Skip to content

theopolis/sboot

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
common
common
 
 
drivers
drivers
 
 
include
include
 
 
lib
lib
 
 
patches
patches
 
 
INSTALL
INSTALL
 
 
README
README
 
 

Repository files navigation

libSboot -- Standalone

These libraries (libSboot, libTLCL) and TPM drivers provide a Secure Boot
example for U-boot. A source tree with libSboot built into mainline U-Boot
is available at https://github.com/theopolis/u-boot-sboot.

Overview:
=========

libSboot provides an example 'Secured Boot' for U-Boot and a U-Boot Second
Phase Loader (SPL). libSboot attempts to define an example of how a platform
can measure a pre-OS boot environment, thus providing a capability to
ensure that a libSboot-enforced OS is only loaded in an owner-authorized 
fashion. A 'Secure Boot' concept is a common means to ensure platform security
and integrity; understand that there are many implementations of a 'Secure
Boot'. 

The pre-boot environment is defined as:
- The U-Boot binary loaded by a SPL
- EEPROM defining platform identification and configuration
- Environment data read from an initial external source
- Environment variables set via the U-Boot console
- Commands interpreted via the U-Boot console
- Flat Device Tree files 
- Initial Ram Disks and Ram Disks
- An OS Kernel

Currently libSboot does not require augmentation (signatures or keys) to
data or configuration options for boot. It only requires patching U-Boot
and SPL boot routines to measure and check platform state. This does not 
provide the user with much robustness. A change to the pre-boot environment 
will require interaction on the U-Boot console to 'reseal' the configuration. 
A more robust implementation would apply signature checking to data and options
to provide flexible updates to the pre-boot environment.

Understanding the implementation of libSboot:

libSboot uses a TPM v1.2 to implement a secure boot using a static root
of trust measurement (SRTM). The static adjective implies a 'read-only' 
attribute, meaning libSboot expects its initialization to occur from ROM code. 
During this initialization libSboot performs a TPM_Start, TPM_SelfTest and 
checks that the TPM is neither deactivated nor disabled. The TPM must have its
NVRAM locked, meaning access control is enforced. Initialization then checks 
each PCR used to measure the pre-boot environment and verifies they are reset.
Finally Physical Presence is asserted to satisfy NVRAM read/write permissions.

The sealed data for a securely measured pre-boot environment is stored in TPM
NVRAM with a Physical Presence requirement for read and write. Note: the sealed 
data is an encrypted blob, thus a Physical Presence requirement for reading is 
not required. Though the Physical Presence requirement for writing is very 
important! If arbitrary sealed data can be written, then an attacker can measure 
and store from a compromised OS state. Because of this, libSboot must de-assert 
Physical Presence and extend the PCRs with random data when libSboot finishes 
measuring or encounters an error. 
  
libSboot uses two sealed blobs stored in TPM NVRAM, one measured for the 
pre-execution of U-Boot, the other for the OS. This enables flexibility within 
U-Boot to seal modifications to the pre-boot environment for the U-Boot environment, 
U-Boot console usage, OS kernel, etc. Modifications to U-Boot are more difficult, 
U-Boot can issue a re-seal of a new U-Boot binary, but first the PCR which 
measured the running U-Boot must be reset. This requires an authenticated TPM_Reset 
command. 

libSboot will report to the console if an unseal fails, if libSboot is in 'enforce' 
(see below) mode then a failed unseal will halt execution. This implementation does 
not depend on the sealed and unsealed data (meaning we can seal well-known data), 
it only depends on the TPM response (success/failure) of an unseal. Since libSboot 
does not require authentication during initialization, subsequent initializations 
will normally fail. There are several ways to assure successful subsequent 
initializations: (1) build a method for authenticating a TPM owner within the SRTM; 
(2) require hardware Physical Presence; (3) issue a TPM Reset before the OS reboots. 

Setup:
======

1. A working TPM.
2. Ownership of TPM; libSboot uses the Storage Root Key (SRK) for sealing 
measurements; the TPM must be protected against a reset.
3. TPM NVRAM locked.
4. Two NVRAM defined indexes with Physical Presence required for Read/Write.
5. Hardware write protection for the location of the SRTM (SPL).

Configuration Options:
======================

- TPM Drivers

  CONFIG_TPM

  This will build libtpm, a TPM device will also need to be configured.

  CONFIG_TPM_I2C_ATMEL

  This selects a TPM device (Atmel's AT97SC3204T I2C TPM). A device on an
  I2C bus also needs to know it's bus ID and address. By default the first (0)
  I2C bus will be used.

  CONFIG_TPM_I2C_BUS

  For boards with multiple I2C buses, you may configure the bus number the
  TPM device is connected on.

  CONFIG_TPM_I2C_ADDR

  The address of the TPM on the I2C bus, usually specific to the device.

  CONFIG_CMD_TPM

  Enable the 'tpm' command within the U-Boot shell. The command accepts
  space-delimited characters to send to the TPM.

- libTLCL (TPM Lite Library)
  This library provide the necessary TPM 1.2 Commands required for libSboot.
  
  CONFIG_TLCL_SEAL

  Adds TlclSeal, TlclUnseal and related methods to libTLCL.

  CONFIG_CMD_TPM_TLCL

  Enable the 'tpm_tlcl' command within the U-Boot shell. This command
  includes methods for testing the TPM. Warning! Some commands set permanent
  configuration options on the TPM.

- libSboot

  CONFIG_SBOOT

  Adds libSboot to U-Boot.

  CONFIG_SPL_SBOOT_SUPPORT

  Adds libSboot to SPL.

  CONFIG_SBOOT_UBOOT_SEAL_INDEX

  Sets the NVRAM index to Seal/Unseal well-known blob data bound to the PCR
  values for a known-secure state before executing U-Boot. This option
  value is only used if CONFIG_SPL_SBOOT_SUPPORT is enabled.

  CONFIG_SBOOT_IMAGE_SEAL_INDEX

  Same as above, but for the state within U-Boot before executing an
  OS (kernel or otherwise).

  CONFIG_SBOOT_DISABLE_CONSOLE_EXTEND

  Prevent libSboot from measuring U-Boot console commands.
  (Not Recommended!)

  CONFIG_SBOOT_DISABLE_ENV_EXTEND

  Prevent libSboot from measuring U-Boot environments.
  This includes an external environment store, uEnv.txt, and environment
  variables set via the U-Boot shell (or other commands).
  (Not Recommended!)

  CONFIG_SBOOT_ENFORCE

  This will cause libSboot to halt execution if it fails to unseal for 
  U-Boot or the OS.

Notes:
======

This documentation is a work-in-progress.

About

Standalone libSboot for U-boot

Resources

Readme
Activity

Stars

22 stars

Watchers

10 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages