System Execution Sequence

System Execution Sequence – Part 1: BIOS/UEFI and Bootloader

Posted by Kulani Mahadewa on July 6, 2020
Posted in: System Execution Sequence. Tagged: , , , . Leave a comment

Execution Environment

Computing is about running algorithms. It is achieved by executing code. So, what is the order of executing codes in a computer?

Different kinds of computers (e.g., desktops/server platforms, mobile, and embedded devices) may organize the system execution order slightly differently. In general, on top of hardware is the kernel space, and on top of the kernel is the user-space software. However, in simple embedded software like in IoT devices, the firmware code can be on top of the hardware. The kernel provides system calls, for the user libraries to access system functionalities, and the libraries provide library calls for the applications to access the functionalities of libraries. Despite this organization, the CPU receives the data as a flat instruction stream.

Is it possible to run the binaries of different architecture on another architecture? For example, Linux binary on Windows.

Yes. In particular, there are compatibility layers that facilitate the execution of binary belongs to a different architecture. Wine is such a compatibility layer, which supports the execution of Windows binaries on Unix-like OSs. Windows Subsystem for Linux  (WSL) is another compatibility layer, which facilitates the execution of Linux native binaries on top of Windows OS.

Virtual machines (VM) are a way to provide an isolated execution environment. It can provide the same or different execution environment as the underlying architecture. Such as Linux VM provides the Linux execution environment on Windows OS. A VM provides both kernel space and userspace. Hence, the end-users can work without worrying about the underlying architecture.

Docker is another way to provide an isolated execution environment. However, docker provides isolation for application through containers, whereas VM provides isolation for the OS environment. The VM’s userspace is similar to the container of Docker.

Firmware Booting Code

When the PC is power on, firmware booting code is the first thing to run. When this booting code runs, you will see the logos on the screen. During this time, in the backend, it probes all the hardware devices, to check whether they work well. Only the keyboard is enough to communicate with this code.

BIOS (Basic I/O System) and UEFI (Unified Extensible Firmware Interface) are two types of booting codes or booting firmware. It comes pre-installed on the PC board.

BIOS vs UEFI:

  • BIOS is legacy booting firmware. It only supports up to 4 partitions of Hard Disk.
  • UEFI is a new booting firmware. It supports more than 4 partitions of HD, and additionally provide a secure mode and network support during booting to download missing codes.

Another main function of booting code is, it requires to find the next code to be executed and put it in the memory. What is the next code to execute? Bootloader.

Bootloader

It is a small program to load other OS programs and data in memory and executes them. It can be automatic or ask for manual options. With bootloader can load single or multiple kernels. It becomes the main application running on the microprocessor during normal operation.

Is it required to have a bootloader on a computer system? No. Simple embedded systems may not come with bootloader to save space.

Can you replace the existing bootloader? Yes. You can use U-boot to replace the bootloader.

Different bootloaders:

  • Linux: GRUB bootloader
  • Windows: BCD bootloader
  • Android: Fastboot (to load recovery image)
  • iOS: iboot
  • Embedded systems: Uboot (a general bootloader tool)

A main function of the bootloader is to find where the kernel image resides, and put it in the memory and execute it.

What if the bootloader cannot find the kernel or the kernel image is missing? PXE (Preboot Execution Environment) comes to the scene. An advantage of UEFI booting firmware is that it supports PXE. Hence, if the kernel image is not found, it can download it from a remote server.

The general procedure of PXE:

  • The host requests the IP for a network adapter from the DHCP server. The DHCP server replies with a temporary IP and TFTP Server address.
  • Next, the host requests a network bootloader from the TFTP server. TFTP server replies with reboot and support files.
  • Next, the host requests for kernel from the Web or TFTP server, and receives the kernel.
  • Finally, it acquires an IP for the kernel from the DHCP server.

Bootloader Security

Archived through TPM

What is TPM?

Trusted Platform Module (TPM) is a hardware component (comes on-chip of the motherboard ) that guarantees the integrity of the booting process.

Threat Model: A malicious code that replaces bootloader or kernel.

With TPM it can check the integrity of code and prevent the attacker from modifying the code at the initial stages of booting the OS. It uses simple cryptographic techniques and supports saving some sensitive data. The advantage is that it can hash a large amount of data.  The hash value is stored at PCR (Platform Configuration Register).

Chain of Trust

  • First, check whether the root of trust (BIOS/UEFI) is secure by checking the signature of the bootloader.
  • Next, transfers the control to the bootloader. At the bootloader, check the integrity of the hash value.
  • Next, transfers the control to the kernel. Check the integrity of the kernel.

UEFI Secure Mode

First, the signature of the kernel bootloader has to be generated. This is done by the manufacture. Next, when it loads check for its signature for integrity.

This adds trouble if you have to add a customized bootloader.

In fact, the UEFI secure boot + TPM is recommended for preserving security.

Unlock Bootloader

  • PC’s supports both BIOS and UEFI as booting methods. It is possible to switch between the two types. However, data loss and compatibility issues could happen.
  • In Android, the bootloader is locked by default. The fastboot tool can be used to unlock. When the bootloader is unlocked it is possible to changes the OS. (Whereas rooting will only allow the control of the whole OS. It provides access to the system partition, while bootloader unlocking provides boot or recovery partitions access).
  • In Iphones and MacOS, iboot is the bootloader.  DFU is required to downgrade iOS OS.

Booting Disk Creation and Disk Management

  • Etcher: can be used to locally generate a bootable USB with 3 steps. Select image, select drive with USE, and flash.
  • Unetbootin: Universal Netboot installer.
  • dd: direct dump, is a Unix utility. It can securely erase all files block by block.
  • Clonezilla

Online Resources that can be referred:

 TPM overview: https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Overview.pdf (optional)