Ensuring that a device runs only authorized and trusted software is crucial to end users, device manufacturers (OEMs), and carriers alike. OEMs may want to protect their devices from running unauthorized software. Software that is not authentic could degrade carrier network or device performance. Malicious software can potentially compromise anything from a user’s private or financial data to irreparably damaging the physical device itself. There are many risks and potential consequences in executing untrusted software — more than we can enumerate here.
Consider an attacker who attempts maliciously inject or modify the software images in storage. The earlier in the chain of loaded software that an attacker can compromise an image, the more control they gain. Device software is usually loaded in stages where each software image is often configured to have less authority and control than the previous image in the chain. Specifically, the first software image which is loaded has nearly complete control of the device. These first images to be loaded are called bootloader images.
If an attacker can replace the first software image to execute with their own malicious image, then they control the rest of the device’s execution. This makes the integrity of the boot chain critical. Replacing a bootloader image in storage with a malicious image could result in a persistent exploit that would control execution in that software image and any image to be run after it.
Implementing a “secure boot” chain is designed to ensure that each of these images are unmodified, and is one way of deterring malicious or dangerous software from executing. Qualcomm Technologies products offer a secure boot implementation and have for many years.
Secure boot is defined as a boot sequence in which each executable software image is authenticated by previously verified software. This sequence is engineered to prevent unauthorized or modified code from running. We build our chain of trust according to this definition, starting with the first piece of immutable software running out of read-only-memory (ROM). This first ROM bootloader cryptographically verifies the signature of the next bootloader in the chain, then that bootloader cryptographically verifies the signature of the next software image or images, and so on.
The diagram above depicts an example of a secure boot sequence. The three images verified by the operating system have been authenticated by a chain of trust that leads back to the first ROM bootloader in hardware. Each image in this chain has been cryptographically verified by a certificate chain anchored to the root certificate, which is also anchored in hardware. Any attempt to inject potentially harmful code into the image will be thwarted.
For more information on the Qualcomm Technologies secure boot and image authentication process, download our Qualcomm Technologies Secure Boot whitepaper. This whitepaper provides an in-depth look at our signed ELF images format, the process of loading and authenticating those images, certificate chain contents, and supported signature algorithms.