Dmitry Eremin-Solenikov
Ivan Nikolaenko
Measured Boot for
embedded devices
Open Source Software Engineer
DI SW
December, 2019
Restricted © 2019 Mentor Graphics Corporation
Approaching authentic execution environment
 Usually the device manufacturer wants to be sure that the deployed
device executes authentic code:
— Because it might be a medical device,
— Or a safety-critical device,
— Or just to ensure generic platform integrity.
 We need to authenticate image contents!
D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,2
Traditional approaches
 No authentication at all.
– Oops.
 Verify the image signature before flashing it.
– Any intruder can still modify the image contents after flashing.
 Or just verify the whole image on each boot.
– So slooow.
 We have to authenticate image contents at runtime!
Measured boot
 Measured boot is a technique for securely recording a log of the digests of
all boot components
 Measured boot is typically thought of as an x86-only feature
 However, nothing stops us from employing the same technique on
embedded devices
 A TPM chip is the hardware component that anchors the measurements so the
log cannot be altered undetectably
Measured Boot for embedded devices
Boot time
 Digest all boot components
 Optionally use the calculated boot state to decrypt the next stage
Runtime
 Digest a selected set of files as they are accessed
– E.g. digest all root-owned executable files
– Or digest all root-owned files
– Or anything you can come up with
 Use the digested information to unlock encryption keys
 Use the digested information to remotely verify the device state
Measuring boot components
 A TPM provides at least 24 PCRs (Platform Configuration Registers) to hold
the boot log state
 These registers are reset only when the board resets
 The only way to change them is to Extend:
– PCR[i] = Hash ( PCR[i] || ExtendArgument )
 The code needed to talk to the TPM is less than 500 lines
 Modify your bootloader to Extend PCRs with the digest of each next boot image
before handing control to it
Measuring inside Linux
 Linux provides the IMA (Integrity Measurement Architecture) and EVM
(Extended Verification Module) subsystems
 IMA maintains a runtime list of file measurements
– Policy controlled
– Can be anchored in the TPM (PCR 10 by default) to provide an aggregate
integrity value
 Steps to enable:
– Enable in kernel
– Mount filesystems with the iversion option
– Provide a signed policy
– Load the policy at boot time
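The Extend rule and the IMA measurement list are easiest to understand by replaying them. The Python below is an added example, not code from the slides or from the authors' bootloader or Yocto patches: it simulates a SHA-1 and a SHA-256 PCR bank, measures constructed stand-in boot images into PCR 8 (bootloader) and PCR 9 (kernel, DTB, initramfs), an assumed assignment, parses constructed lines in the ima-ng layout of ascii_runtime_measurements and replays PCR 10 from their template hashes, and shows a verifier catching a kernel that was swapped in flash. All digests, paths and PCR numbers are constructed for the example.

```python
import hashlib

DIGEST_LEN = {"sha1": 20, "sha256": 32}   # simulated PCR banks


def fresh_pcrs(algo, count=24):
    """PCRs 0-16 and 23 are all zeros after a board reset; replay starts there."""
    return [bytes(DIGEST_LEN[algo])] * count


def extend(pcr, digest, algo):
    """The only write a PCR offers: PCR = Hash(PCR || digest)."""
    if len(digest) != DIGEST_LEN[algo]:
        raise ValueError(f"{algo} bank expects {DIGEST_LEN[algo]}-byte digests")
    return hashlib.new(algo, pcr + digest).digest()


def replay(log, algo):
    """Recompute all PCRs from a log of (pcr_index, digest) events."""
    pcrs = fresh_pcrs(algo)
    for index, digest in log:
        pcrs[index] = extend(pcrs[index], digest, algo)
    return pcrs


def verify_log(log, reported_pcrs, algo):
    """A log is only believable if replaying it reproduces the PCR values the
    TPM reports. Returns the PCR indices that differ (empty means consistent)."""
    expected = replay(log, algo)
    return [i for i, (e, r) in enumerate(zip(expected, reported_pcrs)) if e != r]


# Boot time: the patched bootloader digests each next-stage image and extends
# it into that stage's PCR before jumping to it. PCR 8 for the bootloader and
# PCR 9 for kernel, DTB and initramfs is an assumed assignment for this example.
def measure_boot_images(images, algo="sha256"):
    pcrs, log = fresh_pcrs(algo), []
    for index, image in images:
        digest = hashlib.new(algo, image).digest()
        pcrs[index] = extend(pcrs[index], digest, algo)
        log.append((index, digest))
    return pcrs, log


BOOT_IMAGES = [                      # constructed stand-ins for blobs in flash
    (8, b"constructed: u-boot.bin"),
    (9, b"constructed: zImage 4.19"),
    (9, b"constructed: board.dtb"),
    (9, b"constructed: initramfs.cpio.gz"),
]


# Runtime: lines in the ima-ng layout of
# /sys/kernel/security/ima/ascii_runtime_measurements:
#   <pcr> <template-hash> ima-ng <algo>:<file-hash> <path>
# Both digests below are derived from a label, not taken from a real system.
def constructed_ima_line(label, path):
    template_hash = hashlib.sha1(b"constructed template: " + label).hexdigest()
    file_hash = hashlib.sha256(b"constructed content: " + label).hexdigest()
    return f"10 {template_hash} ima-ng sha256:{file_hash} {path}"


IMA_LIST = "\n".join([
    constructed_ima_line(b"boot_aggregate", "boot_aggregate"),
    constructed_ima_line(b"init", "/sbin/init"),
    constructed_ima_line(b"sh", "/bin/sh"),
    constructed_ima_line(b"agent", "/usr/bin/attestation-agent"),
])


def parse_ima_list(text):
    """Return (pcr, template_hash, algo, file_hash, path) per entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pcr, template_hash, template, file_field, path = line.split(maxsplit=4)
        if template != "ima-ng":
            raise ValueError(f"unsupported template {template}")
        algo, file_hash = file_field.split(":", 1)
        entries.append((int(pcr), bytes.fromhex(template_hash), algo,
                        bytes.fromhex(file_hash), path))
    return entries


def ima_log(text):
    """IMA extends the template hash into PCR 10; it is SHA-1 in the kernels
    this deck targets, so the replay runs in the SHA-1 bank."""
    return [(pcr, th) for pcr, th, _, _, _ in parse_ima_list(text)]


def demo():
    """Return (boot log verifies, IMA list verifies, swapped kernel caught)."""
    reference, boot_log = measure_boot_images(BOOT_IMAGES)
    boot_ok = verify_log(boot_log, reference, "sha256") == []

    pcr10 = replay(ima_log(IMA_LIST), "sha1")        # what the TPM would hold
    ima_ok = verify_log(ima_log(IMA_LIST), pcr10, "sha1") == []

    # Kernel swapped in flash: the bootloader still measures faithfully, so the
    # PCR 9 it produces no longer matches the reference from known-good images.
    swapped = [(i, img.replace(b"4.19", b"4.19-evil")) for i, img in BOOT_IMAGES]
    _, swapped_log = measure_boot_images(swapped)
    caught = 9 in verify_log(swapped_log, reference, "sha256")
    return boot_ok, ima_ok, caught
```

Two things the replay makes visible that the bullet list does not: the order of events matters (extending the same digests in a different order gives a different PCR), and a verifier needs both the log and the TPM-reported PCR values, since a log on its own can be rewritten. Newer kernels keep a template digest per PCR bank instead of padding the SHA-1 value, so check which your kernel does before replaying a SHA-256 bank.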
Measuring inside Linux: protecting from tampering
 The Linux EVM subsystem protects against offline filesystem tampering
 It uses either an HMAC or a digital signature to verify the security extended
attributes:
– security.ima (IMA's stored “good” hash or signature for the file)
– security.selinux (the SELinux label/context on the file)
– security.SMACK64 (Smack's label on the file)
– security.capability (file capabilities on executables)
 Steps to enable:
– Enable in kernel
– Load the certificate or HMAC key into the kernel keyring
– Enable it through securityfs
Using measured state: local attestation
 Use the aggregated state to seal the keys of the next stage
– Seal the EVM HMAC key to the bootloader measurements
● An attacker cannot obtain the HMAC key by tampering with the bootloader
– Seal the rootfs encryption key to the bootloader and kernel measurements
● The rootfs cannot be accessed if any of the boot components has changed!
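To make sealing concrete, here is an added Python example (not from the slides or from the authors' scripts) that computes a TPM 2.0 PolicyPCR digest the way a real chip does for TPM2_Create and TPM2_Unseal, and simulates the rest of the TPM in a small class. The images, keys and the PCR assignment (8 for the bootloader, 9 for the kernel) are constructed assumptions; the algorithm and command-code constants are the ones from the TPM 2.0 specification.

```python
import hashlib
import hmac
import struct

TPM_ALG_SHA256 = 0x000B        # TPM 2.0 Part 2 algorithm identifier
TPM_CC_POLICYPCR = 0x0000017F  # TPM 2.0 Part 2 command code
PCR_BYTES = 32
BOOTLOADER_PCR, KERNEL_PCR = 8, 9   # assumed PCR assignment for this example


def pcr_selection(indices):
    """Marshal a TPML_PCR_SELECTION with one SHA-256 TPMS_PCR_SELECTION:
    count (u32), hash alg (u16), sizeofSelect (u8), 3-byte bitmap (24 PCRs)."""
    bitmap = bytearray(3)
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)


def policy_pcr_digest(pcrs, indices):
    """TPM2_PolicyPCR (TPM 2.0 Part 3) applied to an empty session:
    policyDigest = H(0^32 || TPM_CC_PolicyPCR || pcrSelection || H(PCR values))."""
    values = hashlib.sha256(b"".join(pcrs[i] for i in sorted(indices))).digest()
    return hashlib.sha256(bytes(PCR_BYTES) + struct.pack(">I", TPM_CC_POLICYPCR)
                          + pcr_selection(indices) + values).digest()


class SimTpm:
    """Just enough of a TPM 2.0 to show sealing: one SHA-256 PCR bank and
    objects whose secret is released only under a matching policy session."""

    def __init__(self):
        self._objects = {}
        self.reset()

    def reset(self):
        """Board reset: PCRs return to zero; sealed objects (blobs in flash,
        encrypted by the TPM) survive."""
        self.pcrs = [bytes(PCR_BYTES)] * 24

    def extend(self, index, digest):
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()

    def seal(self, name, secret, auth_policy):
        """TPM2_Create with authPolicy set: the plaintext never leaves the chip."""
        self._objects[name] = (auth_policy, secret)

    def unseal(self, name, indices):
        """TPM2_PolicyPCR in a session, then TPM2_Unseal: the session's digest
        must equal the object's authPolicy or the TPM refuses."""
        auth_policy, secret = self._objects[name]
        session = policy_pcr_digest(self.pcrs, indices)
        if not hmac.compare_digest(session, auth_policy):
            raise PermissionError(f"policy check failed for {name}")
        return secret


def boot(tpm, bootloader, kernel):
    """What the measuring boot chain does: extend each image digest before
    running the image."""
    tpm.extend(BOOTLOADER_PCR, hashlib.sha256(bootloader).digest())
    tpm.extend(KERNEL_PCR, hashlib.sha256(kernel).digest())


def provision(tpm, good_bootloader, good_kernel, evm_key, rootfs_key):
    """Factory side: derive the expected PCRs from the golden images, build one
    policy per key (as on the slide) and seal both keys into the device's TPM."""
    reference = SimTpm()
    boot(reference, good_bootloader, good_kernel)
    tpm.seal("evm-hmac-key", evm_key,
             policy_pcr_digest(reference.pcrs, [BOOTLOADER_PCR]))
    tpm.seal("rootfs-key", rootfs_key,
             policy_pcr_digest(reference.pcrs, [BOOTLOADER_PCR, KERNEL_PCR]))


def try_unseal(tpm, name, indices):
    try:
        return tpm.unseal(name, indices)
    except PermissionError:
        return None


# Constructed images and keys for the demo.
GOOD_BOOTLOADER, GOOD_KERNEL = b"constructed: u-boot.bin", b"constructed: zImage"
EVM_KEY, ROOTFS_KEY = b"constructed-evm-hmac-key", b"constructed-rootfs-key"


def demo():
    """Return ((evm key, rootfs key) after an honest boot,
               (evm key, rootfs key) after booting a modified kernel)."""
    tpm = SimTpm()
    provision(tpm, GOOD_BOOTLOADER, GOOD_KERNEL, EVM_KEY, ROOTFS_KEY)

    boot(tpm, GOOD_BOOTLOADER, GOOD_KERNEL)
    honest = (try_unseal(tpm, "evm-hmac-key", [BOOTLOADER_PCR]),
              try_unseal(tpm, "rootfs-key", [BOOTLOADER_PCR, KERNEL_PCR]))

    tpm.reset()
    boot(tpm, GOOD_BOOTLOADER, b"constructed: zImage-backdoored")
    modified = (try_unseal(tpm, "evm-hmac-key", [BOOTLOADER_PCR]),
                try_unseal(tpm, "rootfs-key", [BOOTLOADER_PCR, KERNEL_PCR]))
    return honest, modified
```

Note what the second result shows: the EVM key, sealed to the bootloader measurement only as on the slide, is still released after booting a modified kernel; only the rootfs key, sealed to PCRs 8 and 9, is withheld. Put every stage that has to be trusted before the key is used into the PCR selection, and remember that sealing does not stop the software that legitimately unseals a key from leaking it afterwards.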
Using measured state: remote attestation
 Remote attestation is a method by which a host authenticates its hardware
and software configuration to a remote host (server)
 Use the TPM's ability to cryptographically sign the PCR values (a quote) and
send the signed values together with the measurement log to the remote server
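The exchange between device and server, as an added example that is not part of the original deck or the authors' attestation scripts: the verifier issues a fresh nonce, the device returns a quote over its PCRs that includes that nonce, and the verifier checks freshness, the signature and the PCR digest against the value approved for that device in its DB. HMAC with a shared secret stands in for the TPM's attestation-key signature so the example runs with the standard library; the TPMS_ATTEST layout is simplified; device IDs, images and PCR numbers are constructed.

```python
import hashlib
import hmac
import os
import struct

TPM_GENERATED_VALUE = 0xFF544347   # magic at the start of every TPMS_ATTEST
TPM_ST_ATTEST_QUOTE = 0x8018
PCR_BYTES = 32
INDICES = [8, 9]                   # assumed PCRs: 8 bootloader, 9 kernel


def pcr_digest(pcrs, indices):
    """H(selected PCR values in index order): the value a quote commits to."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(indices))).digest()


def attest_blob(nonce, indices, digest):
    """Simplified TPMS_ATTEST for a quote: magic, type, extraData (the
    verifier's nonce), PCR bitmap, pcrDigest. The real structure also carries
    qualifiedSigner, clockInfo and firmwareVersion; they are omitted here."""
    bitmap = bytearray(3)
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return (struct.pack(">IHH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE, len(nonce))
            + nonce + bytes(bitmap) + digest)


class Device:
    """Device side. ak_secret stands in for the TPM attestation key: a real TPM
    signs with a private key that never leaves the chip and the verifier checks
    with the public half registered at provisioning; HMAC is used here only so
    the example runs with the standard library."""

    def __init__(self, device_id, ak_secret, pcrs):
        self.device_id, self._ak, self.pcrs = device_id, ak_secret, pcrs

    def quote(self, nonce, indices):
        blob = attest_blob(nonce, indices, pcr_digest(self.pcrs, indices))
        return {"device": self.device_id, "attest": blob,
                "signature": hmac.new(self._ak, blob, hashlib.sha256).digest(),
                "pcrs": {i: self.pcrs[i] for i in indices}}


class Verifier:
    """Server side: a DB of devices (AK plus the PCR digest approved for the
    current firmware release) and a table of outstanding single-use nonces."""

    def __init__(self, db):
        self.db, self.outstanding = db, {}

    def challenge(self, device_id):
        nonce = os.urandom(32)
        self.outstanding[device_id] = nonce
        return nonce

    def verify(self, quote, indices):
        entry = self.db.get(quote["device"])
        if entry is None:
            return False, "unknown device"
        nonce = self.outstanding.pop(quote["device"], None)   # consumed on use
        if nonce is None:
            return False, "no outstanding challenge (replayed quote?)"
        blob = quote["attest"]
        good_sig = hmac.new(entry["ak"], blob, hashlib.sha256).digest()
        if not hmac.compare_digest(good_sig, quote["signature"]):
            return False, "bad signature"
        digest = pcr_digest(quote["pcrs"], indices)
        if blob != attest_blob(nonce, indices, digest):
            return False, "quote does not match the challenge or reported PCRs"
        if digest != entry["expected_pcr_digest"]:
            return False, "measurements differ from the approved release"
        return True, "ok"


def boot_pcrs(images):
    """PCR values a measuring boot chain would leave for the given images."""
    pcrs = [bytes(PCR_BYTES)] * 24
    for i, image in images:
        pcrs[i] = hashlib.sha256(pcrs[i] + hashlib.sha256(image).digest()).digest()
    return pcrs


GOOD_IMAGES = [(8, b"constructed: u-boot.bin"), (9, b"constructed: zImage")]
AK = b"constructed attestation key"


def demo():
    """Run four exchanges and return the verifier's verdict for each."""
    good = boot_pcrs(GOOD_IMAGES)
    verifier = Verifier({"dev-0001": {
        "ak": AK, "expected_pcr_digest": pcr_digest(good, INDICES)}})
    device = Device("dev-0001", AK, good)
    verdicts = []

    quote = device.quote(verifier.challenge("dev-0001"), INDICES)
    verdicts.append(verifier.verify(quote, INDICES))        # honest boot
    verdicts.append(verifier.verify(quote, INDICES))        # same quote again

    impostor = Device("dev-0001", b"guessed key", good)     # has no real AK
    verdicts.append(verifier.verify(
        impostor.quote(verifier.challenge("dev-0001"), INDICES), INDICES))

    tampered = Device("dev-0001", AK, boot_pcrs(
        [(8, b"constructed: u-boot.bin"), (9, b"constructed: zImage-evil")]))
    verdicts.append(verifier.verify(
        tampered.quote(verifier.challenge("dev-0001"), INDICES), INDICES))
    return [reason for _, reason in verdicts]
```

The four verdicts are: accepted; rejected as a replay (the nonce was consumed by the first check); rejected for a bad signature (an attacker without the device's AK cannot produce a quote); rejected because the PCR digest is not the approved one. A quote only says that the measurements differ; to learn which component changed, the server also needs the measurement log and has to replay it against the quoted PCR values.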
Deploying in embedded device
 Patch your bootloader
 With MEL/Yocto/OE, use one of 3 layers:
– meta-secure-core (complex solution)
– meta-measured (a bit outdated)
– meta-security (optimal after receiving all our patches)
 Use an initramfs to load the IMA policy and the EVM certificate
Deploying in embedded device #2
 Choose a solution for remote attestation
– OpenAttestation is an SDK for developing custom, complex solutions
– We recommend using strongSwan’s TNC (Trusted Network Connect) capability
to maintain a DB of devices
– We ourselves ended up with a set of scripts for provisioning keys, gathering
data and verifying the log
What can we do without TPM
TPM chips are cheap, but what if the hardware is already finalized?
Enable IMA/EVM appraisal!
– Verify that all executable files are signed by you
– EPERM for all other binaries
QUESTIONS?
www.mentor.com
