jiazhang0 / meta-secure-core

Licence: MIT license
OpenEmbedded layer for the use cases on secure boot, integrity and encryption

NOTE: The development and maintenance work of this project has formally been transferred to https://github.com/Wind-River/meta-secure-core. Do not use this deprecated project.

meta-secure-core

This layer provides the following common and platform-specific security features:

UEFI Secure Boot

For x86 platforms, UEFI Secure Boot is the industry standard defined in the UEFI specification: every image the UEFI firmware loads is verified against the trusted keys enrolled in the firmware before it is allowed to run. When this feature is enabled, the bootloader and kernel are signed automatically during the build, so the signed binaries are what ends up in the resulting RPM packages and rootfs image.

MOK Secure Boot

For x86 platforms, MOK Secure Boot builds on UEFI Secure Boot by adding the shim loader, which chain-loads the second-stage bootloader after verifying it. The shim also installs a protocol (the shim lock protocol) that lets the second-stage bootloader perform the same binary validation against the Machine Owner Key (MOK) list, e.g., for the Linux kernel.

User key store

By default, the signing keys used by UEFI/MOK Secure Boot are sample keys shipped for development and demonstration only. The sample keys must not be used for a production device: replace them with keys owned by the user, whose private halves never leave the user's control, and make sure the sample certificates are no longer enrolled in the firmware or the MOK list once your own keys are in place.
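As an added example (not code from meta-secure-core), the following parser handles the EFI_SIGNATURE_LIST format shared by the UEFI db, dbx and KEK variables and by shim's MokListRT variable, so it can be used both to see which certificates and image hashes UEFI/MOK Secure Boot will accept and to confirm that a sample certificate is no longer enrolled after the user key store has been replaced. The database, owner GUID and certificate bytes produced by `sample_db` are constructed for illustration and are not real certificates or real variable contents.

```python
import struct
import uuid
import hashlib
import sys

# Added example, not part of meta-secure-core: walk the EFI_SIGNATURE_LIST
# chain that db/dbx/KEK (and shim's MokListRT) are made of.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # DER certificate entries
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # SHA-256 image-hash entries
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # vendor GUID of db/dbx
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"                    # vendor GUID of MokListRT

SIGLIST_HDR = struct.Struct("<16sIII")   # SignatureType, ListSize, HeaderSize, SignatureSize

# Constructed sample data (not a real key): used by sample_db() below.
SAMPLE_OWNER = uuid.UUID("11111111-2222-4333-8444-555555555555")
SAMPLE_CERT = b"\x30\x82\x00\x10" + b"sample-key-cert!"          # placeholder, not valid DER
SAMPLE_IMAGE = b"constructed bootloader image"


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, data) for every EFI_SIGNATURE_DATA entry."""
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type_raw, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=sig_type_raw)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:                       # at least the SignatureOwner GUID
            raise ValueError("bad SignatureSize")
        body = blob[off + SIGLIST_HDR.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature entries do not tile the list")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def is_enrolled(blob: bytes, cert_der: bytes = None, image_sha256: bytes = None) -> bool:
    """True if the exact DER certificate or the image hash is present in the database."""
    for sig_type, _owner, data in parse_signature_lists(blob):
        if cert_der is not None and sig_type == EFI_CERT_X509_GUID and data == cert_der:
            return True
        if image_sha256 is not None and sig_type == EFI_CERT_SHA256_GUID and data == image_sha256:
            return True
    return False


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, entries) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; all entries in a list must be the same size."""
    if any(len(e) != len(entries[0]) for e in entries):
        raise ValueError("entries in one list must have equal size")
    sig_size = 16 + len(entries[0])
    list_size = SIGLIST_HDR.size + sig_size * len(entries)
    out = SIGLIST_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for e in entries:
        out += owner.bytes_le + e
    return out


def sample_image_hash() -> bytes:
    return hashlib.sha256(SAMPLE_IMAGE).digest()


def sample_db() -> bytes:
    """Constructed db: one X.509 entry and one SHA-256 hash entry."""
    return (build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT]) +
            build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [sample_image_hash()]))


def read_efivar(path: str) -> bytes:
    """efivarfs prefixes the variable data with a 4-byte attributes word; strip it."""
    with open(path, "rb") as f:
        return f.read()[4:]


if __name__ == "__main__":
    # Usage: python3 siglist.py /sys/firmware/efi/efivars/db-<EFI_IMAGE_SECURITY_DATABASE_GUID>
    blob = read_efivar(sys.argv[1]) if len(sys.argv) > 1 else sample_db()
    for sig_type, owner, data in parse_signature_lists(blob):
        kind = "x509" if sig_type == EFI_CERT_X509_GUID else "sha256" if sig_type == EFI_CERT_SHA256_GUID else str(sig_type)
        print(f"{kind:8} owner={owner} {hashlib.sha256(data).hexdigest()[:16]}... ({len(data)} bytes)")
```

To check that a sample certificate is gone, pass its DER bytes (e.g. the `.der` produced when converting the sample certificate) to `is_enrolled` against both the db variable and MokListRT; the comparison is on the exact DER bytes, which is also how the firmware matches EFI_CERT_X509 entries.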

TPM 1.x

This feature enables Trusted Platform Module 1.x support: it turns on the kernel configuration options for the TPM drivers and pulls in the TPM 1.x userspace packages.

TPM 2.0

This feature enables Trusted Platform Module 2.0 support: it turns on the kernel configuration options for the TPM drivers and pulls in the TPM 2.0 userspace packages.

A Trusted Platform Module (TPM 2.0) is a microcontroller that stores keys, passwords and digital certificates. A discrete TPM 2.0 provides these capabilities as one part of the overall platform security requirements.

Encrypted storage

This feature offers two granularities of storage encryption. Data volume encryption lets the user create an encrypted partition that is unlocked with a passphrase typed by the end user. Root filesystem encryption encrypts the entire rootfs, except for the boot partition.

Both kinds of storage encryption are based on the device-mapper crypt target (dm-crypt), which provides transparent encryption of block devices using the kernel crypto API. The cryptsetup utility is used to set up dm-crypt devices conveniently.
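As an added example that is not part of the layer, here is a small inspector for the LUKS1 header that cryptsetup writes on an encrypted data volume or rootfs, so that the settings baked into a built image can be audited without unlocking it. The thresholds in `audit_luks1` (minimum PBKDF2 iterations, preferring XTS over CBC, preferring a 256-bit effective key) are this example's own assumptions, and the header returned by `sample_header` is constructed rather than read from a real device. A LUKS2 header uses a different, JSON-based layout and is rejected rather than misparsed.

```python
import struct
import sys

# Added example, not meta-secure-core code: parse and audit a LUKS1 phdr.
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS_KEY_ACTIVE = 0x00AC71F3       # keyslot holds a key-material copy
LUKS_KEY_DISABLED = 0x0000DEAD
# magic, version, cipher-name, cipher-mode, hash-spec, payload-offset,
# key-bytes, mk-digest, mk-digest-salt, mk-digest-iter, uuid  (all big-endian)
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# active, iterations, salt, key-material-offset, stripes  (one of 8 keyslots)
SLOT = struct.Struct(">II32sII")
HEADER_SIZE = PHDR.size + 8 * SLOT.size   # 592 bytes


def _cstr(b: bytes) -> str:
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1(hdr: bytes) -> dict:
    if len(hdr) < HEADER_SIZE:
        raise ValueError("header shorter than a LUKS1 phdr")
    (magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     _mk_digest, _mk_salt, mk_iter, uuid_) = PHDR.unpack_from(hdr)
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    if version != 1:
        raise ValueError(f"LUKS version {version}: only the LUKS1 binary layout is handled here")
    slots = []
    for i in range(8):
        active, iters, _salt, _km_off, stripes = SLOT.unpack_from(hdr, PHDR.size + i * SLOT.size)
        slots.append({"active": active == LUKS_KEY_ACTIVE, "iterations": iters, "stripes": stripes})
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hashspec),
            "key_bits": key_bytes * 8, "mk_iterations": mk_iter, "uuid": _cstr(uuid_),
            "payload_offset_sectors": payload_off, "slots": slots}


def audit_luks1(info: dict, min_slot_iterations: int = 100_000) -> list:
    """Findings an auditor would raise. Thresholds are assumptions of this example."""
    findings = []
    if info["hash"] in ("sha1", "ripemd160"):
        findings.append(f"PBKDF2 hash {info['hash']} is legacy; prefer sha256 or newer")
    if info["mode"].startswith("cbc-"):
        findings.append(f"cipher mode {info['mode']} is CBC; prefer xts-plain64")
    # XTS splits the master key into two halves, so AES-256-XTS needs a 512-bit key.
    effective = info["key_bits"] // 2 if info["mode"].startswith("xts") else info["key_bits"]
    if effective < 256:
        findings.append(f"effective cipher key is {effective} bits; prefer 256")
    active = [i for i, s in enumerate(info["slots"]) if s["active"]]
    if not active:
        findings.append("no active keyslot: the volume can never be unlocked")
    for i in active:
        it = info["slots"][i]["iterations"]
        if it < min_slot_iterations:
            findings.append(f"keyslot {i}: only {it} PBKDF2 iterations")
    return findings


def sample_header(hashspec=b"sha256", mode=b"xts-plain64", key_bytes=64, slot_iters=(200_000,)) -> bytes:
    """Constructed LUKS1 header (zeroed digests/salts), not read from a real device."""
    phdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", mode, hashspec, 4096, key_bytes,
                     bytes(20), bytes(32), 1000, b"constructed-uuid")
    slots = b""
    for i in range(8):
        if i < len(slot_iters):
            slots += SLOT.pack(LUKS_KEY_ACTIVE, slot_iters[i], bytes(32), 8 + i * 256, 4000)
        else:
            slots += SLOT.pack(LUKS_KEY_DISABLED, 0, bytes(32), 8 + i * 256, 4000)
    return phdr + slots


if __name__ == "__main__":
    # Usage: python3 luks_audit.py /dev/sdXN   (reads only the first 592 bytes)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            hdr = f.read(HEADER_SIZE)
    else:
        hdr = sample_header(hashspec=b"sha1", mode=b"cbc-essiv:sha256", key_bytes=16, slot_iters=(1000,))
    info = parse_luks1(hdr)
    print({k: v for k, v in info.items() if k != "slots"})
    for finding in audit_luks1(info) or ["no findings"]:
        print(" -", finding)
```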

IMA

The Linux IMA subsystem adds hooks in the kernel that measure the integrity of files (including application code) as they are loaded, before they are executed or mmap()ed into memory. The measured value (a hash) is recorded in a measurement log that administrators can consult.

To turn measurements into proof of integrity, IMA can interact with the system's TPM: each measurement is also extended into a TPM PCR, which protects the recorded hashes from tampering by a rogue administrator or application, because the log can no longer be altered afterwards without the PCR value ceasing to match it. Out of the box, the kernel's IMA reports the hashes of files and commands run by privileged accounts (and more if you write your own measurement policies).

IMA appraisal goes further: it can store the measured value as an extended attribute of the file and, on subsequent measurements, validate the file's current hash against that attribute, refusing to load the file (or execute the application) if the hashes do not match. Files whose hashes match are loaded as usual (and the stored hash is updated when the file is modified), while files whose hashes do not match are refused. This gives some protection against offline tampering with the files.
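As an added example, not code from the layer or from the kernel, the following Python replays an IMA measurement list (the format of /sys/kernel/security/ima/ascii_runtime_measurements with the default ima-ng template) against a simulated PCR 10. This is exactly the check a remote verifier performs: recompute every template hash from the logged fields, extend them in order, and compare the result with the PCR value in a TPM quote. A modified or dropped entry changes the replayed value, which is why the TPM protects the log. The lines produced by `sample_log` are constructed (the file digests are hashes of placeholder strings, not real binaries), and the violation entry shows the edge case where the kernel extends 0xff bytes instead of the logged digest.

```python
import hashlib
import struct
import sys

# Added example, not meta-secure-core code: verify and replay IMA ima-ng entries.
PCR_IDX = 10     # CONFIG_IMA_MEASURE_PCR_IDX default
BANK = "sha1"    # ascii_runtime_measurements shows the SHA-1 template hash; newer
                 # kernels also expose ascii_runtime_measurements_sha256 (use "sha256")


def _h(data: bytes) -> bytes:
    return hashlib.new(BANK, data).digest()


def template_data_ng(algo: str, file_digest: bytes, path: str) -> bytes:
    """ima-ng is the field list d-ng|n-ng. The kernel hashes each field as a
    u32 little-endian length followed by the field bytes: d-ng is
    "<algo>:" NUL <raw digest>, n-ng is the NUL-terminated path."""
    d_ng = algo.encode() + b":\0" + file_digest
    n_ng = path.encode() + b"\0"
    return b"".join(struct.pack("<I", len(f)) + f for f in (d_ng, n_ng))


def template_hash(algo: str, file_digest: bytes, path: str) -> bytes:
    return _h(template_data_ng(algo, file_digest, path))


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || digest)."""
    return _h(pcr + digest)


def format_entry(algo: str, file_digest: bytes, path: str) -> str:
    """One log line: '<pcr> <template-hash> ima-ng <algo>:<file-digest> <path>'."""
    th = template_hash(algo, file_digest, path)
    return f"{PCR_IDX} {th.hex()} ima-ng {algo}:{file_digest.hex()} {path}"


def replay(lines) -> bytes:
    """Check each entry's template hash and return the value PCR 10 must hold
    if the log is genuine. Raises ValueError on an entry that does not verify."""
    digest_len = hashlib.new(BANK).digest_size
    pcr = bytes(digest_len)
    for line in lines:
        idx, th_hex, tmpl, d_ng, path = line.rstrip("\n").split(" ", 4)
        if int(idx) != PCR_IDX:
            continue
        if tmpl != "ima-ng":
            raise ValueError(f"unsupported template {tmpl}")
        th = bytes.fromhex(th_hex)
        if th == bytes(digest_len):
            # Violation (e.g. file opened for write while being measured): the
            # kernel logs a zero digest but extends the PCR with all 0xff, so a
            # log that hides the violation can never match the PCR.
            pcr = pcr_extend(pcr, b"\xff" * digest_len)
            continue
        algo, digest_hex = d_ng.split(":", 1)
        if th != template_hash(algo, bytes.fromhex(digest_hex), path):
            raise ValueError(f"template hash mismatch for {path}")
        pcr = pcr_extend(pcr, th)
    return pcr


def sample_log():
    """Constructed measurement list: boot_aggregate, two binaries, one violation."""
    sha256 = lambda b: hashlib.sha256(b).digest()
    return [
        format_entry("sha256", sha256(b"constructed PCR0-7 aggregate"), "boot_aggregate"),
        format_entry("sha256", sha256(b"constructed /bin/busybox"), "/bin/busybox"),
        f"{PCR_IDX} {'00' * 20} ima-ng sha1:{'00' * 20} /tmp/open-writers",
        format_entry("sha256", sha256(b"constructed /usr/bin/cryptsetup"), "/usr/bin/cryptsetup"),
    ]


if __name__ == "__main__":
    # Usage: python3 ima_replay.py /sys/kernel/security/ima/ascii_runtime_measurements
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.readlines()
    else:
        lines = sample_log()
    print("expected PCR", PCR_IDX, "=", replay(lines).hex())
```

Compare the printed value with the PCR 10 value read from the TPM (tpm2_pcrread or the quote's PCR digest); a mismatch means the log and the TPM disagree, which is the tampering this feature is designed to expose.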

MODSIGN

This feature enforces a signature check when a kernel module is loaded. The signing key must be vouched for by a trusted key already imported into the system trusted keyring.

If a kernel module is unsigned, or is signed with a key that does not match any imported trusted key, the kernel refuses to load it.
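As an added example (not part of meta-secure-core, nor the kernel's own scripts/sign-file), the following parser reads the appended-signature trailer that the kernel looks for on a module, so a build can be checked for unsigned .ko files and the PKCS#7 blob the kernel verifies against its trusted keyring can be extracted. It mirrors the structural checks the kernel applies before touching the signature; the cryptographic PKCS#7 verification itself needs the signing certificate and a crypto library and is left out. The module bytes and signature blob used in `__main__` are constructed placeholders.

```python
import struct
import sys
from typing import Optional, Tuple

# Added example, not meta-secure-core code: split a signed .ko into payload + PKCS#7.
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, __pad[3], __be32 sig_len
SIG_INFO = struct.Struct(">BBBBB3xI")


class ModuleSignatureError(ValueError):
    """Trailer present but malformed; the kernel rejects these with -EBADMSG/-ENOPKG."""


def split_signed_module(ko: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (signed_payload, pkcs7_der) for a signed module, None if no
    signature marker is present (the kernel then treats the module as unsigned)."""
    if not ko.endswith(MODULE_SIG_STRING):
        return None
    body = ko[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO.size:
        raise ModuleSignatureError("module too short for module_signature")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(body[-SIG_INFO.size:])
    body = body[:-SIG_INFO.size]
    if id_type != PKEY_ID_PKCS7:
        raise ModuleSignatureError(f"unsupported id_type {id_type}")
    if algo or hash_ or signer_len or key_id_len:
        # With PKCS#7 these are carried inside the blob and must be zero in the trailer.
        raise ModuleSignatureError("non-zero legacy fields in PKCS#7 module_signature")
    if sig_len == 0 or sig_len >= len(body):
        raise ModuleSignatureError("sig_len does not fit inside the module")
    return body[:-sig_len], body[-sig_len:]


def append_signature(payload: bytes, pkcs7_der: bytes) -> bytes:
    """Build the trailer in the same layout scripts/sign-file produces."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return payload + pkcs7_der + info + MODULE_SIG_STRING


def describe(ko: bytes) -> str:
    result = split_signed_module(ko)
    if result is None:
        return "UNSIGNED: will be refused when module signature enforcement is on"
    payload, sig = result
    return f"signed: {len(payload)} payload bytes, {len(sig)}-byte PKCS#7 signature"


if __name__ == "__main__":
    # Usage: python3 modsig.py path/to/module.ko
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        # Constructed placeholders: not a real ELF module, not a real PKCS#7 blob.
        data = append_signature(b"\x7fELF constructed module body", b"\x30\x82\x01\x00constructed pkcs7")
    print(describe(data))
```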

RPM signing

This feature provides integrity verification for RPM packages by signing them so that their contents can be checked against the signing key.

Building the meta-secure-core layer

Add this layer to the bblayers.conf file. To enable a feature provided by this layer, add that feature to the local.conf file.

A reference implementation based on this layer is available.
