Build Once, Trust Always: Single-Image Secure Boot with barebox

Name: Build Once, Trust Always: Single-Image Secure Boot with barebox
Start: 2026-01-31T11:00:00
End: 2026-01-31T11:00:00
Location: UD2.120 (Chavanne)

UD2.120 (Chavanne) | Day 2 | 11:00 - 11:25 | Speakers: Ahmad Fatoum

Copy link

Copy link

Open in browser

Notes

Abstract

Secure-boot projects often end up with a zoo of nearly-identical bootloader images for development, factory, and field use with each variant adding more risk.

This showcase illustrates how to avoid this entirely: one bootloader image that adapts securely to each lifecycle stage using fuse-based state transitions, device-bound unlock tokens, and policy-driven access control.

With barebox and OP-TEE, we’ll show how these mechanisms enforce secure operation while still allowing controlled debugging and recovery, without ever maintaining multiple images.

Attachments

Slides

Speakers

Ahmad Fatoum

Ahmad joined the kernel team at Pengutronix in 2018 to work full-time on furthering Linux world domination. He does so by helping automotive and industrial customers build embedded Linux systems based on the mainline Linux kernel. Having a knack for digging in low-level guts, his tasks include hardware enablement, Linux driver development and boot loader porting. Ahmad is a contributor to a number of open-source projects, including the Linux kernel and the barebox boot loader.

External Links

Notice: The placeholder video image is licensed under CC BY-SA 4.0. The original image can be found hereChanges made to the image are: Cropped the image to a new ratio, part of the image was cut off.