

Enabling Secure Boot, BitLocker and the ConfigCI

Introduction

Secure Boot enforces the verification of signatures of binaries before booting them. By enabling Secure Boot and checking for Microsoft signatures, we ensure that boot code has not been tampered with.

BitLocker is a full disk encryption feature of Windows, which also adds system integrity verification of early boot files. The documentation for BitLocker can be found here.

ConfigCI (Configurable Code Integrity) enforces signing of binaries to avoid execution of untrusted code.

To enable these security features, we will follow the instructions on this page. A supported board is required. The steps described here are valid for the DragonBoard 410c, which contains a Trusted Platform Module (TPM) chip. Devices without a TPM won't support all BitLocker features.

It is assumed that the device has been previously flashed with a Windows 10 IoT Core image, and the PC has the required Windows SDK (usually installed alongside Visual Studio) for Windows 8.1 or newer.

Enabling RPMB

A Replay Protected Memory Block (RPMB) is required to enable Secure Boot.

  • Hold the Vol-, Vol+ and Power button, then power up the board. The Boot Device Selection (BDS) screen should show up.
  • Move the cursor to Provision RPMB and press Power. Confirm by pressing Vol+.

Resetting previous setup

If SecureBoot was enabled on the board previously, it is recommended to reset the board:

  • Hold the Vol-, Vol+ and Power button, then power up the board. The Boot Device Selection (BDS) screen should show up.
  • Navigate to UEFI menu and choose:
    • Clear UEFI BS Variables
    • Clear UEFI RT Variables and fTPM (Erase RPMB)

Getting certificates

Follow the instructions on this page to generate certificates and private keys.

Alternatively, for testing purposes, pre-generated certificates can be used; however, they are NOT secure for production deployments.

Enabling SecureBoot/BitLocker/ConfigCI

To enable these features, follow the instructions at this page.
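The enabling steps themselves live on the linked page. As an added check, not part of the original page or of the Windows IoT project's own tooling, the following PowerShell script verifies on the board that each of the three controls (plus the TPM that BitLocker depends on) is actually active. It assumes a PowerShell remoting session to the device is already open and that the SecureBoot, BitLocker and TrustedPlatformModule cmdlets are present on the image; the mapping of Win32_DeviceGuard status codes (0 = off, 1 = audit, 2 = enforced) is the documented one.

```powershell
# Added verification script, not part of the original page.
# Assumptions: run inside a PowerShell remoting session to the board
# (Enter-PSSession -ComputerName <device> -Credential <cred>), and the
# SecureBoot, BitLocker and TrustedPlatformModule modules exist on the image.

function Test-SecureBootState {
    # Confirm-SecureBootUEFI returns $true when the firmware reports Secure Boot
    # enabled; on non-UEFI or unsupported platforms it throws, treated here as $false.
    try { return [bool](Confirm-SecureBootUEFI) } catch { return $false }
}

function Test-TpmState {
    # The DragonBoard 410c exposes a firmware TPM (fTPM); without TpmReady,
    # BitLocker cannot seal its key to the platform measurements.
    $tpm = Get-Tpm
    return [pscustomobject]@{ Present = $tpm.TpmPresent; Ready = $tpm.TpmReady }
}

function Test-BitLockerState {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    return [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = [string]$vol.ProtectionStatus   # 'On' once protectors are enforced
        VolumeStatus     = [string]$vol.VolumeStatus       # e.g. 'FullyEncrypted'
        KeyProtectors    = (($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ',')
    }
}

function Test-CodeIntegrityState {
    # Win32_DeviceGuard reports the Configurable Code Integrity policy state:
    # 0 = off, 1 = audit mode (violations are logged only), 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
        0 { return 'Off' }
        1 { return 'Audit' }
        2 { return 'Enforced' }
        default { return 'Unknown' }
    }
}

function Get-PlatformSecuritySummary {
    $bl = Test-BitLockerState
    $summary = [pscustomobject]@{
        SecureBoot    = Test-SecureBootState
        Tpm           = Test-TpmState
        BitLocker     = $bl
        CodeIntegrity = Test-CodeIntegrityState
    }
    # The board counts as fully configured only when every control is active;
    # a CI policy still in audit mode does not satisfy the check.
    $summary | Add-Member -NotePropertyName AllEnabled -NotePropertyValue (
        $summary.SecureBoot -and
        $summary.Tpm.Ready -and
        $bl.ProtectionStatus -eq 'On' -and
        $summary.CodeIntegrity -eq 'Enforced'
    )
    return $summary
}

Get-PlatformSecuritySummary | Format-List
```

Run it once after the reset and provisioning steps above and once more after following the enabling instructions; the first run should show every control off, and the second should report AllEnabled as True. A BitLocker volume whose KeyProtectors list lacks a Tpm entry indicates the TPM was not ready when encryption was turned on.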
