Verified Boot on Chrome OS and How to do it yourself
Venue
Embedded Linux Conference Europe, Linux Foundation, 660 York Street, Suite 102, San Francisco, CA 94110, USA (2013)
Publication Year
2013
Authors
BibTeX
Abstract
Chrome OS uses a first stage read-only firmware and second-stage updatable
firmware. The updatable firmware is signed and contains kernel keys and a dm-verify
hash, so that the firmware, Linux kernel and root filesystem are all protected
against corruption and attack. This system is described and discussed. As part of
Google's upstream efforts in U-Boot, a generalized secure boot system has been
developed and released with U-Boot 2013.07. This implementation uses the FIT
format, which collects together images, such as kernels, device tree, RAM disks.
Support is provided for TPMs (Trust Platform Module), RSA-based signing and
verificaiton, and hashing with hardware acceleration. This system is also described
and discussed, along with the specific steps needed to implement it in your
designs.