wolfBoot v2.0.0

Designed by @Noxifer81

The long awaited version 2.0.0 of our bootloader is finally out!

Here is a summary of some of the new key features, selected from the full changelog, available at github.

Post-Quantum secure boot

As previously announced in a recent blog post, wolfBoot 2.0.0 supports post-quantum secure boot.
wolfBoot 2.0.0 is, to our knowledge, the first secure bootloader supporting post-quantum stateful hash-based signature (HBS) schemes for firmware verification.Thanks to the support for LMS/HSS and XMSS/XMSS^MT recently added in wolfCrypt and the integration with third-party signing entities, such as HSM providers, we successfully added HBS schemes to the list of supported algorithms.

wolfBoot as TrustZone-M secure supervisor

The latest generation of ARM Cortex-M microcontroller has introduced a hardware-assisted Trusted Execution Environment (TEE), called TrustZone-M. By installing wolfBoot to secure the boot process on those devices, it is now possible to extend the cryptography library linked with the bootloader to cover multiple algorithms and key lengths beyond those required to implement the secure boot mechanism. An application or operating system running in non-secure mode has access to all those cryptographic operations provided by wolfBoot, through a non-secure-callable API, that is accessible through standard PKCS#11 function calls.
An extended description of this feature has been previewed in a blog post we have recently published.

Advanced TPM features

Since the early days of wolfBoot development, we have been researching the integration with wolfTPM and the unique opportunities it offers to communicate with TPM devices in the very early stages of the target’s boot up process. With wolfBoot 2.0, we expanded this integration to include some new powerful features. Among other things, TPM 2.0 devices can now be used as Root of Trust for the boot process. The extension of the PCRs can be customized according to the specific characteristic of the boot mechanism, to easily implement measured boot at different stages. Moreover, wolfBoot can now seal and unseal non-volatile memory slots in the TPM based both on the verification of externally signed PCR policy and/or password based sealing.

Full support for secure boot on Intel x86-64 bit targets

Adding support for x86-64 targets using Intel’s Firmware Support Packages (FSP) in wolfBoot 2.0.0 has paved the way to controlling the entire secure boot mechanism from the machine power-on. This gives a key advantage in keeping the entire boot process secure on x86-based Single-board Computer systems (SBC). wolfBoot 2.0 boot flow is divided into two stages. The first stage includes basic memory, silicon initialization, PCI enumeration and the interaction with hardware-assisted security mechanisms. The first stage will then verify the second stage and pass control to it. The second stage is responsible for AHCI initialization, SATA disk locking/unlocking, TPM interaction to unseal secrets, verification of entire disk partitions or images and finally staging the image. It supports different payloads: raw images, Linux kernel, or Multiboot2/ELF images.

Find out more about wolfBoot! Download the source code and documentation from download page, or clone the repository from github. If you have any questions about any of the above, comments or suggestions, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now