From 2ca356ec244890a1b4cd58486c2cd93612fd3ddf Mon Sep 17 00:00:00 2001 From: River Date: Thu, 10 Apr 2025 10:51:21 -0400 Subject: [PATCH] Update Full Verified Boot --- Full-Verified-Boot.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Full-Verified-Boot.md b/Full-Verified-Boot.md index a01e9c5..b5b19ef 100644 --- a/Full-Verified-Boot.md +++ b/Full-Verified-Boot.md @@ -1,11 +1,15 @@ # What is Full Verified Boot? +## Overview + Full verified boot is a means by which all the resources involved in system bring-up are known to be valid, working, and secure. This works by performing cryptographic signatures at each step of the boot process to verify the next step's resources. A typical chain of trust will look like this: - Security processor verifies system firmware - System firmware verifies bootloader and kernel images - Kernel verifies system partition hash +## HalogenOS's implementation + In HalogenOS, the root partition containing volatile data is encrypted, and the encryption key is released automatically by the TPM (Trusted Platform Module) when it verifies that the system firmware, bootloader, and kernel are all correct. Additionally, user data is encrypted separately per-user, so it is impossible to modify any data on the root partition without knowing the user's password or sniffing the TPM for the encryption key. So what does the chain look like for HalogenOS?
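Review bot: the two new headings split the page cleanly, but the wording they now frame should be tightened in the same pass. Under `## Overview`, "performing cryptographic signatures at each step of the boot process to verify the next step's resources" describes verification, not signing: each stage checks the signature on the next stage's image against a key it already trusts, so "verifying cryptographic signatures at each step" is the accurate phrasing, and it matches the "verifies" wording used in the chain-of-trust list directly below. Under `## HalogenOS's implementation`, "the root partition containing volatile data" is ambiguous (a root partition is not volatile storage); if "mutable" or "writable" data is meant, say so. The closing sentence "So what does the chain look like for HalogenOS?" now opens the new section's tail, so make sure the list that answers it (outside this hunk) still sits under the same heading and does not get a heading of its own.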