verified boot and free software reconciling freedom and
play

Verified Boot and Free Software: Reconciling Freedom and Security - PowerPoint PPT Presentation

Aug 10, 2023 •537 likes •947 views

Verified Boot and Free Software: Reconciling Freedom and Security Paul Kocialkowski contact@paulk.fr Monday July 4 th 2016 Introducing Verified Boot and Related Issues Introducing Verified Boot and Related Issues Bootup Process BIOS History

  1. Verified Boot and Free Software: Reconciling Freedom and Security Paul Kocialkowski contact@paulk.fr Monday July 4 th 2016

  2. Introducing Verified Boot and Related Issues

  3. Introducing Verified Boot and Related Issues Bootup Process

  4. BIOS History Basic Input/Output System: • 1980s: • Basic hardware initialization • Operating system load • BIOS interrupt calls (used by CP/M, DOS) • Purpose: hardware abstraction • Read-only memory • 1990s: • Increasing hardware complexity • Drivers in operating systems, initialization only • Read/write memory (updates) • 2000s: • Run-time services (SMM/SMI, ACPI) • Unified Extensible Firmware Interface (UEFI) • Back to hardware abstraction

  5. SPI Flash?

  6. SPI Flash

  7. (Traditional) x86 Bootup Process hardware reset spi flash bootblock reset vector: 0xfffffff0 spi flash romstage cache as ram spi flash ramstage ram smm handlers spi flash hdd payload bootloader smi hdd kernel hdd

  8. ARM Bootup Process hardware reset hardwired silicon bootrom hardwired silicon various sram spl various peci bootloader ram various call tee kernel smc

  9. Trusted Execution Environment Need for trusted run-time software: • Operating system is flawed • Privileged operations, hardware access • Sensitive operations (privacy/security) Implementing a trusted environment: • Independent or setup by bootup software • Cooperation with the platform (e.g. TrustZone ) • Privileged mode, interfacing (e.g. SMC)

  10. Introducing Verified Boot and Related Issues Software Freedom

  11. Freedom and Privacy/Security Considerations and Issues Bootup software considerations: • Precedence over the system • Runs during the system lifetime • Loads the TEE • Great control, abilities and user data access • Hardware initialization knowledge Associated issues: • Trust and control: • Audit (weaknesses, backdoors) • Bug fix (delays, EOL) • User modification • Restrictions • Access to knowledge

  12. Basic Freedoms Guarantees: basic freedoms 0. Run for any purpose 1. Study and modify 2. Redistribution 3. Redistribution of modifications Free software is a hard requirement!

  13. Free Bootup Software Bootrom (ARM): • Read-only: hardwired • Always non-free (hardware design) Free bootup software projects: • Coreboot • U-Boot, Barebox • Libreboot Usual non-free components: • x86 : Option ROM/VGA BIOS, CPU microcodes • Intel x86 : FSP, MRC, ME • AMD x86 : IMC, SMU, PSP • Various firmwares (xHCI, ethernet, . . . )

  14. Introducing Verified Boot and Related Issues Bootup Software Verification

  15. Early Software Verification Security approaches distinction: • Verified boot: to boot or not to boot • Measured boot: state indication Verified boot rationale: • Read/write bootup software • Attack surface, compromisation • Chain of trust up to the system, handlers Design implications: • Early bootup software must be trusted • Next stage validation: signatures • Read-only signatures

  16. Early Attempts at Integrity Preservation Pin-driven write-protect: flashrom/board enable.c: • Easy to find out s t a t i c i n t i n t e l p i i x 4 g p o 2 7 l o w e r ( void ) { return i n t e l p i i x 4 g p o s e t (27 , 0) ; • Flashrom board enables } Platform-based approaches: • Platform SPI access/write disable • Protected Ranges (PRx) Pitfalls: • Privileged access (SMM) • Internal controller access (ME, IMC) • External access • Platform-specific logic

  17. UEFI and Secure Boot Secure boot implementations: • Bootloader or kernel verification • Ships with verification keys • Assumes it’s not compromised User control: • Secure boot disable? • Replacing keys?

  18. (Actually) Verified Boot Strong root of trust: • Keys in OTP memory • Bootrom enforcing verification Motivations: • Multiple read/write storage • Reliable root of trust Implementations: • ARM platforms • Intel Bootguard • Intel TXT ACM (dynamic root of trust)

  19. Introducing Verified Boot and Related Issues Software Freedom Issues

  20. Incompatibility with Free Software Issues for freedom: • Free bootup software is impossible ! • Free TEE software is impossible ! • Free kernel is impossible ! Implications for privacy/security: • No control, no choice for trust • (Un)intentional weaknesses • Ability to compromise the system, exfiltrate data: • At boot time • At run time: TEE, SMM/SMI, ACPI, PECI Neither freedom, nor privacy/security :(

  21. (Barely) Undercover Motivations Usual scenario (Android): • Verified SPL and bootloader • Verified TEE • Chain of trust break Story time: • LG Optimus Black • Google Pixel C Rationale? Anyone? It’s pronounced DRM .

  22. Tivoization and Licenses Tivoization: • Free, copyleft bootup software • Modified versions release • Signed binaries for verified boot Case study: • Samsung Galaxy Tab 2 • X-Loader SPL

  23. Tivoization and Licenses Tivoization: • Free, copyleft bootup software • Modified versions release • Signed binaries for verified boot Case study: • Samsung Galaxy Tab 2 • X-Loader SPL x-loader/SecureBootSign.pl: $RemoteServer1 = ” 10.2 54.12 4.52 ” ; $RemoteServer2 = ” 1 0 . 9 0 . 1 3 . 3 6 ” ; [ . . . ] $handle = IO : : Socket : : INET − > new ( ” $RemoteServer :80 ” ) or $newerr =1; $handle − > send ( ”GET http :// $RemoteServer / SigningKey . php? model=$modelname&type= $runtype&f i l e n a m e=$ i n p u t f i l e n a m e&f i l e p a t h=$ f t p s u b p a t h&p r e f i x=$ p r e f i x& viewtype=$viewtype&ppa=$ c o n f i g f i l e n a m e HTTP/1.0 ” ) ;

  24. Tivoization and Licenses Tivoization: • Free, copyleft bootup software • Modified versions release • Signed binaries for verified boot Case study: • Samsung Galaxy Tab 2 • X-Loader SPL Oh, the irony! Licenses: • GPLv3

  25. All About the Main CPU? Software is everywhere: • Main processor: Bootup, TEE, System • Management processors: ME, IMC, SMU, BMC. . . • Auxiliary processors: GPU, VPU, DSP. . . • Controllers: EC, xHCI, multimedia, battery. . . • Peripherals: Wi-Fi, bluetooth, GPS, webcam. . . Verified boot: • Main processor: common (ARM) • Management processors: common • Auxiliary processors: increasing (GPUs) • Controllers: uncommon • Peripherals: uncommon Freedom and privacy/security everywhere?

  26. Reconciling Freedom and Security

  27. Reconciling Freedom and Security General-Purpose Possibility

  28. Coreboot, GRUB and PGP Verified boot with free software example: • Free bootup software (Coreboot) • Payload with PGP verification (GRUB) • Storage set read-only (or hidden) • External access to storage Platform assumptions: • No signature verification from bootrom • Ability to lock the storage (access/write/regions) Possible with non-Bootguard x86 platforms! (with Coreboot support)

  29. SPI Flash Write-Protect Write-protect ( WP ) pin: • Reliable root of integrity! • Physical switch • Solder it to ground

  30. Reconciling Freedom and Security CrOS Security Model and Devices

  31. Design Guidelines CrOS security design: • Reliable, scalable verified boot for CPU and EC • Does not cover external access (evil maid) • Free software, user-friendly Chain of trust: • SPI flash write-protect root of trust • The screw: write-protect switch • RO early stages, keys and recovery • RW (verified) next stages and kernel

  32. The Screw

  33. Verified Boot Software Software components: Replacing software and keys: • Bootup software: Coreboot generate keys • Payload: Depthcharge build depthcharge, coreboot and ec • Verified boot: Vboot • EC firmware: Chrome EC package and sign remove the screw Boot modes: • Normal mode flash internally flash externally • Recovery mode insert the screw • Developer mode boot!

  34. Normal Boot hardware reset spi flash keys bootblock Boot path: spi flash spi flash • RO bootblock verstage ro • RO verstage spi flash verified rw • RW next stages ec software romstage-ramstage • RO to RW EC sync, rw spi flash • Internal kernel • No interaction depthcharge internal kernel

  35. Recovery Boot Trigger: hardware reset spi flash • Verification error keys bootblock • User request spi flash spi flash Boot path: verstage • RO only spi flash romstage-ramstage Boot media: • External recovery spi flash • Recovery keys depthcharge external recovery Recovering: kernel • Instructions ro

  36. Developer Boot Enable: hardware reset • Recovery mode spi flash • Wipes data bootblock keys • CrOS root spi flash spi flash • Crossystem verstage ro Boot path: spi flash verified rw • RO to RW ec software romstage-ramstage sync, rw • Kernel verification spi flash depthcharge Boot media: external external • Internal internal • External legacy kernel kernel • Legacy

  37. Devices Hardware design constraints: • SPI flash and the screw • TPM • Servo debug connector Chromebooks, Chromeboxes, Chromebases, Chromebits Platforms: • x86 : Intel Sandybridge, Haswell, Broadwell, Baytrail, Skylake • Signed ARM : Samsung Exynos • Unsigned ARM : Rockchip RK3288, nVidia Tegra K1 Unsigned ARM devices are great for freedom and privacy/security!

Recommend

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda What is Verified Boot? Description of Verified Boot Components Q&A What Is Verified Boot? Verified Boot establishes a chain of

432 views • 19 slides
Verified Boot: From ROM to Userspace ROM-Code Bootloader Kernel Root File System ELC Europe

Verified Boot: From ROM to Userspace ROM-Code Bootloader Kernel Root File System ELC Europe

Verified Boot: From ROM to Userspace ROM-Code Bootloader Kernel Root File System ELC Europe 2016, 12.10.2016 Marc Kleine-Budde <mkl@pengutronix.de> Slide 1 - http://www.pengutronix.de - 13.10.2016 Why Verified Boot? Attractive hacking

774 views • 20 slides
Freedom & AI Can Free Software include ethical AI systems? Justin W. Flory Mike Nolan

Freedom & AI Can Free Software include ethical AI systems? Justin W. Flory Mike Nolan

Freedom & AI Can Free Software include ethical AI systems? Justin W. Flory Mike Nolan Rochester Institute of Technology UNICEF Office of Innovation @jflory7 @__nolski__ When a measure becomes a target, it ceases to be a good

584 views • 41 slides
The Art of DJing, Psychedelic Therapy, and Software Freedom A Proposal for Using Music to

The Art of DJing, Psychedelic Therapy, and Software Freedom A Proposal for Using Music to

The Art of DJing, Psychedelic Therapy, and Software Freedom A Proposal for Using Music to Maximize Therapeutic Outcomes Be Wilson MD candidate, University of Illinois at Chicago Mixxx DJ Software developer Introduction Feel free to ask

503 views • 17 slides
Flicker Free Boot Seamless boot for UEFI systems Presented by Hans de Goede Red Hat Desktop

Flicker Free Boot Seamless boot for UEFI systems Presented by Hans de Goede Red Hat Desktop

Flicker Free Boot Seamless boot for UEFI systems Presented by Hans de Goede Red Hat Desktop Hardware Enablement Team This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License Topics What / why? Pre-kernel:

434 views • 16 slides
Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15 Presentation licensed CC-By-SA-4.0 Why Secure Boot? How can we prevent running malware at boot? With Secure Boot! What if the machine is a VM in

303 views • 15 slides
U-Boot from Scratch Jagan Teki www.amarulasolutions.com Jagan Teki Jagan nadhaSutradharudu Teki

U-Boot from Scratch Jagan Teki www.amarulasolutions.com Jagan Teki Jagan nadhaSutradharudu Teki

U-Boot from Scratch Jagan Teki www.amarulasolutions.com Jagan Teki Jagan nadhaSutradharudu Teki Free software engineer Enthusiastic Linux kernel hacker U-Boot maintainer for SPI, SPI-FLASH, Allwinner sunXi SoC Buildroot,

1.38k views • 86 slides
What Use Is Verified Software? John Rushby Computer Science Laboratory SRI International Menlo

What Use Is Verified Software? John Rushby Computer Science Laboratory SRI International Menlo

What Use Is Verified Software? John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I What Use Is Verified Software? 1 Software and Systems The world at large cares little for verified

734 views • 14 slides
Software Freedom & Bro Karen M. Sandler BroCon September 13, 2016 I am Executive

Software Freedom & Bro Karen M. Sandler BroCon September 13, 2016 I am Executive

Software Freedom & Bro Karen M. Sandler BroCon September 13, 2016 I am Executive Director, Conservancy Pro bono counsel Free and open source software enthusiast A patient @o0karen0o @Conservancy Actually, I have a big

694 views • 27 slides
Feb 2011 Free software Overview and Objectives What is software? What does free mean,

Feb 2011 Free software Overview and Objectives What is software? What does free mean,

Penarth Computer Club Feb 2011 Free software Overview and Objectives What is software? What does free mean, look at licensing Discuss Piracy (or Theft) Mention some best practice techniques Look at some recommended free

881 views • 29 slides
When Free Software Isn't Better When Free Software Isn't Better benjamin mako hill :: when

When Free Software Isn't Better When Free Software Isn't Better benjamin mako hill :: when

When Free Software Isn't Better When Free Software Isn't Better benjamin mako hill :: when free software isn't better Why free software isn't always very good, why that's not a problem, and how we make it better. Free Software is... Free

690 views • 43 slides
Linux Quick Boot ELC 2014 May 1st, 2014 Tristan Lelong Senior Embedded Software Engineer TABLE

Linux Quick Boot ELC 2014 May 1st, 2014 Tristan Lelong Senior Embedded Software Engineer TABLE

Linux Quick Boot ELC 2014 May 1st, 2014 Tristan Lelong Senior Embedded Software Engineer TABLE OF CONTENTS 1. Introduction 2. Linux boot process 3. Boot time optimization 4. How to keep a full featured system 5. Conclusion Introduction

963 views • 83 slides
Toward Full Specialization of the HPC System Software Stack: Reconciling Application Containers

Toward Full Specialization of the HPC System Software Stack: Reconciling Application Containers

Toward Full Specialization of the HPC System Software Stack: Reconciling Application Containers and Lightweight Multi-kernels Balazs Gerofi , Yutaka Ishikawa , Rolf Riesen , Robert W. Wisniewski bgerofi@riken.jp RIKEN Advanced

485 views • 29 slides
Freedom on Android Devices Erik Albers Free Software Foundation Europe Twitter: @3albers Blog:

Freedom on Android Devices Erik Albers Free Software Foundation Europe Twitter: @3albers Blog:

Freedom on Android Devices Erik Albers Free Software Foundation Europe Twitter: @3albers Blog: https://blogs.fsfe.org/eal Mail: eal@fsfe.org Control of Content / DRM Control of Data Remote control of content Remote Control of Hardware

468 views • 26 slides
Lecture 23 Verified Systems Software Infrastructure is Shaky Software Infrastructure is Shaky

Lecture 23 Verified Systems Software Infrastructure is Shaky Software Infrastructure is Shaky

Software Infrastructure Lecture 23 Verified Systems Software Infrastructure is Shaky Software Infrastructure is Shaky Software Infrastructure is Shaky When exhaustive testing is impossible, our trust can only be based on proof. Edsger W.

538 views • 40 slides
Introduction Me: Software Engineer at DENX, Gmbh U-Boot Custodian for Freescale's i.MX

Introduction Me: Software Engineer at DENX, Gmbh U-Boot Custodian for Freescale's i.MX

Software Update on Embedded Systems Do not brick your device Stefano Babic ELCE October 2014 Introduction Me: Software Engineer at DENX, Gmbh U-Boot Custodian for Freescale's i.MX Focus on Linux embedded with PowerPC and ARM

728 views • 35 slides
Discover UEFI with U-Boot 2020-02-01, Heinrich Schuchardt CC-BY-SA-4.0 About Me

Discover UEFI with U-Boot 2020-02-01, Heinrich Schuchardt CC-BY-SA-4.0 About Me

Discover UEFI with U-Boot 2020-02-01, Heinrich Schuchardt CC-BY-SA-4.0 About Me Software-Consultant ERP, Supply Chain Contributor to U-Boot since 2017 Maintainer of the UEFI sub-system since 02/2019 I Want a Network Drive Many

598 views • 28 slides
Updating an Embedded System About me Me: Software Engineer at DENX, Gmbh U-Boot

Updating an Embedded System About me Me: Software Engineer at DENX, Gmbh U-Boot

SWUpdate Updating an Embedded System About me Me: Software Engineer at DENX, Gmbh U-Boot Custodian for NXP's i.MX Focus on Linux embedded Author of FOSS SWUpdate Do we update ? Local Update Push Software Pull Software

870 views • 38 slides
Free Software and HPC Free Software and HPC Juan Antonio A nel Cabanelas aetherlux@es.gnu.org

Free Software and HPC Free Software and HPC Juan Antonio A nel Cabanelas aetherlux@es.gnu.org

Free Software and HPC Free Software and HPC Juan Antonio A nel Cabanelas aetherlux@es.gnu.org EPhysLab, Universidade de Vigo - Ourense j.anhel@uvigo.es Juan Antonio A nel Cabanelas () Free Software and HPC 1 / 7 talk Should we worry

319 views • 7 slides
Free software in academia A dialogue on free software use and development practice and philosophy

Free software in academia A dialogue on free software use and development practice and philosophy

Free software in academia A dialogue on free software use and development practice and philosophy in university curricula and scholarly projects Morgan Lemmer-Webber Tom Callaway Stephen Jacobs D. Joe Anderson Libre Planet 2018 L i b r

509 views • 7 slides
The Freedom Ticket A Southeast Queens Proof of Concept December 2015 What is Freedom Ticket ?

The Freedom Ticket A Southeast Queens Proof of Concept December 2015 What is Freedom Ticket ?

The Freedom Ticket A Southeast Queens Proof of Concept December 2015 What is Freedom Ticket ? Railroad Fare + Free Transfer = Freedom Ticket Freedom Ticket Roll-out Phase 1: Southeast Queens & Brooklyn 2017 Phase 2: Expansion to

406 views • 13 slides
The Toolkit for Accurate Scientific Software Stephen F. Siegel, Timothy Zirkel, Yi Wei Verified

The Toolkit for Accurate Scientific Software Stephen F. Siegel, Timothy Zirkel, Yi Wei Verified

The Toolkit for Accurate Scientific Software Stephen F. Siegel, Timothy Zirkel, Yi Wei Verified Software Laboratory Department of Computer and Information Sciences University of Delaware Newark, DE, USA Third International Workshop on

498 views • 33 slides
Funding Free Software Developers with... Why? Because Free Software Developers... Freely

Funding Free Software Developers with... Why? Because Free Software Developers... Freely

Funding Free Software Developers with... Why? Because Free Software Developers... Freely share the Need to pay their result of their work in bills in order to a way that benefits continue doing what the whole society. they do.

369 views • 8 slides
A q -Deformed Symplectic sp (4) Algebra: How Free Is an Additional Degree of Freedom? K. D.

A q -Deformed Symplectic sp (4) Algebra: How Free Is an Additional Degree of Freedom? K. D.

Nuclear Theory22 ed. V. Nikolaev, Heron Press, Sofia, 2003 A q -Deformed Symplectic sp (4) Algebra: How Free Is an Additional Degree of Freedom? K. D. Sviratcheva 1 , C. Bahri 1 , A. I. Georgieva 1 , 2 , and J. P. Draayer 1 1 Louisiana State

429 views • 12 slides

More recommend