Implementing UEFI-based Secure Boot + OTA Update for Embedded ARM De... Jan Kiszka & Christian Storm

  • Published 27 Oct 2024
  • Implementing UEFI-based Secure Boot + OTA Update for Embedded ARM Devices - Jan Kiszka & Christian Storm, Siemens AG
    At ELC 2020, we presented our concept of securing the boot phase of updatable embedded devices leveraging UEFI Secure Boot. Applying this concept to a real 64-bit ARM device revealed some surprising rough edges lurking around the corners. In this talk, we dive into these issues and present solutions found during the journey. We explain how to adopt the pre-integration of an Over-the-Air Update method combined with Secure Boot that has been upstreamed to the Civil Infrastructure Platform project. In particular, UEFI-based Secure Boot via U-Boot, hardening U-Boot for that, building unified kernel images with device tree override options, and creating a read-only rootfs with persistent overlays plus their integrity protection are covered. Although the pre-integration is done with the Debian-based embedded system builder Isar, the concepts and solutions presented are generic and easily transferable to other (meta-)distributions.
