Questions tagged [secure-boot]
The secure-boot tag has no summary.
63 questions
0 votes, 0 answers, 47 views
What is commonly done in embedded/IoT systems to encrypt flash storage? Is TPM, PUFs, eFUSEs, TEE used to get the decryption key?
Assuming that RAM is inside the SoC, nullifying the possibility of cold-boot attacks, the only other way to obtain the decryption key is to extract it from the secure storage in which it is saved.
I ...
0 votes, 2 answers, 197 views
Does SecureBoot+Lockdown help protect against getting firmware-level malware, even if an attacker gains Root access?
This Reddit comment suggests that even if malicious software gains root access, SecureBoot + Lockdown mode in the Linux kernel can help prevent malware from gaining access to the kernel to perform ...
1 vote, 0 answers, 196 views
U-Boot hardening - how to manage U-Boot Environment Variables
I'm running on a Linux Embedded product and U-Boot Bootloader.
I enabled the Secure Boot Chain of Trust, from ROM to Kernel + DM-verity and DM-Crypt partition protection.
Now I'm worried about the U-...
4 votes, 2 answers, 365 views
Do I need to verify a .ISO before flashing, if my laptop has secure boot?
My Dell XPS 9310 has secure boot enabled and the BIOS is up to date and there are no manual keys added there.
Can I download a ubuntu .ISO from anywhere and flash into any computer without worrying ...
0 votes, 1 answer, 183 views
Is the ability to use Machine Owner Keys effectively a bypass of SecureBoot security?
SecureBoot uses a PKI path to verify particular signed bootloader binaries before it runs these binaries. This PKI, as far as I understand, is basically owned by Microsoft, meaning that only Microsoft ...
-1 votes, 2 answers, 337 views
Laptop Repair vs. Evil Maid
Suppose you need a laptop repair, so you bring it to
A big box store where you have some sort of coverage (who will have the computer for 2-3 weeks)
A small chain of repair shops
a small independent ...
1 vote, 1 answer, 286 views
How do nonce hashes prevent replay attacks on Apple Silicon?
Apple Silicon-based Macs have a LocalPolicy file that controls the secure boot process. To prevent replay attacks of the LocalPolicy, hashes of nonces are used. From here:
The lpnh is used for anti-...
2 votes, 1 answer, 880 views
In a secure boot bootloader chain, does a bootloader image contain the RootCA certificate of the next bootloader?
This is coming from Qualcomm's Secure Boot explanation.
https://www.qualcomm.com/content/dam/qcomm-martech/dm-assets/documents/secure-boot-image-authentication_11.30.16.pdf
Within it, it explains that ...
1 vote, 2 answers, 485 views
Why is Secure Boot in an ECU required when there is Secure Flashing capabilities?
It seems state of the art that automotive electronic control units (ECUs) contain security features such as Secure Flashing and Secure Boot. For secure flashing, each new software to be programmed is ...
1 vote, 1 answer, 603 views
Do I need Secure Boot on an Embedded Device?
I need to rate the risk of not having secure boot for a specific embedded device.
It is clear to me that secure boot is an essential part of the root of trust of a system.
In the scenario however, I ...
1 vote, 2 answers, 4k views
Full disk encryption: Legacy boot mode (MBR) vs. EFI boot mode
FDE tools like VeraCrypt will encrypt the whole system drive when the machine uses legacy boot mode (MBR). But they will only encrypt the system partition if the machine uses EFI boot mode (the EFI ...
3 votes, 0 answers, 784 views
Secure boot + full disk encryption, should I sign the kernel?
I'm redoing my laptop installation from scratch, and this time I want a full secure boot chain.
Here's what I did so far:
Enroll my own keys in the UEFI firmware
Sign my grub bootloader
Full disk ...
0 votes, 1 answer, 421 views
Is there any security technology/technique beside tpm/secure boot which can verify the integrity of the bios or bootloader?
For any file on your OS you can get an MD5 or SHA256 value and if you suspect anything you get it again and compare. I was wondering if there is any way to do the same with the BIOS and bootloader and ...
1 vote, 0 answers, 311 views
How hard is it to modify UEFI nvram if the device is off and the UEFI is locked?
This assumes that:
Machine is powered off
No UEFI backdoors
No Reflashing the firmware
No clearing the NVRAM (The point is to modify/read a small amount of NVRAM, instead of resetting it)
Device ...
2 votes, 1 answer, 325 views
How do you boot from the network using HTTPS?
How do you boot a Linux live image from a CDN using HTTPS as the boot protocol?
The reason for netbooting using a CDN would be to start fresh with a non persistent operating system image. Booting fresh ...
2 votes, 2 answers, 2k views
TPM Endorsement Key usage in secure and trusted boot
Taking into account a Root of Trust in a device using a TPM.
My understanding is that the bootloader, firmware, operating system, applications etc. are all verified on startup by validating signatures ...
3 votes, 1 answer, 817 views
Secure boot after an OTA update confusion
My understanding is that secure boot works by verifying each stage in the boot process before proceeding. So first, UEFI or booting firmware will validate the signature of the bootloader, then kernel, ...
1 vote, 0 answers, 266 views
Is grub implementation of secure boot inherently flawed?
Definitions
Grub is the second stage bootloader often found in Linux distributions.
shim is the first bootloader run by the ROM firmware. It is signed by Microsoft.
ROM firmware is the code embedded ...
0 votes, 0 answers, 889 views
Does secure boot protect you from infected BIOS/firmware?
About secure boot, I've visited Intel's website and they said:
The feature defines an entirely new interface between operating system and firmware/BIOS. When enabled and fully configured, Secure Boot ...
0 votes, 0 answers, 1k views
Can an OS implement Trusted Boot without TPM given Secure Boot?
Since Secure Boot authenticates software, the OS only needs to check hardware. The implementation I have in mind measures hardware and compares the result of the measurement to the value in an EFI ...
0 votes, 1 answer, 1k views
Can I store an openssl generated public key on a TPM (2.0) device?
I've got an Infineon SLB9670 TPM module connected to a BeagleBone Board. I would like to carry out RSA signature verification on the board by using the TPM as a key store (storing the public key). W.r....
2 votes, 2 answers, 1k views
Secure boot for devices which don't have hardware security element
I understand that a Root of Trust is necessary for implementing secure boot on a device. A Root of Trust is strong and trustworthy if it comes from hardware security elements like an HSM/TPM/..
So for ...
1 vote, 0 answers, 121 views
Restricting what hard drive can be used with a given machine
I have a machine running CentOS 7 with a removable hard drive. I want to restrict what hard drive can be used with the machine i.e. the machine can only be used with one disk and nothing else.
I've ...
1 vote, 0 answers, 243 views
PKI Usage in Trusted Boot
I am trying to understand how PKI is used to boot an ARM board.
The following image relates to BL1:
The booting steps state:
Also from:
The certificate used in step 1 appears to be a content ...
2 votes, 1 answer, 386 views
What are the threats addressed by a Hardware Root-of-Trust?
SoC's have begun integrating a hardware Root-of-Trust to mitigate attacks on Secure Boot. Examples include Google's OpenTitan & Intel PFR. What are the threats addressed by discrete "Secure ...