Submit Search
Upload
Secureboot Survival Guide
•
8 likes
•
1,646 views
L
lcplcp1
Follow
Slides for COSCUP 2014
Read less
Read more
Software
Report
Share
Report
Share
1 of 48
Download Now
Download to read offline
Recommended
Implementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded System
insydesoftware
LCA13: Power State Coordination Interface
LCA13: Power State Coordination Interface
Linaro
U-Boot - An universal bootloader
U-Boot - An universal bootloader
Emertxe Information Technologies Pvt Ltd
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
Alex Matrosov
Embedded_Linux_Booting
Embedded_Linux_Booting
Rashila Rr
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Anne Nicolas
BeagleBone Black Bootloaders
BeagleBone Black Bootloaders
SysPlay eLearning Academy for You
Scientific calcultor-Java
Scientific calcultor-Java
Shaibal Ahmed
More Related Content
What's hot
Embedded Operating System - Linux
Embedded Operating System - Linux
Emertxe Information Technologies Pvt Ltd
Introduction to Optee (26 may 2016)
Introduction to Optee (26 may 2016)
Yannick Gicquel
Bootloaders (U-Boot)
Bootloaders (U-Boot)
Omkar Rane
Advanced C - Part 1
Advanced C - Part 1
Emertxe Information Technologies Pvt Ltd
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Linaro
Scripting para Mikrotik - Presentación Nunsys en MUM
Scripting para Mikrotik - Presentación Nunsys en MUM
Nunsys S.L.
Bootloaders
Bootloaders
Anil Kumar Pugalia
The Low-Risk Path to Building Autonomous Car Architectures
The Low-Risk Path to Building Autonomous Car Architectures
Real-Time Innovations (RTI)
linux device driver
linux device driver
Rahul Batra
Kdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysis
Buland Singh
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEE
Linaro
Slideshare - linux crypto
Slideshare - linux crypto
Jin Wu
Uboot startup sequence
Uboot startup sequence
Houcheng Lin
Profiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf Tools
emBO_Conference
Performance Profiling in Rust
Performance Profiling in Rust
InfluxData
Linux systems - Getting started with setting up and embedded platform
Linux systems - Getting started with setting up and embedded platform
Emertxe Information Technologies Pvt Ltd
U Boot or Universal Bootloader
U Boot or Universal Bootloader
Satpal Parmar
/proc/irq/<irq>/smp_affinity
/proc/irq/<irq>/smp_affinity
Takuya ASADA
Audio Drivers
Audio Drivers
Anil Kumar Pugalia
LCA14: LCA14-418: Testing a secure framework
LCA14: LCA14-418: Testing a secure framework
Linaro
What's hot
(20)
Embedded Operating System - Linux
Embedded Operating System - Linux
Introduction to Optee (26 may 2016)
Introduction to Optee (26 may 2016)
Bootloaders (U-Boot)
Bootloaders (U-Boot)
Advanced C - Part 1
Advanced C - Part 1
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Scripting para Mikrotik - Presentación Nunsys en MUM
Scripting para Mikrotik - Presentación Nunsys en MUM
Bootloaders
Bootloaders
The Low-Risk Path to Building Autonomous Car Architectures
The Low-Risk Path to Building Autonomous Car Architectures
linux device driver
linux device driver
Kdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysis
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEE
Slideshare - linux crypto
Slideshare - linux crypto
Uboot startup sequence
Uboot startup sequence
Profiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf Tools
Performance Profiling in Rust
Performance Profiling in Rust
Linux systems - Getting started with setting up and embedded platform
Linux systems - Getting started with setting up and embedded platform
U Boot or Universal Bootloader
U Boot or Universal Bootloader
/proc/irq/<irq>/smp_affinity
/proc/irq/<irq>/smp_affinity
Audio Drivers
Audio Drivers
LCA14: LCA14-418: Testing a secure framework
LCA14: LCA14-418: Testing a secure framework
Similar to Secureboot Survival Guide
2, installation
2, installation
ted-xu
Configuration tutorial for pytorch environment under windows.pdf
Configuration tutorial for pytorch environment under windows.pdf
shuaihaohan135
HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...
HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...
裝機安 Angelo
使用Rpm&yum进行基础软件管理
使用Rpm&yum进行基础软件管理
Jason Zheng
使用Rpm&yum进行基础软件管理
使用Rpm&yum进行基础软件管理
haiyuan ning
GNU Build System
GNU Build System
imacat .
讓 Asp.net 在 raspberry pi 上飛
讓 Asp.net 在 raspberry pi 上飛
dplayerd
Con t532-基于 windows 7 的硬件设备安装体验-richie fang
Con t532-基于 windows 7 的硬件设备安装体验-richie fang
sirensings
玩转Windows
玩转Windows
dozer47528
Raspberry pi 基本操作
Raspberry pi 基本操作
艾鍗科技
使用 Load Balancer 與 Redis 部署 LAMP Server 高併發架構 - Global Azure Taiwan 20200425 ...
使用 Load Balancer 與 Redis 部署 LAMP Server 高併發架構 - Global Azure Taiwan 20200425 ...
Laird Cheng
[精彩回顾]Linux新手教程
[精彩回顾]Linux新手教程
NJU OPEN
Nagios的安装部署和与cacti的整合(linuxtone)
Nagios的安装部署和与cacti的整合(linuxtone)
Yiwei Ma
用 Drone 打造輕量級容器持續交付平台
用 Drone 打造輕量級容器持續交付平台
Bo-Yi Wu
Docker tutorial
Docker tutorial
azole Lai
GNU Autoconf / Automake #1
GNU Autoconf / Automake #1
imacat .
烏托邦教學 簡易硬體維修
烏托邦教學 簡易硬體維修
TanYuDe
尚观Linux研究室 linux驱动程序全解析
尚观Linux研究室 linux驱动程序全解析
hangejnu
運用 Docker 整合 Laravel 提升團隊開發效率
運用 Docker 整合 Laravel 提升團隊開發效率
Bo-Yi Wu
Proxmox VE 功能概觀、案例分享與實用工具 [2019/12/07] @Proxmox VE 中文使用者社團 2019 年會
Proxmox VE 功能概觀、案例分享與實用工具 [2019/12/07] @Proxmox VE 中文使用者社團 2019 年會
Jason Cheng
Similar to Secureboot Survival Guide
(20)
2, installation
2, installation
Configuration tutorial for pytorch environment under windows.pdf
Configuration tutorial for pytorch environment under windows.pdf
HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...
HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...
使用Rpm&yum进行基础软件管理
使用Rpm&yum进行基础软件管理
使用Rpm&yum进行基础软件管理
使用Rpm&yum进行基础软件管理
GNU Build System
GNU Build System
讓 Asp.net 在 raspberry pi 上飛
讓 Asp.net 在 raspberry pi 上飛
Con t532-基于 windows 7 的硬件设备安装体验-richie fang
Con t532-基于 windows 7 的硬件设备安装体验-richie fang
玩转Windows
玩转Windows
Raspberry pi 基本操作
Raspberry pi 基本操作
使用 Load Balancer 與 Redis 部署 LAMP Server 高併發架構 - Global Azure Taiwan 20200425 ...
使用 Load Balancer 與 Redis 部署 LAMP Server 高併發架構 - Global Azure Taiwan 20200425 ...
[精彩回顾]Linux新手教程
[精彩回顾]Linux新手教程
Nagios的安装部署和与cacti的整合(linuxtone)
Nagios的安装部署和与cacti的整合(linuxtone)
用 Drone 打造輕量級容器持續交付平台
用 Drone 打造輕量級容器持續交付平台
Docker tutorial
Docker tutorial
GNU Autoconf / Automake #1
GNU Autoconf / Automake #1
烏托邦教學 簡易硬體維修
烏托邦教學 簡易硬體維修
尚观Linux研究室 linux驱动程序全解析
尚观Linux研究室 linux驱动程序全解析
運用 Docker 整合 Laravel 提升團隊開發效率
運用 Docker 整合 Laravel 提升團隊開發效率
Proxmox VE 功能概觀、案例分享與實用工具 [2019/12/07] @Proxmox VE 中文使用者社團 2019 年會
Proxmox VE 功能概觀、案例分享與實用工具 [2019/12/07] @Proxmox VE 中文使用者社團 2019 年會
Secureboot Survival Guide
1.
Secure Boot Survival Guide Gary
Lin Software Engineer – SUSE Labs glin@suse.com
2.
什麼是 Secure Boot
?
3.
先來談談 UEFI 吧!
4.
UEFI Hardware Firmware Unified Extensible Firmware
Interface OS Based on http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#mediaviewer/File:Efi-simple.svg
5.
其實就跟 BIOS 一樣 啦!
6.
BIOS 時代 BIOS Bootloader
7.
UEFI 時代 UEFI UEFI
Image
8.
UEFI 的 Secure
Boot 為 Windows 8 認証的必要 條件
9.
所以說什麼是 Secure Boot
?
10.
鎖
11.
UEFI UEFI Image Secure
Boot UEFI Secure Boot Verified UEFI Image ?
12.
Bootloader UEFI OS db db PK KEK db
13.
這些 key 是哪裡來的?
14.
硬體出廠前預先載入的
15.
UEFI PK KEK db UEFI CA
16.
銅鑼灣只有一個浩南
17.
UEFI 只有一個 CA
18.
Microsoft UEFI CA
19.
UEFI CA Signing
Policy ● 入會費 $99 ● 送審者需有 EV Certificate (2014/3 起 ) ● 只接受產品等級的程式 ● 不接受 GPLv3 授權的程式,如 Grub2 http://blogs.msdn.com/b/windows_hardware_certification/archive/2013/12/03/microsoft-uefi-ca-signing-policy-updates.aspx
20.
http://farm3.staticflickr.com/2559/4199675334_66c3e3d61d.jpg
21.
Linux 使用者 /
發行商有 什麼選擇?
22.
方案一 不爽不要用
23.
可是客戶要求 ...
24.
方案二 隔開 UEFI 與
Grub2
25.
shim (Matthew Garret) PreLoader
(James Bottomley)
26.
shim db OS Vendor load db AT Var UEFI
load Grub2 Vendor Kernel Vendor AT: Authenticated
27.
但是 ...
28.
使用者還是不能隨意修改
29.
方案二 改 自己的程式自己簽
30.
UEFI Variables ● Authenticated
Variable ● Runtime Service Variable ● Boot Service Variable
31.
UEFI Variables Boot Service
Runtime Service Authenticated UEFI - Read Yes Yes Yes UEFI - Write Yes Yes Restricted OS - Read No Yes Yes OS - Write No Yes Restricted * 此處指 Non-volatile Variables
32.
Machine Owner Key
33.
shim db OS Vendor MOKList BS Var load db AT
Var UEFI load Grub2 MOK Kernel MOK AT: Authenticated BS: Boot Service
34.
Grub2 Vendor Kernel MOK Kernel Vendor Grub2 MOK load load load load load shim db OS Vendor MOKList BS
Var
35.
mokutil --import MOKNew RT Var Password shim
MokManager MOKList BS Var load 3. verify 4.enroll reboot 1. request 2.detect Linux UEFI RT: Runtime
36.
簽章工具 -- pesign ●
針對 PE-COFF 的簽章工具 ● 使用 Mozilla NSS 管理憑證 ● 支援多重簽章
37.
pesign 用法 ● 初始化資料庫 –
$ certutil -N -d certdb ● 載入公私鑰 – $ pk12util -d certdb -i mykey.p12 ● 簽章 – $ pesign -n certdb -c mykey -s -i myloader.efi -o myloader-signed.efi For more details: http://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
38.
使用 shim+MOK 的 distro ●
SUSE Enterprise Linux / openSUSE ● Red Hat Enterprise Linux / Fedora ● Ubuntu ● Alt Linux ● more
39.
Secure Boot 不再是 Linux
的問題
40.
我有 Secure Boot
我超強!
41.
Hack In The
Box 2014 Setup for Failure: More Ways to Defeat SecureBoot http://haxpo.nl/hitb2014ams-kallenberg-cornwell-kovah-butterworth/
42.
Not So Secure ●
某 A 廠沒保護好關鍵的 UEFI variable ● 某些廠商沒設定好 SPI Flash 的保 護機制
43.
沒有絕對安全的系統 請時常注意安全更新
44.
http://farm3.staticflickr.com/2698/4304968451_677b6a2cb5.jpg photo credit: Marco
Bellucci via photopin
45.
photo credit: J.
Star https://www.flickr.com/photos/jstar/409405305/
46.
References ● UEFI Forum http://www.uefi.org/ ●
Wikipedia: UEFI http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface ● Microsoft UEFI CA Signing Policy http://blogs.msdn.com/b/windows_hardware_certification/archive/2013/12/03/microsoft-uefi-ca-signing-policy-updates.aspx ● Will your computer's "Secure Boot" turn out to be "Restricted Boot"? http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot ● shim https://github.com/mjg59/shim ● preloader http://git.kernel.org/cgit/linux/kernel/git/jejb/efitools.git ● Machine Owner Key https://www.suse.com/communities/conversations/uefi-secure-boot-details/ ● mokutil https://github.com/lcp/mokutil ● pesign https://github.com/vathpela/pesign ● Alt Linux UEFI Secure Boot mini-HOWTO http://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO
47.
Backup
48.
UEFI 的好處 ● BSD
開放原碼授權的參考實作 (edk2) ● 以 C 為開發語言 ● 多硬體架構支援,如 x86-64, IA-32, IA-64, ARM, AArch64 ● 模組化設計
Download Now