Description
The System Boot and Security Microconference has been a critical platform for enthusiasts and professionals working on firmware, bootloaders, system boot, and security. This year, the conference focuses on the challenges that arise when upstreaming boot process improvements to the Linux kernel. Cryptography, which is an ever-evolving field, poses unique demands on secure elements and TPMs as newer algorithms are introduced and older ones are deprecated. Additionally, new hardware architectures with DRTM capabilities, such as ARM's D-RTM specification, and the increased use of fTPMs in innovative applications, add to the complexity of the task. This is the fifth time in the last six years that the conference is being held.
Trusted Platform Modules (TPMs) for encrypting disks have become widespread across various distributions. This highlights the vital role that TPMs play in ensuring platform security. As the field of confidential computing continues to grow, virtual machine firmware must evolve to meet end-users' demands, and Linux will have to leverage the exposed capabilities to provide the relevant security properties. Mechanisms like UEFI Secure Boot that were once limited to OEMs now empower end-users. The System Boot and Security Microconference aims to address these challenges collaboratively and transparently. We welcome talks on the following technologies that can help achieve this goal.
- TPMs, HSMs, secure elements
- Roots of Trust: SRTM and DRTM
- Intel TXT, SGX, TDX
- AMD SKINIT, SEV
- ARM DRTM
- Growing Attestation ecosystem
- IMA
- TrenchBoot, tboot
- TianoCore EDK II (UEFI), SeaBIOS, coreboot, U-Boot, LinuxBoot, hostboot
- Measured Boot, Verified Boot, UEFI Secure Boot, UEFI Secure Boot Advanced Targeting (SBAT)
- shim
- boot loaders: GRUB2, systemd-boot/sd-boot, network boot, PXE, iPXE
- UKI
- u-root
- OpenBMC, u-bmc
- legal, organizational, and other similar issues relevant to people interested in system boot and security.
If you want to participate in this microconference and have ideas to share, please use the Call for Proposals (CFP) process. Your submissions should focus on new advancements, innovations, and solutions related to firmware, bootloader, and operating system development. It's essential to explain clearly what will be discussed, why, and what outcomes you expect from the discussion.
P.S. We can only make it on September 18 because of a conflict with another event.
Piotr Król (3mdeb), 18/09/2024, 10:00
The presentation highlights five challenging areas and activities to address those in various communities over the last two years.
- Lack of OS awareness about hardware security capabilities leads to the inability to evaluate and improve system security posture.
- Platform security and the challenges of closing System Management Mode (SMM) created a gap in an open-source way.
- The...
Nishanth Menon (Texas Instruments, Inc), Vignesh Raghavendra, 18/09/2024, 10:20
We would like to propose a new boot-firmware repository similar to the Linux-firmware repository under the aegis of U-Boot hosting.
In addition to TI [1], it looks like many SoC platforms (see e.g. NXP [2] and Rockchip [3]) require additional closed-source/open-source binaries to have a complete bootable image. Distribution rights and locations of these binaries are challenging, and...
Saurabh Singh Sengar (Microsoft), Srivatsa Bhat (Microsoft), 18/09/2024, 10:40
The Linux kernel has been observed to take several tens of seconds to boot up on machines with many CPUs (~1792 CPUs). This talk delves into the details of bottlenecks uncovered in the CPU online path when testing on large NUMA multi-core virtual machines and outlines some of the fixes that helped achieve up to 50% faster boot times on such VMs. These optimizations range from approaches such as...
Aleksandr Burmashev (Oracle Corporation), 18/09/2024, 11:00
At first I want to give a brief description of what SBAT is, why it was implemented, and what currently supports it (grub2, shim, systemd-boot, various EFI tools like fwupdate, etc.).
And also cover that SBAT expects different downstream distros to adopt upstream SBAT values from the code base they consume, so that proper revocation by SBAT is always ensured.
And explain why SBAT...
Matthew Garrett (Google), 18/09/2024, 11:20
U-Boot is commonly used to provide a UEFI environment on embedded platforms, making it easier to run commodity operating systems. But what about the inverse case, where we want to make a commodity platform look more like an embedded one? U-Boot has a less well-known feature for being used as a UEFI payload, but it has poor support for generic hardware and doesn't interact well with runtime...
Marta Lewandowska (Red Hat), 18/09/2024, 12:00
We are working on a new scheme to replace the GRUB boot loader with a fast, secure, Linux-based, user-space solution: nmbl (for no more boot loader).
GRUB is a powerful, flexible, fully-featured boot loader used on multiple architectures, but its features create complexity that is difficult to maintain, and that both duplicates and lags behind the Linux kernel while also creating numerous...
Mr George Wilson (Security Architect), Nayna Jain, 18/09/2024, 12:20
Given the present discussions around UKI and nmbl, Linux appears to be headed towards a future where it most commonly boots directly rather than via a separate bootloader. The IBM Linux on Power team agrees that this is a laudable direction: work need not be duplicated between the kernel and bootloaders and the entire class of bootloader-specific bugs - including vulnerabilities - would become...
Lennart Poettering, 18/09/2024, 12:40
systemd has gained various TPM-related components in the recent past, to make measured boot on generic Linux a reality.
In this talk I'd like to shed some light on recent developments in this area, and what comes next. Some of the topics touched will (probably) be:
- Additional PCRs via nvindexes
- Measurement logs
- An API for quotes of system state, and remote attestation
- ...
Daniel Smith (Apertus Solutions, LLC), Mr Ross Philipson (Oracle), 18/09/2024, 13:00
TrenchBoot is an OSS project that is used to establish the integrity of the loaded software. The previous work was focused on Intel and AMD implementations of their dynamic root of trust mechanisms. Arm, in consultation with members of the TrenchBoot community, designed a DRTM implementation for their platform. This presentation focuses on the initial design work to bring Arm support to the...