What does it mean to trust your boot process? di… · 1 © 2019 Nokia What does it mean to trust your boot process? Gabriela Limonta code::dive 2019 21.11.2019

© 2019 Nokia1

What does it mean to trust your boot process?

Gabriela Limonta

code::dive 2019

21.11.2019

© 2019 Nokia2

Computer/Communications Engineer

~3 years working at Nokia

Researcher in the Cybersecurity Research Team at Nokia Bell Labs

Trusted Computing and Root Cause Analysis in Trusted Systems

I like knitting, running and calligraphy

(pretty bad at portraits, though :( )

Me

© 2019 Nokia3

Boot process

© 2019 Nokia4

Boot process

© 2019 Nokia5

Boot process

© 2019 Nokia7

• HW init and abstractions

• Interface to start OS

• Restrict access to privileged

resources

Hardware

Firmware

Hypervisor/Applications

Virtual Workload

Data/Information

Operating System/Kernel

© 2019 Nokia8Source: https://www.infoworld.com/artic le/2608141/in ternet-privacy/snowden--the-nsa-planted-backdoors-in-cisco-products.html

https://www.infoworld.com/article/2608141/internet-privacy/snowden--the-nsa-planted-backdoors-in-cisco-products.html

© 2019 Nokia9Source: https://www.infoworld.com/artic le/2608141/in ternet-privacy/snowden--the-nsa-planted-backdoors-in-cisco-products.html

Source: https://arstechnica.com/tech-policy/2014/05/photos -of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/

https://www.infoworld.com/article/2608141/internet-privacy/snowden--the-nsa-planted-backdoors-in-cisco-products.html

https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/

© 2019 Nokia10

So, how does the boot process actually work?

© 2019 Nokia12

x86 BIOS Boot

© 2019 Nokia13

x86 BIOS Boot

© 2019 Nokia14

x86 BIOS Boot

SPI

Load BIOS

© 2019 Nokia15

x86 BIOS Boot

SPI

Load BIOS

POST

© 2019 Nokia16

x86 BIOS Boot

SPI

Load BIOS

POST

Load BIOS

parameters from

CMOS

© 2019 Nokia17

x86 BIOS Boot

SPI

Load BIOS

POST

Load BIOS

parameters from

CMOS

Select Boot

Device (MBR)

© 2019 Nokia18

x86 BIOS Boot

SPI

Load BIOS

POST

Load BIOS

parameters from

CMOS

512 MB

Bootloader

Select Boot

Device (MBR)

© 2019 Nokia19

x86 BIOS Boot

SPI

Load BIOS

POST

Load BIOS

parameters from

CMOS

512 MB

Bootloader

Select Boot

Device (MBR)

Bootloader

(e.g. grub)

© 2019 Nokia20

x86 BIOS Boot

SPI

Load BIOS

POST

Load BIOS

parameters from

CMOS

512 MB

Bootloader

Select Boot

Device (MBR)

Bootloader

(e.g. grub)

© 2019 Nokia21

BIOS vs. UEFI

• MBR vs GPT

• Actual standard for booting

• Secure Boot

• More addressable space -> Mouse and pretty graphics support

© 2019 Nokia23

UEFI Boot

© 2019 Nokia24

UEFI Boot

(SEC)

Secure

boot up

© 2019 Nokia25

UEFI Boot

(SEC)

Secure

boot up

(PEI)

Pre-EFI Init

phase

© 2019 Nokia26

UEFI Boot

(SEC)

Secure

boot up

(PEI)

Pre-EFI Init

phase

(DXE)

Driver

Execution

Engine

© 2019 Nokia27

UEFI Boot

(SEC)

Secure

boot up

(PEI)

Pre-EFI Init

phase

(DXE)

Driver

Execution

Engine

(BDS)

Boot device

selection

© 2019 Nokia28

UEFI Boot

(SEC)

Secure

boot up

(PEI)

Pre-EFI Init

phase

(DXE)

Driver

Execution

Engine

(BDS)

Boot device

selection

(TSL)

Transient

System Load

and final

bootloader

© 2019 Nokia29

UEFI Boot

(SEC)

Secure

boot up

(PEI)

Pre-EFI Init

phase

(DXE)

Driver

Execution

Engine

(BDS)

Boot device

selection

(TSL)

Transient

System Load

and final

bootloader

(RT)

OS Runtime

Services

© 2019 Nokia30

Trusting x86: Secure and Measured Boot

© 2019 Nokia31

Secure Boot

© 2019 Nokia32

Secure Boot

Firmware

© 2019 Nokia33

Secure Boot

Firmware

© 2019 Nokia34

Secure Boot

Firmware Bootloader

© 2019 Nokia35

Secure Boot

Firmware Bootloader

© 2019 Nokia36

Secure Boot

Firmware Bootloader Kernel

© 2019 Nokia37

Secure Boot

Firmware Bootloader Kernel

© 2019 Nokia38

Secure Boot

Firmware Bootloader KernelKernel

Modules

© 2019 Nokia39

Secure Boot

Firmware Bootloader KernelKernel

Modules

© 2019 Nokia41

Secure Boot Key Databases PK

db

KEK

dbx

© 2019 Nokia42


db

KEK

dbx

© 2019 Nokia44


db

KEK

dbx

© 2019 Nokia45

© 2019 Nokia46


db

KEK

dbx

© 2019 Nokia47

© 2019 Nokia48


db

KEK

dbx

© 2019 Nokia49

© 2019 Nokia50

But wait, what about Linux?

© 2019 Nokia52

Still don’t like this?Take control and use your own keys....YMMV

© 2019 Nokia53

Verifying signatures is not enough

Source: https://arstechnica.com/information-technology/2019/03 /hijacked-asus-software-updates-installed-backdoor-on-at-least-0-5-million-pcs/

https://arstechnica.com/information-technology/2019/03/hijacked-asus-software-updates-installed-backdoor-on-at-least-0-5-million-pcs/

© 2019 Nokia56 Nokia internal use

If verifying is not enough, what do we do now?

© 2019 Nokia57

Enabler: TPM

© 2019 Nokia58

TPM comes in different flavors

© 2019 Nokia59


https://security.googleblog.com/2019/11/opentitan-

open-sourcing-transparent.html

© 2019 Nokia60




https://www.youtube.com/watch?v=oUvKEw8OchI

© 2019 Nokia61





https://youtu.be/e8DVmwj3OEs

© 2019 Nokia62





https://youtu.be/e8DVmwj3OEs

Image Source: Fixit

https://www.ifixit.com/Guide/Image/meta/XjfnyfJFiDdqgOpE

© 2019 Nokia63

Measured Boot

© 2019 Nokia64

Measured Boot

CRTM

© 2019 Nokia65

Measured Boot

CRTM

© 2019 Nokia66

Measured Boot

CRTM Firmware

© 2019 Nokia67

Measured Boot

CRTM Firmware

© 2019 Nokia68

Measured Boot

CRTM Firmware

© 2019 Nokia69

Measured Boot

CRTM Firmware Bootloader

© 2019 Nokia70

Measured Boot


© 2019 Nokia71

Measured Boot


© 2019 Nokia72

Measured Boot

CRTM Firmware Bootloader Kernel

© 2019 Nokia73

Measured Boot


© 2019 Nokia74

Measured Boot


© 2019 Nokia75

Measured Boot


PCR Extend (PCR, new_value) = hash(PCRold || new_value)

© 2019 Nokia77

Boot time measurement logs

Source: https://trustedcomputinggroup.org/resource/pc-client-specif ic-platform-firmware-profile-specification/

https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/

© 2019 Nokia80

Remote Attestation

AIs A trusted?Requestmeasurements

Return measurements

Compare measurements

against known

values

Attestation

Server

A is trusted ☺

Challenger

© 2019 Nokia81

Guarantees and LimitationsSecure and Measured Boot

• Stopping vs. Detecting (unauthorized components)

• Hashing vs. Signing

• Trust but verify


A different perspective…

© 2019 Nokia83

Raspberry Pi Boot sequence

© 2019 Nokia84

© 2019 Nokia85

Raspberry Pi Boot sequence

First Stage

Bootloader

(programmed in

ROM during

manufacture time)

Second Stage

Bootloader

(bootcode.bin)

GPU Firmware

(start.efl)

User code

(kernel.img, Linux

kernel)

Execution transferred to the CPU

© 2019 Nokia86

ARM

Cortex A Cortex M

© 2019 Nokia87

Non-Trusted World

Virtual Machine

Trusted World

User application

Rich OS

Hypervisor

Firmware

Secure Monitor

Trusted Execution

Environment

Trusted Apps

Trusted OS Kernel

© 2019 Nokia88

Non-Trusted World

Virtual Machine

Trusted World

User application

Rich OS

Hypervisor

Firmware

Secure Monitor

Trusted Execution

Environment

Trusted Apps

Trusted OS Kernel

© 2019 Nokia90

Still one problem…

© 2019 Nokia91

Still one problem… Where does firmware come from?


Still one problem… Where does firmware come from?

1Firmware Supplier

2OEM / Additional Firmware

3Customer

© 2019 Nokia93

sha1 :

0 : 0367be7a28f6c53f05584111e652b7d19323ae4c

1 : c775a358a3391252426820a28abe7c46db24e6a5

2 : b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236


4 : bfb572ec31ddd577f2fea5829583356a17f5cfcc

5 : 659f635966504c8afbd9e1e54d19c4aeda19d9d8


7 : 22c44c57537a3013be601046910cd91c04b11856

8 : 1d9dd06ae7d28286d26d9e140d63c4ce5b00bc4f

9 : 712e0de9c98c969117623df2e5cd4b068a93d5fc

10 : 5ec16885a8897c02b3cda67805e6fa9eabf88fea

11 : 0000000000000000000000000000000000000000

12 : 0000000000000000000000000000000000000000

13 : 0000000000000000000000000000000000000000

14 : 0000000000000000000000000000000000000000

15 : 0000000000000000000000000000000000000000

16 : 0000000000000000000000000000000000000000

17 : ffffffffffffffffffffffffffffffffffffffff






23 : 0000000000000000000000000000000000000000

© 2019 Nokia94

sha1 :

0 : 0367be7a28f6c53f05584111e652b7d19323ae4c

1 : c775a358a3391252426820a28abe7c46db24e6a5






7 : 22c44c57537a3013be601046910cd91c04b11856




11 : 0000000000000000000000000000000000000000

12 : 0000000000000000000000000000000000000000

13 : 0000000000000000000000000000000000000000

14 : 0000000000000000000000000000000000000000

15 : 0000000000000000000000000000000000000000

16 : 0000000000000000000000000000000000000000







23 : 0000000000000000000000000000000000000000

© 2019 Nokia95

sha1 :

0 : 0367be7a28f6c53f05584111e652b7d19323ae4c

1 : c775a358a3391252426820a28abe7c46db24e6a5






7 : 22c44c57537a3013be601046910cd91c04b11856




11 : 0000000000000000000000000000000000000000

12 : 0000000000000000000000000000000000000000

13 : 0000000000000000000000000000000000000000

14 : 0000000000000000000000000000000000000000

15 : 0000000000000000000000000000000000000000

16 : 0000000000000000000000000000000000000000







23 : 0000000000000000000000000000000000000000

PCR: 2

Events:

Event number: 12

PCR Index: 2

Event type: 0x00000004 - EV_SEPARATOR

Digests: [

{

'hash_alg': 'SHA1’,

'digest': '9069ca78e7450a285173431b3e52c5c25299e473’

},

{

'hash_alg': 'SHA256’,

'digest': 'df3f619804a92fdb40571…524c014b81119’

}

]

Event size: 4

Event data: b'\x00\x00\x00\x00'

© 2019 Nokia96

Moving towards open source firmware… (?)


Thanks! [email protected]@nokia-bell-labs.com

What does it mean to trust your boot process? di… · 1 © 2019 Nokia What does it mean to trust your boot process? Gabriela Limonta code::dive 2019 21.11.2019

Documents