Securely Booting a VxWorks 7 Intel Target

Aug 10, 2020 | VxWorks

1 Introduction

VxWorks is a Real Time Operating System built by Wind River that supports booting from an Intel target with secure UEFI firmware.
Secure UEFI BIOS firmware prevents malware-infected boot loader and operating system image files from running on the target board.

This blog describes how to configure VxWorks 7 for secure boot, and shows how to securely boot a typical Intel target.

2 Prerequisites

These instructions assume that you are using:

Wind River VxWorks 7, SR0620 installed on a Windows workstation
Intel target booting from Secure UEFI BIOS, e.g. Dell Latitude E6540 laptop
One USB flash drive

3 Related Documentation

For more information on these topics, refer to:

Wind River documentation:
VxWorks 7 Security Programmer’s Guide

Non-Wind River documentation:
Secure Boot, Microsoft, https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot
Unified Extensible Firmware Interface, Wikipedia, https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface

4 Create and Build the Secure VxWorks Source Build (VSB) Project

Open a DOS shell, configure the build environment and then build the project.

REM Change to your Wind River installation directory
cd <WIND_HOME>
wrenv -p vxworks-7
REM Change to your workspace
cd <YOUR_WORKSPACE>
vxprj vsb create secure_vsb -bsp itl_generic -smp -force -S
REM Enter your VSB directory
cd secure_vsb
REM Add the SECURE_LOADER layer to the VSB
vxprj vsb add SECURE_LOADER
REM Build the VSB
make -j 32

5 Create and Build the Secure VxWorks Image Project (VIP)

Create the basic VxWorks image project (VIP) as follows.

cd ..
vxprj create -smp itl_generic secure_vip -profile PROFILE_INTEL_GENERIC -vsb secure_vsb
cd secure_vip
vxprj vip component add INCLUDE_BOOT_LOADER
vxprj vip component add DRV_CONSOLE_EFI
vxprj build

Make sure you include the component DRV_CONSOLE_EFI as the kernel will not boot without it.

6 Configure the USB Flash Drive

6.1 Deploy the Security Keys

Navigate to <YOUR_WORKSPACE>\secure_vsb\secureLoader.

Copy the files db.sig, KEK.sig, and PK.sig to the root of the USB flash drive.

6.2 Deploy the Boot Loader and VxWorks kernel

Navigate to <YOUR_WORKSPACE>\secure_vip\loader\obj\uefi_x86_64.

Copy the file BOOTX64.EFI.signed to the USB flash drive as \EFI\BOOT\BOOTX64.EFI.

Navigate to <YOUR_WORKSPACE>\secure_vip\default\

Copy the file VxWorks.signed to the USB flash drive as \EFI\BOOT\bootapp.sys.

After following these instructions you will find the following files on the USB flash drive:

\PK.sig
\KEK.sig
\db.sig
\EFI\BOOT\bootapp.sys
\EFI\BOOT\BOOTX64.EFI
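
A pre-flight check for the prepared drive, added here as an example (it is not from the original post or from Wind River tooling): it confirms the section 6 layout and that BOOTX64.EFI actually carries an embedded signature, which catches the case where the unsigned build output was copied instead of BOOTX64.EFI.signed. It assumes the signed loader is a standard PE/COFF UEFI image with its signature in the Attribute Certificate Table; the function names are illustrative.

```python
import struct
import sys
from pathlib import Path

# Drive layout from section 6 of this post, relative to the USB drive root.
REQUIRED = ["PK.sig", "KEK.sig", "db.sig",
            "EFI/BOOT/BOOTX64.EFI", "EFI/BOOT/bootapp.sys"]

def pe_cert_table_size(data: bytes) -> int:
    """Size of the PE Attribute Certificate Table (0 means unsigned image)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                                     # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)      # PE32+ vs PE32
    if struct.unpack_from("<I", data, dirs - 4)[0] <= 4:
        return 0                                      # no security directory
    # Directory entry 4; its "address" field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, dirs + 4 * 8)
    if size and offset + size > len(data):
        raise ValueError("certificate table runs past end of file")
    return size

def check_drive(root) -> list:
    """Return a list of problems found on the prepared drive (empty = OK)."""
    root = Path(root)
    problems = [f"missing {p}" for p in REQUIRED if not (root / p).is_file()]
    loader = root / "EFI/BOOT/BOOTX64.EFI"
    if loader.is_file():
        try:
            if pe_cert_table_size(loader.read_bytes()) == 0:
                problems.append("BOOTX64.EFI has no signature (unsigned build copied?)")
        except (ValueError, struct.error) as exc:
            problems.append(f"BOOTX64.EFI is not a valid PE image: {exc}")
    return problems

if __name__ == "__main__":
    found = check_drive(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(found) or "drive layout OK")
    sys.exit(1 if found else 0)
```

Run it with the drive root as the argument before moving the drive to the target. A non-empty certificate table only shows that a signature is present; the firmware still decides whether it verifies against the enrolled db key.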

7 Deploy the VSB Security Keys into the Target

7.1 Prepare the Intel Target

Eject the USB flash drive from the workstation and insert it into the Intel target.

Power on the Intel target and boot into the BIOS.

7.2 Update the UEFI BIOS Security Keys

These BIOS configuration steps are target specific.

On the Dell Latitude E6540, the steps are as follows:

Select General -> Boot Sequence -> UEFI.
Deselect General -> Advanced Boot Options -> Enable Legacy Option ROMs.
Enable Secure Boot -> Secure Boot Enable.
Enable Secure Boot -> Expert Key Management -> Enable Custom Mode.
In Secure Boot -> Expert Key Management:
        Press Delete All Keys.
        Click PK, click Replace from File, and select PK.sig on the root of the USB flash drive.
        Click KEK, click Replace from File, and select KEK.sig on the root of the USB flash drive.
        Click db, click Replace from File, and select db.sig on the root of the USB flash drive.

Apply the BIOS updates and power down the target.

8 Boot VxWorks on the Target

Power up the target.
Select the USB flash drive as the target boot drive.
Once the target has booted, you will see the VxWorks banner and kernel shell prompt appear.

-> 

You have succeeded in securely booting VxWorks.

9 Take it Further

Enhance the securely booting target with:

  1. An encrypted file system. For details, refer to the blog “Creating an Encrypted VxWorks 7 File System Partition”, https://harmonicss.co.uk/vxworks/creating-an-encrypted-vxworks-7-file-system-partition/

  2. User logon capability. For details, refer to the blog “Creating a VxWorks 7 System With Secure User Login”, https://harmonicss.co.uk/vxworks/creating-a-vxworks-7-system-with-secure-user-login/

  3. Secure module loader capability. This will be a subject of a future blog. For details, refer to the VxWorks 7 Security Programmer’s Guide.
