lolo859/vystem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
vystem/docs/blastproof/sbfie.md
lolo859 e15daed8c0 First commit, Vystem v0.1
2026-03-31 22:15:00 +02:00

3.4 KiB
Raw Permalink Blame History

SBFIE

Introduction

Secure Boot Files Integrity Enforcement (SBFIE) is a compoment of Blastproof in charge of verifying the integrity of Blastproof's files. This allow for cryptographic immutability of boot files.

Limitations

SBFIE has been conceived with the following limitations in mind:

  • it doesn't check integrity of the entire bootloader itself
  • it doesn't replace UEFI Secure Boot but make it impossible to use without customised certificates generated at each compilation (not supported for the moment)
  • due to the will of it being compatible with a large variety of devices, it doesn't integrate TPM utilization (but support in an eventual future is planned)
  • any user of a non-QWERTY keyboard will have a hard time typing a password in an UEFI console
  • it use the EFI console as input (support of self-made input methods and protocol will be implemented in a near future)
  • any missing file that is supposed to be protected by SPFIE will cause the boot process to fail

How it work

For details on how to setup SBFIE, see the doc on the keygen utility.

Initial parameters and variables

The following explenations assume that the bootloader has been compiled with a specially generated header key.h, generated by the keygen utility, for protecting N number of files.

The key.h header contain the following datas:

  • bp_key_mainsig: an array of bytes containing the main signature generated with Sphincs+
  • bp_key_pkblob: an array of 64*N bytes containing N Sphincs+ public keys, one for each file
  • bp_key_pwdsalt: an array of 32 bytes containing the salt to use for hashing the boot password
  • bp_key_files: an array of N strings indicating the order in which boot files should be verified for each public key from sh_key_pkblob to correspond with each file

We assume that all files are in the \EFI\BlastProofFiles folder with their corresponding names as specified in bp_key_files and that their Sphincs+ signatures are stored as <file name>.sig inside of the \EFI\BlastProofSign folder.

Detailled steps

The steps in which SPFIE check the files is as follow:

  1. The user enter the boot password
  2. The boot password is hashed using Argon2 using 262144 of memory cost and 3 of time cost. The salt is stored inside bp_key_pwdsaltThe output is a 96 digest.
  3. The digest is used as seed for generating a Sphincs+ keypair, immediately erasing the private key and keeping only the public key.
  4. The generated public key is used to verify the signature inside bp_key_mainsig with the message being bp_key_pkblob
  5. If the verification is successfull, the boot process continue. If not, the boot process is halted.
  6. Each file indicated inside bp_key_files is opened in order, their signature file is also opened and their public key is extracted from bp_key_pkblob. Each file is verified.
  7. If any verification fail, the boot process is halted.

Note: all the signatures verifications mecanisms use Sphincs+ and Argon2 for password hashing. The boot password hash is never stored on disk. Their sources come directly from their official implementations in C, only adapted to use types and functions provided by EDK II. All non-deterministic/randomness generation happen at compile time.

Concerned files

To this date, the following files generated by build script are protected by SPFIE:

  • bp.conf
  • bitra-ascii-medium.fbm
  • initfs-footprint.bin
  • signsyst-hash.bin
Reference in New Issue View Git Blame Copy Permalink