From Boot to Root: Identifying and Mitigating Security Issues in Bootloaders (glt25)

With the advent of verified/secure boot, bootloaders have become critical components in the chain of trust for embedded Linux systems. This talk will explore common security issues in verified boot implementations and provide an in-depth analysis of vulnerabilities found in popular bootloaders. Attendees will learn about the implications of these vulnerabilities and practical mitigation strategies to enhance device security. Over decades, the role of bootloaders has been rather straightforward, loading an operating system kernel and starting it, optionally with some configuration or visual enhancements. However, with the rise of verified, or secure boot, bootloaders now find themselves at the beginning of the chain of trust. Being a member of the chain of trust comes with significant responsibility. Bugs or misconfigurations are no longer just unpleasant; they now undermine the entire security concept of a device. In this talk, Richard will highlight common problems he has encountered in verified boot implementations of embedded Linux systems. He will also provide a deep dive into some vulnerabilities he has discovered in popular bootloaders and discuss how to mitigate them. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://pretalx.linuxtage.at/glt25/talk/JBLASG/