Enable Secure Boot on linux?

ashparth · March 20, 2017, 11:29am

Can secure boot be implemented in debian/snappy ubuntu core linux releases?

What kind of effort would be involved?

Thanks

danielt · March 20, 2017, 2:16pm

Secure boot requires a primary bootloader configured with signature checking and the current releases do not support this.

The next Debian-based release (currently hoped to be 17.04) is expected to ship with signature checking enabled and with LK set up appropriately and will therefore provide a fully worked example of how to perform a secure boot. However… these images serve only as an example. They will not achieve any meaningful secure boot because the keys used to sign the release will be well known “dummy” keys.

To the example sequence you will have to add an appropriate primary bootloader and resign the later components with your own key.

desmond · March 28, 2017, 3:14pm

PBL is readonly right?so we have to buy new MCU msm8969 once it be updated to support secure boot,is it?
really looking forward to the secure boot function.

anon91830841 · March 28, 2017, 3:36pm

well, the ‘primary bootloader’ mentioned by @danielt above is actually the ‘secondary bootoader’ in Qualcomm terminology. e.g.

PBL: ROM code
SBL: first stage bootloader
APPSBL : application bootloader (aka LK)

danielt · March 28, 2017, 6:22pm

Sorry for the lose use of terminology on my part…

desmond · March 29, 2017, 11:45am

ok… so probably there is no way to verify SBL(first stage bootloader)?

danielt · March 29, 2017, 3:34pm

Pretty much. On DB410C the secure boot is purely a demonstrator. However
other boards based on the same SoC (but with appropriate keys burned in
to signature check SBL) full secure boot can be implemented by copying
the demonstrator and replacing the keys.

skxo · March 30, 2017, 8:44am

Hello,

is the signature check a parameter set in the SBL code or is it set into the PBL during manufacturing process?
thanks

danielt · March 30, 2017, 9:18am

Hi skxo

Personally I suspect that the answer is both (as part of a chain of trust) but I’m only happy to say this publicly because I don’t know for sure.

At this level of detail we start reach the limit of what can be usefully discussed on the forums. Secure boot on DB410C will be a demonstrator with well known keys. If you want to develop a secure boot implementation for the SoC you need to start a conversation with Qualcomm. They control both manufacturing process and access to the SBL source code.

Daniel.