Boot Passwords and Secure Boot


A boot password requires the user to authenticate before the operating system is loaded.

  • Different system software will provide different support for authentication methods
  • usually at least two passwords, though some systems may allow for more:
    1. Supervisor/Administrator/Setup—Protect access to the system setup program
    2. User/System—Lock access to the whole computer
      • very secure way of protecting an entire PC as nothing can be done until the firmware has initialized the system

Secure boot is a UEFI feature designed to prevent a computer from being hijacked by malware.

  • the computer firmware is configured with cryptographic keys that can identify trusted code
  • system firmware checks the operating system boot loader using the stored keys to ensure that it has been digitally signed by the OS vendor
  • prevents a boot loader that has been modified by malware or an OS installed without authorization from being used
  • how it works:
    1. Read the boot loader from disk
    2. Compute the hash of the boot loader
    3. Decrypt the boot loader’s digital signature
    4. Verify that the signature is valid (the decrypted signature matches the computed hash)
  • remote attestation
    • sends a compliance report of the calculated hash values to an external server to provide assurance that the computer is not running malware

Info

  • Keys from vendors such as Microsoft (Windows and Windows Server) and Linux distributions (Fedora, openSUSE, and Ubuntu) will be pre-loaded.
  • Additional keys for other boot loaders can be installed (or the pre-loaded ones removed) via the system setup software
  • also possible to disable secure boot

Measured boot allows each device in the boot chain to verify the hash of the next device.

  • more flexible than secure boot
  • relies on attestation
    • trusted hashes are stored in the TPM
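A simplified model of measured boot and remote attestation, added here as an example (not part of the original notes): each boot-chain stage is hashed and extended into a TPM-style PCR, and the attestation server replays the event log and compares the measurements with trusted hashes. The component images and the golden values are constructed for illustration.

```python
import hashlib

# Constructed sample boot-chain components (stand-ins for real firmware and boot loader images).
GOOD_CHAIN = [
    ("uefi_firmware", b"vendor UEFI firmware image v1.2"),
    ("boot_loader",   b"signed OS boot loader"),
    ("kernel",        b"OS kernel image"),
]

def measure(component: bytes) -> bytes:
    """Hash one stage of the boot chain (SHA-256, as in a TPM 2.0 SHA-256 PCR bank)."""
    return hashlib.sha256(component).digest()

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new PCR = H(old PCR || digest). A PCR can only be extended, never
    written directly, so the final value depends on every measurement and their order."""
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(chain):
    """Simulate measured boot: every stage is measured and extended into one PCR
    (all zeros after reset). Returns the event log and the final PCR value."""
    pcr = b"\x00" * 32
    event_log = []
    for name, image in chain:
        digest = measure(image)
        event_log.append((name, digest.hex()))
        pcr = pcr_extend(pcr, digest)
    return event_log, pcr

def remote_attest(event_log, pcr, golden_digests) -> bool:
    """Verifier side: replay the log to confirm it reproduces the reported PCR (log integrity),
    then check each measured digest against the trusted (golden) value for that stage."""
    replayed = b"\x00" * 32
    for _, digest_hex in event_log:
        replayed = pcr_extend(replayed, bytes.fromhex(digest_hex))
    if replayed != pcr:
        return False  # log does not reproduce the PCR: the report was altered
    return all(golden_digests.get(name) == digest_hex for name, digest_hex in event_log)

# Golden values would be provisioned on the attestation server from a known-good boot.
GOLDEN = {name: measure(image).hex() for name, image in GOOD_CHAIN}

def attest_chain(chain) -> bool:
    log, pcr = measured_boot(chain)
    return remote_attest(log, pcr, GOLDEN)

# Constructed chain whose boot loader no longer matches its trusted hash.
MODIFIED_CHAIN = [GOOD_CHAIN[0], ("boot_loader", b"modified OS boot loader"), GOOD_CHAIN[2]]

if __name__ == "__main__":
    print("known-good chain passes:", attest_chain(GOOD_CHAIN))       # True
    print("modified boot loader passes:", attest_chain(MODIFIED_CHAIN))  # False
```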

Hardware root of trust verifies firmware integrity.

  • ensures the UEFI firmware itself is not tampered with
  • stores the keys used to validate the UEFI firmware in hardware
  • verifies that the UEFI is intact and unaltered before the boot process begins

A trusted execution environment is a system that combines a hardware root of trust, UEFI, TPM, and Secure Boot.

  • combines secure elements across hardware, operating systems, and software