Measured boot for embedded devices

Measured boot for embedded devices

• 1.
  Dmitry Eremin-Solenikov Ivan Nikolaenko MeasuredBoot for embedded devices Open Source Software Engineer DI SW December, 2019
• 2.
  Restricted © 2019Mentor Graphics Corporation Approaching authentic execution environment  Usually device manufacturer would like to be sure that deployed device executes authentic code: — Because it might be a medical device, — Or a safety-critcal device — Or just to insure generic platform integrity  We need to authenticate image contents! D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,2
• 3.
  Restricted © 2019Mentor Graphics Corporation Traditional approaches  No authentication at all. – Oops  Verify image signature before flashing it. – Any intruder can still modify image contents after flashing  Or just verify whole image each boot. – So slooow.  We have to authenticate image contents in runtime! D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,3
• 4.
  Restricted © 2019Mentor Graphics Corporation Measured boot  Measured boot is a technique of securely calculating a log of all boot components  Measured boot is typically thought as related to x86 platform only  However nothing stops us from employing the same technique for embedded devices  TPM chip is a hardware component that assists Measured Boot process D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,4
• 5.
  Restricted © 2019Mentor Graphics Corporation Measured Boot for embedded devices D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,5 Boot time  Digest all boot components  Optionally use calculated boot state to unencrypt next stage Runtime  Digest selected set of files as they are accessed – E.g. digest all root-owned executable files – Or digest all root-owned files – Or anything you can come up with  Use digested information to unlock encryption keys  Use digested information to remotely verify device state
• 6.
  Restricted © 2019Mentor Graphics Corporation Measuring boot components  TPM provides at least 24 PCRs (platform configuration register) to store boot log information  These registers are reset only at board reset time  The only way to change them is to Extend: – PCR[i] = Hash ( PCR[i] || ExtendArgument )  The code to access TPM is less than 500 lines of code  Modify your bootloader to Extend PCRs with the digests of next boot image D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,6
• 7.
  Restricted © 2019Mentor Graphics Corporation Measuring inside Linux  Linux provides IMA (Integrity Measurement Architecture) and EVM (Extended Verification Module) subsystems  IMA maintains a runtime list of files measurements – Policy controlled – Can be anchored in TPM to provide aggregate integrity value  Steps to enable: – Enable in kernel – Mount filesystems with iversions option – Provide a signed policy – Load a policy at boot time D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,7
• 8.
  Restricted © 2019Mentor Graphics Corporation Measuring inside Linux: protecting from tampering  Linux EVM subsystem protects against filsystem tampering  It can use either HMAC or digital signature to verify security attributes: – security.ima (IMA's stored “good” hash for the file) – security.selinux (the selinux label/context on the file) – security.SMACK64 (Smack's label on the file) – security.capability (Capability's label on executables)  Steps to enable: – Enable in kernel – Load certificate or HMAC key – Enable in securityfs D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,8
• 9.
  Restricted © 2019Mentor Graphics Corporation Using measured state: local attestation  Use aggregated state to seal next state keys – Seal EVM HMAC key with bootloader data ● Attacker can not get HMAC key by tampering with bootloaders – Seal rootfs encryption key with bootloader and kernel data ● One can not access rootfs if any of boot components are changed! Your Initials, Presentation Title, Month Year9
• 10.
  Restricted © 2019Mentor Graphics Corporation Using measured state: remote attestation  Remote attestation is a method by which a host authenticates it's hardware and software configuration to a remote host (server)  Use TPM capability to cryptographically sign measurements log and provide such log to remote server Your Initials, Presentation Title, Month Year10
• 11.
  Restricted © 2019Mentor Graphics Corporation Deploying in embedded device  Patch your bootloader  Using MEL/Yocto/OE use one of 3 layers: – meta-secure-core (complex solution) – meta-measured (a bit outdated) – meta-security (optimal after receiving all our patches)  Use initramfs to load IMA policy and EVM certificate Your Initials, Presentation Title, Month Year11
• 12.
  Restricted © 2019Mentor Graphics Corporation Deploying in embedded device #2  Choose a solution for remote attestation – OpenAttestation is an SDK for developing custom complex solutions – We recommend using strongSwan’s TNC (trusted network connect) capability to maintain a DB of devices – We ourselves ended up with a set of scripts to provisioning keys, gathering data and verifying the log Your Initials, Presentation Title, Month Year12
• 13.
  Restricted © 2019Mentor Graphics Corporation What can we do without TPM TPM chips are cheap, but what if hardware is already finalized? Enable IMA/EVM! – Verifying all executable files to be signed by you – EPERM for all other binaries Your Initials, Presentation Title, Month Year13
• 14.
  Restricted © 2019Mentor Graphics Corporation QUESTIONS?
• 15.
  Restricted © 2019Mentor Graphics Corporation www.mentor.com