secure-boot

A new bootable USB solution.

macOS on Huawei Matebook X Pro 2018

Hardware-based attestation / intrusion detection app for Android devices. It provides both local verification with another Android device via QR codes and optional scheduled server-based verification with support for alert emails. It uses hardware-backed keys and attestation support as the foundation and chains trust to the app for software checks.

Generate and sign kernel images for UEFI Secure Boot on Arch Linux

Jo's Embedded Serial File System (for Standard Serial NOR-Flash)

Tutorial to create full disk encryption with YubiKey, encrypted boot partition and secure boot with UEFI

Disabling kernel lockdown on Ubuntu without physical access

Tool for complete hardening of Linux boot chain with UEFI Secure Boot

Linux UEFI library written in pure Go.

Windows 11 compability check with user friendly output

OpenEmbedded layer for the use cases on secure boot, integrity and encryption

Punchboot

Server code for use with the Auditor app: https://github.com/GrapheneOS/Auditor. It provides two services: submission of attestation data samples and a remote attestation implementation with email alerts to go along with the local implementation based on QR code scanning in the app.

MultiZone® Security TEE is the quick and safe way to add security and separation to any RISC-V processors. The RISC-V standard ISA doesn't define TrustZone-like primitives to provide hardware separation. To shield critical functionality from untrusted third-party components, MultiZone provides hardware-enforced, software-defined separation of multiple equally secure worlds. Unlike antiquated hypervisor-like solutions, MultiZone is self-contained, presents an extremely small attack surface, and it is policy driven, meaning that no coding is required – and in fact even allowed. MultiZone works with any 32-bit or 64-bit RISC-V processors with standard Physical Memory Protection unit (PMP) and “U” mode.

Emulating Exynos 4210 BootROM in QEMU

Unsigned code loader for Exynos BootROM

Boot multiple systems from a single GRUB2-powered USB drive (just drop ISO or other modules to integrate into menu)

UEFI Secure Boot for Arch Linux + btrfs snapshot recovery

Secure EFI Loader designed to authenticate the non-PE files

systemd-boot integration with secure boot support

A small subset of the submitted sample data from https://github.com/GrapheneOS/Auditor. It has a sample attestation certificate chain per device model (ro.product.model) along with a subset of the system properties from the sample as supplementary information.

Unsigned code loader for Amlogic BootROM

USB Format Tool - Make Bootable USB Drive with MBR and 2 Partitions

The GRUB2 signing extension are some scripts which help you to verify, sign and unsign your GRUB2 bootloader files using GPG.

Script to sign external Linux kernel modules for UEFI Secure Boot.

MultiZone® Security Enclave for Linux

An open source implementation of an AMD-V Secure Loader.

MultiZone® Trusted Firmware is the quick and safe way to build secure IoT applications with any RISC-V processor. It provides secure access to commercial and private IoT clouds, real-time monitoring, secure boot, and remote firmware updates. The built-in Trusted Execution Environment provides hardware-enforced separation to shield the execution of trusted applications from untrusted 3rd party libraries.

MultiZone® Security TEE for Arm® Cortex®-M is the quick and safe way to add security and separation to any Cortex-M based device. MultiZone® software can retrofit existing designs. If you don’t have TrustZone®, or if you require finer granularity than one secure world, you can take advantage of high security separation without the need for hardware and software redesign, eliminating the complexity associated with managing a hybrid hardware/software security scheme.

OpenEmbedded/Poky-compatible reference implementation based on meta-secure-core