What is the difference between Secure Boot and Verified Boot?

As I understand it, both "Secure Boot" and "Verified Boot" work in the same way. In particular:

  • on boot, the first thing that runs is code found in ROM. This ensures that it can be "trusted"
  • the ROM code verifies the signature of the next piece of boot software, only running it if the signature is valid
  • this process of verifying code continues all the way up into user space

Does that high level overview miss out on some key difference? Or are they the same, and we just call it "Secure Boot" if the rest of the boot process meets the UEFI spec?

2

2 Answers

Verified Boot

Verified Boot strives to ensure all executed code comes from a trusted source (usually device OEMs), rather than from an attacker or corruption. It establishes a full chain of trust, starting from a hardware-protected root of trust to the bootloader, to the boot partition and other verified partitions including system, vendor, and optionally oem partitions. During device boot up, each stage verifies the integrity and authenticity of the next stage before handing over execution. In addition to ensuring that devices are running a safe version of Android, Verified Boot check for the correct version of Android with rollback protection. Rollback protection helps to prevent a possible exploit from becoming persistent by ensuring devices only update to newer versions of Android. In addition to verifying the OS, Verified Boot also allows Android devices to communicate their state of integrity to the user.

Secure boot

Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system. The OEM can use instructions from the firmware manufacturer to create Secure boot keys and to store them in the PC firmware. When you add UEFI drivers, you'll also need to make sure these are signed and included in the Secure Boot database.

For details we can refer to the articles Secure boot and Verified Boot.

3

Secure Boot and Verified Boot are largely the same thing and describe software authentication frameworks that often require some hardware support to implement properly. "Verified Boot" is more specific to Android platforms whereas "Secure Boot" is a more general term used for many platforms. Despite Microsoft documentation claiming "Secure Boot" is a PC specific standard, one finds this term used by many other platform vendors (NXP, Qualcomm, others) to describe their security frameworks for firmware authentication.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like