lolo859/vystem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e15daed8c0b6fc2fb821bace0493925cdb9e30cd
vystem/docs/blastproof/sbfie.md
lolo859 e15daed8c0 First commit, Vystem v0.1
2026-03-31 22:15:00 +02:00

54 lines
3.4 KiB
Markdown
Raw Blame History

# SBFIE
## Introduction
Secure Boot Files Integrity Enforcement (SBFIE) is a compoment of Blastproof in charge of verifying the integrity of Blastproof's files. This allow for cryptographic immutability of boot files.
## Limitations
SBFIE has been conceived with the following limitations in mind:
- it doesn't check integrity of the entire bootloader itself
- it doesn't replace UEFI Secure Boot but make it impossible to use without customised certificates generated at each compilation (not supported for the moment)
- due to the will of it being compatible with a large variety of devices, it doesn't integrate TPM utilization (but support in an eventual future is planned)
- any user of a non-QWERTY keyboard will have a hard time typing a password in an UEFI console
- it use the EFI console as input (support of self-made input methods and protocol will be implemented in a near future)
- any missing file that is supposed to be protected by SPFIE will cause the boot process to fail
## How it work
For details on how to setup SBFIE, see the doc on the `keygen` utility.
### Initial parameters and variables
The following explenations assume that the bootloader has been compiled with a specially generated header `key.h`, generated by the `keygen` utility, for protecting `N` number of files.
The `key.h` header contain the following datas:
- `bp_key_mainsig`: an array of bytes containing the main signature generated with Sphincs+
- `bp_key_pkblob`: an array of `64*N` bytes containing `N` Sphincs+ public keys, one for each file
- `bp_key_pwdsalt`: an array of 32 bytes containing the salt to use for hashing the boot password
- `bp_key_files`: an array of `N` strings indicating the order in which boot files should be verified for each public key from `sh_key_pkblob` to correspond with each file
We assume that all files are in the `\EFI\BlastProofFiles` folder with their corresponding names as specified in `bp_key_files` and that their Sphincs+ signatures are stored as `<file name>.sig` inside of the `\EFI\BlastProofSign` folder.
### Detailled steps
The steps in which SPFIE check the files is as follow:
1. The user enter the boot password
2. The boot password is hashed using Argon2 using 262144 of memory cost and 3 of time cost. The salt is stored inside `bp_key_pwdsalt`The output is a 96 digest.
3. The digest is used as seed for generating a Sphincs+ keypair, immediately erasing the private key and keeping only the public key.
4. The generated public key is used to verify the signature inside `bp_key_mainsig` with the message being `bp_key_pkblob`
5. If the verification is successfull, the boot process continue. If not, the boot process is halted.
6. Each file indicated inside `bp_key_files` is opened in order, their signature file is also opened and their public key is extracted from `bp_key_pkblob`. Each file is verified.
7. If any verification fail, the boot process is halted.
**Note:** all the signatures verifications mecanisms use Sphincs+ and Argon2 for password hashing. The boot password hash is never stored on disk. Their sources come directly from their official implementations in C, only adapted to use types and functions provided by EDK II. All non-deterministic/randomness generation happen at compile time.
## Concerned files
To this date, the following files generated by build script are protected by SPFIE:
- `bp.conf`
- `bitra-ascii-medium.fbm`
- `initfs-footprint.bin`
- `signsyst-hash.bin`
Reference in New Issue View Git Blame Copy Permalink