How does Trusted Boot work?

Basic Security Principles explained

Daniel von Ahn
C³AI
4 min read · Sep 22, 2020


Introduction

Trusted Boot (on UEFI machines the feature is called Secure Boot) is a mechanism that lets a user boot a computer without an attacker being able to hijack the boot process by inserting their own code before the operating system starts. An attacker who gains control at that point runs underneath the operating system and all of its security software, so every piece of data on the machine is open to them. Trusted Boot therefore matters for every user, and especially where the disk holds confidential data such as passwords, certificates or account data.

How does it work?

To understand how Trusted Boot protects a system against malicious code being loaded and executed early in the boot process, we first have to understand how an attacker could tamper with the boot procedure in the first place.

When you turn on your computer, the machine runs through the booting process which is characterized by the following steps:

After the CPU (Central Processing Unit, the "brain" of the computer) is reset, it starts executing code from a fixed address that maps to firmware stored in a memory chip on the motherboard. On a PC this firmware is the BIOS (Basic Input Output System) or, on all current machines, the UEFI (Unified Extensible Firmware Interface), which has replaced the legacy BIOS. The main difference is that UEFI provides much more functionality, such as mouse input, support for large disks with GPT partitioning and a standard mechanism for firmware updates; you can think of it as a small operating system of its own, whereas the BIOS is a much simpler piece of program code. Physically, the firmware for both is stored in a non-volatile chip on the motherboard (historically an EPROM, Erasable Programmable Read-Only Memory; on current boards an SPI flash chip). During start-up the firmware initializes the hardware at a basic level, including memory, the chipset, a simple graphics output and keyboard and mouse input, so that you can, for example, interrupt the boot process and enter the setup menu.

The firmware's main task, once the hardware is initialized, is to locate and load the next program: the bootloader. A legacy BIOS reads it from a fixed place, the first sector of the boot disk; UEFI loads it as a file from the EFI System Partition, a small FAT partition on the disk. The bootloader then loads the operating system kernel and whatever the kernel needs to start, and so forms the transition from the bare firmware environment to a proper operating system on which applications as we know them run.

Graphical output during boot process

This hand-over is the point at which an attacker can take over the whole system with a so-called bootkit, a rootkit that lives in the boot chain. A bootkit looks like a bootloader but is built to the attacker's needs: it typically loads the real operating system but patches it on the way, and from then on runs underneath the OS and anything the OS uses to protect itself. To install one, the intruder must make the firmware load and execute the attacker's binary in place of the legitimate bootloader, for example by modifying the bootloader stored on disk. If that succeeds, every security mechanism of the operating system is undermined, and the attacker has access to all data and hardware components.

To prevent this kind of hijacking, today's computers use Trusted Boot (UEFI Secure Boot), which refuses to run a bootloader that was swapped in this way. The bootloader is digitally signed by its publisher, and the firmware keeps lists of which signers are allowed and which binaries are forbidden: the allowed signature database (db) holds the publishers' certificates, and the forbidden database (dbx) holds revoked certificates and the hashes of known-bad binaries. These lists live in the non-volatile memory the UEFI firmware uses for its settings, and they can only be changed by updates that are themselves signed with a key the firmware already trusts. Before it starts the bootloader, the firmware checks each binary it is about to execute: the binary's hash must not appear in dbx, and its signature must verify against a certificate in db. A binary that was replaced or patched by a third party either carries no signature from an allowed publisher or carries a signature that no longer matches the code, and is refused. The other important element is the root of trust: the check is only as good as the code performing it, so the chain has to begin with something the attacker cannot replace. For this purpose the signature databases are controlled by the Platform Key installed by the computer manufacturer, and on modern platforms a hash of the manufacturer's key is fused into the chipset so that the processor verifies the firmware itself before running it (Intel Boot Guard is one such mechanism). Note the direction of the chain: each stage verifies the next, so the firmware checks the bootloader and the bootloader in turn checks the kernel; the bootloader cannot vouch for the firmware that started it.
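To make the check concrete, here is an added example (not code from the article) in Go that models the policy just described: a firmware with an allowed-signer list db and a revocation list dbx, and four boot images run through it, the genuine vendor bootloader, a bootkit signed with the attacker's own key, the vendor-signed bootloader with its code swapped underneath, and an older vendor build that has since been revoked. Ed25519 keys and plain byte strings stand in for the RSA/X.509 Authenticode signatures and PE/COFF files real firmware handles; the type names, sample "binaries" and error values are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedImage is a boot binary plus the signature over it and the signer's public
// key (in real UEFI both sit inside the PE/COFF file as an Authenticode signature).
type SignedImage struct {
	Code      []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

// Firmware models the Secure Boot part of UEFI: db holds the allowed signer keys,
// dbx the SHA-256 hashes of forbidden binaries (stand-ins for the NVRAM variables).
type Firmware struct {
	db  map[string]bool
	dbx map[[sha256.Size]byte]bool
}

var (
	ErrRevoked   = errors.New("image hash is listed in dbx (revoked)")
	ErrUntrusted = errors.New("signer key is not listed in db")
	ErrBadSig    = errors.New("signature does not verify over the image")
)

func NewFirmware(db ...ed25519.PublicKey) *Firmware {
	f := &Firmware{db: map[string]bool{}, dbx: map[[sha256.Size]byte]bool{}}
	for _, k := range db {
		f.db[string(k)] = true
	}
	return f
}

// Revoke adds a binary's hash to dbx, blocking it even though its signature is valid.
func (f *Firmware) Revoke(code []byte) { f.dbx[sha256.Sum256(code)] = true }

// Verify is the policy check the firmware runs before executing an image: deny list
// first, then the signer must be allowed, then the signature must match the bytes.
func (f *Firmware) Verify(img SignedImage) error {
	if f.dbx[sha256.Sum256(img.Code)] {
		return ErrRevoked
	}
	if !f.db[string(img.Signer)] {
		return ErrUntrusted
	}
	if !ed25519.Verify(img.Signer, img.Code, img.Signature) {
		return ErrBadSig
	}
	return nil
}

// Sign is the step the bootloader publisher performs on its release build.
func Sign(code []byte, priv ed25519.PrivateKey) SignedImage {
	return SignedImage{code, priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, code)}
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy source; nothing sensible to do
	}
	return pub, priv
}

// RunScenarios builds a firmware that trusts one vendor key and checks four
// constructed boot images against it, returning the verdict per scenario.
func RunScenarios() map[string]error {
	vendorPub, vendorPriv := mustKey()
	_, attackerPriv := mustKey()
	fw := NewFirmware(vendorPub)

	// Constructed sample "binaries"; real images would be PE/COFF files.
	bootkit := []byte("bootkit: patch kernel, hide itself, keep running")
	genuine := Sign([]byte("vendor bootloader v1: load and verify kernel"), vendorPriv)
	selfSigned := Sign(bootkit, attackerPriv) // signed with the attacker's own key
	tampered := genuine                       // vendor signature kept, code swapped
	tampered.Code = bootkit
	revoked := Sign([]byte("vendor bootloader v0: has a known bypass"), vendorPriv)
	fw.Revoke(revoked.Code) // a later dbx update lists the old, bypassable version

	return map[string]error{
		"genuine":    fw.Verify(genuine),
		"selfsigned": fw.Verify(selfSigned),
		"tampered":   fw.Verify(tampered),
		"revoked":    fw.Verify(revoked),
	}
}

func main() {
	fmt.Println(RunScenarios()) // genuine:<nil>, all others refused with their error
}
```

The order of the checks matters: dbx is consulted before the signature, which is exactly why a revocation entry can block an image whose vendor signature is still perfectly valid, and why an attacker who steals a signed-but-vulnerable bootloader cannot simply keep using it once its hash has been pushed to dbx. The "tampered" case shows the second half of the guarantee: the signature is bound to the exact bytes, so keeping a genuine signature while changing the code is no better than having no signature at all.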

Trusted Boot can be disabled in the firmware setup menu, which is reached by pressing a key (commonly F1, F2, F12 or Del) right after switching the machine on. This used to be necessary to install operating systems whose bootloaders are not signed by a key in the allowed list. Today most major Linux distributions ship a small first-stage loader (shim) signed by Microsoft's UEFI CA, which is present in the db of practically every PC, so they install and boot with Trusted Boot enabled; disabling it is only needed for distributions or self-built kernels and bootloaders that carry no such signature. Otherwise you should always leave Trusted Boot enabled on your computer.

Disabling Trusted (Secure) Boot in the firmware setup menu

Summary

Trusted Boot protects the boot process of a computer by requiring a valid cryptographic signature on each component before it is executed, with the whole chain anchored in a key the attacker cannot replace. Nowadays this feature is implemented in almost every new computer.
