Journey to SystemReady compliance in U-Boot background image

Journey to SystemReady compliance in U-Boot

Ilias Apalodimas

Where it all started

In 2019, LEDGE and its members gathered in Bangkok for a Linaro Connect. We discussed an evolving standard called Embedded Base Boot Requirements, or in short EBBR.  

EBBR was written as a response to the lack of boot sequence standardization in the embedded system ecosystem and is focusing on specific UEFI interfaces, that should exist for the device firmware to be compliant. By doing so, it tries to reduce the amount of custom engineering required and make it possible for standard off-the-shelf and embedded distributions to just work. 

As we mentioned EBBR only focuses on UEFI interfaces and not specific implementations.  You are free to use or write any firmware that adheres to the specification.  Since LEDGE was mostly focused on embedded devices, we chose to work with U-Boot, the prevalent bootloader for embedded systems.

At the time U-Boot had several shortcomings yet to be addressed

  • Rudimentary UEFI support
  • Ability to read/store UEFI variables to/from the U-Boot environment
  • No UEFI secure boot
  • No UEFI measured boot
  • No capsule update support, even without authentication
  • UEFI Boot Manager was just merged with only basic features

In the meantime, Arm introduced the SystemReady-IR certification program (which used EBBR as its basis). That program offered an Architecture Compliance Suite (ACS), as well as Security Interface Extension (SIE) tests and the bootable prebuilt images which could be used to verify the proposed changes. 

Engaging hands-on work

In collaboration with Linaro members, maintainers from U-Boot, Linux, EDK2, and OP-TEE, we started enhancing open-source projects and driving the addition of new features ensuring compatibility with EBBR.  Apart from that, LEDGE started developing standards and documentation for features we believe are indispensable for secure and robust products and contributing those back to the community. The most notable features are the A/B firmware update support,  the Platform Security Firmware Update for the A-profile and the firmware handoff protocol.

In the past few years LEDGE has

  • Turned U-Boot into a SystemReady-IR compliant bootloader and since 2021.04 it’s also 2.0 compliant for the majority of the platforms it supports
  • Depending on the hardware characteristics, systems running U-Boot can also pass the SystemReady SIE ACS since 2021.10
  • UEFI Secure Boot
  • UEFI measured boot

    • Measured boot led to a wide TPM subsystem refactoring
  • UEFI variables are stored in a secure, rollback-protected device (e.g. RPMB) instead of the insecure U-Boot environment variables.  This was a complex set of patches that required coordination between U-Boot, EDK2 and OP-TEE

  • Authenticated Capsule Update 

    • Supports seamless integration with fwupd and LVFS
  • UEFI HTTP Boot (HTTPs in work in progress)
  • Replaced U-Boots’ default TCP/IP stack with LWIP (lightweight TCP/IP protocol, patches under review)
  • Dual A/B update support (SynQuacer and stm32mp1 supported upstream)
  • U-Boot console lockdown.  Users can configure UEFI keys and the booted OS only
  • Rich UEFI BootManager with grub-like capabilities
  • initramfs and DTB measurements on a TPM
  • SetVariable at runtime support (patches are under review)
  • UEFI random number generator support (mandatory for enabling KASLR in Arm systems)

Concluding our work

LEDGE has accomplished its initial mission of turning U-Boot into a SystemReady-IR compliant bootloader. Aside from that, we were able to coordinate and head the U-Boot development and add security-related features that were not originally planned.

The need for SystemReady-IR compliant firmware, along with the security enhancements proposed by LEDGE led to TrustedSubstrate, an OE layer geared toward security. It’s built from various open source projects, has an ‘upstream first’ mentality, is tested daily in our internal LAVA labs, and provides a SystemReady-IR compliant firmware with UEFI Secure boot and Measured boot enabled by default for all member hardware.  

Its aim is to guarantee that your device will run the software it was intended to run starting from powering up your device up to launching its OS.  You can find the documentation here.

Get involved

There are a few things we are still working on in order to complete our work

  • Replace the default U-Boot network stack with LWIP.  As we mentioned earlier, patches are under review 
  • Enable UEFI HTTPs using mbedTLS
  • Make sure U-Boot is compliant with SystemReady-IR 2.0

Contact us