Amol N Sukerkar has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/32159
Change subject: Documentation/security/vboot: Add logic to verify stage/blob using VBOOT 2.1 library ......................................................................
Documentation/security/vboot: Add logic to verify stage/blob using VBOOT 2.1 library
Added documentation to explain the logic that makes use of VBOOT 2.1 library to verify Coreboot stages/blobs.
Signed-off-by: Sukerkar, Amol N amol.n.sukerkar@intel.com Change-Id: I1eb174bb4f4d84eb8f6befdce18421b6b85ccc02 --- M Documentation/security/index.md A Documentation/security/vboot/flash_partition.png A Documentation/security/vboot/vboot_21_logic.png A Documentation/security/vboot/vboot_flow_20.png A Documentation/security/vboot/vboot_flow_21.png A Documentation/security/vboot/verified_boot_21.md 6 files changed, 115 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/59/32159/1
diff --git a/Documentation/security/index.md b/Documentation/security/index.md index 89db42e..aebfc82 100644 --- a/Documentation/security/index.md +++ b/Documentation/security/index.md @@ -5,3 +5,4 @@ ## Vendor
- [Measured Boot](vboot/measured_boot.md) +- [Verified Boot with VBOOT 2.1](vboot/verified_boot_21.md) diff --git a/Documentation/security/vboot/flash_partition.png b/Documentation/security/vboot/flash_partition.png new file mode 100644 index 0000000..91e459b --- /dev/null +++ b/Documentation/security/vboot/flash_partition.png Binary files differ diff --git a/Documentation/security/vboot/vboot_21_logic.png b/Documentation/security/vboot/vboot_21_logic.png new file mode 100644 index 0000000..d32e99e --- /dev/null +++ b/Documentation/security/vboot/vboot_21_logic.png Binary files differ diff --git a/Documentation/security/vboot/vboot_flow_20.png b/Documentation/security/vboot/vboot_flow_20.png new file mode 100644 index 0000000..fce4c5d --- /dev/null +++ b/Documentation/security/vboot/vboot_flow_20.png Binary files differ diff --git a/Documentation/security/vboot/vboot_flow_21.png b/Documentation/security/vboot/vboot_flow_21.png new file mode 100644 index 0000000..24859fe --- /dev/null +++ b/Documentation/security/vboot/vboot_flow_21.png Binary files differ diff --git a/Documentation/security/vboot/verified_boot_21.md b/Documentation/security/vboot/verified_boot_21.md new file mode 100644 index 0000000..15253b3 --- /dev/null +++ b/Documentation/security/vboot/verified_boot_21.md @@ -0,0 +1,114 @@ +# Enabling Intel BootGuard Support in Coreboot + +## Introduction + +One of the primary and key requirement for Intel customers is to enable Secure +Boot in their platform where root of trust resides in the hardware and is +immutable. While the obvious choice when it comes to hardware root of trust is +Intel Bootguard for IA platforms, the mechanism that extends the chain +of trust from hardware to bootloader, to payload/OS loader and eventually to the +OS is currently not implemented in Coreboot mainly due to licensing constraints. +This document describes the mechanism implemented in Coreboot using Google VBOOT +libraries version 2.1 that makes use of Intel BootGuard technology as Root of +Trust and extends the chain of trust to Coreboot which in turn extends it to the +payload. Note: UEFI payload will use secure boot mechanism to verify and launch +OS but that is beyond the scope of this document and will not be covered here. +More details about VBOOT support in Coreboot are available at +https://www.coreboot.org/git-docs/Intel/vboot.html. + + +## Intel BootGuard Technology + +Intel BootGuard is a platform boot integrity +protection technology. It allows initial stage of bootloader to be verified (and +measured in TPM) by a piece of firmware (ACM) which itself is verified by Intel +CPU microcode. A high level summary of the steps required to enable Intel +BootGuard are: 1. Use Intel FSP-T with Coreboot bootloader. It contains the +logic of correctly handling BtGuard enabled state. 2. Integrate ACM +(Authenticated Code module) binary in bootloader image. 3. Generate BtGuard Key +Manifest(BtG KM) and BtGuard Boot PolicyManifest(BtG BPM) and embed them in +bootloader image. a. BtG KM contains the hash of the key used for signing BtG +BPM. BtG KM is signed by the key whose hash is embedded in field-programmable +fuses. b. BtG BPM contains the hash of initial stage of boot loader. It also +stores other policies related to Intel TXT, BtG DMA protection etc. 4. Add +entries for CPU microcode patch, ACM, BtG KM and BtG BPM in FIT table. 5. +Update BootGuard related field-programmable fuses on the test platform. + + +## VBOOT in Coreboot + +The current implementation of VBOOT tool support and logic +in Coreboot is at version 2.0. The architecture, design and usage of this +feature has been described here, +https://www.coreboot.org/git-docs/Intel/vboot.html. + +### VBOOT 2.0 in Coreboot (Currently available) + +As described in the location mentioned above, the VBOOT 2.0 verified boot logic +flow works as follows. Upon boot, verstage attempts to verify the read-write +section A. It gets the public root key from GBB area and verifies the VBLOCK +area in read-write section A. If the verification is successful, then verstage +instructs Coreboot to boot rest of the firmware in read-write section A +(romstage, postcar, ramstage and payload). If the verification fails, then, +VBOOT falls back on read-only area to boot. +The flow chart below shows this flow: + +**VBOOT 2.0 Verification Flow in Coreboot** +![VBOOT_20_Flow_in_Coreboot][VBOOT_Flow_20] + +[VBOOT_Flow_20]: vboot_flow_20.png + +While this design implements verified boot to a certain extent, it does not take +into account a few use-cases and concerns some Intel customers run into. A +couple of them are as listed below, +- Some hardware designs cannot support ‘read-only’ flash region as Root of Trust + and therefore prefer Intel BootGuard technology as RoT for verified boot +mechanism. +- In some use-cases, some of the firmware components may come from different + media, for instance, customer could boot payload from USB thumb drive instead +of SPI flash. In that case, the entire read-write section will not have all the +firmware components. There needs to be a mechanism to verify payload along with +other components. +- In exisiting implementation, all the firmware components in the boot chain are + verified in verstage. This may result in a TOCTOU attack where right after the +verification phase, some firmware stages/components (such as payload, FSP, etc.) +can be swapped with malware. To extend the vboot security model, the mechanism +described below is proposed where the root of trust Bootguard begins by +verifying the IBB and the chain of trust is extended only to the next +stage/component at every verification pass. For instance, once Bootguard +verifies IBB which contains verstage, romstage and postcar), postcar then uses +the VBOOT mechanism to verify ramstage. Once ramstage is loaded into DRAM, +ramstage in turn will verify FSP and payload. + +### Proposed Changes using VBOOT2.1 Libraries + +The proposed changes are described as follows. Upon power on of the device, +Intel Bootguard attempts to verify IBB. IBB in this case, replaces the read-only +portion of the flash map and contains bootblock, verstage, romstage and postcar +stage. If the verification is successful, Intel Bootguard launches IBB and the +system boots until postcar stage. In postcar stage, GBB is extracted and GBB +verified the VBLOCK. Once VBLOCK is verified, postcar stage extracts the +ramstage hash from VBLOCK and verifies the ramstage after it has been loaded +into DRAM. This is done to ensure maximum security. Once ramstage is verified, +ramstage is launched. At this point, ramstage extracts the hash of FSPS, DSDT +ACPI table and payload in that order, and verifies and launches them +sequentially. At any point, if the verification fails, the system boot will +halt. + +**Stage/Blob Verification using VBOOT2.1 Library** +![VBOOT_Stage_Blob_Verification][VBOOT_Flow_21] + +[VBOOT_Flow_21]: vboot_flow_21.png + +### Flash Partition and Code Flow in Coreboot + +**Flash Partition for Verification using VBOOT 2.1 Library** +![VBOOT_Verification_2_1_Flash][Flash_Partition] + +[Flash_Partition]: flash_partition.png + +**Verification Logic using VBOOT 2.1 Library** +![VBOOT_Verification_2_1_Logic][vboot_21_logic] + +[vboot_21_logic]: vboot_21_logic.png +