dasharo/slimbootloader.github.io
0
0
Fork 0
mirror of https://github.com/Dasharo/slimbootloader.github.io.git synced 2026-03-06 15:26:36 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
slimbootloader.github.io/security/container-security.html

236 lines
13 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
<meta charset="utf-8" /><meta name="generator" content="Docutils 0.18.1: http://docutils.sourceforge.net/" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Container Security &mdash; Slim Bootloader 1.0 documentation</title>
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="../_static/graphviz.css" type="text/css" />
<link rel="stylesheet" href="../_static/custom.css" type="text/css" />
<link rel="shortcut icon" href="../_static/sbl_logo_blue_32x32_icon.ico"/>
<!--[if lt IE 9]>
<script src="../_static/js/html5shiv.min.js"></script>
<![endif]-->
<script src="../_static/jquery.js"></script>
<script src="../_static/_sphinx_javascript_frameworks_compat.js"></script>
<script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
<script src="../_static/doctools.js"></script>
<script src="../_static/sphinx_highlight.js"></script>
<script src="../_static/js/theme.js"></script>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="Firmware Resiliency and Recovery" href="firmware-resiliency-and-recovery.html" />
<link rel="prev" title="Firmware Update" href="firmware-update.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="../index.html" class="icon icon-home">
Slim Bootloader
<img src="../_static/sbl_logo_white_200x200.png" class="logo" alt="Logo"/>
</a>
<div class="version">
1.0
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="../search.html" method="get">
<input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../introduction/index.html">Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="../getting-started/index.html">Getting Started</a></li>
<li class="toctree-l1"><a class="reference internal" href="../supported-hardware/index.html">Supported Hardware</a></li>
<li class="toctree-l1"><a class="reference internal" href="../developer-guides/index.html">Developers Guide</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">Security Features</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="boot-guard.html">Boot Guard</a></li>
<li class="toctree-l2"><a class="reference internal" href="verified-boot.html">Verified Boot</a></li>
<li class="toctree-l2"><a class="reference internal" href="key-management.html">SBL Build and Sign</a></li>
<li class="toctree-l2"><a class="reference internal" href="key-management.html#key-management">Key Management</a></li>
<li class="toctree-l2"><a class="reference internal" href="measured-boot.html">Measured Boot</a></li>
<li class="toctree-l2"><a class="reference internal" href="firmware-update.html">Firmware Update</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Container Security</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#auth-types-supported">Auth Types Supported</a></li>
<li class="toctree-l3"><a class="reference internal" href="#container-formats">Container Formats</a></li>
<li class="toctree-l3"><a class="reference internal" href="#container-firmware">Container Firmware</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="firmware-resiliency-and-recovery.html">Firmware Resiliency and Recovery</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../how-tos/index.html">How-Tos</a></li>
<li class="toctree-l1"><a class="reference internal" href="../tools/index.html">Tools</a></li>
<li class="toctree-l1"><a class="reference internal" href="../tutorials/index.html">Tutorials</a></li>
<li class="toctree-l1"><a class="reference internal" href="../specs/index.html">Specifications</a></li>
<li class="toctree-l1"><a class="reference internal" href="../references/references.html">References and Links</a></li>
<li class="toctree-l1"><a class="reference internal" href="../references/terminology.html">Terminology and Acronyms</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" >
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="../index.html">Slim Bootloader</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="../index.html" class="icon icon-home" aria-label="Home"></a></li>
<li class="breadcrumb-item"><a href="index.html">Security Features</a></li>
<li class="breadcrumb-item active">Container Security</li>
<li class="wy-breadcrumbs-aside">
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="container-security">
<h1>Container Security<a class="headerlink" href="#container-security" title="Permalink to this heading"></a></h1>
<p>Container in SBL is a method for sub region support. Its an encapsulation of multiple components as depicted in the image below.</p>
<img alt="../_images/sbl_container.PNG" class="align-center" src="../_images/sbl_container.PNG" />
<p><strong>Container</strong></p>
<p>Container region header encapsulates details about its components and public key hashes or component hashes. Container header has to be signed using RSA private key. Respective public key hash would be store in SBL Hash Store and it is verified while container gets registered.</p>
<p><strong>Components</strong></p>
<p>Component region can be added as compressed form or raw images. These region supports both hash verification and siging with RSA private keys. Public key hash or component hash would be stored in container main header. These hashes would be verified when components get loaded.</p>
<p><strong>Mono Signing</strong></p>
<p>Mono signing is a method in which all components region would be signed in a single shot and verified using RSA or with hash verification.</p>
<p>Refer <a class="reference internal" href="../tools/GenContainer.html#gen-container-tool"><span class="std std-ref">Container Tool</span></a> for details on container format and for its creation.</p>
<section id="auth-types-supported">
<h2>Auth Types Supported<a class="headerlink" href="#auth-types-supported" title="Permalink to this heading"></a></h2>
<p>Slimboot container and its components can be signed and it can be authenticated by using the following authorization types.</p>
<table class="docutils align-default">
<thead>
<tr class="row-odd"><th class="head" colspan="2"><p>Auth Type</p></th>
<th class="head" colspan="2"><p>Description</p></th>
</tr>
</thead>
<tbody>
<tr class="row-even"><td colspan="2"><p>SHA2_256</p></td>
<td colspan="2"><p>SHA256 hash verification</p></td>
</tr>
<tr class="row-odd"><td colspan="2"><p>SHA2_384</p></td>
<td colspan="2"><p>SHA384 hash verification</p></td>
</tr>
<tr class="row-even"><td colspan="2"><p>RSA2048_PKCS1_SHA2_256</p></td>
<td colspan="2"><p>RSA signed for key size 2048, sha256 hash &amp; PKCS1.5 padding</p></td>
</tr>
<tr class="row-odd"><td colspan="2"><p>RSA3072_PKCS1_SHA2_384</p></td>
<td colspan="2"><p>RSA signed for key size 3072, sha384 hash &amp; PKCS1.5 padding</p></td>
</tr>
<tr class="row-even"><td colspan="2"><p>RSA2048_PSS_SHA2_256</p></td>
<td colspan="2"><p>RSA signed for key size 2048, sha256 hash &amp; PSS padding</p></td>
</tr>
<tr class="row-odd"><td colspan="2"><p>RSA3072_PSS_SHA2_384</p></td>
<td colspan="2"><p>RSA signed for key size 3072, sha384 hash &amp; PSS padding</p></td>
</tr>
<tr class="row-even"><td colspan="2"><p>NONE</p></td>
<td colspan="2"><p>No Authorization. Supported only for sub region components</p></td>
</tr>
</tbody>
</table>
</section>
<section id="container-formats">
<h2>Container Formats<a class="headerlink" href="#container-formats" title="Permalink to this heading"></a></h2>
<p>Container supports following signatures methods. OEMs can define the methods as per their usecase.
Corresponding public key hashes need to be enrolled in SBL hash store.</p>
<table class="docutils align-default">
<thead>
<tr class="row-odd"><th class="head" colspan="2"><p>Signature</p></th>
<th class="head" colspan="2"><p>Key for Signing container header</p></th>
</tr>
</thead>
<tbody>
<tr class="row-even"><td colspan="2"><p>BOOT</p></td>
<td colspan="2"><p>KEY_ID_OS1_PRIVATE_RSA3072 (OS Key)</p></td>
</tr>
<tr class="row-odd"><td colspan="2"><p>KEYH</p></td>
<td colspan="2"><p>KEY_ID_MASTER_RSA3072 (Master Key)</p></td>
</tr>
<tr class="row-even"><td colspan="2"><p>OEM Defined</p></td>
<td colspan="2"><p>OEM to define and add to signing scripts</p></td>
</tr>
<tr class="row-odd"><td colspan="2"><p>IPFW and others</p></td>
<td colspan="2"><p>KEY_ID_CONTAINER_RSA3072 (Container Def Key)</p></td>
</tr>
</tbody>
</table>
<p><strong>BOOT</strong></p>
<p>This is for booting a OS kernel image. Refer <a class="reference internal" href="../how-tos/create-container-boot-image.html#create-container-boot-image"><span class="std std-ref">Create Container Boot Image</span></a> for creation of bootable format.
Bootable container image is signed with RSA private key and the corresponding hash is stored in SBL Hash store.</p>
<p><strong>KEYH</strong></p>
<p>This is used external hash store creation. SBL maintains a loadable “Hash Store” to save digests of public keys used to sign external loadable by the bootloader.</p>
<p><strong>OEM Defined</strong></p>
<p>OEM can define their container methods.</p>
</section>
<section id="container-firmware">
<h2>Container Firmware<a class="headerlink" href="#container-firmware" title="Permalink to this heading"></a></h2>
<p>Signatures defined apart from above category would fall in this category.</p>
<p>This section provides an overriew of container format for firmware stored in flash. IPFW is container signature used widely in SBL for components as PSE, TSN, TCC and so.</p>
<p><strong>Key Requirement and Ownership</strong></p>
<p>This picture depicts the various keys used for container components update on flash.</p>
<img alt="../_images/ipfw_key_ownership.jpg" class="align-center" src="../_images/ipfw_key_ownership.jpg" />
<p>Container Def Key - This key is used to sign the container header. Respective public key hash is stored in SBL hash store.</p>
<p>Container Component Key - This key is used to sign the components inside the container. Public key hash is stored in container header.</p>
<p>FwUpdate Key - Private Key used to sign the capsule firmware blob. Respective public key hash is stored in SBL hash store.</p>
<p><strong>Container Component Update Flow</strong></p>
<ol class="arabic simple">
<li><p>Sign the raw component binary using <a class="reference internal" href="../tools/GenContainer.html#gen-container-tool"><span class="std std-ref">Container Tool</span></a> Sign command</p></li>
<li><p>Generate the capsule firmware update image using <a class="reference internal" href="firmware-update.html#firmware-update"><span class="std std-ref">Firmware Update</span></a> tool.</p></li>
<li><p>Perform the capsule image update to update the respective component region :ref:firmware-update</p></li>
</ol>
<img alt="../_images/sbl_container_comp_update.jpg" class="align-center" src="../_images/sbl_container_comp_update.jpg" />
</section>
</section>
</div>
</div>
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
<a href="firmware-update.html" class="btn btn-neutral float-left" title="Firmware Update" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
<a href="firmware-resiliency-and-recovery.html" class="btn btn-neutral float-right" title="Firmware Resiliency and Recovery" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
</div>
<hr/>
<div role="contentinfo">
<p>&#169; Copyright 2018 - 2025, Intel Corporation.
<span class="lastupdated">Last updated on Jun 27, 2025.
</span></p>
</div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script>
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink