Verified Boot for Embedded Systems

Authors: sjg
Self Link: go/cros-vbe

Visibility: Public
Originally Proposed: 2021-03-26 / Last Updated: 2023-09-20

Objective

Define a full-featured, verified-boot flow for Embedded Systems that uses and encourages Open Source firmware.

Requirements

Lightweight, fast and as simple as possible
Updatable from the earliest possible point (e.g. before RAM init)
Updates can happen entirely in the background without user intervention, taking effect on restart
Fully defined boot flow and communication mechanisms between firmware, kernel and user space
Focus on the U-Boot ecosystem and related projects
Provide a full set of secure-boot features, including vendor- and user- signing
Full recovery mechanism in the event of corruption / bricking
Support Chromium OS use cases (link) so Chromium OS could potentially use it for general hardware
Where permitted by vendors, ensure users are in control, e.g. to rebuild / replace firmware and disable security features
Verified by a full set of unit tests and functional tests built around U-Boot and fwupd

Out of scope

Mandating use of UEFI specifications, Tianocore, ACPI

Background

For some years ARM-based embedded systems have happily used U-Boot to initialise hardware, load a FIT (Flat Image Tree) containing Linux with a devicetree and boot it. Many of these are custom-built and fully integrated (e.g. using Buildroot or Yocto) with their own update mechanisms.

But for several reasons this era is drawing to an end:

As these systems have become more powerful, they are often running standard distributions (e.g. Raspberry Pi with Debian) which have a strong desire to use a standard flow on all platforms
Related, firmware is now expected to provide information and services to the operating system, such as devicetree and UEFI callbacks, so that the vanilla distribution can run on any device, similar to UEFI on traditional desktop computers
As these systems become trusted with more capabilities and user data, they attract criminals and require a high level of security. This is resulting in new firmware components such as hypervisors and separate, secure operating systems (e.g. OP-TEE, ARM's TF-A)
As SoCs become more complex, vendors are requiring new firmware components to support some features (e.g. Intel's Converged Security Engine)
As these systems become more complex, regular updates are needed to fix bugs and vulnerabilities throughout the software stack, including firmware

ARM's Embedded Base Boot Requirements (EBBR) aims to address these issues using the UEFI specification, with various U-Boot extensions to handle the various verification and update requirements. This document suggests an alternative approach. A discussion of the benefits is at the end.

Note: This document is based almost entirely on existing work, e.g. U-Boot, FIT, Chromium OS verified boot.

Sel also

Design ideas

The diagram below shows the VBE flow, starting with the boot ROM and ending with Fwupd (link).

^[1]

Briefly, the non-obvious components are as follows:

TPL - U-Boot Tertiary Program Loader performs enough init to be able to load VPL into SRAM
VPL - U-Boot Verified Program Loader performs the main verified-boot logic and decides which of the available firmware flows to take (e.g. A/B or recovery). It loads the appropriate SPL binary
SPL - U-Boot Secondary Program Loader sets up SDRAM and loads all secure firmware components as well as U-Boot. If an FPGA image or binary blobs are needed here, they are loaded too.
U-Boot - 'U-Boot proper' reads the bootflow instructions and decides which kernel / devicetree / rootdisk / FPGA to use, then boots these (including recovery kernel if enabled). If it provides a menu, the user can choose between bootflows. There is no need for grub^[2] unless desired, since it adds more complexity. If nothing can be booted, U-Boot can show a UI and guide the user through recovery.
Bloblist - a simple data structure for passing information through the boot flow, including what flow was chosen, console log, firmware information
NV data - approx. 64 bytes of non-volatile data used by verified boot, which survives a reboot. This can be accessed by Fwupd to request a particular flow on the next boot. It can be lost without ill effects. This may be stored on the disk, CMOS RAM, PMIC scratch space or some other convenient place
Sec. data - approx. 64 bytes of non-volatile secure data, used by verified boot. Records enterprise policy settings (e.g. can the device be wiped?) and critical user settings (e.g. whether to boot in non-verified mode, whether to allow adding keys). It should be stored in a TPM if available.
Bootflow - simple list of available boot flows: kernel, devicetree (or use firmware one), initrd, FPGA, etc. This is accessible to U-Boot proper and is updated by Fwupd as needed. This performs a similar role to grub.cfg but avoids control-flow constructs.
FIT - Flat Image Tree contains hashed images and signed configurations available for use. It is optionally itself signed to reduce the attack-surface area
Fwupd - user-space update daemon reads the update driver and parameters from devicetree and uses these to fetch and apply updates to firmware, FITs and bootflow list.
Root partitions / User partitions - provide filesystems for the system and user (possibly combined). dm-verity can be used to provide verification of the root partition.

Firmware structure

The overall firmware image is built by Binman, which includes a directory of available pieces for each flow, permits updates, supports compression and hashing, allows insertion of signatures, etc. This is used by Fwupd and can be used by developers to modify and replace firmware components. Firmware updates may replace parts of the firmware. The directory can be placed in the devicetree for use by fwupd.

Updatable parts of the firmware are signed with signatures embedded in the firmware image. These are checked by VPL when deciding which flow to take. If no valid SPL is available, recovery mode is selected.

Firmware may be in its own storage , such as SPI flash, with a read-only part containing the recovery firmware to prevent bricking. If stored on the disk, unbricking may require external action.

FIT

Flat Image Tree (spec) is an ideal format for storing images. It supports many useful features: multiple images along with 'configurations' that collect them together, hashing, compression, signing (including adding new signatures to an existing FIT) and is easily extensible. It is shipped as a single file, simplifying management of the contents. Adding FIT support to an existing codebase is fairly simple: perhaps 800 LOC when libfdt is used.

The extensibility of FIT is key to VBE, since we cannot imagine all possible future requirements for firmware and changing to a different format later would be very disruptive.

Firmware updates

Every platform potentially has its own method of updating the firmware. The method and the required parameters are encoded in the devicetree in /chosen/fwupd, for example:

        chosen {
                fwupd {
                        firmware {
                                compatible = "fwupd,a-b-rec";
                                storage = <&spiflash>;
                        };
                };
        };

The compatible string directly maps to a driver in fwupd which knows how to deal with that method. Vendor-specific methods or options can be implemented as needed, using a different compatible string. In an A/B update, only one side is updated, with the other being written after a successful boot. Signalling for this is handled via NV data.

If a firmware update fails, or does the wrong thing, or writes unsigned firmware, then the device may end up in recovery mode on the next boot. Nothing fwupd can do can compromise the system, however, since it cannot itself sign the firmware, only install pre-signed images^[3].

See VBE Firmware Update for more information.

OS update

Updates to the operation system are installed by fwupd in the form of new FITs. The place to install these is typically controlled by the 'bootflow' file, although the devicetree may also provide this.

Bootflow

The available boot flows are described in a bootflow file, accessible to U-Boot and fwupd. A boot flow record includes the FIT configuration to load (which in turn indicates kernel, devicetree, initrd, FPGA), base kernel command-line arguments and any other pieces defined by VBE. Each record in the file can be individually signed (according to firmware policy) and only records that can be verified will be accessible at boot time.

Firmware selection (in VPL) may adjust the use of bootflow in several ways, for example:

Indicate that only recovery flows may be selected
Request A or B FITs only
Used a predefined FIT unless in non-verified boot
Allow use of unsigned or self-signed flows

Typically the bootflow file is stored in a particular directory / file or block. In this example, the partition UUID is fixed in the factory:

        chosen {
                fwupd {
                        bootflow {
                                compatible = "fwupd,a-b-rec";
                                storage = <&ufs>;
                                filesystem = "ext4";
                                partition-uuid = "cd8a3a34-e2d0-4d0c-97d0-e2b1f14220a8";
                                directory = "/boot";
                        };
                };
        };

The format of the bootflow file is described in VBE Bootflow'. The menu is described in VBE UI.

Adding keys

The user can add new keys to the system, if permitted, using fwupd or an OS tool that uses it. This allows support for self-signed FITs. New keys can be placed in firmware like any other payload and are signature-checked by VPL on the next boot, before being installed for future use, perhaps after user-presence check. A U-Boot UI could provide a way to install keys also, although the security aspects of this need some thought.

Fixups

Since U-Boot loads the FIT it can perform any devicetree fix-ups that are needed for the memory layout, console selection, etc. This is a fairly simple process and already implemented. Should the fix-up algorithm itself need to change, it is possible to update U-Boot.

For the kernel command-line, U-Boot provides a way to replace ${var} expressions in the template provided by the bootflow record.

OS Requests

With VBE, Operating Systems publish their booting requirements as part of the FIT, where they can be easily read and acted on. Requests include random numbers and seeds and address-space layout randomisation (ASLR). U-Boot processes the requests and adds the resulting information to the /chosen node for use by the OS, using the 'fixup' mechanism. In the case of Linux, this renders the EFI stub (which on ARM reads information from tables and writes it into the DT) unnecessary.

Communication through phases

Each phase of boot needs to pass information to the next. VBE uses bloblist, a simple data structure which can be implemented with little code and does not require UUIDs. WIthin the bloblist, each blob can have a particular purpose, including one for the vboot state. Note that bloblist does not replace devicetree which is much more suitable for more comprehensive and extensible transfer of information to later boot stages or Linux.

Communication to firmware from Linux user space is through the NVdata. If larger chunks of information are needed (e.g. a new key), they are written to the read/write firmware space. Since the firmware is not required to be running once linux is fully booted, such information is considered on the next boot.

Migration path

Many of the pieces needed by VBE are already available. Some more design work is obviously needed, to flesh out the ideas presented here. At minimum, the following need to be implemented:

fwupd support for a basic firmware-update mechanism, e.g. A/B/Recovery
U-Boot and binman support for VPL (patches are available on the U-Boot mailing list)
Add the actual VBE logic to VPL and U-Boot proper
UI development, e.g. for recovery mode, non-verified boot
Integration into a suitable distribution as a proof of concept

Avoiding U-Boot and Linux

While U-Boot is used here and is intended to be the reference implementation, the interfaces do not mandate it, and other bootloaders could provide similar features. The TPL/VPL/SPL/U-Boot pieces can be replaced entirely with a different bootloader which provides the same functionality.

Similarly, while Linux is envisaged, VBE is capable of booting other operating systems, providing its full boot support (including verified boot, for example) regardless of which is chosen, since it does not require the OS to communicate with firmware in any way, although some features are lost. Since fwupd supports Windows, it would in fact be possible to perform firmware updates from Windows as well as Linux, if desired.

More complex firmware

U-Boot provides support for loading arbitrary binaries from a FIT ("loadables"), while still providing verified-boot support ("signed configurations"). As firmware becomes more complex, it should be possible to add these images and stitch them into the architecture without undue effort.

Devicetree location

At present it is common to package the devicetree with Linux for ease of update. VBE should enable easier and more pervasive firmware update so that it will become common for Linux to rely on the devicetree provided by the firmware, with an override if necessary, for particular situations.

SoC Boot ROMs

Many SoCs support signing of images using a key within the SoC, along and verification during boot. This feature can be used to load the initial TPL / VPL binaries along with any settings needed for the device. It provides a guarantee that unauthorised code cannot be run at boot. Once the system boots to VPL, the VBE process takes over to provide a standard boot flow across all SoCs, regardless of their particular implementation of SoC-signed images.

If the SoC does not support signing, then read-only flash can be used instead, programmed once at the factory (and perhaps later during refurbishment/ RMA) and protected against in-the-field updates.

ACPI

It is not expected that ARM systems would need to use ACPI with VBE, although it is possible. For Intel systems, U-Boot supports ACPI, including comprehensive runtime code-generation as needed. ACPI updates require a firmware update since these tables are not easily packaged with the OS.

Testing

VBE lends itself to robust testing due to its simplicity. Much of the flow exists within U-Boot and can be tested in sandbox, U-Boot's native test environment. This avoids any need for real hardware or qemu and can run in the CI environment. Test cases with different bootflow files can be implemented similarly to U-Boot's existing vboot tests, by updating the bootflow file, starting TPM/NVdata conditions and running the boot in sandbox. For firmware update, unit tests in fwupd can check that the correct data ends up in the firmware space. The loose contract between firmware and fwupd lends itself to separate testing, with perhaps just some hardware- or qemu-based 'happy-path' tests to cover the overall flow.

Development

VBE should be a very friendly architecture to develop within. U-Boot is already familiar to most embedded engineers and VBE makes use of existing U-Boot technologies which have been around for years. It uses the Linux coding style, Kconfig and has a powerful driver model / devicetree architecture. Commands are available to view, debug and adjust settings during development. While fwupd will be new to some, it is well-established in the area of peripheral-firmware update and is already in several distributions. It has wide OEM adoption.

Example boot and update

This describes the steps that a system goes through through to boot and update itself:

SoC boot-ROM loads TPL into SRAM, either from write-protected flash or using a signature check
TPL performs basic init such as clocks, cache, TPM and the like, then loads VPL into SRAM. It sets up an empty bloblist region for storing console output, vboot data, etc.
VPL checks the Sec. data and NV data, and decides which SPL to boot (e.g. A, B, recovery). Let's say it selects A. It adds vboot information to the bloblist and then loads SPL-A (say version 6) into SRAM.
SPL-A sets up SDRAM and boots into U-Boot. It could also load secure-firmware pieces if needed.
U-Boot checks the bootflow and the vboot information in the bloblist, then decides which configuration to boot. Let's say it chooses a configuration with kernel v5.10. It verifies the configuration, reads and verifies the images, sets up the command line, performs fix-ups on the devicetree and command line, then boots Linux
Linux starts up from the assigned root device using dm-verity and operates normally
Sometime later fwupd checks the firmware-update configuration, runs the appropriate driver which sees an update to firmware v7 available on the Internet. It downloads it, performs some checks and stores into the firmware area, partition B (since A is in use). The update is not yet applied but the NVdata is updated to indicate that firmware should try booting partition B.
A little later fwupd does the same for the kernel-update configuration, downloading and storing a new FIT with kernel v5.12 in it, along with a devicetree overlay. It adds a new record to the bootflow and marks a previous one for archiving if the new one works out OK.
Sometime later the user reboots the machine. This time, VPL sees that it should try firmware B. It does so and the signature checks out, so it loads SPL B (i.e. version 7), which loads U-Boot B and the 'B' version of any secure firmware, etc.
U-Boot B loads the bootflow records and sees the new one to try. It verifies the new configuration, then boots it.
Linux 5.12 starts up as normal
Sometime later fwupd checks the firmware-update configuration, runs the appropriate driver which sees that the B firmware booted OK, so it writes it to the 'A' partition as well, then marks the firmware update as completed. VPL will later update the rollback counters in Sec. data on a subsequent reboot.
A little later fwupd does the same for the kernel-update configuration, moving the old v5.10 configuration to the archive and making v5.12 the default configuration.

Alternatives considered

We could continue with the existing EBBR with a mandated UEFI approach. This has the benefit of seemingly unstoppable momentum. But:

It is more complex, since it must assume that grub (or similar) may be used for boot and that it does the kernel/initrd selection by whatever means it implements
It is therefore harder to test and likely to include more bugs
It is unlikely to achieve adoption with smaller embedded systems^[4] and vertically integrated systems (e.g. Chromium OS) since it adds complexity and rigidity without any obvious benefits
It requires firmware to undertake all updates^[5] (UEFI capsule updates are processed by UEFI), introducing user delay (must wait for update to take place), risk of failure (how do we know that the new firmware can be written?) and an inability to resolve the problem due to being done in the firmware context (cannot download new things or report the failure off the machine)^[6].
Optimising across the system is challenging, since it effectively relies on grub (or similar) and its behaviour is not well defined (e.g. the boot scripts can be arbitrarily complex)
As such EBBR is overly generic, since it envisages replacing things that most people would not care to replace. It seems to be motivated by trying to copy the existing x86 UEFI architecture, meeting the existing distros where they are today with as little deviations as possible.
It has rigid boundaries which cannot evolve over time to deal with new challenges as they arise. Doing everything through the little EFI boundary misses an opportunity to standardise the whole process from end to end. For example, if I want to load and update some of my firmware from user space, still with A/B update, I can do that with VBE, but with UEFI there is no connection between the firmware update in firmware and in user space. If I want to apply overlays and fixups, I can do that within the context of verified boot in U-Boot, much easier and more extensible than trying to patch it up later after the OS has started and the horse is half-way out of the stable.
It does not include a way for user space to communicate with the firmware other than by providing updates to be processed next time the firmware boots. The existing EFI variables mechanism is used to control the boot flow.
It is likely to result in a firmware industry that is entirely closed source, since it makes open-source firmware much harder to implement, and closed-source firmware much easier. Cementing UEFI's hold over firmware will then carry forward even if Windows and UEFI PCs fade away. The system designed for closed source, to enable companies to produce BIOS software with no industry collaboration, will become the standard.
Devicetree fix-ups are harder
Separating the bootloader into two pieces (U-Boot and grub or grub substitute), largely for legacy reasons, creates a substantial increase in complexity - UEFI capsules, variables, potentially run-time services, none of which are otherwise needed to solve the problem.

Benefits

Here with a brief summary of the benefits of VBE:

Clear path to adoption since it builds on what embedded people are already using
Doesn't mandate UEFI spec (it is optional)
Uses existing proven technology - U-Boot, devicetree, FIT, fwupd
Better security, since:

No more complex than it needs to be
Encourages open firmware and open-source firmware
More clearly-defined behaviour (e.g. bootpath file is straightforward)

Extensible in most areas