secure-boot

A new bootable USB solution.

Hardware-based attestation / intrusion detection app for Android devices. It provides both local verification with another Android device via QR codes and optional scheduled server-based verification with support for alert emails. It uses hardware-backed keys and attestation support as the foundation and chains trust to the app for software checks.

macOS on Huawei Matebook X Pro 2018

Generate and sign kernel images for UEFI Secure Boot on Arch Linux

Jo's Embedded Serial File System (for Standard Serial NOR-Flash)

Tutorial to create full disk encryption with YubiKey, encrypted boot partition and secure boot with UEFI

Disabling kernel lockdown on Ubuntu without physical access

Linux UEFI library written in pure Go.

Tool for complete hardening of Linux boot chain with UEFI Secure Boot

Server code for use with the Auditor app: https://github.com/GrapheneOS/Auditor. It provides two services: submission of attestation data samples and a remote attestation implementation with email alerts to go along with the local implementation based on QR code scanning in the app.

OpenEmbedded layer for the use cases on secure boot, integrity and encryption

Windows 11 compability check with user friendly output

Punchboot

MultiZone® Security TEE is the quick and safe way to add security and separation to any RISC-V processors. The RISC-V standard ISA doesn't define TrustZone-like primitives to provide hardware separation. To shield critical functionality from untrusted third-party components, MultiZone provides hardware-enforced, software-defined separation of multiple equally secure worlds. Unlike antiquated hypervisor-like solutions, MultiZone is self-contained, presents an extremely small attack surface, and it is policy driven, meaning that no coding is required – and in fact even allowed. MultiZone works with any 32-bit or 64-bit RISC-V processors with standard Physical Memory Protection unit (PMP) and “U” mode.

Emulating Exynos 4210 BootROM in QEMU

UEFI Secure Boot for Arch Linux + btrfs snapshot recovery

Unsigned code loader for Exynos BootROM

Boot multiple systems from a single GRUB2-powered USB drive (just drop ISO or other modules to integrate into menu)

Secure EFI Loader designed to authenticate the non-PE files

systemd-boot integration with secure boot support

A small subset of the submitted sample data from https://github.com/GrapheneOS/Auditor. It has a sample attestation certificate chain per device model (ro.product.model) along with a subset of the system properties from the sample as supplementary information.

Unsigned code loader for Amlogic BootROM

The GRUB2 signing extension are some scripts which help you to verify, sign and unsign your GRUB2 bootloader files using GPG.

USB Format Tool - Make Bootable USB Drive with MBR and 2 Partitions

Script to sign external Linux kernel modules for UEFI Secure Boot.

Calculate future (next boot) TPM PCRs after a kernel upgrade

MultiZone® Security Enclave for Linux

An open source implementation of an AMD-V Secure Loader.

MultiZone® Trusted Firmware is the quick and safe way to build secure IoT applications with any RISC-V processor. It provides secure access to commercial and private IoT clouds, real-time monitoring, secure boot, and remote firmware updates. The built-in Trusted Execution Environment provides hardware-enforced separation to shield the execution of trusted applications from untrusted 3rd party libraries.

MultiZone® Security TEE for Arm® Cortex®-M is the quick and safe way to add security and separation to any Cortex-M based device. MultiZone® software can retrofit existing designs. If you don’t have TrustZone®, or if you require finer granularity than one secure world, you can take advantage of high security separation without the need for hardware and software redesign, eliminating the complexity associated with managing a hybrid hardware/software security scheme.