SlideShare une entreprise Scribd logo

ACRN vMeet-Up EU 2021 - Boot Process and Secure Boot

Project ACRN
Project ACRN

Describe the ACRN boot process and how to implement secure boot

Logiciels
1  sur  19
Télécharger pour lire hors ligne
Boot process and Secure boot Sun Victor <victor.sun@intel.com> Huang Yonghua <yonghua.huang@intel.com> ACRN vMeet-Up Europe 2021
Agenda ▹Boot loader and Multiboot protocol ▹ACRN hypervisor and VMs boot ▹ACRN boot components ▹Secure boot
Boot loader and Multiboot protocol 5/28/2021 3
Boot loader ▹ A bootloader is software that is responsible for booting a computer. ▹ ACRN uses the multiboot/multiboot2 protocol to boot the hypervisor. ▹ Bootloaders supported by ACRN: ❑ GRUB 2.0x ❑ Intel Slim bootloader ❑ Self-designed UEFI-Stub ✓ under implementation for UEFI secure boot; ✓ The old version in ACRN release 2.0 only support sharing mode (industry scenario) 5/28/2021 4
Multiboot protocol ▹ Multiboot ▹ https://www.gnu.org/software/grub/manual/multiboot/multiboot.html ▹ Multiboot2 ▹ https://www.gnu.org/software/grub/manual/multiboot2/multiboot.html 5/28/2021 5
Multiboot (version 0.6.96) ▹ Support X86 only ▹ No UEFI support ▹ No kernel/module relocation support ▹ OS Image header: ❑ Magic value 0x1BADB002 in header; ❑ The header must be contained completely within the first 8192 bytes of the OS image, and must be longword (32-bit) aligned. ▹ Machine state: ❑ EAX: Must contain the magic value 0x2BADB002; ❑ EBX: 32-bit physical address of the Multiboot information structure; 5/28/2021 6
Multiboot2 (version 2.0) ▹ Support more ISA (Instruction Set Architecture) like x86, MIPS, etc. ▹ UEFI support ▹ Kernel support relocation (but not for modules) ▹ OS Image header: ❑ Magic value 0xE85250D6 in header; ❑ The Multiboot2 header must be contained completely within the first 32768 bytes of the OS image, and must be 64-bit aligned. ▹ Machine state(x86): ❑ EAX: Must contain the magic value 0x36d76289; ❑ EBX: 32-bit physical address of the Multiboot2 information structure; 5/28/2021 7
Multiboot support in bootloader ▹SBL support multiboot protocol only ▹GRUB 2.x support both multiboot / multiboot2 protocol ❑ “multiboot/module” command pair to support multiboot ❑ “multiboot2/module2” command pair to support multiboot2 ❑ “multiboot” command might fail to boot ACRN on UEFI platform because failed to find ACPI RSDP (it could be put anywhere per UEFI spec) 5/28/2021 8
Hypervisor and VMs Boot Sequence 5/28/2021 9
HV and Pre-launched VM boot sequence 5/28/2021 10 Native mbi Firmware bootloader ACRN boot init e820 init seed VM boot SBL/GRUB Parse & Save mbi Saved mbi VM Loader VM0 VM1 vm_config VM Power Management get_saved_mbi_cmdline() get_saved_mbi_mod(mod_id) mod_id boot_mode load_type
Post-launched User VM boot sequence 5/28/2021 11 SOS DM CSE SBL/UEFI ACRN HV Service VM DM OVMF: Initialization Post-launched VM OVMF: OS Loader
ACRN boot components 5/28/2021 12
ACRN boot components ▹ Multiboot kernel ❑ HV binary ▹ Multiboot modules ❑ VM kernel image ❑ VM ACPI binary (pre-launched VM only) ❑ VM ramdisk image 5/28/2021 13
GRUB config example menuentry 'ACRN Multiboot1 Zephyr + Linux' { load_video insmod gzio insmod part_gpt insmod ext2 multiboot --quirk-modules-after-kernel /boot/acrn.32.out module /boot/bzImage Linux_bzImage module /boot/zephyr.bin Zephyr_RawImage } 5/28/2021 14 menuentry 'ACRN Multiboot2 hybrid_rt' { load_video insmod gzio insmod part_gpt insmod ext2 multiboot2 /boot/acrn.bin module2 /boot/uos_bzImage RT_bzImage module2 /boot/ACPI_VM0.bin ACPI_VM0 module2 /boot/bzImage Linux_bzImage }
Secure Boot 5/28/2021 15
Verified Boot Sequence with SBL 5/28/2021 16 DM APP2 Android VM 2 CSE SBL ACRN Service VM Kernel Device Model APP1 OVMF: Initialization Guest OS Guest VM 1 OVMF: OS Loader Stitched as one image Safety OS Kernel multiboot • CSE verifies SBL • SBL verifies ACRN & Safety OS kernel (if there is) & Service VM Kernel • Service MV kernel verifies DM & OVMF thru dm-verity • OVMF starts the guest side verification process
Verified Boot Sequence with UEFI/GRUB 5/28/2021 17 - CSE verifies UEFI - UEFI verifies Shim/GRUB - GRUB verifies ACRN, Service VM kernel and pre-launched OS kernel - Service VM kernel verifies DM and User VM OVMF through DM-verity - User VM OVMF starts the guest side verified boot process UEFI Multiboot Device Model OVMF ….. CSE Service VM Kernel Safety OS Kernel Shim/ Grub ACRN Service VM DM-Verity
Boot Sequence w/o GRUB on UEFI (under development) 5/28/2021 18 - CSE verifies UEFI - UEFI verifies Shim - Shim verifies acrn.efi - acrn.efi run efi-stub code and unpack all ACRN components - Service VM kernel and pre-launched OS kernel - Service VM kernel verifies DM and User VM OVMF through DM-Verity - User VM OVMF starts the guest side verified boot process UEFI Device Model OVMF ….. CSE Service VM Kernel Safety OS Kernel Shim ACRN Service VM DM-Verity EFI- stub acrn.efi Packed ACRN compo nents
ACRN vMeet-Up EU 2021 - Boot Process and Secure Boot

Recommandé

Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
Project ACRN
 
ACRN vMeet-Up EU 2021 - installation and configuration introduction
ACRN vMeet-Up EU 2021 - installation and configuration introductionACRN vMeet-Up EU 2021 - installation and configuration introduction
ACRN vMeet-Up EU 2021 - installation and configuration introduction
Project ACRN
 
ACRN Kata Container on ACRN
ACRN Kata Container on ACRNACRN Kata Container on ACRN
ACRN Kata Container on ACRN
Project ACRN
 
ACRN vMeet-Up EU 2021 - debug ACRN hypervisor
ACRN vMeet-Up EU 2021 - debug ACRN hypervisorACRN vMeet-Up EU 2021 - debug ACRN hypervisor
ACRN vMeet-Up EU 2021 - debug ACRN hypervisor
Project ACRN
 
ACRN vMeet-Up EU 2021 - functional safety design and certification plan
ACRN vMeet-Up EU 2021 - functional safety design and certification planACRN vMeet-Up EU 2021 - functional safety design and certification plan
ACRN vMeet-Up EU 2021 - functional safety design and certification plan
Project ACRN
 
Project ACRN system debug
Project ACRN system debugProject ACRN system debug
Project ACRN system debug
Project ACRN
 
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introductionACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
Project ACRN
 
ACRN vMeet-Up EU 2021 - Bridging Orchestrator and Hard Realtime Workload Cons...
ACRN vMeet-Up EU 2021 - Bridging Orchestrator and Hard Realtime Workload Cons...ACRN vMeet-Up EU 2021 - Bridging Orchestrator and Hard Realtime Workload Cons...
ACRN vMeet-Up EU 2021 - Bridging Orchestrator and Hard Realtime Workload Cons...
Project ACRN
 

Recommandé

Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
Project ACRN
 
ACRN vMeet-Up EU 2021 - installation and configuration introduction
ACRN vMeet-Up EU 2021 - installation and configuration introductionACRN vMeet-Up EU 2021 - installation and configuration introduction
ACRN vMeet-Up EU 2021 - installation and configuration introduction
Project ACRN
 
ACRN Kata Container on ACRN
ACRN Kata Container on ACRNACRN Kata Container on ACRN
ACRN Kata Container on ACRN
Project ACRN
 
ACRN vMeet-Up EU 2021 - debug ACRN hypervisor
ACRN vMeet-Up EU 2021 - debug ACRN hypervisorACRN vMeet-Up EU 2021 - debug ACRN hypervisor
ACRN vMeet-Up EU 2021 - debug ACRN hypervisor
Project ACRN
 
ACRN vMeet-Up EU 2021 - functional safety design and certification plan
ACRN vMeet-Up EU 2021 - functional safety design and certification planACRN vMeet-Up EU 2021 - functional safety design and certification plan
ACRN vMeet-Up EU 2021 - functional safety design and certification plan
Project ACRN
 
Project ACRN system debug
Project ACRN system debugProject ACRN system debug
Project ACRN system debug
Project ACRN
 
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introductionACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
Project ACRN
 
ACRN vMeet-Up EU 2021 - Bridging Orchestrator and Hard Realtime Workload Cons...
ACRN vMeet-Up EU 2021 - Bridging Orchestrator and Hard Realtime Workload Cons...ACRN vMeet-Up EU 2021 - Bridging Orchestrator and Hard Realtime Workload Cons...
ACRN vMeet-Up EU 2021 - Bridging Orchestrator and Hard Realtime Workload Cons...
Project ACRN
 
ACRN vMeet-Up EU 2021 - Introduction and Architecture Look Forward
ACRN vMeet-Up EU 2021 - Introduction and Architecture Look ForwardACRN vMeet-Up EU 2021 - Introduction and Architecture Look Forward
ACRN vMeet-Up EU 2021 - Introduction and Architecture Look Forward
Project ACRN
 
Project ACRN Device Passthrough Introduction
Project ACRN Device Passthrough IntroductionProject ACRN Device Passthrough Introduction
Project ACRN Device Passthrough Introduction
Project ACRN
 
ACRN vMeet-Up EU 2021 - hypervisor new platform enabling
ACRN vMeet-Up EU 2021 - hypervisor new platform enablingACRN vMeet-Up EU 2021 - hypervisor new platform enabling
ACRN vMeet-Up EU 2021 - hypervisor new platform enabling
Project ACRN
 
Project ACRN CPU sharing BVT scheduler in ACRN hypervisor
Project ACRN CPU sharing BVT scheduler in ACRN hypervisorProject ACRN CPU sharing BVT scheduler in ACRN hypervisor
Project ACRN CPU sharing BVT scheduler in ACRN hypervisor
Project ACRN
 
Project ACRN configuration scenarios and config tool
Project ACRN configuration scenarios and config toolProject ACRN configuration scenarios and config tool
Project ACRN configuration scenarios and config tool
Project ACRN
 
Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE Virtualization
Project ACRN
 
Project ACRN Device Model architecture introduction
Project ACRN Device Model architecture introductionProject ACRN Device Model architecture introduction
Project ACRN Device Model architecture introduction
Project ACRN
 
Project ACRN how to build a Yocto Project-based SOS
Project ACRN how to build a Yocto Project-based SOSProject ACRN how to build a Yocto Project-based SOS
Project ACRN how to build a Yocto Project-based SOS
Project ACRN
 
ACRN vMeet-Up EU 2021 - Real Time Management and Performance Optimization
ACRN vMeet-Up EU 2021 - Real Time Management and Performance OptimizationACRN vMeet-Up EU 2021 - Real Time Management and Performance Optimization
ACRN vMeet-Up EU 2021 - Real Time Management and Performance Optimization
Project ACRN
 
Project ACRN Yocto Project meta-acrn layer introduction
Project ACRN Yocto Project meta-acrn layer introductionProject ACRN Yocto Project meta-acrn layer introduction
Project ACRN Yocto Project meta-acrn layer introduction
Project ACRN
 
Project ACRN GVT-d introduction and tutorial
Project ACRN GVT-d introduction and tutorialProject ACRN GVT-d introduction and tutorial
Project ACRN GVT-d introduction and tutorial
Project ACRN
 
Project ACRN: SR-IOV implementation
Project ACRN: SR-IOV implementationProject ACRN: SR-IOV implementation
Project ACRN: SR-IOV implementation
Geoffroy Van Cutsem
 
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
The Linux Foundation
 
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
The Linux Foundation
 
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, CitrixXPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
The Linux Foundation
 
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...
The Linux Foundation
 
BSDCan 2015: How to Port BSD as a Xen on ARM Guest
BSDCan 2015: How to Port BSD as a Xen on ARM GuestBSDCan 2015: How to Port BSD as a Xen on ARM Guest
BSDCan 2015: How to Port BSD as a Xen on ARM Guest
The Linux Foundation
 
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARMXPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
The Linux Foundation
 
KVM tools and enterprise usage
KVM tools and enterprise usageKVM tools and enterprise usage
KVM tools and enterprise usage
vincentvdk
 
XPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, Intel
XPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, IntelXPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, Intel
XPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, Intel
The Linux Foundation
 
Hypervisor and VDI security
Hypervisor and VDI securityHypervisor and VDI security
Hypervisor and VDI security
Denis Gundarev
 
Upgrade Ubuntu 18.04 Security with Secureboot
Upgrade Ubuntu 18.04 Security with SecurebootUpgrade Ubuntu 18.04 Security with Secureboot
Upgrade Ubuntu 18.04 Security with Secureboot
Jonathan MICHEL-VILLAZ
 

Contenu connexe

Tendances

Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
The Linux Foundation
 
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, CitrixXPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
The Linux Foundation
 
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...
The Linux Foundation
 
XPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, Intel
XPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, IntelXPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, Intel
XPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, Intel
The Linux Foundation
 

Tendances (20)

ACRN vMeet-Up EU 2021 - Introduction and Architecture Look Forward
ACRN vMeet-Up EU 2021 - Introduction and Architecture Look ForwardACRN vMeet-Up EU 2021 - Introduction and Architecture Look Forward
ACRN vMeet-Up EU 2021 - Introduction and Architecture Look Forward
 
Project ACRN Device Passthrough Introduction
Project ACRN Device Passthrough IntroductionProject ACRN Device Passthrough Introduction
Project ACRN Device Passthrough Introduction
 
ACRN vMeet-Up EU 2021 - hypervisor new platform enabling
ACRN vMeet-Up EU 2021 - hypervisor new platform enablingACRN vMeet-Up EU 2021 - hypervisor new platform enabling
ACRN vMeet-Up EU 2021 - hypervisor new platform enabling
 
Project ACRN CPU sharing BVT scheduler in ACRN hypervisor
Project ACRN CPU sharing BVT scheduler in ACRN hypervisorProject ACRN CPU sharing BVT scheduler in ACRN hypervisor
Project ACRN CPU sharing BVT scheduler in ACRN hypervisor
 
Project ACRN configuration scenarios and config tool
Project ACRN configuration scenarios and config toolProject ACRN configuration scenarios and config tool
Project ACRN configuration scenarios and config tool
 
Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE Virtualization
 
Project ACRN Device Model architecture introduction
Project ACRN Device Model architecture introductionProject ACRN Device Model architecture introduction
Project ACRN Device Model architecture introduction
 
Project ACRN how to build a Yocto Project-based SOS
Project ACRN how to build a Yocto Project-based SOSProject ACRN how to build a Yocto Project-based SOS
Project ACRN how to build a Yocto Project-based SOS
 
ACRN vMeet-Up EU 2021 - Real Time Management and Performance Optimization
ACRN vMeet-Up EU 2021 - Real Time Management and Performance OptimizationACRN vMeet-Up EU 2021 - Real Time Management and Performance Optimization
ACRN vMeet-Up EU 2021 - Real Time Management and Performance Optimization
 
Project ACRN Yocto Project meta-acrn layer introduction
Project ACRN Yocto Project meta-acrn layer introductionProject ACRN Yocto Project meta-acrn layer introduction
Project ACRN Yocto Project meta-acrn layer introduction
 
Project ACRN GVT-d introduction and tutorial
Project ACRN GVT-d introduction and tutorialProject ACRN GVT-d introduction and tutorial
Project ACRN GVT-d introduction and tutorial
 
Project ACRN: SR-IOV implementation
Project ACRN: SR-IOV implementationProject ACRN: SR-IOV implementation
Project ACRN: SR-IOV implementation
 
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
 
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
 
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, CitrixXPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
 
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...
 
BSDCan 2015: How to Port BSD as a Xen on ARM Guest
BSDCan 2015: How to Port BSD as a Xen on ARM GuestBSDCan 2015: How to Port BSD as a Xen on ARM Guest
BSDCan 2015: How to Port BSD as a Xen on ARM Guest
 
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARMXPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
 
KVM tools and enterprise usage
KVM tools and enterprise usageKVM tools and enterprise usage
KVM tools and enterprise usage
 
XPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, Intel
XPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, IntelXPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, Intel
XPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, Intel
 

Similaire à ACRN vMeet-Up EU 2021 - Boot Process and Secure Boot

Hypervisor and VDI security
Hypervisor and VDI securityHypervisor and VDI security
Hypervisor and VDI security
Denis Gundarev
 
Open Source Firmware - FrOSCon 2019
Open Source Firmware - FrOSCon 2019Open Source Firmware - FrOSCon 2019
Open Source Firmware - FrOSCon 2019
Daniel Maslowski
 
Open mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricksOpen mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricks
a8us
 
Open Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install -Best PracticesOpen Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install -Best Practices
Vinayak Tavargeri
 
EuroBSDCon 2023 - (auto)Installing BSD Systems - Cases using pfSense, TrueNAS...
EuroBSDCon 2023 - (auto)Installing BSD Systems - Cases using pfSense, TrueNAS...EuroBSDCon 2023 - (auto)Installing BSD Systems - Cases using pfSense, TrueNAS...
EuroBSDCon 2023 - (auto)Installing BSD Systems - Cases using pfSense, TrueNAS...
Vinícius Zavam
 
Building your own Desktop Cloud Environment
Building your own Desktop Cloud EnvironmentBuilding your own Desktop Cloud Environment
Building your own Desktop Cloud Environment
Jnaapti
 
Nomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweights
Iago López Galeiras
 

Similaire à ACRN vMeet-Up EU 2021 - Boot Process and Secure Boot (20)

Hypervisor and VDI security
Hypervisor and VDI securityHypervisor and VDI security
Hypervisor and VDI security
 
Upgrade Ubuntu 18.04 Security with Secureboot
Upgrade Ubuntu 18.04 Security with SecurebootUpgrade Ubuntu 18.04 Security with Secureboot
Upgrade Ubuntu 18.04 Security with Secureboot
 
Beagleboard xm-setup
Beagleboard xm-setupBeagleboard xm-setup
Beagleboard xm-setup
 
Kvm setup
Kvm setupKvm setup
Kvm setup
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
 
2.2 install boot manager
2.2 install boot manager2.2 install boot manager
2.2 install boot manager
 
Open Source Firmware - FrOSCon 2019
Open Source Firmware - FrOSCon 2019Open Source Firmware - FrOSCon 2019
Open Source Firmware - FrOSCon 2019
 
x86_64 Hardware Deep dive
x86_64 Hardware Deep divex86_64 Hardware Deep dive
x86_64 Hardware Deep dive
 
kubernetes practice
kubernetes practicekubernetes practice
kubernetes practice
 
k8s practice 2023.pptx
k8s practice 2023.pptxk8s practice 2023.pptx
k8s practice 2023.pptx
 
101 2.2 install boot manager
101 2.2 install boot manager101 2.2 install boot manager
101 2.2 install boot manager
 
Kubernetes laravel and kubernetes
Kubernetes laravel and kubernetesKubernetes laravel and kubernetes
Kubernetes laravel and kubernetes
 
Open mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricksOpen mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricks
 
Open Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install -Best PracticesOpen Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install -Best Practices
 
1.2 boot the system v2
1.2 boot the system v21.2 boot the system v2
1.2 boot the system v2
 
Sling Applications - A DevOps perspective
Sling Applications - A DevOps perspectiveSling Applications - A DevOps perspective
Sling Applications - A DevOps perspective
 
EuroBSDCon 2023 - (auto)Installing BSD Systems - Cases using pfSense, TrueNAS...
EuroBSDCon 2023 - (auto)Installing BSD Systems - Cases using pfSense, TrueNAS...EuroBSDCon 2023 - (auto)Installing BSD Systems - Cases using pfSense, TrueNAS...
EuroBSDCon 2023 - (auto)Installing BSD Systems - Cases using pfSense, TrueNAS...
 
Building your own Desktop Cloud Environment
Building your own Desktop Cloud EnvironmentBuilding your own Desktop Cloud Environment
Building your own Desktop Cloud Environment
 
5. boot process
5. boot process5. boot process
5. boot process
 
Nomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweights
 

Plus de Project ACRN

Plus de Project ACRN (8)

ACRN vMeet-Up EU 2021 - community and development model
ACRN vMeet-Up EU 2021 - community and development modelACRN vMeet-Up EU 2021 - community and development model
ACRN vMeet-Up EU 2021 - community and development model
 
Project ACRN USB mediator introduction
Project ACRN USB mediator introductionProject ACRN USB mediator introduction
Project ACRN USB mediator introduction
 
Project ACRN I2C mediator introduction
Project ACRN I2C mediator introductionProject ACRN I2C mediator introduction
Project ACRN I2C mediator introduction
 
Project ACRN SR-IOV on ACRN
Project ACRN SR-IOV on ACRNProject ACRN SR-IOV on ACRN
Project ACRN SR-IOV on ACRN
 
Project ACRN EtherCAT 101
Project ACRN EtherCAT 101Project ACRN EtherCAT 101
Project ACRN EtherCAT 101
 
Project ACRN expose and pass through platform hidden PCIe devices to SOS
Project ACRN expose and pass through platform hidden PCIe devices to SOSProject ACRN expose and pass through platform hidden PCIe devices to SOS
Project ACRN expose and pass through platform hidden PCIe devices to SOS
 
Project ACRN GPIO mediator introduction
Project ACRN GPIO mediator introductionProject ACRN GPIO mediator introduction
Project ACRN GPIO mediator introduction
 
Project ACRN schedule framework introduction
Project ACRN schedule framework introductionProject ACRN schedule framework introduction
Project ACRN schedule framework introduction
 

Dernier

TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
OnePlan Solutions
 

Dernier (20)

TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 

ACRN vMeet-Up EU 2021 - Boot Process and Secure Boot

  • 1. Boot process and Secure boot Sun Victor <victor.sun@intel.com> Huang Yonghua <yonghua.huang@intel.com> ACRN vMeet-Up Europe 2021
  • 2. Agenda ▹Boot loader and Multiboot protocol ▹ACRN hypervisor and VMs boot ▹ACRN boot components ▹Secure boot
  • 3. Boot loader and Multiboot protocol 5/28/2021 3
  • 4. Boot loader ▹ A bootloader is software that is responsible for booting a computer. ▹ ACRN uses the multiboot/multiboot2 protocol to boot the hypervisor. ▹ Bootloaders supported by ACRN: ❑ GRUB 2.0x ❑ Intel Slim bootloader ❑ Self-designed UEFI-Stub ✓ under implementation for UEFI secure boot; ✓ The old version in ACRN release 2.0 only support sharing mode (industry scenario) 5/28/2021 4
  • 5. Multiboot protocol ▹ Multiboot ▹ https://www.gnu.org/software/grub/manual/multiboot/multiboot.html ▹ Multiboot2 ▹ https://www.gnu.org/software/grub/manual/multiboot2/multiboot.html 5/28/2021 5
  • 6. Multiboot (version 0.6.96) ▹ Support X86 only ▹ No UEFI support ▹ No kernel/module relocation support ▹ OS Image header: ❑ Magic value 0x1BADB002 in header; ❑ The header must be contained completely within the first 8192 bytes of the OS image, and must be longword (32-bit) aligned. ▹ Machine state: ❑ EAX: Must contain the magic value 0x2BADB002; ❑ EBX: 32-bit physical address of the Multiboot information structure; 5/28/2021 6
  • 7. Multiboot2 (version 2.0) ▹ Support more ISA (Instruction Set Architecture) like x86, MIPS, etc. ▹ UEFI support ▹ Kernel support relocation (but not for modules) ▹ OS Image header: ❑ Magic value 0xE85250D6 in header; ❑ The Multiboot2 header must be contained completely within the first 32768 bytes of the OS image, and must be 64-bit aligned. ▹ Machine state(x86): ❑ EAX: Must contain the magic value 0x36d76289; ❑ EBX: 32-bit physical address of the Multiboot2 information structure; 5/28/2021 7
  • 8. Multiboot support in bootloader ▹SBL support multiboot protocol only ▹GRUB 2.x support both multiboot / multiboot2 protocol ❑ “multiboot/module” command pair to support multiboot ❑ “multiboot2/module2” command pair to support multiboot2 ❑ “multiboot” command might fail to boot ACRN on UEFI platform because failed to find ACPI RSDP (it could be put anywhere per UEFI spec) 5/28/2021 8
  • 9. Hypervisor and VMs Boot Sequence 5/28/2021 9
  • 10. HV and Pre-launched VM boot sequence 5/28/2021 10 Native mbi Firmware bootloader ACRN boot init e820 init seed VM boot SBL/GRUB Parse & Save mbi Saved mbi VM Loader VM0 VM1 vm_config VM Power Management get_saved_mbi_cmdline() get_saved_mbi_mod(mod_id) mod_id boot_mode load_type
  • 11. Post-launched User VM boot sequence 5/28/2021 11 SOS DM CSE SBL/UEFI ACRN HV Service VM DM OVMF: Initialization Post-launched VM OVMF: OS Loader
  • 13. ACRN boot components ▹ Multiboot kernel ❑ HV binary ▹ Multiboot modules ❑ VM kernel image ❑ VM ACPI binary (pre-launched VM only) ❑ VM ramdisk image 5/28/2021 13
  • 14. GRUB config example menuentry 'ACRN Multiboot1 Zephyr + Linux' { load_video insmod gzio insmod part_gpt insmod ext2 multiboot --quirk-modules-after-kernel /boot/acrn.32.out module /boot/bzImage Linux_bzImage module /boot/zephyr.bin Zephyr_RawImage } 5/28/2021 14 menuentry 'ACRN Multiboot2 hybrid_rt' { load_video insmod gzio insmod part_gpt insmod ext2 multiboot2 /boot/acrn.bin module2 /boot/uos_bzImage RT_bzImage module2 /boot/ACPI_VM0.bin ACPI_VM0 module2 /boot/bzImage Linux_bzImage }
  • 16. Verified Boot Sequence with SBL 5/28/2021 16 DM APP2 Android VM 2 CSE SBL ACRN Service VM Kernel Device Model APP1 OVMF: Initialization Guest OS Guest VM 1 OVMF: OS Loader Stitched as one image Safety OS Kernel multiboot • CSE verifies SBL • SBL verifies ACRN & Safety OS kernel (if there is) & Service VM Kernel • Service MV kernel verifies DM & OVMF thru dm-verity • OVMF starts the guest side verification process
  • 17. Verified Boot Sequence with UEFI/GRUB 5/28/2021 17 - CSE verifies UEFI - UEFI verifies Shim/GRUB - GRUB verifies ACRN, Service VM kernel and pre-launched OS kernel - Service VM kernel verifies DM and User VM OVMF through DM-verity - User VM OVMF starts the guest side verified boot process UEFI Multiboot Device Model OVMF ….. CSE Service VM Kernel Safety OS Kernel Shim/ Grub ACRN Service VM DM-Verity
  • 18. Boot Sequence w/o GRUB on UEFI (under development) 5/28/2021 18 - CSE verifies UEFI - UEFI verifies Shim - Shim verifies acrn.efi - acrn.efi run efi-stub code and unpack all ACRN components - Service VM kernel and pre-launched OS kernel - Service VM kernel verifies DM and User VM OVMF through DM-Verity - User VM OVMF starts the guest side verified boot process UEFI Device Model OVMF ….. CSE Service VM Kernel Safety OS Kernel Shim ACRN Service VM DM-Verity EFI- stub acrn.efi Packed ACRN compo nents