Linux Security 1 - Secured Embedded Linux Platform Build
The security of embedded systems is important today and will be even more so in the future.
Linux is dominant as an operating system for embedded devices. Even if there is no great ‘attack’ interest in the device itself, the embedded device can be a gateway for malware to access other systems.
In this course, you will learn the various options for secure boot and installation, as well as cryptography. You will learn how to build and start Linux in different environments such as ARM, as well as on RISC-V and X86_64 platforms.
You will learn to use the OP-TEE environment (Open Portable Trusted Execution Environment) in practical exercises. This course is a prerequisite for the Linux hardening course.
Objectives:
• Implementing secure boot
• Verifying the authenticity of system components before they are loaded and executed
• Ensuring the authenticity and integrity of the bootloader and kernel
• Implementing trusted boot
• Providing a secure environment for the secure monitor firmware
• Running OP-TEE in a secure environment that runs alongside the main operating system
Course Format:
• Online or onsite course, 2 days of 6 hours each (excluding break time), 12 hours in total.
• From 40% to 50% of training time is devoted to practical activities.
• Labs are conducted on a QEMU ARM-based board.
Prerequisites:
• C Language knowledge
• Embedded Linux Build knowledge
For in-house training the agenda can be adapted to your needs. Please ask!
Day One
Linux overview
Linux history
Linux architecture and modularity
Linux system components
The various licenses used by Linux (GPL, LGPL, etc.)
Boot Chain
Low-level boot
Boot on NOR
Boot on NAND
Boot on SD/MMC/eMMC
Multistage Boot
Why do we need a trusted boot chain
Security Concerns
Confidentiality and Integrity
Tampering Prevention
Compliance and Certification
Secure Boot
Secure Boot concept
The chain of trust
Complete secure boot process
Key Management
Introduction to key management
Cryptographic algorithms and key types
Key storage options: Hardware-based and software-based
Key management processes: Generation and revocation of keys
ARM-based platforms hardware features overview
Secure Monitor
Secure World
Trusted Execution Environment
Secure Boot on RISC-V and X86_64
Cryptographic Accelerators
Software Solutions
Open source
Proprietary
First and Second Stage Bootloaders
U-Boot
Capabilities and features
Configuration, customization, and compilation
U-Boot SPL as First-Stage Boot Loader (FSBL)
Role of U-Boot in the trusted boot chain
How U-Boot verifies the authenticity of the images it loads
Configuration options for securing the boot process
Interaction with the secure world and Trusted Execution Environment
Signing U-Boot
Arm Trusted Firmware (ATF)
Overview and features
ATF Boot flow
Services
Build and deploy
Other platform specific components
Secured Linux Image
Introduction to Linux kernel
Source code
Configuration
Compilation
FIT (Flattened Image Tree) Image
What is FIT and why is it used
Advantages of using FIT image
Configuration
Building a Secure FIT Image
Kernel Configuration for a Secure Linux Platform
Configuration options for secure boot in the Linux kernel
Access Control Configuration overview
Exercise: Boot the platform with the prebuilt image
Exercise: Generate keys that are going to be used for platform encryption
Exercise: Build and boot the platform with U-Boot as FSBL and SSBL
Exercise: Build and boot the platform with ATF as FSBL and U-Boot as SSBL
Exercise: Create a secured FIT Linux image
Day Two
Nohau Training Partner
This course is provided by a Nohau Training Partner, a trusted provider of hands-on training for professionals in embedded systems, software development, and engineering.
