© 2019 Nokia 1 What does it mean to trust your boot process? Gabriela Limonta code::dive 2019 21.11.2019
© 2019 Nokia1
What does it mean to trust your boot process?
Gabriela Limonta
code::dive 2019
21.11.2019
© 2019 Nokia2
Computer/Communications Engineer
~3 years working at Nokia
Researcher in the Cybersecurity Research Team at Nokia Bell Labs
Trusted Computing and Root Cause Analysis in Trusted Systems
I like knitting, running and calligraphy
(pretty bad at portraits, though :( )
Me
© 2019 Nokia3
Boot process
© 2019 Nokia4
Boot process
© 2019 Nokia5
Boot process
© 2019 Nokia7
• HW init and abstractions
• Interface to start OS
• Restrict access to privileged
resources
Hardware
Firmware
Hypervisor/Applications
Virtual Workload
Data/Information
Operating System/Kernel
© 2019 Nokia8Source: https://www.infoworld.com/artic le/2608141/in ternet-privacy/snowden--the-nsa-planted-backdoors-in-cisco-products.html
© 2019 Nokia9Source: https://www.infoworld.com/artic le/2608141/in ternet-privacy/snowden--the-nsa-planted-backdoors-in-cisco-products.html
Source: https://arstechnica.com/tech-policy/2014/05/photos -of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/
© 2019 Nokia10
So, how does the boot process actually work?
© 2019 Nokia12
x86 BIOS Boot
© 2019 Nokia13
x86 BIOS Boot
© 2019 Nokia14
x86 BIOS Boot
SPI
Load BIOS
© 2019 Nokia15
x86 BIOS Boot
SPI
Load BIOS
POST
© 2019 Nokia16
x86 BIOS Boot
SPI
Load BIOS
POST
Load BIOS
parameters from
CMOS
© 2019 Nokia17
x86 BIOS Boot
SPI
Load BIOS
POST
Load BIOS
parameters from
CMOS
Select Boot
Device (MBR)
© 2019 Nokia18
x86 BIOS Boot
SPI
Load BIOS
POST
Load BIOS
parameters from
CMOS
512 MB
Bootloader
Select Boot
Device (MBR)
© 2019 Nokia19
x86 BIOS Boot
SPI
Load BIOS
POST
Load BIOS
parameters from
CMOS
512 MB
Bootloader
Select Boot
Device (MBR)
Bootloader
(e.g. grub)
© 2019 Nokia20
x86 BIOS Boot
SPI
Load BIOS
POST
Load BIOS
parameters from
CMOS
512 MB
Bootloader
Select Boot
Device (MBR)
Bootloader
(e.g. grub)
© 2019 Nokia21
BIOS vs. UEFI
• MBR vs GPT
• Actual standard for booting
• Secure Boot
• More addressable space -> Mouse and pretty graphics support
© 2019 Nokia23
UEFI Boot
© 2019 Nokia24
UEFI Boot
(SEC)
Secure
boot up
© 2019 Nokia25
UEFI Boot
(SEC)
Secure
boot up
(PEI)
Pre-EFI Init
phase
© 2019 Nokia26
UEFI Boot
(SEC)
Secure
boot up
(PEI)
Pre-EFI Init
phase
(DXE)
Driver
Execution
Engine
© 2019 Nokia27
UEFI Boot
(SEC)
Secure
boot up
(PEI)
Pre-EFI Init
phase
(DXE)
Driver
Execution
Engine
(BDS)
Boot device
selection
© 2019 Nokia28
UEFI Boot
(SEC)
Secure
boot up
(PEI)
Pre-EFI Init
phase
(DXE)
Driver
Execution
Engine
(BDS)
Boot device
selection
(TSL)
Transient
System Load
and final
bootloader
© 2019 Nokia29
UEFI Boot
(SEC)
Secure
boot up
(PEI)
Pre-EFI Init
phase
(DXE)
Driver
Execution
Engine
(BDS)
Boot device
selection
(TSL)
Transient
System Load
and final
bootloader
(RT)
OS Runtime
Services
© 2019 Nokia30
Trusting x86: Secure and Measured Boot
© 2019 Nokia31
Secure Boot
© 2019 Nokia32
Secure Boot
Firmware
© 2019 Nokia33
Secure Boot
Firmware
© 2019 Nokia34
Secure Boot
Firmware Bootloader
© 2019 Nokia35
Secure Boot
Firmware Bootloader
© 2019 Nokia36
Secure Boot
Firmware Bootloader Kernel
© 2019 Nokia37
Secure Boot
Firmware Bootloader Kernel
© 2019 Nokia38
Secure Boot
Firmware Bootloader KernelKernel
Modules
© 2019 Nokia39
Secure Boot
Firmware Bootloader KernelKernel
Modules
© 2019 Nokia41
Secure Boot Key Databases PK
db
KEK
dbx
© 2019 Nokia42
Secure Boot Key Databases PK
db
KEK
dbx
© 2019 Nokia44
Secure Boot Key Databases PK
db
KEK
dbx
© 2019 Nokia45
© 2019 Nokia46
Secure Boot Key Databases PK
db
KEK
dbx
© 2019 Nokia47
© 2019 Nokia48
Secure Boot Key Databases PK
db
KEK
dbx
© 2019 Nokia49
© 2019 Nokia50
But wait, what about Linux?
© 2019 Nokia52
Still don’t like this?Take control and use your own keys....YMMV
© 2019 Nokia53
Verifying signatures is not enough
Source: https://arstechnica.com/information-technology/2019/03 /hijacked-asus-software-updates-installed-backdoor-on-at-least-0-5-million-pcs/
© 2019 Nokia56 Nokia internal use
If verifying is not enough, what do we do now?
© 2019 Nokia57
Enabler: TPM
© 2019 Nokia58
TPM comes in different flavors
© 2019 Nokia59
TPM comes in different flavors
https://security.googleblog.com/2019/11/opentitan-
open-sourcing-transparent.html
© 2019 Nokia60
TPM comes in different flavors
https://security.googleblog.com/2019/11/opentitan-
open-sourcing-transparent.html
https://www.youtube.com/watch?v=oUvKEw8OchI
© 2019 Nokia61
TPM comes in different flavors
https://security.googleblog.com/2019/11/opentitan-
open-sourcing-transparent.html
https://www.youtube.com/watch?v=oUvKEw8OchI
https://youtu.be/e8DVmwj3OEs
© 2019 Nokia62
TPM comes in different flavors
https://security.googleblog.com/2019/11/opentitan-
open-sourcing-transparent.html
https://www.youtube.com/watch?v=oUvKEw8OchI
https://youtu.be/e8DVmwj3OEs
Image Source: Fixit
© 2019 Nokia63
Measured Boot
© 2019 Nokia64
Measured Boot
CRTM
© 2019 Nokia65
Measured Boot
CRTM
© 2019 Nokia66
Measured Boot
CRTM Firmware
© 2019 Nokia67
Measured Boot
CRTM Firmware
© 2019 Nokia68
Measured Boot
CRTM Firmware
© 2019 Nokia69
Measured Boot
CRTM Firmware Bootloader
© 2019 Nokia70
Measured Boot
CRTM Firmware Bootloader
© 2019 Nokia71
Measured Boot
CRTM Firmware Bootloader
© 2019 Nokia72
Measured Boot
CRTM Firmware Bootloader Kernel
© 2019 Nokia73
Measured Boot
CRTM Firmware Bootloader Kernel
© 2019 Nokia74
Measured Boot
CRTM Firmware Bootloader Kernel
© 2019 Nokia75
Measured Boot
CRTM Firmware Bootloader Kernel
PCR Extend (PCR, new_value) = hash(PCRold || new_value)
© 2019 Nokia77
Boot time measurement logs
Source: https://trustedcomputinggroup.org/resource/pc-client-specif ic-platform-firmware-profile-specification/
© 2019 Nokia80
Remote Attestation
AIs A trusted?Requestmeasurements
Return measurements
Compare measurements
against known
values
Attestation
Server
A is trusted ☺
Challenger
© 2019 Nokia81
Guarantees and LimitationsSecure and Measured Boot
• Stopping vs. Detecting (unauthorized components)
• Hashing vs. Signing
• Trust but verify
© 2019 Nokia82 Nokia internal use
A different perspective…
© 2019 Nokia83
Raspberry Pi Boot sequence
© 2019 Nokia84
© 2019 Nokia85
Raspberry Pi Boot sequence
First Stage
Bootloader
(programmed in
ROM during
manufacture time)
Second Stage
Bootloader
(bootcode.bin)
GPU Firmware
(start.efl)
User code
(kernel.img, Linux
kernel)
Execution transferred to the CPU
© 2019 Nokia86
ARM
Cortex A Cortex M
© 2019 Nokia87
Non-Trusted World
Virtual Machine
Trusted World
User application
Rich OS
Hypervisor
Firmware
Secure Monitor
Trusted Execution
Environment
Trusted Apps
Trusted OS Kernel
© 2019 Nokia88
Non-Trusted World
Virtual Machine
Trusted World
User application
Rich OS
Hypervisor
Firmware
Secure Monitor
Trusted Execution
Environment
Trusted Apps
Trusted OS Kernel
© 2019 Nokia90
Still one problem…
© 2019 Nokia91
Still one problem… Where does firmware come from?
© 2019 Nokia92 Nokia internal use
Still one problem… Where does firmware come from?
1Firmware Supplier
2OEM / Additional Firmware
3Customer
© 2019 Nokia93
sha1 :
0 : 0367be7a28f6c53f05584111e652b7d19323ae4c
1 : c775a358a3391252426820a28abe7c46db24e6a5
2 : b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
3 : b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
4 : bfb572ec31ddd577f2fea5829583356a17f5cfcc
5 : 659f635966504c8afbd9e1e54d19c4aeda19d9d8
6 : b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
7 : 22c44c57537a3013be601046910cd91c04b11856
8 : 1d9dd06ae7d28286d26d9e140d63c4ce5b00bc4f
9 : 712e0de9c98c969117623df2e5cd4b068a93d5fc
10 : 5ec16885a8897c02b3cda67805e6fa9eabf88fea
11 : 0000000000000000000000000000000000000000
12 : 0000000000000000000000000000000000000000
13 : 0000000000000000000000000000000000000000
14 : 0000000000000000000000000000000000000000
15 : 0000000000000000000000000000000000000000
16 : 0000000000000000000000000000000000000000
17 : ffffffffffffffffffffffffffffffffffffffff
18 : ffffffffffffffffffffffffffffffffffffffff
19 : ffffffffffffffffffffffffffffffffffffffff
20 : ffffffffffffffffffffffffffffffffffffffff
21 : ffffffffffffffffffffffffffffffffffffffff
22 : ffffffffffffffffffffffffffffffffffffffff
23 : 0000000000000000000000000000000000000000
© 2019 Nokia94
sha1 :
0 : 0367be7a28f6c53f05584111e652b7d19323ae4c
1 : c775a358a3391252426820a28abe7c46db24e6a5
2 : b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
3 : b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
4 : bfb572ec31ddd577f2fea5829583356a17f5cfcc
5 : 659f635966504c8afbd9e1e54d19c4aeda19d9d8
6 : b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
7 : 22c44c57537a3013be601046910cd91c04b11856
8 : 1d9dd06ae7d28286d26d9e140d63c4ce5b00bc4f
9 : 712e0de9c98c969117623df2e5cd4b068a93d5fc
10 : 5ec16885a8897c02b3cda67805e6fa9eabf88fea
11 : 0000000000000000000000000000000000000000
12 : 0000000000000000000000000000000000000000
13 : 0000000000000000000000000000000000000000
14 : 0000000000000000000000000000000000000000
15 : 0000000000000000000000000000000000000000
16 : 0000000000000000000000000000000000000000
17 : ffffffffffffffffffffffffffffffffffffffff
18 : ffffffffffffffffffffffffffffffffffffffff
19 : ffffffffffffffffffffffffffffffffffffffff
20 : ffffffffffffffffffffffffffffffffffffffff
21 : ffffffffffffffffffffffffffffffffffffffff
22 : ffffffffffffffffffffffffffffffffffffffff
23 : 0000000000000000000000000000000000000000
© 2019 Nokia95
sha1 :
0 : 0367be7a28f6c53f05584111e652b7d19323ae4c
1 : c775a358a3391252426820a28abe7c46db24e6a5
2 : b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
3 : b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
4 : bfb572ec31ddd577f2fea5829583356a17f5cfcc
5 : 659f635966504c8afbd9e1e54d19c4aeda19d9d8
6 : b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
7 : 22c44c57537a3013be601046910cd91c04b11856
8 : 1d9dd06ae7d28286d26d9e140d63c4ce5b00bc4f
9 : 712e0de9c98c969117623df2e5cd4b068a93d5fc
10 : 5ec16885a8897c02b3cda67805e6fa9eabf88fea
11 : 0000000000000000000000000000000000000000
12 : 0000000000000000000000000000000000000000
13 : 0000000000000000000000000000000000000000
14 : 0000000000000000000000000000000000000000
15 : 0000000000000000000000000000000000000000
16 : 0000000000000000000000000000000000000000
17 : ffffffffffffffffffffffffffffffffffffffff
18 : ffffffffffffffffffffffffffffffffffffffff
19 : ffffffffffffffffffffffffffffffffffffffff
20 : ffffffffffffffffffffffffffffffffffffffff
21 : ffffffffffffffffffffffffffffffffffffffff
22 : ffffffffffffffffffffffffffffffffffffffff
23 : 0000000000000000000000000000000000000000
PCR: 2
Events:
Event number: 12
PCR Index: 2
Event type: 0x00000004 - EV_SEPARATOR
Digests: [
{
'hash_alg': 'SHA1’,
'digest': '9069ca78e7450a285173431b3e52c5c25299e473’
},
{
'hash_alg': 'SHA256’,
'digest': 'df3f619804a92fdb40571…524c014b81119’
}
]
Event size: 4
Event data: b'\x00\x00\x00\x00'
© 2019 Nokia96
Moving towards open source firmware… (?)
© 2019 Nokia97 Nokia internal use
Thanks! [email protected]@nokia-bell-labs.com