VxWorks

Securely Booting a VxWorks-7 Intel Target

by | Aug 10, 2020 | VxWorks

1 Introduction

VxWorks is a Real Time Operating System built by Wind River that supports booting from an Intel target with secure UEFI firmware.
Secure UEFI BIOS firmware prevents malware infected boot loader and operating system image files from running on the target board.

This blog describes how to configure VxWorks 7 for secure boot, and shows how to securely boot a typical Intel target.

 

2 Prerequisites

These instructions assume that you are using:

Wind River VxWorks 7, SR0620 installed on a Windows workstation
Intel target booting from Secure UEFI BIOS, e.g. Dell Latitude E6540 laptop
One USB flash drive

 

3 Related Documentation

For more information on these topics, refer to:

Wind River documentation:
VxWorks 7 Security Programmer’s Guide

Non-Wind River documentation:
Secure Boot, Microsoft, https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot
Unified Extensible Firmware Interface, Wikipedia, https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface

 

4 Create and Build the Secure VxWorks Source Build (VSB) Project

Open a DOS shell, configure the build environment and then build the project.

cd <WIND_HOME>                  // your installation directory
wrenv -p vxworks-7
cd <YOUR_WORKSPACE>             // your workspace
vxprj vsb create secure_vsb -bsp itl_generic -smp -force
cd secure_vsb                   // your VSB directory
vxprj vsb add SECURE_LOADER     // add the disk encryption layer to the VSB
make -j 32                      // build the VSB

5 Create and Build the Secure VxWorks Image Project (VIP)

Create the basic VxWorks image project (VIP) as follows.

cd ..
vxprj create -smp itl_generic secure_vip -profile PROFILE_INTEL_GENERIC -vsb secure_vsb
cd secure_vip
vxprj vip component add INCLUDE_BOOT_LOADER
vxprj vip component add DRV_CONSOLE_EFI
vxprj build

Make sure you include the component DRV_CONSOLE_EFI as the kernel will not boot without it.

6 Configure the USB Flash Drive

6.1 Deploy the Security Keys

Navigate to <YOUR_WORKSPACE>\secure_vsb\secureLoader

Copy the files db.sig, KEK.sig, and PK.sig to the root of the USB flash drive.

6.2 Deploy the Boot Loader and VxWorks kernel

Navigate to <YOUR_WORKSPACE>\secure_vip\loader\obj\uefi_x86_64.

Copy and rename the file BOOTX64.EFI.signed to \EFI\BOOT\BOOTX64.EFI

Navigate to <YOUR_WORKSPACE>\secure_vip\default\

Copy and rename the file VxWorks.signed to \EFI\BOOT\bootapp.sys

After following these instructions you will find the following files on the USB flash drive:

\PK.sig
\KEK.sig
\db.sig

\ EFI \ BOOT
        bootapp.sys
        BOOTX64.EFI

7 Deploy the VSB Security Keys into the Target

7.1 Prepare the Intel Target

Eject the USB flash drive from the workstation and insert it into the Intel target.

Power on the Intel target and boot into the BIOS.

7.2 Update the UEFI BIOS Security Keys

These BIOS configuration steps are target specific.

On the Dell Latitude E6540, the steps are as follows:

Select General -> Boot Sequence -> UEFI.
Deselect General -> Advanced Boot Options -> Enable Legacy Option ROMs.
Enable Secure Boot -> Secure Boot Enable.
Enable Secure Boot -> Expert Key Management -> Enable Custom Mode.
In Secure Boot -> Expert Key Management:
Press Delete All Keys
Click PK, click Replace from File, and select PK.sig on root of USB flash drive.
Click KEK, click Replace from File, and select KEK.sig on root of USB flash drive.
Click db, click Replace from File, and select db.sig on root of USB flash drive.

Apply the BIOS updates and power down the target.

 

8 Boot VxWorks on the Target

Power up the target.
Select the USB flash drive as the target boot drive.
Once the target has booted, you will see the VxWorks banner and kernel shell prompt appear.

-> 

You have succeeded in securely booting VxWorks.

 

9 Take it Further

Enhance the securely booting target with:

  1. An encrypted file system. For details, refer to the blog “Creating an Encrypted VxWorks-7 File System Partition”,

https://harmonicss.co.uk/vxworks/creating-an-encrypted-vxworks-7-file-system-partition/

  1. User logon capability. For details, refer to the blog “Creating a VxWorks-7 System With Secure User Login”,

https://harmonicss.co.uk/vxworks/creating-a-vxworks-7-system-with-secure-user-login/

  1. Secure module loader capability. This will be a subject of a future blog. For details, refer to the

VxWorks 7 Security Programmer’s Guide.

Got A Project In Mind?

Our levels of professionalism and commitment to our clients results in a long waiting list for projects. Let us know in advance if you might need us.