Browse Source

background section on Secure Boot

master
Trolli Schmittlauch 2 years ago
parent
commit
324f7b3f05
3 changed files with 27 additions and 1 deletions
  1. BIN
      main.pdf
  2. +4
    -1
      main.tex
  3. +23
    -0
      mybib.bib

BIN
main.pdf View File


+ 4
- 1
main.tex View File

@ -127,7 +127,10 @@ Afterwards we cover the technologies dedicated to provide a \ac{TEE} in modern p
\subsection[SecureBoot]{UEFI Secure Boot}\label{sec:SecureBoot}
\textit{Secure Boot} is a functionality of the \ac{UEFI} boot firmware component \cite{unifiedefiforuminc.UEFISpecificationVersion2017} to allow only the launch of authenticated boot images. To achieve that, boot images can be signed with X.509 certificates. Only if the image verifies correctly against a key stored in non-volatile firmware memory or against an entry in an explicit whitelist of signatures. This first check on which bootloader or \ac{OS} image to launch can be the anchor of a trust chain, if each consecutive execution step also checks the authenticity of software to be launched.
\textit{Secure Boot} is a functionality of the \ac{UEFI} boot firmware component \cite{unifiedefiforuminc.UEFISpecificationVersion2017} to allow only the launch of authenticated boot images. To achieve that, boot images can be signed with X.509 certificates. Only if the image verifies correctly against a key stored in non-volatile firmware memory or against an entry in an explicit allow list of signatures. This first check on which bootloader or \ac{OS} image to launch can be the anchor of a trust chain, if each consecutive execution step also checks the authenticity of software to be launched. The allow and deny lists can be updated from the running \ac{OS} and deploying own custom platform keys for verification can be possible through setup-mode of \ac{UEFI}.
Firmwares adhering to the \ac{UEFI} standard are the dominant system software for the PC platform (including x86 devices like servers, laptops and mobile devices, but also more and more devices with ARM chipsets). Microsoft has been criticized for requiring devices \cite{MicrosoftHardwareCertification2014} shipped with the Windows \ac{OS} to have Secure Boot enabled by default, verifying boot images against Microsoft's key, mentioning that this could lead to lock-down of consumer hardware and the inability to install alternative operating systems on it. \\
Earlier versions of the requirements mandated an option to disable Secure Boot on x86 devices while also mandating that it must always be enabled on ARM-based devices. \cite{moodyMicrosoftBlockingLinux} Nevertheless complete lockout of other operating systems doesn't seem to be imminent at least on x86 devices as there is a shim bootloader signed by Microsoft \cite{matthewgarrettAnnouncingShimReview}, enabling the launch of other unsigned boot images. The signature of this specific binary could though be put on the firmware's deny list through updates.
\subsection{TPM}\label{sec:TPM}


+ 23
- 0
mybib.bib View File

@ -258,4 +258,27 @@ This paper's contributions are a summary of the Intel-specific architectural and
file = {/home/spiollinux/Zotero/storage/HUEEIARA/2017 - UEFI Specification version 2.7 errata A.pdf}
}
@misc{MicrosoftHardwareCertification2014,
title = {Microsoft {{Hardware Certification Policies}} and {{Processes}}},
year = {2014}
}
@misc{moodyMicrosoftBlockingLinux,
title = {Is {{Microsoft Blocking Linux Booting}} on {{ARM Hardware}}?},
copyright = {Copyright 2018 IDG Communications Ltd},
abstract = {Back in September last year, there was a bit of a to-do about Microsoft's UEFI Secure Boot technology in Windows 8, when a Red Hat engineer posted the following:Microsoft requires that machines conforming to the Windows 8 logo program and...},
howpublished = {https://www.computerworlduk.com/it-business/is-microsoft-blocking-linux-booting-on-arm-hardware-3569162/},
journal = {ComputerworldUK},
author = {Moody, Glyn},
file = {/home/spiollinux/Zotero/storage/Q9TQHLHG/is-microsoft-blocking-linux-booting-on-arm-hardware-3569162.html}
}
@misc{matthewgarrettAnnouncingShimReview,
title = {Announcing the {{Shim}} Review Process},
language = {en},
howpublished = {https://mjg59.dreamwidth.org/47438.html},
author = {{Matthew Garrett}},
file = {/home/spiollinux/Zotero/storage/FGYE9G6G/47438.html}
}

Loading…
Cancel
Save