Hi Ilias > -----Original Message----- > From: boot-architecture <[email protected]> On > Behalf Of Ilias Apalodimas > Sent: Friday, May 24, 2019 8:59 PM > To: [email protected] > Subject: [EXT] Securing the boot flow in U-Boot > > Caution: EXT Email > > Hello all, > > Continuing the discussions we had on securing the boot flow and OS as much as > possible, we came up with the following idea. > > We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot.
I believe you are planning to support as UEFI specs [Chapter 31, UEFI spec 2.7] > This will cover the next payload (shim/grub2/shim depending on board needs). > > In order to provide better overall security for the OS we'll need to at least > verify DTB (if provided externally), initramfs and kernel modules. > > 1. For the kernel modules we can use kernel module signing facilities [1] > 2. In case someone wants to provide an external DTB, we can use FIT images > to secure that. The FIT images will contain the DTB(s) we need. Those will > only be used if the authentication process succeeds. This will allow us to > verify DTBs without introducing any new functionality to U-Boot. > 3. We need to verify initramfs as well. This can be accomplished in various > ways. > Packing kernel + initramfs or using dm-verity are the two obvious ones but we > are open to suggestions. > This also makes the development process for LEDGE pretty clear. We'll have to > add UEFI Secure Boot implementation on U-Boot *only* since the rest of the > functionality can be achieved with the existing code (minor adjustments might > be > needed though). > > What do you think? Here we are talking about image signing and image validation. I am not sure, what are your plan to make keys data base (platform key, KeK and DBs) secure while writing. AFAIU, This is one of requirement of secure uefi that these secure variable should be written in MM mode. > [1] > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ker > nel.org%2Fdoc%2Fhtml%2Fv4.15%2Fadmin-guide%2Fmodule- > signing.html&data=02%7C01%7Cudit.kumar%40nxp.com%7C67b7f9e9588 > c49dcbbd708d6e05c949a%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0 > %7C636943085576955336&sdata=d76zsRb9eYBiaIWswbT1ZCEodwAatkmt > LLKqqkkL65w%3D&reserved=0 > > > Thanks > /Ilias > _______________________________________________ > boot-architecture mailing list > [email protected] > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.linar > o.org%2Fmailman%2Flistinfo%2Fboot- > architecture&data=02%7C01%7Cudit.kumar%40nxp.com%7C67b7f9e9588 > c49dcbbd708d6e05c949a%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0 > %7C636943085576955336&sdata=l4QbkknOMe7kzcAa9kxJvHkD%2BJHqxh > R6ivV3BqwdIY4%3D&reserved=0 _______________________________________________ boot-architecture mailing list [email protected] https://lists.linaro.org/mailman/listinfo/boot-architecture
