in

303 views • 15 slides
U-Boot from Scratch Jagan Teki www.amarulasolutions.com Jagan Teki Jagan nadhaSutradharudu Teki

U-Boot from Scratch Jagan Teki www.amarulasolutions.com Jagan Teki Jagan nadhaSutradharudu Teki

U-Boot from Scratch Jagan Teki www.amarulasolutions.com Jagan Teki Jagan nadhaSutradharudu Teki Free software engineer Enthusiastic Linux kernel hacker U-Boot maintainer for SPI, SPI-FLASH, Allwinner sunXi SoC Buildroot,

1.38k views • 86 slides
What Use Is Verified Software? John Rushby Computer Science Laboratory SRI International Menlo

What Use Is Verified Software? John Rushby Computer Science Laboratory SRI International Menlo

What Use Is Verified Software? John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I What Use Is Verified Software? 1 Software and Systems The world at large cares little for verified

734 views • 14 slides
Software Freedom & Bro Karen M. Sandler BroCon September 13, 2016 I am Executive

Software Freedom & Bro Karen M. Sandler BroCon September 13, 2016 I am Executive

Software Freedom & Bro Karen M. Sandler BroCon September 13, 2016 I am Executive Director, Conservancy Pro bono counsel Free and open source software enthusiast A patient @o0karen0o @Conservancy Actually, I have a big

694 views • 27 slides
Feb 2011 Free software Overview and Objectives What is software? What does free mean,

Feb 2011 Free software Overview and Objectives What is software? What does free mean,

Penarth Computer Club Feb 2011 Free software Overview and Objectives What is software? What does free mean, look at licensing Discuss Piracy (or Theft) Mention some best practice techniques Look at some recommended free

881 views • 29 slides
When Free Software Isn't Better When Free Software Isn't Better benjamin mako hill :: when

When Free Software Isn't Better When Free Software Isn't Better benjamin mako hill :: when

When Free Software Isn't Better When Free Software Isn't Better benjamin mako hill :: when free software isn't better Why free software isn't always very good, why that's not a problem, and how we make it better. Free Software is... Free

690 views • 43 slides
Linux Quick Boot ELC 2014 May 1st, 2014 Tristan Lelong Senior Embedded Software Engineer TABLE

Linux Quick Boot ELC 2014 May 1st, 2014 Tristan Lelong Senior Embedded Software Engineer TABLE

Linux Quick Boot ELC 2014 May 1st, 2014 Tristan Lelong Senior Embedded Software Engineer TABLE OF CONTENTS 1. Introduction 2. Linux boot process 3. Boot time optimization 4. How to keep a full featured system 5. Conclusion Introduction

963 views • 83 slides
Toward Full Specialization of the HPC System Software Stack: Reconciling Application Containers

Toward Full Specialization of the HPC System Software Stack: Reconciling Application Containers

Toward Full Specialization of the HPC System Software Stack: Reconciling Application Containers and Lightweight Multi-kernels Balazs Gerofi , Yutaka Ishikawa , Rolf Riesen , Robert W. Wisniewski bgerofi@riken.jp RIKEN Advanced

485 views • 29 slides
Freedom on Android Devices Erik Albers Free Software Foundation Europe Twitter: @3albers Blog:

Freedom on Android Devices Erik Albers Free Software Foundation Europe Twitter: @3albers Blog:

Freedom on Android Devices Erik Albers Free Software Foundation Europe Twitter: @3albers Blog: https://blogs.fsfe.org/eal Mail: eal@fsfe.org Control of Content / DRM Control of Data Remote control of content Remote Control of Hardware

468 views • 26 slides
Lecture 23 Verified Systems Software Infrastructure is Shaky Software Infrastructure is Shaky

Lecture 23 Verified Systems Software Infrastructure is Shaky Software Infrastructure is Shaky

Software Infrastructure Lecture 23 Verified Systems Software Infrastructure is Shaky Software Infrastructure is Shaky Software Infrastructure is Shaky When exhaustive testing is impossible, our trust can only be based on proof. Edsger W.

538 views • 40 slides
Introduction Me: Software Engineer at DENX, Gmbh U-Boot Custodian for Freescale's i.MX

Introduction Me: Software Engineer at DENX, Gmbh U-Boot Custodian for Freescale's i.MX

Software Update on Embedded Systems Do not brick your device Stefano Babic ELCE October 2014 Introduction Me: Software Engineer at DENX, Gmbh U-Boot Custodian for Freescale's i.MX Focus on Linux embedded with PowerPC and ARM

728 views • 35 slides
Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure

Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure

Top 10 Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure Boot Theory Internal boot ROM 1 st stage boot loader N th stage Verify signature Optional decrypt boot loader OS / Application 2

517 views • 25 slides
Project 1: Bootloader COS 318 Fall 2015 Project 1:

Project 1: Bootloader COS 318 Fall 2015 Project 1:

Project 1: Bootloader COS 318 Fall 2015 Project 1: Schedule Design Review - Monday, 9/28 - 10-min Ime slots from 1:30pm-6:20pm - Write funcIons

731 views • 27 slides
Stoned Bootkit Peter Kleissner Table of Contents 1. Introduction 1. About 2. Technical

Stoned Bootkit Peter Kleissner Table of Contents 1. Introduction 1. About 2. Technical

Stoned Bootkit Peter Kleissner Table of Contents 1. Introduction 1. About 2. Technical Overview 3. Windows Boot Environment 2. Stoned Architecture 1. Plugins 2. Boot Applications 3. Bootkit Installation & Usage 4. General

723 views • 38 slides
Tapestry Workshop The University of Virginia July 15, 2009 And kinesthetic computer science

Tapestry Workshop The University of Virginia July 15, 2009 And kinesthetic computer science

Tapestry Workshop The University of Virginia July 15, 2009 And kinesthetic computer science activities Lynn Lambert Christopher Newport University Newport News, Virginia Author: Tim Bell (not pictured: Ian Witten and Mike Fellows) Tapestry

596 views • 48 slides
Why open source firmware is important Jessie Frazelle - @jessfraz Points of View 1. Security

Why open source firmware is important Jessie Frazelle - @jessfraz Points of View 1. Security

Why open source firmware is important Jessie Frazelle - @jessfraz Points of View 1. Security 2. Usability 3. Visibility First Point of View: Security... Software Software Operating System Kernel Firmware Hardware Software Software

783 views • 62 slides
SE SECU CURE BO BOOT F FOR F FPGAS HE HEADS HA HARDWARE E AND EM EMBED EDDED ED DESIG

SE SECU CURE BO BOOT F FOR F FPGAS HE HEADS HA HARDWARE E AND EM EMBED EDDED ED DESIG

SE SECU CURE BO BOOT F FOR F FPGAS HE HEADS HA HARDWARE E AND EM EMBED EDDED ED DESIG IGN AND SECURIT ITY LAB Lab Director Fareena Saqib, Assistant Professor Email: fsaqib@uncc.edu Office: EPIC 2164 Phone: 704-687-8098 Wh Why

556 views • 20 slides
Fundraising and Finance November 6, 2019 CAMPAIGN FINANCE COMPLIANCE DISCLAIMER Presentation

Fundraising and Finance November 6, 2019 CAMPAIGN FINANCE COMPLIANCE DISCLAIMER Presentation

Campaign Boot Camp: Fundraising and Finance November 6, 2019 CAMPAIGN FINANCE COMPLIANCE DISCLAIMER Presentation is for educational purposes only and designed for candidates who plan to raise or spend $2,000 or more on their election

984 views • 71 slides
Experiences booting one million virtual machines (and a few tools we developed) Ron Minnich Don

Experiences booting one million virtual machines (and a few tools we developed) Ron Minnich Don

Experiences booting one million virtual machines (and a few tools we developed) Ron Minnich Don Rudish 08961 - Scalable Computing R & D Eurosys 2010 Minnich, Rudish, Gentile, Armstrong, Wylie, Pedretti, Thompson Experiences booting one

692 views • 38 slides

More recommend