FerryBoot implements multiple layers of security to protect the boot process and ensure system integrity.
FerryBoot supports BIOS password protection:
- Master password for bootloader access
- User password for specific boot entries
- Password hashing with salted SHA-256
UEFI systems use the platform's built-in password features:
- Setup password for firmware settings
- Boot password for OS selection
- Integration with UEFI security protocols
FerryBoot supports UEFI Secure Boot:
- Signed bootloader binaries
- Verification of OS kernel signatures
- Integration with Microsoft UEFI CA
- Support for custom certificate authorities
For BIOS systems, FerryBoot implements its own secure boot mechanism. Legacy BIOS offers no firmware-anchored root of trust, so this chain starts at the bootloader image itself and is only as strong as the tamper protection applied to that image:
- RSA signature verification
- SHA-256 hashing
- Certificate chain validation
- Revocation list support
FerryBoot can unlock LUKS-encrypted volumes:
- Prompt for passphrase
- Support for key files
- Integration with LUKS header parsing
- Support for multiple key slots
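Before a passphrase can be tried against any key slot, the LUKS header has to be read from untrusted disk and validated. The following is an added example, not FerryBoot's parser: a defensive reader for the LUKS1 on-disk header that checks the magic and version, bounds every string field, rejects implausible key sizes, iteration counts and offsets, and enumerates the enabled key slots. Field offsets and the slot-state constants follow the LUKS1 format (integers are big-endian); the 64-byte key cap, the sample header bytes and the error codes are choices made for this example, and LUKS2 is not handled.

```c
/* Added example, not FerryBoot code: a defensive parser for the LUKS1 on-disk
 * header, the step a bootloader performs before trying a passphrase against the
 * key slots.  Field offsets and slot-state constants follow the LUKS1 format
 * (all integers big-endian); the header bytes are constructed for the example.
 * LUKS2 uses a different header and is not handled here. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LUKS1_HDR_SIZE     592
#define LUKS_NUMKEYS       8
#define LUKS_KEY_ENABLED   0x00AC71F3u
#define LUKS_KEY_DISABLED  0x0000DEADu
#define LUKS_MAX_KEY_BYTES 64               /* largest master key this example accepts */
static const uint8_t LUKS_MAGIC[6] = { 'L', 'U', 'K', 'S', 0xBA, 0xBE };

typedef struct { int active; uint32_t iterations, key_material_offset, stripes; } luks1_slot_t;
typedef struct {
    char cipher_name[33], cipher_mode[33], hash_spec[33];
    uint32_t payload_offset, key_bytes, mk_digest_iter;   /* offsets are in 512-byte sectors */
    luks1_slot_t slots[LUKS_NUMKEYS];
} luks1_hdr_t;

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* Copy a fixed-width string field, insisting on a NUL inside the field so the
 * result is terminated no matter what the disk contains. */
static int copy_field(char *dst, const uint8_t *src, size_t width) {
    if (!memchr(src, 0, width)) return 0;
    memcpy(dst, src, width);
    dst[width] = 0;
    return 1;
}

/* Returns 0 on success, a negative code for a truncated, malformed or hostile header. */
int luks1_parse(const uint8_t *buf, size_t len, luks1_hdr_t *h) {
    if (len < LUKS1_HDR_SIZE || memcmp(buf, LUKS_MAGIC, 6) != 0) return -1;
    if (be16(buf + 6) != 1) return -2;
    memset(h, 0, sizeof *h);
    if (!copy_field(h->cipher_name, buf + 8, 32) || !copy_field(h->cipher_mode, buf + 40, 32)
        || !copy_field(h->hash_spec, buf + 72, 32)) return -3;
    h->payload_offset = be32(buf + 104);
    h->key_bytes      = be32(buf + 108);
    h->mk_digest_iter = be32(buf + 164);
    if (h->key_bytes == 0 || h->key_bytes > LUKS_MAX_KEY_BYTES) return -4;
    if (h->mk_digest_iter == 0) return -5;                   /* zero PBKDF2 iterations is never legitimate */
    if ((uint64_t)h->payload_offset * 512 < LUKS1_HDR_SIZE) return -6;   /* payload inside the header */
    for (int i = 0; i < LUKS_NUMKEYS; i++) {
        const uint8_t *s = buf + 208 + 48 * i;                /* active, iterations, salt[32], offset, stripes */
        luks1_slot_t *k = &h->slots[i];
        uint32_t state = be32(s);
        if (state == LUKS_KEY_ENABLED) k->active = 1;
        else if (state == LUKS_KEY_DISABLED) k->active = 0;
        else return -7;                                       /* unknown slot state: refuse rather than guess */
        k->iterations = be32(s + 4);
        k->key_material_offset = be32(s + 40);
        k->stripes = be32(s + 44);
        if (k->active && (k->iterations == 0 || k->stripes == 0
                          || (uint64_t)k->key_material_offset * 512 < LUKS1_HDR_SIZE
                          || k->key_material_offset >= h->payload_offset)) return -8;
    }
    return 0;
}

/* Number of enabled slots; the bootloader tries the passphrase against each in turn. */
int luks1_active_slots(const luks1_hdr_t *h) {
    int n = 0;
    for (int i = 0; i < LUKS_NUMKEYS; i++) n += h->slots[i].active;
    return n;
}

/* Constructed header: aes / xts-plain64 / sha256, 64-byte master key, payload at
 * sector 4096, slot 0 enabled (key material at sector 8), slot 1 enabled (sector 512). */
void build_sample_header(uint8_t buf[LUKS1_HDR_SIZE]) {
    memset(buf, 0, LUKS1_HDR_SIZE);
    memcpy(buf, LUKS_MAGIC, 6);
    buf[7] = 1;                                               /* version 1 */
    memcpy(buf + 8, "aes", 3);
    memcpy(buf + 40, "xts-plain64", 11);
    memcpy(buf + 72, "sha256", 6);
    put32(buf + 104, 4096);                                   /* payload-offset */
    put32(buf + 108, 64);                                     /* key-bytes */
    put32(buf + 164, 100000);                                 /* mk-digest-iterations */
    for (int i = 0; i < LUKS_NUMKEYS; i++) {
        put32(buf + 208 + 48 * i, LUKS_KEY_DISABLED);
        put32(buf + 208 + 48 * i + 44, 4000);                 /* stripes */
    }
    put32(buf + 208, LUKS_KEY_ENABLED); put32(buf + 212, 200000); put32(buf + 248, 8);
    put32(buf + 256, LUKS_KEY_ENABLED); put32(buf + 260, 150000); put32(buf + 296, 512);
}
```

Every field that later drives an I/O offset, a buffer size or a PBKDF2 loop is range-checked here before use; a header that fails any check is refused outright rather than partially trusted, which is the behaviour a boot-time parser with no recovery path should have.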
FerryBoot supports BitLocker-encrypted volumes:
- TPM integration
- Recovery key support
- Password/PIN authentication
- Compatible with Windows BitLocker
FerryBoot supports VeraCrypt-encrypted volumes:
- Password authentication
- Keyfile support
- Hidden volume detection
- System encryption support
FerryBoot verifies kernel signatures before loading:
- RSA signature checking
- SHA-256/SHA-512 hashing
- Certificate validation
- Certificate revocation checking
For unsigned kernels, FerryBoot can verify file hashes:
- SHA-256 kernel hash verification
- Configuration-stored hash values
- Automatic hash generation tool
FerryBoot implements stack protection:
- Stack canaries
- Stack overflow detection
- Secure stack initialization
Memory allocation protection:
- Bounds checking
- Double-free detection
- Use-after-free prevention
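The bullets above name the fault classes; the mechanism behind them is a block header, a guard word and a per-block state that are re-validated on every operation. The following is an added example, not FerryBoot's allocator: a guarded bump allocator of the kind a bootloader can afford, where `guarded_check` catches a corrupted header or a smashed canary, `guarded_write` refuses out-of-bounds copies, and `guarded_free` reports double frees and poisons freed data. The arena size, the magic and canary constants, the error codes and the `demo` walkthrough are all choices made for this example.

```c
/* Added example, not FerryBoot code: a guarded bump allocator of the kind a
 * bootloader can afford, showing how a header magic, a trailing canary and a
 * per-block state make double frees, overflows and out-of-bounds writes
 * detectable.  Arena size, magic and canary values are chosen for the example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ARENA_SIZE 4096
#define HDR_MAGIC  0x46455242u          /* tags a valid block header */
#define CANARY     0xC0DEC0DEu          /* guard word stored right after the user bytes */
enum { BLK_FREE = 0, BLK_LIVE = 1 };
enum { ALLOC_OK = 0, ERR_BAD_PTR = -1, ERR_FREED = -2, ERR_DOUBLE_FREE = -3, ERR_OVERFLOW = -4, ERR_BOUNDS = -5 };

typedef struct { uint32_t magic, size, state, pad; } block_hdr_t;   /* 16 bytes, keeps data 8-aligned */

static uint64_t arena[ARENA_SIZE / 8];  /* uint64_t so the arena itself is 8-byte aligned */
static size_t   arena_used;             /* bytes handed out; freed blocks are never reused */

/* Allocate: header, user bytes, canary, rounded up so the next header stays aligned. */
void *guarded_alloc(size_t size) {
    size_t total = (sizeof(block_hdr_t) + size + sizeof(uint32_t) + 7) & ~(size_t)7;
    if (size > UINT32_MAX || total < size || ARENA_SIZE - arena_used < total) return NULL;
    block_hdr_t *h = (block_hdr_t *)((uint8_t *)arena + arena_used);
    uint8_t *user = (uint8_t *)(h + 1);
    uint32_t c = CANARY;
    arena_used += total;
    h->magic = HDR_MAGIC; h->size = (uint32_t)size; h->state = BLK_LIVE; h->pad = 0;
    memcpy(user + size, &c, sizeof c);   /* canary may be unaligned, hence memcpy */
    return user;
}

/* Validate a pointer the caller hands back: inside the arena, aligned, tagged,
 * still live, and with its canary intact. */
int guarded_check(const void *p) {
    const uint8_t *q = p, *base = (const uint8_t *)arena;
    if (!q || q < base + sizeof(block_hdr_t) || q >= base + arena_used || ((uintptr_t)q & 7)) return ERR_BAD_PTR;
    const block_hdr_t *h = (const block_hdr_t *)q - 1;
    if (h->magic != HDR_MAGIC) return ERR_BAD_PTR;
    if (h->state != BLK_LIVE) return ERR_FREED;
    uint32_t c; memcpy(&c, q + h->size, sizeof c);
    return c == CANARY ? ALLOC_OK : ERR_OVERFLOW;
}

/* Bounds-checked copy into a block: refuses any write that would reach the canary. */
int guarded_write(void *p, size_t off, const void *src, size_t n) {
    int rc = guarded_check(p);
    if (rc != ALLOC_OK) return rc;
    const block_hdr_t *h = (const block_hdr_t *)p - 1;
    if (off > h->size || n > h->size - off) return ERR_BOUNDS;
    memcpy((uint8_t *)p + off, src, n);
    return ALLOC_OK;
}

/* Free: reports double frees and overflows that happened while the block was live,
 * then poisons the data and marks the block freed so later use is caught as ERR_FREED.
 * Because this bump allocator never reuses memory, a stale pointer cannot alias a
 * newer allocation either. */
int guarded_free(void *p) {
    int rc = guarded_check(p);
    if (rc == ERR_FREED) return ERR_DOUBLE_FREE;
    if (rc != ALLOC_OK) return rc;
    block_hdr_t *h = (block_hdr_t *)p - 1;
    memset(p, 0xDD, h->size);            /* poison pattern makes use of freed data obvious */
    h->state = BLK_FREE;
    return ALLOC_OK;
}

/* Walk-through: returns 1 when each fault class is caught as intended. */
int demo(void) {
    char *a = guarded_alloc(16), *b = guarded_alloc(8);
    if (!a || !b) return 0;
    if (guarded_write(a, 0, "0123456789abcdef", 16) != ALLOC_OK) return 0;  /* exactly fits */
    if (guarded_write(a, 12, "WXYZ!", 5) != ERR_BOUNDS) return 0;           /* would cross the canary */
    memset(b, 'X', 9);                                                       /* simulated 1-byte overflow */
    if (guarded_check(b) != ERR_OVERFLOW) return 0;
    if (guarded_free(a) != ALLOC_OK) return 0;
    if (guarded_free(a) != ERR_DOUBLE_FREE) return 0;
    if (guarded_write(a, 0, "x", 1) != ERR_FREED) return 0;                  /* use after free */
    if (guarded_free(a + 1) != ERR_BAD_PTR) return 0;                        /* not a block start */
    return 1;
}
```

The overflow in `demo` is only noticed when the block is next checked or freed, which is exactly the limitation of canary schemes: they detect corruption after the fact, so the check has to run before the corrupted data is used. Stack canaries work the same way at function return, which is why the compiler-inserted check sits in the epilogue.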
FerryBoot supports TPM for trusted boot:
- PCR extension
- Measured boot
- Attestation support
- Seal/unseal operations
Boot process integrity measurement:
- Component hashing
- Measurement log
- Remote attestation
- Integrity verification
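Two of the lists above share one primitive: the hash-verification path for unsigned kernels (compute SHA-256 over the image, compare with the digest stored in the configuration) and measured boot (hash each component, extend it into a PCR, keep an event log, replay the log during attestation). The following is an added example that serves both passages; it is not FerryBoot's code. It carries its own SHA-256 so it runs stand-alone, parses the configuration digest as a hex string, compares in constant time, then simulates the TPM extend operation PCR := SHA-256(PCR || digest) with an in-memory event log. The kernel bytes, the digest string, the function names and the event-log layout are constructed for the example; real TPM commands and the firmware event-log format are not modelled.

```c
/* Added example, not FerryBoot code: SHA-256 verification of an unsigned kernel
 * against a configuration-stored digest, then a simulated TPM PCR extend with a
 * replayable event log.  The kernel bytes and digest string are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static const uint32_t K[64] = {
    0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
    0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
    0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
    0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
    0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
    0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
    0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
    0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2};
static uint32_t rotr(uint32_t x, int n) { return (x >> n) | (x << (32 - n)); }

/* One 64-byte compression block of SHA-256 (FIPS 180-4). */
static void sha256_block(uint32_t s[8], const uint8_t p[64]) {
    uint32_t w[64], v[8], t1, t2; int i;
    for (i = 0; i < 16; i++)
        w[i] = (uint32_t)p[4*i] << 24 | (uint32_t)p[4*i+1] << 16 | (uint32_t)p[4*i+2] << 8 | p[4*i+3];
    for (; i < 64; i++)
        w[i] = w[i-16] + (rotr(w[i-15], 7) ^ rotr(w[i-15], 18) ^ (w[i-15] >> 3))
             + w[i-7]  + (rotr(w[i-2], 17) ^ rotr(w[i-2], 19)  ^ (w[i-2] >> 10));
    memcpy(v, s, sizeof v);
    for (i = 0; i < 64; i++) {
        t1 = v[7] + (rotr(v[4], 6) ^ rotr(v[4], 11) ^ rotr(v[4], 25))
           + ((v[4] & v[5]) ^ (~v[4] & v[6])) + K[i] + w[i];
        t2 = (rotr(v[0], 2) ^ rotr(v[0], 13) ^ rotr(v[0], 22))
           + ((v[0] & v[1]) ^ (v[0] & v[2]) ^ (v[1] & v[2]));
        v[7] = v[6]; v[6] = v[5]; v[5] = v[4]; v[4] = v[3] + t1;
        v[3] = v[2]; v[2] = v[1]; v[1] = v[0]; v[0] = t1 + t2;
    }
    for (i = 0; i < 8; i++) s[i] += v[i];
}

void sha256(const void *data, size_t len, uint8_t out[32]) {
    uint32_t s[8] = {0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19};
    const uint8_t *p = data;
    uint8_t buf[64] = {0};
    size_t rem = len;
    for (; rem >= 64; rem -= 64, p += 64) sha256_block(s, p);
    memcpy(buf, p, rem);
    buf[rem] = 0x80;                         /* pad: 1 bit, zeros, 64-bit big-endian bit length */
    if (rem >= 56) { sha256_block(s, buf); memset(buf, 0, 64); }
    for (int i = 0; i < 8; i++) buf[63 - i] = (uint8_t)(((uint64_t)len * 8) >> (8 * i));
    sha256_block(s, buf);
    for (int i = 0; i < 8; i++) { out[4*i] = s[i] >> 24; out[4*i+1] = s[i] >> 16;
                                  out[4*i+2] = s[i] >> 8; out[4*i+3] = s[i]; }
}

/* Constant-time compare: a mismatch must not leak which byte differed. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return d == 0;
}

/* Parse the 64-hex-char digest as the configuration stores it; reject short, long
 * or malformed values rather than verifying against garbage. */
int parse_hex_digest(const char *hex, uint8_t out[32]) {
    for (int i = 0; i < 64; i++) {
        int c = hex[i], l = c | 0x20;            /* l folds 'A'-'F' to 'a'-'f' */
        int v = (c >= '0' && c <= '9') ? c - '0' : (l >= 'a' && l <= 'f') ? l - 'a' + 10 : -1;
        if (v < 0) return 0;                     /* also stops at an early NUL */
        out[i / 2] = (uint8_t)((i & 1) ? (out[i / 2] << 4) | v : v);
    }
    return hex[64] == '\0';
}

/* Unsigned-kernel path: hash the image and compare with the stored digest. */
int verify_kernel_hash(const void *image, size_t len, const char *expected_hex) {
    uint8_t want[32], got[32];
    if (!parse_hex_digest(expected_hex, want)) return 0;
    sha256(image, len, got);
    return ct_equal(want, got, 32);
}

/* Simulated TPM PCR: extend is PCR := SHA-256(PCR || digest).  The log records each
 * extended digest so an attester can replay it; real TPM commands, PCR selection
 * and the firmware event-log format are not modelled. */
#define MAX_EVENTS 8
typedef struct { uint8_t pcr[32]; uint8_t log[MAX_EVENTS][32]; int count; } measured_pcr_t;

int pcr_extend(measured_pcr_t *m, const uint8_t digest[32]) {
    uint8_t buf[64];
    if (m->count >= MAX_EVENTS) return 0;
    memcpy(buf, m->pcr, 32); memcpy(buf + 32, digest, 32);
    sha256(buf, 64, m->pcr);
    memcpy(m->log[m->count++], digest, 32);
    return 1;
}

/* Attestation-side check: replay the log from a zeroed PCR and compare. */
int pcr_replay_matches(const measured_pcr_t *m) {
    measured_pcr_t r; memset(&r, 0, sizeof r);
    for (int i = 0; i < m->count; i++) pcr_extend(&r, m->log[i]);
    return ct_equal(r.pcr, m->pcr, 32);
}

/* Constructed 3-byte "kernel" and its config digest (the FIPS 180-4 "abc" vector). */
static const char KERNEL[] = "abc";
static const char KERNEL_HASH_CFG[] = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";

/* Boot flow: refuse unless the kernel hash matches, then hash the kernel into the
 * PCR (component hashing + extend) and confirm the log replays to the same value. */
int boot_flow(measured_pcr_t *m, const void *kernel, size_t len) {
    uint8_t d[32];
    if (!verify_kernel_hash(kernel, len, KERNEL_HASH_CFG)) return 0;
    sha256(kernel, len, d);
    return pcr_extend(m, d) && pcr_replay_matches(m);
}
```

Two properties of the extend operation are worth seeing in code: the PCR value depends on the order of measurements, not just their set, and a log entry that is altered after the fact no longer replays to the PCR, which is what lets a remote verifier trust the log only as far as the PCR it reproduces. Note also that the hash path only says the image matches what the configuration expects; if the configuration itself is not integrity-protected, an attacker who can edit it can substitute both kernel and digest, which is why the configuration storage below needs its own protection.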
For network boot operations:
- TLS/SSL support
- Certificate validation
- Encrypted PXE boot
- Secure configuration download
Protect bootloader from tampering:
- Self-checksum verification
- Read-only storage
- Hardware-based protection
- Tamper detection alerts
Secure configuration storage:
- Encrypted configuration
- Integrity verification
- Access control
- Audit logging
FerryBoot uses proven cryptographic implementations:
- RSA for asymmetric cryptography
- AES for symmetric encryption
- SHA-256/SHA-512 for hashing
- HMAC for message authentication
Secure key storage and management:
- Hardware key storage (TPM)
- Secure key derivation
- Key rotation support
- Certificate management
```c
#include <stddef.h>
#include <stdint.h>

/* rsa_public_key_t is defined elsewhere in FerryBoot; this forward declaration
   is added only so the excerpt compiles on its own. */
typedef struct rsa_public_key rsa_public_key_t;

// Hash functions: write a 32-byte (SHA-256) or 64-byte (SHA-512) digest to hash
int sha256_hash(const void* data, size_t len, uint8_t* hash);
int sha512_hash(const void* data, size_t len, uint8_t* hash);

// RSA operations: verify signature over data under pubkey
int rsa_verify(const uint8_t* signature, size_t sig_len,
               const uint8_t* data, size_t data_len,
               const rsa_public_key_t* pubkey);

// AES operations: key/IV interface with no authentication-tag parameter, so the
// caller should verify an HMAC over the ciphertext before decrypting; otherwise
// tampered ciphertext decrypts silently to garbage.
int aes_decrypt(const uint8_t* ciphertext, size_t len,
                const uint8_t* key, size_t key_len,
                const uint8_t* iv, uint8_t* plaintext);
```

The security module interface is the table of entry points that each security module implements:

```c
// Security module interface
typedef struct {
    int (*init)(void);
    void (*cleanup)(void);
    int (*verify_signature)(const uint8_t* sig, size_t sig_len,
                            const uint8_t* data, size_t data_len);
    int (*decrypt_volume)(const char* device, const char* passphrase);
} security_module_t;
```

Regular security testing:
- Static analysis
- Dynamic analysis
- Fuzz testing
- Penetration testing
Security standard compliance:
- NIST guidelines
- FIPS 140-2 (superseded by FIPS 140-3 for new module validations)
- Common Criteria
- ISO 27001
Security-focused development practices:
- Secure coding guidelines
- Code review processes
- Threat modeling
- Security training
Secure deployment practices:
- Secure key management
- Regular updates
- Monitoring and logging
- Incident response