White Paper: An Overview of Samsung KNOX™

Secure Boot is a procedure that prevents “unauthorized” operating systems and software from loading during the startup process. Firmware images (that is, operating systems and other system components) that are cryptographically signed by known, trusted authorities are considered “authorized” firmware. Secure Boot is the first line of defense against malicious attacks on KNOX-based mobile devices.

Secure Boot requires the device boot loader, kernel, and system software to be cryptographically signed by a key verified by the hardware. Secure Boot uses X.509 certificates and public keys that are embedded into the boot loader of the device. A secure hash of the certificates is fused into hardware Read-Only Memory (ROM) at the time of manufacture. The Secure Boot loader continues only if authorized, securely signed binaries are present. Next, Secure Boot verifies the cryptographic signature of the Linux kernel and system image before handing control to the OS.
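The verification order described above, as an added example that is not Samsung's code: the key embedded in the boot loader is accepted only if its hash matches the value fused in ROM, and each later image must then verify against that key. Assumptions: a raw Ed25519 public key stands in for the X.509 certificate, and `Stage`, `VerifyChain` and `DemoChain` are hypothetical names with constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Stage is one signed firmware image in the boot chain (constructed model).
type Stage struct { Name string; Image, Sig []byte }

// VerifyChain anchors the embedded key to the fused hash, then checks each stage.
func VerifyChain(fusedHash [32]byte, embeddedKey ed25519.PublicKey, stages []Stage) error {
	if len(embeddedKey) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad length
		return errors.New("embedded key malformed")
	}
	// The key is only trusted because its hash equals the immutable fused value.
	if sha256.Sum256(embeddedKey) != fusedHash {
		return errors.New("embedded key does not match fused hash")
	}
	for _, s := range stages {
		if !ed25519.Verify(embeddedKey, s.Image, s.Sig) {
			return fmt.Errorf("stage %q: bad signature, boot halted", s.Name)
		}
	}
	return nil
}

// DemoChain builds a constructed signing key, its fused hash and two signed stages.
func DemoChain() ([32]byte, ed25519.PublicKey, []Stage) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed test seed
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)
	var stages []Stage
	for _, name := range []string{"kernel", "system"} {
		img := []byte("constructed " + name + " image")
		stages = append(stages, Stage{name, img, ed25519.Sign(priv, img)})
	}
	return sha256.Sum256(pub), pub, stages
}

func main() {
	fused, pub, stages := DemoChain()
	fmt.Println("intact chain:", VerifyChain(fused, pub, stages))
	stages[1].Image[0] ^= 1 // simulate a modified system image
	fmt.Println("tampered image:", VerifyChain(fused, pub, stages))
}
```

Replacing the embedded key with a different one fails at the hash comparison, before any image signature is evaluated, which is why the fused hash is the root of trust in this model.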