Wednesday, May 13 • 12:30pm - 1:00pm
Enabling Secure Boot in ONIE


Platform resiliency is a necessity in systems manufactured today, whether they are networking devices, servers or IoT devices. Systems should be built so that the authenticity of the entire software stack can be verified. This is only possible by starting from an immutable Root of Trust and having each subsequent stage verified by the stage before it; every boot option on the system must be authenticated. ONIE (the Open Network Install Environment) is used to install Network Operating Systems and ships on most open networking devices. This presentation shows how ONIE Secure Boot can be enabled and walks through the other Secure Boot components in the chain of trust. What already exists in open-source ONIE is the use of shim to verify GRUB and the kernel. Shim, however, cannot verify grub.cfg or the initial ramdisk, whereas GRUB can verify the Linux kernel, the initial ramdisk and grub.cfg itself using detached signatures. Building on this, the BIOS (UEFI firmware) verifies GRUB, and GRUB verifies each stage it loads. GRUB installation in the ONIE installer scripts cannot use the existing GRUB installation methods, because a signed standalone GRUB image must be used. In addition, key enrollment scripts in ONIE are used to add or revoke keys in the UEFI signature databases; they can be run before calling the NOS installer or the ONIE updater. This approach to enabling Secure Boot in ONIE also serves as a template for enabling Secure Boot in any NOS.
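The chain described in the abstract (UEFI db verifies a signed standalone GRUB; GRUB verifies grub.cfg, kernel and initrd through detached GPG signatures; keys are added to db or revoked through dbx before the NOS installer runs) can be scripted as follows. This is an added example and not Dell's or the ONIE project's installer code. It assumes gpg, grub-mkstandalone, sbsign (sbsigntools) and the efitools utilities are installed, that a db signing pair db.key/db.crt and the KEK pair KEK.key/KEK.crt exist, and that GPGKEYID names the GPG key embedded in GRUB; all file names, the module list and the sample tree used by the self-check are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not ONIE's own code): build, sign and pre-check a
# Secure Boot chain for an ONIE/NOS image.  Assumed tool chain:
#   gpg, grub-mkstandalone, sbsign (sbsigntools), efitools, uuidgen.
# Assumed key material (names are illustrative):
#   db.key/db.crt   - key whose cert is enrolled in the UEFI db; signs GRUB
#   KEK.key/KEK.crt - KEK pair that authorizes db/dbx updates
#   GPGKEYID        - GPG key whose public half is embedded in GRUB
set -eu

# Detached-signature check: every file GRUB will load must have FILE.sig
# beside it, otherwise GRUB with check_signatures=enforce refuses it.
# Prints what is missing; returns 0 only when the chain is complete.
check_grub_stage() {
    dir=$1; shift
    missing=0
    for f in "$@"; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing artifact: $f"; missing=$((missing + 1))
        elif [ ! -f "$dir/$f.sig" ]; then
            echo "unsigned artifact: $f"; missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# grub.cfg embedded in the standalone image: enforce signature checking
# for everything GRUB loads afterwards (kernel, initrd, nested configs).
make_grub_cfg() {
    cat <<'EOF'
set check_signatures=enforce
export check_signatures
menuentry "ONIE" {
    linux  /onie/vmlinuz
    initrd /onie/initrd.img
}
EOF
}

# Sign one GRUB-loaded artifact with a detached GPG signature (FILE.sig).
gpg_sign() {
    gpg --batch --yes --local-user "$GPGKEYID" --detach-sign \
        --output "$1.sig" "$1"
}

# Build standalone GRUB with the GPG public key, grub.cfg and its .sig in
# the memdisk, then sign the PE binary with the db key so UEFI accepts it.
# If your GRUB does not pull in the signature module via --pubkey, add it
# to --modules ("pgp" in GRUB 2.04+, "verify" in 2.02).
build_signed_grub() {
    workdir=$1
    gpg --export "$GPGKEYID" > "$workdir/pubkey.gpg"
    make_grub_cfg > "$workdir/grub.cfg"
    gpg_sign "$workdir/grub.cfg"
    grub-mkstandalone -O x86_64-efi -o "$workdir/grubx64.efi" \
        --pubkey "$workdir/pubkey.gpg" \
        --modules="part_gpt fat ext2 linux normal gcry_rsa gcry_sha256" \
        "boot/grub/grub.cfg=$workdir/grub.cfg" \
        "boot/grub/grub.cfg.sig=$workdir/grub.cfg.sig"
    sbsign --key db.key --cert db.crt \
        --output "$workdir/grubx64.efi.signed" "$workdir/grubx64.efi"
}

# Key enrollment: wrap a certificate as an EFI signature list, sign the
# update with the KEK and append it to db (allow) or dbx (revoke).
enroll_cert() {   # usage: enroll_cert db|dbx cert.crt
    var=$1; cert=$2
    cert-to-efi-sig-list -g "$(uuidgen)" "$cert" "$cert.esl"
    sign-efi-sig-list -a -k KEK.key -c KEK.crt "$var" "$cert.esl" "$cert.auth"
    efi-updatevar -a -f "$cert.auth" "$var"
}

# Self-check on a constructed tree (no signing tools needed): initrd.img
# is deliberately left unsigned so the check reports it.
tmp=$(mktemp -d)
mkdir -p "$tmp/onie"
make_grub_cfg > "$tmp/grub.cfg"
for f in grub.cfg.sig onie/vmlinuz onie/vmlinuz.sig onie/initrd.img; do
    : > "$tmp/$f"
done
check_grub_stage "$tmp" grub.cfg onie/vmlinuz onie/initrd.img \
    || echo "chain incomplete: do not ship this image"
rm -rf "$tmp"
```

In an ONIE installer the order matters: enroll_cert for db runs before the NOS installer or ONIE updater is invoked, so that the signed standalone GRUB it writes is already trusted on the next boot, and a dbx entry for the old signing certificate is only appended after every boot option still present on the system has been re-signed with the new key.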


Hannah Williams

Software Senior Principal Engineer, Dell Technologies
Hannah is currently working on Dell Networking platforms with a primary focus on BIOS. For the last few years she has worked on enabling both UEFI BIOS and coreboot for platforms running on Intel SoCs.
https://www.linkedin.com/in/hannah-williams-219849/

Wednesday May 13, 2020 12:30pm - 1:00pm
EW: Networking Hardware