
Secure Boot

Secure boot is a security mechanism that verifies the integrity of each software component layer by layer, beginning from the root of trust (RoT), during device startup. It ensures that the firmware and software loaded and executed on the device have not been tampered with, which protects device integrity. During secure boot, each component verifies the digital signature of the next component. If the verification succeeds, the next component runs. If the verification fails, the next component does not start.

Principles

  1. The integrity and correctness of the software are verified before it runs. Only officially released software can pass the security check. Software released by any other, unauthorized means cannot pass the check, and in that case the system cannot start.
  2. The core process is as follows: the digital signature of the software to be loaded is verified. Only software that passes the verification can be executed.
  3. The system software integrity is protected.

Secure boot of Kunpeng servers is implemented in two ways: one anchored in the hardware RoT of the BMC chip, and the other anchored in the hardware RoT of the Kunpeng processors. As shown in the following figure, when the system is powered on, the BMC system powers up first. The Boot Read-Only Memory (BootROM) of the BMC chip uses the trusted root programmed into the eFUSE to verify the security core Daemon FW, and then performs layer-by-layer verification of the BIOS firmware and the system. In addition, the BIOS firmware is verified prior to powering on the service OS, which is only allowed to start after successful verification. After the Kunpeng processor is powered on, step-by-step verification of subsequent boot firmware begins from the BootROM. Each stage is loaded only after successful verification. This process ensures the integrity of the entire system.

Figure 1 Kunpeng server secure boot

The Kunpeng processor implements the secure boot process by deploying Huawei's root public key and a level-2 key system.

  1. The BootROM within the CPU SoC verifies the BaseBIOS. If the verification succeeds, the BaseBIOS program is executed.
  2. The BaseBIOS verifies the UEFI BIOS. Upon successful verification, the BIOS code is executed to initialize the hardware.
  3. For UEFI secure boot, the BIOS verifies option ROM and OS loader. Upon successful verification, the OS is started.

During startup, the BootROM (BSBC) reads the root public key from the BaseBIOS header, calculates its hash value, and compares the result with the hash value stored in the eFUSE. If the two hash values match, level-2 certificate signature verification is performed. Upon successful verification, the BaseBIOS can be used normally. The BaseBIOS uses the level-2 certificate to verify the signatures of UEFI and other boot firmware. Upon successful verification, the BIOS is started. Secure boot then verifies the binaries of option ROM and OS loader. Upon successful verification, these binaries are loaded or the OS loader is executed, and control is handed over to the OS.

Figure 2 Chain of trust in Kunpeng processor secure boot

Step-by-step integrity verification and signature authentication ensure the secure boot process. In the preceding figure, the secure boot verification for option ROM and OS loader can be enabled or disabled. Following industry practice, to ensure compatibility with different OSs, this verification is disabled by default. The verification for the BaseBIOS by the BootROM and the verification for the UEFI by the BaseBIOS are enabled by default and are mandatory during system startup.
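The mandatory part of this chain (BootROM verifying the BaseBIOS, BaseBIOS verifying the UEFI) can be modelled as follows. This is an added example, not Huawei's firmware code: the header field names, the signing of the BaseBIOS image with the level-2 key, and the toy textbook-RSA signature built from small Mersenne primes are assumptions standing in for the real image format and algorithm.

```python
import hashlib

E = 65537  # public exponent for the toy keys

def toy_key(p, q):
    # Textbook RSA from two known Mersenne primes: a stand-in scheme, NOT secure.
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus n, private exponent d)

def h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    n, d = key
    return pow(h(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == h(data, n)

def raw(n):  # serialise a public modulus as it would sit in an image header
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def build(root, l2, basebios_code, uefi_code):
    # Constructed sample images; the field names are assumptions, not the real layout.
    bb = {"root_pub": root[0], "l2_pub": l2[0], "l2_sig": sign(raw(l2[0]), root),
          "code": basebios_code, "code_sig": sign(basebios_code, l2)}
    return bb, {"code": uefi_code, "sig": sign(uefi_code, l2)}

def boot(efuse_hash, bb, uefi):
    # BootROM: hash the root public key from the BaseBIOS header, compare with eFUSE.
    if hashlib.sha256(raw(bb["root_pub"])).digest() != efuse_hash:
        return "halt: root key hash does not match eFUSE"
    # BootROM: the level-2 certificate must be signed by the root key.
    if not verify(raw(bb["l2_pub"]), bb["l2_sig"], bb["root_pub"]):
        return "halt: level-2 certificate invalid"
    # BootROM: BaseBIOS image checked with the level-2 key (assumed signing layout).
    if not verify(bb["code"], bb["code_sig"], bb["l2_pub"]):
        return "halt: BaseBIOS signature invalid"
    # BaseBIOS: UEFI image checked with the same level-2 key.
    if not verify(uefi["code"], uefi["sig"], bb["l2_pub"]):
        return "halt: UEFI signature invalid"
    return "UEFI BIOS started"

ROOT = toy_key(2**107 - 1, 2**127 - 1)         # vendor root key (constructed)
L2 = toy_key(2**61 - 1, 2**89 - 1)             # level-2 key (constructed)
EFUSE = hashlib.sha256(raw(ROOT[0])).digest()  # hash programmed at manufacture
```

The eFUSE comparison is what stops an image whose header carries a different root key: such an image can be internally consistent at every later step and still halts at the first check.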

The BIOS supports the import of Microsoft certificates or customer certificates. The BIOS can then use the imported certificates to verify the signatures of files signed with Microsoft or customer certificates.