Lessons learned from deploying boot security features on embedded systems

UB4.136 | Day 2 | 11:00 - 11:30 | Speakers: Valentin Geffroy, Johann Gautier

Abstract

Verifying the integrity of the entire boot process is now mandatory for embedded systems. Secure Boot is typically a feature that ensures the integrity of loaded binaries (such as vendor firmware, bootloaders, initramfs and the Linux kernel) against unauthorized modifications of essential boot components. If the bootloader or the Linux kernel does not match what is expected, the boot process is halted. Once the boot process has been secured as far as possible, other methods can reinforce the rootfs, such as dm-crypt for encryption and dm-verity for integrity.

This presentation will explore these security features in the context of an embedded operating system called redpesk OS. How can they enhance system security? Can they be applied to specific embedded systems? These are some of the key topics we will cover, starting with general security features; we will then explain some difficulties we had deploying boot security features in a restricted environment (old Linux kernel version, CPU and memory usage).

Speakers

Valentin Geffroy
Johann Gautier
