

## **Armed to Boot**

A Novel Enhancement to Arm's Secure Boot Chain

Derek Chamorro, Ryan Chow

### Derek

- Staff Security Engineer



### Ryan

- HW Security Engineer







- Cloudflare and Secure Boot Journey
- Hardware Root of Trust
- Background on Arm Secure Boot/Chain of Trust
- Single Domain Secure Boot
- Demo
- BMC
- Future



# What is Cloudflare?

### **Network Map**



**Internet Properties** 

#### Lots of cities = Lots of servers









#### **Secure Boot Chain**









- Authenticates first block of BIOS/UEFI code before releasing x86 CPU from reset.
- Enabled at boot time with PSB-ready FW image.
- PSB is configured using a region of one-time programmable (OTP) fuses, specified for the customer.





### **Updated Secure Boot Chain**








# **ARM Secure Boot**



Arm Trusted Board Boot Requirements aka "ATF Secure Boot".

How to build a "Chain of Trust" from the first ROM code executed (BL1) to the "Normal World" firmware (BL33).

The System on a Chip (SOC) manufacturer is heavily involved in the secure boot chain:

- Requires unique SOC stock keeping unit (SKU) per customer
- SOC manufacturer has end-to-end signing responsibility
- Complicated infrastructure
- Doesn't scale





- 128+ core ARM M1 core processor
- ARM V8.2+ extensions
- High memory, I/O, network bandwidth
- Lower TDP than x86



#### **Arm (Ampere) Secure Boot**



#### **Chain of Trust Revision - Single Domain Secure Boot**



#### Single Domain Secure Boot (SDSB) Provisioning



[Diagram label: SIGNED SECPROV.SLIM]

#### **SRP Customization**



#### **Signed UEFI Firmware**



#### **Security Provisioning Firmware**




#### eFuse Key Provisioning



#### **Final Manufacturing Flow**



#### Validation



#### **UEFI** Authentication





### Demo



# **BMC** Protection



#### **CPU-based Root of Trust**





- Highly privileged access to host
- Network accessible
- Connected to both host and management network
- Persistence independent from host
- Poor firmware security history
  - https://blog.cloudflare.com/bmc-vuln/





# Future

#### **Security Co-Processors**





### blog.cloudflare.com



# Thank you



| SPIDEN | DBGEN | SPNIDEN | NIDEN | Invasive Debug: Secure | Invasive Debug: Not Secure | Non-Invasive Debug: Secure | Non-Invasive Debug: Not Secure |
|--------|-------|---------|-------|------------------------|----------------------------|----------------------------|--------------------------------|
| 0      | 0     | 0       | 0     | N                      | N                          | N                          | N                              |
| 0      | 0     | 0       | 1     | N                      | N                          | N                          | Y                              |
| 0      | 0     | 1       | 1     | N                      | N                          | Y                          | Y                              |
| 0      | 1     | 0       | 1     | N                      | Y                          | N                          | Y                              |
| 0      | 1     | 1       | 1     | N                      | Y                          | Y                          | Y                              |
| 1      | 1     | 1       | 1     | Y                      | Y                          | Y                          | Y                              |
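The rule behind the table, as an added C example that is not part of the talk: it encodes Arm's authentication-signal combination (DBGEN, SPIDEN, NIDEN, SPNIDEN as defined in the Cortex-A TRMs) rather than the table itself, derives the six rows above from it, and exposes the production check a secure-boot owner cares about (no Secure-world debug enabled). The `dbg_*` names are my own.

```c
#include <stdbool.h>
#include <stddef.h>

/* Debug-authentication input signals (typically driven by eFuses/boot firmware). */
struct dbg_auth { bool spiden, dbgen, spniden, niden; };

/* Resulting permissions: the Y/N columns of the table. */
struct dbg_perm {
    bool inv_secure, inv_nonsecure;   /* invasive (halting) debug   */
    bool ninv_secure, ninv_nonsecure; /* non-invasive (trace/PMU)   */
};

/* Arm's combination rule (assumption: Cortex-A TRM definitions). */
struct dbg_perm dbg_auth_eval(struct dbg_auth a)
{
    struct dbg_perm p;
    p.inv_nonsecure  = a.dbgen;
    p.inv_secure     = a.dbgen && a.spiden;
    /* invasive permission at a level implies non-invasive permission there */
    p.ninv_nonsecure = a.dbgen || a.niden;
    p.ninv_secure    = (a.dbgen && a.spiden) || (a.niden && a.spniden);
    return p;
}

/* Production-fuse policy: no Secure-world debug of any kind. */
bool dbg_auth_secure_world_closed(struct dbg_auth a)
{
    struct dbg_perm p = dbg_auth_eval(a);
    return !p.inv_secure && !p.ninv_secure;
}

/* Re-derive the six rows of the table above from the rule. */
bool dbg_auth_table_matches(void)
{
    /* {SPIDEN,DBGEN,SPNIDEN,NIDEN} -> {inv S, inv NS, ninv S, ninv NS} */
    static const struct { struct dbg_auth in; struct dbg_perm out; } rows[] = {
        {{0,0,0,0}, {0,0,0,0}}, {{0,0,0,1}, {0,0,0,1}},
        {{0,0,1,1}, {0,0,1,1}}, {{0,1,0,1}, {0,1,0,1}},
        {{0,1,1,1}, {0,1,1,1}}, {{1,1,1,1}, {1,1,1,1}},
    };
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
        struct dbg_perm p = dbg_auth_eval(rows[i].in);
        if (p.inv_secure    != rows[i].out.inv_secure    ||
            p.inv_nonsecure != rows[i].out.inv_nonsecure ||
            p.ninv_secure   != rows[i].out.ninv_secure   ||
            p.ninv_nonsecure != rows[i].out.ninv_nonsecure)
            return false;
    }
    return true;
}
```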