Secure Boot Encryption with Linux: Implementation for Embedded Developers
暫譯: Linux 安全啟動加密:嵌入式開發者的實作指南

Giometti, Rodolfo

  • 出版商: Apress
  • 出版日期: 2026-07-01
  • 售價: $1,230
  • 貴賓價: 9.5$1,168
  • 語言: 英文
  • 頁數: 236
  • 裝訂: Quality Paper - also called trade paper
  • ISBN: 9798868828171
  • ISBN-13: 9798868828171
  • 相關分類: Linux
  • 海外代購書籍(需單獨結帳)

相關主題

商品描述

Secure Boot Encryption with Linux serves as a quick guide to building and maintaining a secure, embedded Linux system by establishing a verifiable Chain-of-Trust from the moment power is applied until the first user space application takes control. It meticulously breaks down what the Secure Boot implementation is, and critically, what it is not by providing the technical knowledge necessary to guard against sophisticated bootkits and unauthorized code execution.

We begin by dissecting the Linux Cryptographic Subsystem and the core mechanism for secret protection: the Linux Key-Management Facility (Keyring). It provides an in-depth, practical guide to implementing Trusted Keys and Encrypted Keys, detailing how these secrets are secured by tying them to specialized hardware like the Trusted Platform Module (TPM). This unique focus ensures that critical encryption and signing keys are never exposed to user spaces, neutralizing the impact of successful root-level exploits. Next, we explore the implementation of a full Secure Boot Chain-of-Trust. Readers will learn how the Chain-of-Trust works from the initial pre-bootloader (e.g., U-Boot SPL or the Arm Trusted Firmware), through the main bootloader, up to the kernel and the root filesystem. This process guarantees that only code signed by a trusted authority is executed, providing unparalleled protection against firmware injection and persistent bootkits. we finish by looking at a blue print for Secure System Lifecycle Management, integrating the kernel's key-management with Transparent Encryption (dm-crypt) for the root filesystem and detailing the procedures for maintaining security over time.

By focusing on root-proof key management and end-to-end integrity enforcement, this pocket guide is essential reading for developers and security archtects who need to build resilient Linux products that meet the highest standards of modern cybersecurity.

You Will Learn:

  • How to implement and manage cryptographic secrets using the Linux Key-Management Facility (Keyring)
  • Understand how to use the Linux Crypto API for secure hashing, signing, and encryption operations
  • How to establish an unbreakable Chain-of-Trust that verifies the integrity and authenticity of every system component, from the initial hardware Root-of-Trust and the pre-bootloader to the final Linux kernel load.
  • How to achieve Transparent Full Disk Encryption by integrating the secure Keyring with key technologies for data confidentiality for OS and Kernel levels

This Book is for:

Experienced embedded Linux developers and security architects

商品描述(中文翻譯)

Linux 的安全啟動加密》是一本快速指南,旨在通過建立可驗證的信任鏈,從通電的那一刻起,直到第一個用戶空間應用程序接管控制,來構建和維護安全的嵌入式 Linux 系統。它詳細解析了安全啟動的實現是什麼,以及更重要的是,它不是什麼,並提供了必要的技術知識,以防範複雜的啟動工具和未經授權的代碼執行。

我們首先剖析 Linux 加密子系統及其保護秘密的核心機制:Linux 密鑰管理設施(Keyring)。本書提供了實施受信任密鑰和加密密鑰的深入實用指南,詳細說明了如何通過將這些秘密與專用硬體(如受信任的平台模組 TPM)綁定來保護它們。這一獨特的重點確保了關鍵的加密和簽名密鑰永遠不會暴露於用戶空間,從而中和成功的根級漏洞攻擊的影響。接下來,我們探討完整的安全啟動信任鏈的實現。讀者將學習信任鏈如何從初始的預啟動加載程序(例如 U-Boot SPL 或 Arm 受信任固件)開始,經過主啟動加載程序,直到內核和根文件系統。這一過程保證只有由受信任的權威簽名的代碼被執行,提供了對固件注入和持久啟動工具的無與倫比的保護。我們最後將探討安全系統生命週期管理的藍圖,將內核的密鑰管理與透明加密(dm-crypt)集成,用於根文件系統,並詳細說明維護安全的程序。

通過專注於根證明的密鑰管理和端到端的完整性執行,這本口袋指南是開發人員和安全架構師必讀的資料,他們需要構建符合現代網絡安全最高標準的韌性 Linux 產品。

您將學到:


  • 如何使用 Linux 密鑰管理設施(Keyring)實施和管理加密秘密

  • 了解如何使用 Linux Crypto API 進行安全的哈希、簽名和加密操作

  • 如何建立一個不可破壞的信任鏈,以驗證每個系統組件的完整性和真實性,從初始硬體信任根和預啟動加載程序到最終的 Linux 內核加載。

  • 如何通過將安全的 Keyring 與操作系統和內核層級的數據保密關鍵技術集成來實現透明的全磁碟加密。


本書適合:

經驗豐富的嵌入式 Linux 開發人員和安全架構師

作者簡介

Rodolfo Giometti is an Engineer, IT specialist, embedded GNU/Linux expert and Software Libre evangelist. He has over twenty years of experience with GNU/Linux Embedded on x86, ARM, MIPS & PowerPC based platforms, and he is the maintainer of the LinuxPPS projects (the Linux's Pulse Per Second subsystem). Rodolfo still actively contributes to the Linux source code contributing several patches and new device drivers for industrial applications devices.

作者簡介(中文翻譯)

Rodolfo Giometti 是一位工程師、IT 專家、嵌入式 GNU/Linux 專家以及自由軟體的推廣者。他在基於 x86、ARM、MIPS 和 PowerPC 平台的 GNU/Linux 嵌入式系統方面擁有超過二十年的經驗,並且是 LinuxPPS 專案(Linux 的每秒脈衝子系統)的維護者。Rodolfo 仍然積極貢獻於 Linux 原始碼,為工業應用設備提供多個補丁和新的設備驅動程式。