Yocto Project Summit 2024.12

Secure boot all the way to userspace and upstream
2024-12-04 , kirkstone

Intrduces Linaro Trusted Substrate (TS) Arm SystemReady/UEFI firmware and Trusted Reference Stack (TRS) kernel, initramfs and rootfs prototype for secure boot with TPM for secure storage. Discusses upstreaming status, problems and solutions.


Linaro has implemented an Arm SystemReady IR (embedded) and UEFI compatible firmware for multiple devices in the Trusted Substrate (TS) project. This firmware has been used with Trusted Reference Stack (TRS) kernel, initramfs and rootfs which extends UEFI secure boot to userspace. These create a secure boot chain of trust where HW verifies UEFI firmware, UEFI firmware verifies kernel and initramfs as Unified Kernel Image (UKI) binary, uki binary embeds dm-verity hash to detect and verify the rootfs, TPM device is used to measure UEFI firmware and all boot related SW components, TPM device is used with systemd to create an encrypted writable filesystem tied to the secure and measured system on first boot. This talk describes the TS and TRS architectures and status of upstreaming the solutions to oe-core/poky, meta-arm, meta-security/meta-tpm, meta-secure-core etc.

See also: Presentation slides (599.6 KB)

Senior SW Engeer at Linaro, long time yocto user and contributor