UEFI Secure Boot is based on message digests (hashes) and public key cryptography technologies. Instead, the basic logic under UEFI Secure Boot will be outlined here. Since there are a variety of articles about UEFI Secure Boot on websites, for example, we will not dive into technical details. It is not intended to supersede U-Boot original, it’s up to the user’s choice based on system requirements. On the other hand, UEFI Secure Boot provides a more flexible manner for key management in addition to compatibility with existing third party software (including linux distributions). There are always pro’s and con’s For example, the original secure boot can sign and verify not only binaries but also other type of data like device tree blob and initrd, and UEFI Secure Boot can only deal with PE (Portable Executable) executables (at least, for now). In fact, U-Boot already has its own secure boot framework, dubbed FIT Signature Verification. It is, as the name suggests, a security framework in boot sequence which is designed to protect the system from malware being executed by ensuring that only trusted software, EFI applications and OS kernels, are loaded and executed in the middle of transferring the control from the firmware to the OS. (At the time of writing, the status is in -rc5.) Secure Boot: How it works?Īmong others, UEFI Secure Boot is a new feature introduced in the latest U-Boot release, v2020.10. This allows us to evaluate to what extent the current implementation is compliant with the UEFI specification and has contributed to the enhancement in conformity. Furthermore, UEFI SCT (Self Certification Tests) can also be executed directly on U-Boot. While the primary target OS is linux, other OSs like BSD variants are also confirmed to work with UEFI U-Boot. There is still plenty of missing features and restrictions, but the functionality is now mature enough to run software like:
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |