AEGIS

Assuming that host hardware is valid, the integrity of a higher layer can be guaranteed if

  • The integrity of the lower layers is checked.

  • Transitions to higher layers occur only after integrity checks on them are complete.

The resulting integrity “chain” inductively guarantees system integrity.

Goal

Without a secure bootstrap, the operating system kernel cannot be trusted:

  • Since it is launched by an untrusted process.

  • Designers of trusted systems often avoid the problem by including boot components in the TCB.

AEGIS was a secure bootstrap process.

  • Ensuring the integrity of bootstrap code

Approach

It constructs a chain of integrity checks.

  • Beginning at power-on.

  • Continuing until the final transfer of control from the bootstrap process to the operating system.

Integrity checks are hard to circumvent.

  • Each component's integrity check compares a freshly computed cryptographic hash of the component with the digital signature stored for it; control passes to the component only if they match.

AEGIS secure boot process guarantee

Two mechanisms guarantee the boot process ends up in a secure state.

  • Even in the event of integrity failures outside of a minimal section of trusted code.

  1. No code is executed unless it is either explicitly trusted or its integrity is verified before its use.

  2. Upon an integrity failure, a process can recover a suitable, verified replacement module.
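The chain of checks described above (verify before transferring control, recover a verified replacement on failure, halt otherwise) as an added illustration; this is not code from the AEGIS paper or its implementation. The stage names and images are constructed, the stored "signature" is an HMAC over the component's SHA-256 hash keyed with a constructed root secret (a stand-in so the example runs with the standard library only; AEGIS used public-key digital signatures), and the `recover` callback stands in for whatever source a deployment uses to fetch a replacement module.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the root of trust's signing key (assumption: a real
# system would verify a public-key signature with a key held in trusted ROM).
ROOT_KEY = b"constructed-root-key"


@dataclass
class Component:
    name: str
    image: bytes       # the code that would be executed
    signature: bytes   # stored signature over the hash of the image


def sign(image: bytes) -> bytes:
    # "Signature" = HMAC(root key, SHA-256(image)); stand-in for a digital signature.
    return hmac.new(ROOT_KEY, hashlib.sha256(image).digest(), hashlib.sha256).digest()


def verify(component: Component) -> bool:
    # Recompute the hash of the image as it is now and compare with the stored value.
    expected = sign(component.image)
    return hmac.compare_digest(expected, component.signature)


def secure_boot(stages: List[str],
                store: Dict[str, Component],
                recover: Callable[[str], Optional[Component]],
                trusted_root: str = "rom") -> List[str]:
    """Walk the boot chain in order. Returns the names of the stages that were
    allowed to run; raises RuntimeError if a stage fails verification and no
    verified replacement can be recovered (the only safe outcome is to halt)."""
    executed = [trusted_root]  # the minimal, explicitly trusted section of code
    for stage in stages:
        component = store[stage]
        if not verify(component):
            replacement = recover(stage)
            if replacement is None or not verify(replacement):
                raise RuntimeError(f"halt: {stage} failed integrity check and no verified replacement")
            component = replacement
        # Transition to the next layer happens only after its check is complete.
        executed.append(component.name)
    return executed


def build_store() -> Dict[str, Component]:
    # Constructed sample images standing in for firmware / boot loader / kernel.
    images = {"bios": b"bios-v1", "bootloader": b"loader-v1", "kernel": b"kernel-v1"}
    return {name: Component(name, img, sign(img)) for name, img in images.items()}


def boot_with_tampered_loader() -> List[str]:
    # The boot loader image no longer matches its stored signature; a verified
    # copy is available through the recovery path, so boot completes.
    store = build_store()
    store["bootloader"].image = b"loader-v1-MODIFIED"
    good_copies = build_store()
    return secure_boot(["bios", "bootloader", "kernel"], store, recover=lambda n: good_copies.get(n))


def boot_without_recovery_halts() -> bool:
    # The kernel image is modified and no replacement exists: the chain must stop.
    store = build_store()
    store["kernel"].image = b"kernel-v1-MODIFIED"
    try:
        secure_boot(["bios", "bootloader", "kernel"], store, recover=lambda n: None)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(secure_boot(["bios", "bootloader", "kernel"], build_store(), recover=lambda n: None))
    print(boot_with_tampered_loader())
    print(boot_without_recovery_halts())
```

The induction in the opening section is visible in `secure_boot`: the only thing assumed trusted is `trusted_root`, and every later entry in the returned list was appended only after its own check passed, so a modified stage can never be reached by a verified predecessor.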

Boot process