dasharo/slimbootloader.github.io
0
0
Fork 0
mirror of https://github.com/Dasharo/slimbootloader.github.io.git synced 2026-03-06 15:26:36 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
8f7edc76c735b5def2ef525673ea977473ef8e0d
slimbootloader.github.io/security/verified-boot.html

170 lines
9.8 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
<meta charset="utf-8" /><meta name="generator" content="Docutils 0.18.1: http://docutils.sourceforge.net/" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Verified Boot &mdash; Slim Bootloader 1.0 documentation</title>
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="../_static/graphviz.css" type="text/css" />
<link rel="stylesheet" href="../_static/custom.css" type="text/css" />
<link rel="shortcut icon" href="../_static/sbl_logo_blue_32x32_icon.ico"/>
<!--[if lt IE 9]>
<script src="../_static/js/html5shiv.min.js"></script>
<![endif]-->
<script src="../_static/jquery.js"></script>
<script src="../_static/_sphinx_javascript_frameworks_compat.js"></script>
<script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
<script src="../_static/doctools.js"></script>
<script src="../_static/sphinx_highlight.js"></script>
<script src="../_static/js/theme.js"></script>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="SBL Build and Sign" href="key-management.html" />
<link rel="prev" title="Boot Guard" href="boot-guard.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="../index.html" class="icon icon-home">
Slim Bootloader
<img src="../_static/sbl_logo_white_200x200.png" class="logo" alt="Logo"/>
</a>
<div class="version">
1.0
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="../search.html" method="get">
<input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../introduction/index.html">Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="../getting-started/index.html">Getting Started</a></li>
<li class="toctree-l1"><a class="reference internal" href="../supported-hardware/index.html">Supported Hardware</a></li>
<li class="toctree-l1"><a class="reference internal" href="../developer-guides/index.html">Developers Guide</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">Security Features</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="boot-guard.html">Boot Guard</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Verified Boot</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#sbl-hash-store">SBL Hash Store</a></li>
<li class="toctree-l3"><a class="reference internal" href="#verified-boot-flow">Verified Boot FLow</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="key-management.html">SBL Build and Sign</a></li>
<li class="toctree-l2"><a class="reference internal" href="key-management.html#key-management">Key Management</a></li>
<li class="toctree-l2"><a class="reference internal" href="measured-boot.html">Measured Boot</a></li>
<li class="toctree-l2"><a class="reference internal" href="firmware-update.html">Firmware Update</a></li>
<li class="toctree-l2"><a class="reference internal" href="container-security.html">Container Security</a></li>
<li class="toctree-l2"><a class="reference internal" href="firmware-resiliency-and-recovery.html">Firmware Resiliency and Recovery</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../how-tos/index.html">How-Tos</a></li>
<li class="toctree-l1"><a class="reference internal" href="../tools/index.html">Tools</a></li>
<li class="toctree-l1"><a class="reference internal" href="../tutorials/index.html">Tutorials</a></li>
<li class="toctree-l1"><a class="reference internal" href="../specs/index.html">Specifications</a></li>
<li class="toctree-l1"><a class="reference internal" href="../references/references.html">References and Links</a></li>
<li class="toctree-l1"><a class="reference internal" href="../references/terminology.html">Terminology and Acronyms</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" >
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="../index.html">Slim Bootloader</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="../index.html" class="icon icon-home" aria-label="Home"></a></li>
<li class="breadcrumb-item"><a href="index.html">Security Features</a></li>
<li class="breadcrumb-item active">Verified Boot</li>
<li class="wy-breadcrumbs-aside">
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="verified-boot">
<h1>Verified Boot<a class="headerlink" href="#verified-boot" title="Permalink to this heading"></a></h1>
<p>Slim Bootloader supports verified boot as part of its secure boot feature. Verification uses either of the following two approaches.</p>
<p><strong>1. Hash verification</strong></p>
<blockquote>
<div><p>A hash function is used to create a digest during build and saved as part of the image which is then used to compare against the digest computed during boot to make sure they are the same. The digest calculated during build and saved as part of the image is trusted as its part of the trust chain.</p>
<p>This method is used to verify components for which the digest can be computed during SBL build time.</p>
</div></blockquote>
<p><strong>2. Signature verification</strong></p>
<blockquote>
<div><p>This method of verification is used for independently updateable components like configuration data, IP firmware blobs, OS images, etc.</p>
<p>This method uses asymmetric cryptography, and uses a public-private key pair.
Public keys, which may be disseminated widely, and private keys, which are known only to the owner. The private key is used to encrypt the hash digest of an image and the public key is used to verify that the image has not been modified. The public key itself is verified using a hash verification.</p>
</div></blockquote>
<section id="sbl-hash-store">
<h2>SBL Hash Store<a class="headerlink" href="#sbl-hash-store" title="Permalink to this heading"></a></h2>
<p>SBL maintains a “Hash Store” to save digests needed by the bootloader. This includes the hash digests of SBL stages as well as the hash digests of the public keys used to verify discrete components.</p>
<p>The hash store is included in Stage 1A and is verified as part of IBB by the HWROT. The hash store can be extended using a loadable module as well. Stage 1B verifies this loadable module before extending the built-in hash store.</p>
</section>
<section id="verified-boot-flow">
<h2>Verified Boot FLow<a class="headerlink" href="#verified-boot-flow" title="Permalink to this heading"></a></h2>
<p>The initial Root of Trust (RoT) provides the anchor of trust for the platform and is typically rooted in hardware. The chain of trust is maintained by cryptographically verifying each subsequent component before it is executed. If the verification of a component fails, the boot process will be halted.</p>
<p>Verified boot ensures all executed code comes from a trusted source. SBL supports verified boot.</p>
<p>Below picture depicts how SBL maintains chain-of-trust as platform boots across various stages:</p>
<img alt="Security Chain-of-Trust" src="../_images/sec_chain_of_trust.jpg" />
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Secure Chain-of-Trust for ApolloLake platform differs slightly from the above picture.</p>
</div>
<p>To enable verified boot, see <a class="reference internal" href="../how-tos/enable-verified-boot.html#enable-verified-boot"><span class="std std-ref">Enable Verified Boot</span></a>.</p>
</section>
</section>
</div>
</div>
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
<a href="boot-guard.html" class="btn btn-neutral float-left" title="Boot Guard" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
<a href="key-management.html" class="btn btn-neutral float-right" title="SBL Build and Sign" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
</div>
<hr/>
<div role="contentinfo">
<p>&#169; Copyright 2018 - 2024, Intel Corporation.
<span class="lastupdated">Last updated on Nov 19, 2024.
</span></p>
</div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script>
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink