Security Starts in the Firmware

I am a pretty frequent user of LinkedIn — as I do like the style of the network much more than, for example, Xing, and I feel like it has a much more active community. And I get spammed a lot with advertisements about security appliances, firewalls, identity management systems, and so on. But what most people do not know: security, no matter if it is a firewall, VPN appliance or ballot system, always starts at the firmware level. Let’s learn how to build such a system — and why security always starts in the firmware.

Security engineers tend to speak about the chain of trust. This means that a system made of various components needs to build its security layer on layer, chaining trustworthiness through the complete system. This chain always has a so-called trust anchor, the root of trust. The root of trust is the one code block, binary or hardware part in your system that you need to trust in order to build up a chain of trust. Let’s do an example here:

One “Secure” System

First of all — there is no secure system. Security is measured by how much effort it takes to break it. Anyway, imagine you want to build a VPN appliance. So what do we need for this?

  • The bare metal platform, i.e. hardware

  • Some operating system — probably Linux

  • A VPN server — because you are a fan of open source just like me, let’s go for OpenVPN

Most people now throw these parts together, do some nice configuration in Linux so that it only allows specific ports to pass through, disable root login, and the VPN appliance is good to go. But what actually happens from the point where the system starts booting until the application has been loaded?

Bootflow

Every computer always starts at the reset vector. The reset vector is a System-on-Chip-specific address that points to the location in storage (most of the time an SPI flash chip) of the initial code that runs on the system, the so-called firmware.

The firmware will initialize most of the hardware running on your system and will jump to a bootloader, which then loads your operating system. Once your operating system has been loaded, in our scenario, the OpenVPN server will start up and provide the needed services to our clients.

So clearly the root, the beginning of the whole system, is the firmware. And within the firmware we can be even more specific. The firmware consists of multiple parts. As my main area of expertise is x86 firmware, we can divide this into several stages. The first part of the code is called the bootblock, or the security phase in UEFI. The security phase does not contain any security at all; the name was chosen unfortunately. The security phase initializes the CPU and sets up the CPU cache as RAM, as no RAM is available yet.

The next phase is the Pre-EFI Init (PEI) or romstage. The romstage has mainly two purposes: do additional hardware initialization and, most important, bring up the RAM.

Next is the ramstage or Driver Execution (DXE) phase. The DXE phase does everything your system needs: bring up hardware, talk to the devices in your system like the Baseboard Management Controller, load USB drivers if necessary, and so on. We do not need to go into full detail here. After all drivers have been initialized, the bootloader pops up and starts executing your operating system kernel (yes — Windows does also have a kernel).

The kernel basically repeats a lot of the steps that already happened in the firmware — especially the DXE part. Once the user space has been loaded, the application starts up and we are good to go.

The Root of Trust

Within most systems the root of trust is just the complete firmware. Because most of it is closed source and we do not really know what is happening down there, we have to take the firmware as one big blob which acts as our root of trust. From there we can build up a chain of trust using known techniques like UEFI Secure Boot.

UEFI Secure Boot states that the integrity of the system is correct from the root of trust on, and that the firmware only loaded a signed bootloader, which loaded a signed operating system, which only loads signed kernel drivers. So the chain here would be:

[Figure: Classical UEFI Secure Boot]

The whole system relies on the firmware not having been compromised. As the firmware is completely closed-source, we have to take the whole firmware as the RoT — which is roughly 16MB.

Can we do better?

Yes. Open-source firmware can be one tool to gain more control and security over your root of trust and to minimize the RoT. Let’s take coreboot as an example. coreboot has multiple stages which get executed before the bootloader is loaded. These are:

[Figure: coreboot bootflow with measured/verified boot]

coreboot follows a minimal trusted computing base approach — the bootblock is a very small part of the whole firmware which is only needed to bring up the stack and heap so that the firmware can work and we do not have to use assembly anymore. After the bootblock, the Trusted Platform Module will be initialized and our chain of trust starts.

So instead of taking the complete firmware as the root of trust, we only take a small portion within the firmware, the bootblock and verstage, which act as our root of trust, and we start the chain of trust from there on. All following stages will be measured and verified from the bootblock and verstage on. This heavily increases the security, as we only need to trust a smaller portion of the code — and that portion is even open-source.
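
To make "measured from the bootblock and verstage on" concrete, here is an added example (not code from the original article or from coreboot) that models TPM-style PCR extension over the later stages and the check a verifier runs afterwards. The stage images, the single PCR and the golden digests are constructed assumptions.

```python
import hashlib

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style PCR extend: new = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()

def measure_chain(stages):
    """Root-of-trust side: hash each stage before running it, extend the PCR."""
    pcr, log = bytes(32), []            # a SHA-256 PCR is all zeroes after reset
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))      # event log lives in ordinary, untrusted memory
    return pcr, log

def verify_boot(quoted_pcr, log, golden):
    """Verifier side: returns (ok, reason)."""
    pcr = bytes(32)
    for _name, digest in log:           # 1. replaying the log must reproduce the PCR
        pcr = extend(pcr, digest)
    if pcr != quoted_pcr:
        return False, "event log does not match PCR"
    for name, digest in log:            # 2. every logged digest must be known-good
        if golden.get(name) != digest:
            return False, f"unexpected measurement: {name}"
    if [n for n, _ in log] != list(golden):
        return False, "stage missing or out of order"
    return True, "ok"

# Constructed stage images (placeholders, not real firmware).
GOOD = [("romstage", b"romstage-v1"), ("ramstage", b"ramstage-v1"),
        ("payload", b"bootloader-v1")]
GOLDEN = {name: hashlib.sha256(img).digest() for name, img in GOOD}

def demo():
    pcr, log = measure_chain(GOOD)
    tampered = [GOOD[0], ("ramstage", b"ramstage-v1-modified"), GOOD[2]]
    bad_pcr, bad_log = measure_chain(tampered)
    # Third case: a clean-looking log presented alongside the modified boot's PCR.
    return (verify_boot(pcr, log, GOLDEN),
            verify_boot(bad_pcr, bad_log, GOLDEN),
            verify_boot(bad_pcr, log, GOLDEN))

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third case shows why the measurement has to start in a small trusted stage: the event log can be rewritten by later code, but the PCR can only be extended, so a clean-looking log no longer replays to the recorded value.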

TL;DR

If you are designing a secure system, the firmware should be the ground on which your security stands — and ideally it should be open and minimal.

Thanks for reading — if you want to know more about open-source firmware, check this out:

Translated from: https://itnext.io/security-starts-in-the-firmware-19e0fc75afd9
