@@ -147,7 +147,7 @@ The scope covers components that participate in or manage the boot process, from
Products in scope include boot management software and firmware that controls or participates in the boot process from power-on until handover to the boot target, whether integrated into system firmware or provided as standalone components, regardless of their distribution model. This category includes but is not limited to:
- System firmware that performs hardware initialization and boot management
- Standalone bootloaders that manage operating system selection and loading
- Standalone bootloaders that manage boot target selection and loading
- Embedded boot firmware commonly used in embedded and IoT devices
- Network boot implementations that enable remote boot capabilities
- Platform initialization firmware that executes from power-on until boot manager control
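Review bot: the switch from "operating system selection" to "boot target selection" in the standalone-bootloader bullet is the right move for consistency with the rest of the scope, but the surrounding context still has an agreement slip: "boot management software and firmware that controls or participates in the boot process" pairs a plural subject with singular verbs. Suggest "that control or participate in the boot process" in the same pass. Also note that the last bullet, "Platform initialization firmware that executes from power-on until boot manager control", and the first, "System firmware that performs hardware initialization and boot management", overlap; consider saying in the first bullet that it covers the boot-manager role and in the last that it covers the pre-boot-manager phase, so readers can tell which one their product falls under.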
@@ -281,16 +281,7 @@ The product context identifies the operational characteristics, deployment envir
## 4.2 Product overview
Boot managers include components that execute from power-on through boot target handover and establishing the platform's security posture for system operations.
Boot managers implement various architectural patterns based on platform requirements:
- Single-stage: Direct loading of boot target without intermediate stages
- Multi-stage: Sequential loading through intermediate stages with handoff between each
- Network-enabled: Loading from network sources
- Platform initialization: Pre-boot firmware that establishes initial trust before main boot
Boot managers may operate with or without cryptographic verification mechanisms, as detailed in the architectural descriptions in Section 4.3.1.
Boot managers include components that execute from power-on through boot target handover and establishing the platform's security posture for system operations. They may operate with or without cryptographic verification mechanisms, as detailed in the architectural descriptions in Section 4.3.1.
Boot managers typically reside in non-volatile storage (SPI flash, eMMC boot partitions, QSPI) and are loaded into memory for execution. The boot target may be an operating system, hypervisor, another bootloader, embedded application, or recovery environment, and may reside in the same or different storage media.
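Review bot: the four removed bullets (Single-stage, Multi-stage, Network-enabled, Platform initialization) were the only place in 4.2 that named the architectural patterns, and the merged paragraph now only points to "the architectural descriptions in Section 4.3.1". Before deleting them, confirm that 4.3.1 actually enumerates all four; otherwise the "Platform initialization" pattern, which the scope section still lists as in scope, loses its description. The merged sentence also carries over a grammatical slip from the original: "components that execute from power-on through boot target handover and establishing the platform's security posture" should read "and establish the platform's security posture".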
@@ -372,7 +363,6 @@ The architectural choices and functional extensions described in the previous se
- Configuration: User-modifiable settings or fixed configuration
- Recovery mechanisms: Recovery mode available or not
- Boot target selection: Multiple boot targets or single target
- Update granularity: None / Config-only / Partial / Full
The presence or absence of these capabilities determines which requirement profiles apply as defined in Section 6.
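Review bot: dropping "Update granularity: None / Config-only / Partial / Full" from this capability list removes the one dimension that the profile selection in Section 6 depends on. The retained closing sentence says "The presence or absence of these capabilities determines which requirement profiles apply as defined in Section 6", yet Section 6 still splits into SP-UPDATE and SP-IMMUTABLE and still has a "6.4.1 Fully updatable" level. If the intent is to simplify, keep at least a binary item such as "- Update capability: updatable or immutable" so the mapping to 6.4 stays derivable from this list.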
@@ -450,6 +440,13 @@ Legitimate actors with direct system access include:
These interactions represent points where boot manager security can be modified, backdoored or bypassed, requiring appropriate access controls and authentication mechanisms.
Interactions requiring special attention:
- Device resale or transfer
- Return for service/warranty
- Employee termination (enterprise devices)
- End-of-life disposal
## 4.5 Use cases
### 4.5.1 Deployment context
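Review bot: the added list is the one removed from the lifecycle part of Section 5 later in this patch, which is a sensible relocation, but it now sits under "Legitimate actors with direct system access" and the lead-in "These interactions represent points where boot manager security can be modified, backdoored or bypassed" does not describe resale, warranty return, termination or disposal, which are lifecycle events rather than interactions. Suggest "Lifecycle events requiring special attention:" and one sentence saying why they matter here, for instance that each one changes who the legitimate actor is without a reboot-time check. Also note the bullet order differs from the removed list ("Return for service/warranty" moved to second); fine if intentional, but keep one order across the document.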
@@ -479,295 +476,295 @@ The following use cases provide a high-level overview how boot managers operate
-device has no user interface for boot configuration
-cannot be updated independently from main firmware
-operates on battery or low power
-no network connectivity during boot
-if compromised, entire device must be replaced
-may be placed in private spaces (bedrooms, bathrooms)
-may be purchased second-hand without factory reset
-firmware may outlive vendor support by years
-Device has no user interface for boot configuration
-Cannot be updated independently from main firmware
-Operates on battery or low power
-No network connectivity during boot
-If compromised, entire device must be replaced
-May be placed in private spaces (bedrooms, bathrooms)
-May be purchased second-hand without factory reset
-Firmware may outlive vendor support by years
**UC-HOME-2** Consumer home entertainment device (ie. smart TV)
-no keyboard, remote control interface only
-accepts USB media
-may access online content
-ability so send local (potentially private) data to remote servers via internet connection
-may automatically download updates from vendor servers
-children may attempt to bypass parental controls
-disposed with personal viewing history intact
-service technicians may need diagnostic boot modes
-integrated cameras/microphones with storage of private media
-No keyboard, remote control interface only
-Accepts USB media
-May access online content
-Ability so send local (potentially private) data to remote servers via internet connection
-May automatically download updates from vendor servers
-Children may attempt to bypass parental controls
-Disposed with personal viewing history intact
-Service technicians may need diagnostic boot modes
-Integrated cameras/microphones with storage of private media
**UC-HOME-3** Consumer home router
-exposed to untrusted network
-device stores credentials (ISP, WiFi)
-provides factory reset via physical button
-may automatically download firmware from vendor servers
-always-on device, rarely rebooted
-may be accessible to guests and visitors in physical space
-may have vendor backdoor for ISP support
-may cascade failures to connected devices
-can influence all connected devices
-can access private data on the internal network
-Exposed to untrusted network
-Device stores credentials (ISP, WiFi)
-Provides factory reset via physical button
-May automatically download firmware from vendor servers
-Always-on device, rarely rebooted
-May be accessible to guests and visitors in physical space
-May have vendor backdoor for ISP support
-May cascade failures to connected devices
-Can influence all connected devices
-Can access private data on the internal network
**UC-STAT-1** Personal desktop computer
-allows user to select boot device
-permits disabling verified boot for compatibility
-stores arbitrary personal files and credentials
-may store multiple OS entries
-may be modified with hardware additions
-update capability of security certificates by an OS vendor
-gaming users may disable security for performance
-enthusiasts may overclock requiring custom settings
-dual-boot configurations complicate secure boot
-Allows user to select boot device
-Permits disabling verified boot for compatibility
-Stores arbitrary personal files and credentials
-May store multiple OS entries
-May be modified with hardware additions
-Update capability of security certificates by an OS vendor
-Gaming users may disable security for performance
-Enthusiasts may overclock requiring custom settings
-Dual-boot configurations complicate secure boot
**UC-STAT-2** Enterprise-managed workstation
-device owned by organization, not user
-stores configured boot policies
-enforces secure boot without override
-measured boot state for disk encryption
-requires admin credentials for changes
-reports attestation to corporate network
-must survive employee termination procedures
-regulatory compliance may require specific configurations
-Device owned by organization, not user
-Stores configured boot policies
-Enforces secure boot without override
-Measured boot state for disk encryption
-Requires admin credentials for changes
-Reports attestation to corporate network
-Must survive employee termination procedures
-Regulatory compliance may require specific configurations
**UC-STAT-3** Thin client terminal
-stores only network boot configuration
-downloads OS image from server
-has no local OS storage
-resets to clean state on reboot
-may be used in public spaces (libraries, hotels)
-network outage leaves device unusable
-server compromise affects all terminals connected
-Stores only network boot configuration
-Downloads OS image from server
-Has no local OS storage
-Resets to clean state on reboot
-May be used in public spaces (libraries, hotels)
-Network outage leaves device unusable
-Server compromise affects all terminals connected
**UC-MOB-1** Smartphone
-stores device-unique cryptographic keys in hardware
-collects personal data including biometrics for unlock
-frequently travels through untrusted environments
-target of theft, carried through borders
-integrates with payment and banking systems via apps
-enforces manufacturer boot policy by default
-user may wipe data on the device remotely
-law enforcement may attempt forced unlock
-repair shops need diagnostic access without data exposure
-trade-in require verifiable secure wipe
-screen damage may prevent user interaction for recovery
-usually receives over the air updates on a regular basis
-effort by user to keep updated is lower compared to servers or workstations (can be done by children)
-Stores device-unique cryptographic keys in hardware
-Collects personal data including biometrics for unlock
-Frequently travels through untrusted environments
-Target of theft, carried through borders
-Integrates with payment and banking systems via apps
-Enforces manufacturer boot policy by default
-User may wipe data on the device remotely
-Law enforcement may attempt forced unlock
-Repair shops need diagnostic access without data exposure
-Trade-in require verifiable secure wipe
-Screen damage may prevent user interaction for recovery
-Usually receives over the air updates on a regular basis
-Effort by user to keep updated is lower compared to servers or workstations (can be done by children)
**UC-MOB-2** Tablet
-similar to UC-MOB-1
-may be shared in the household or with guests
-may be shared with children
-used for point-of-sale in businesses
-Similar to UC-MOB-1
-May be shared in the household or with guests
-May be shared with children
-Used for point-of-sale in businesses
**UC-MOB-3** Personal laptop
-similar to UC-STAT-1
-target of theft, carried through borders
-exposed to untrusted network
-lid-close doesn't mean powered-off
-Similar to UC-STAT-1
-Target of theft, carried through borders
-Exposed to untrusted network
-Lid-close doesn't mean powered-off
- Powered-off may be doesn't mean really off-state
- "evil maid" attacks
-customs/border inspection scenarios
-coffee shop shoulder-surfing during boot
- "Evil maid" attacks
-Customs/border inspection scenarios
-Coffee shop shoulder-surfing during boot
**UC-MOB-4** Enterprise-managed corporate laptop
-similar to UC-STAT-2
-travels with employee
-may be remotely wiped or bricked if reported stolen
-crossing international borders with encrypted data
-temporary contractor access requirements
-devices by employees may be targeted specifically due to corporate function
-Similar to UC-STAT-2
-Travels with employee
-May be remotely wiped or bricked if reported stolen
-Crossing international borders with encrypted data
-Temporary contractor access requirements
-Devices by employees may be targeted specifically due to corporate function
**UC-INFRA-1** Datacenter server
-physical access to systems restricted
-configured via remote management interface
-stores network boot parameters
-not accessible to end users
-must boot headless without user intervention
-decommissioning requires verifiable secure wipe
-Physical access to systems restricted
-Configured via remote management interface
-Stores network boot parameters
-Not accessible to end users
-Must boot headless without user intervention
-Decommissioning requires verifiable secure wipe
**UC-INFRA-2** Cloud service machine
-loads hypervisor instead of OS
-stores VM boot configurations
-validates hypervisor integrity
-manages nested boot processes
-virtual machine boot images
-no physical security boundary
-customer VM images may contain malware
-multi-tenant isolation requirements
-multiple different users at a time
-no control of the type of user (normal user, enterprise user, state actor)
-Loads hypervisor instead of OS
-Stores VM boot configurations
-Validates hypervisor integrity
-Manages nested boot processes
-Virtual machine boot images
-No physical security boundary
-Customer VM images may contain malware
-Multi-tenant isolation requirements
-Multiple different users at a time
-No control of the type of user (normal user, enterprise user, state actor)
**UC-INFRA-3** Edge computing device
-deployed in remote locations
-limited physical security compared to UC-INFRA-1 and UC-INFRA-2
-must operate autonomously
-network connectivity may be intermittent
-environmental extremes (temperature, humidity)
-wildlife or weather damage possible
-maintenance visits expensive/rare
-cellular backup connectivity for recovery
-Deployed in remote locations
-Limited physical security compared to UC-INFRA-1 and UC-INFRA-2
-Must operate autonomously
-Network connectivity may be intermittent
-Environmental extremes (temperature, humidity)
-Wildlife or weather damage possible
-Maintenance visits expensive/rare
-Cellular backup connectivity for recovery
**UC-INFRA-4** Network infrastructure device
-router, switch, firewall
-always-on operation
-exposed to hostile network traffic
-critical to network operation
-configuration errors affect entire network
-targeted by nation-state actors
-backdoor concerns from manufacturer
-operates 24/7 with rare reboots
-Router, switch, firewall
-Always-on operation
-Exposed to hostile network traffic
-Critical to network operation
-Configuration errors affect entire network
-Targeted by nation-state actors
-Backdoor concerns from manufacturer
-Operates 24/7 with rare reboots
**UC-IND-1** Industrial control system
-critical infrastructure
-controls physical processes
-safety-critical operation
-Critical infrastructure
-Controls physical processes
-Safety-critical operation
- 15-20 year lifecycle
-may be air-gapped but USB can be used
-may require support for legacy protocols
-May be air-gapped but USB can be used
-May require support for legacy protocols
**UC-IND-2** Building automation controller
- HVAC, lighting, access control
-integration with legacy systems
-Integration with legacy systems
- 15-20 year lifecycle
-contractors need temporary access
-energy efficiency monitoring
-fire/safety system integration
-Contractors need temporary access
-Energy efficiency monitoring
-Fire/safety system integration
**UC-MED-1** Diagnostic equipment
- MRI, CT scanner, X-ray
-patient data protection
-scheduled maintenance windows
-Patient data protection
-Scheduled maintenance windows
**UC-MED-2** Patient monitoring device
-continuous operation required
-patient safety critical
-visitor tampering
-fluid ingress risks
-Continuous operation required
-Patient safety critical
-Visitor tampering
-Fluid ingress risks
**UC-MED-3** Medical IT infrastructure
-hospital information systems
-electronic health records
-ransomware recovery critical
-Hospital information systems
-Electronic health records
-Ransomware recovery critical
**UC-REG-1** Payment terminal or ATM
-public physical exposure
-stores tamper detection state
-halts boot if security check fails
-regulatory compliance
-cash cassette access controls
-surveillance camera present
-transaction during network outages
-Public physical exposure
-Stores tamper detection state
-Halts boot if security check fails
-Regulatory compliance
-Cash cassette access controls
-Surveillance camera present
-Transaction during network outages
**UC-REG-2** Voting machine
-public verifiability required
-sealed between elections
-comprehensive audit trail
-storage between elections in uncontrolled environments
-Public verifiability required
-Sealed between elections
-Comprehensive audit trail
-Storage between elections in uncontrolled environments
**UC-REG-3** Gaming/gambling terminal
-anti-tampering required
-detailed logging for disputes
-random number generator certification
-payout percentage verification
-proper gambler lockout systems
-cash handling integration
-surveillance systems
-tournament mode configurations
-Anti-tampering required
-Detailed logging for disputes
-Random number generator certification
-Payout percentage verification
-Proper gambler lockout systems
-Cash handling integration
-Surveillance systems
-Tournament mode configurations
**UC-REG-4** Government/military system
-classified information processing
-strict access controls
-hardware supply chain verification
-electromagnetic emanation controls
-Classified information processing
-Strict access controls
-Hardware supply chain verification
-Electromagnetic emanation controls
**UC-DEV-1** Development board
-frequent reflashing
-debug access
-security features often disabled
-experimental code execution
-power supply instabilities
-Frequent reflashing
-Debug access
-Security features often disabled
-Experimental code execution
-Power supply instabilities
**UC-DEV-2** Continuous integration system
-automated testing
-frequent boot cycles
-multiple configurations tested
-rollback capability essential
-test image library management
-malware in test suites
-container/VM hybrid environments
-Automated testing
-Frequent boot cycles
-Multiple configurations tested
-Rollback capability essential
-Test image library management
-Malware in test suites
-Container/VM hybrid environments
**UC-DEV-3** Security research platform
-intentional vulnerability testing
-forensic analysis capability
-extensive logging
-isolation from production
-exploit development workspace
-Intentional vulnerability testing
-Forensic analysis capability
-Extensive logging
-Isolation from production
-Exploit development workspace
<mark>FIXME Add more use cases from below?</mark>
-smart watches
-fitness tracker
-vehicle infotainment system
-vehicle control unit
-fleet management device
-digital signage/billboard
-Smart watches
-Fitness tracker
-Vehicle infotainment system
-Vehicle control unit
-Fleet management device
-Digital signage/billboard
- LED lighting controller
-scientific instrument controller
-satellite/spacecraft systems
-broadcasting equipment
-drone/UAV controller
-retail self-checkout kiosk
-smart meter
-elevator control system
-prison/detention facility systems
-agricultural equipment
-mining/drilling equipment
-food service equipment
-fitness/gym equipment
-parking systems
-emergency communication systems
-vending machines
-Scientific instrument controller
-Satellite/spacecraft systems
-Broadcasting equipment
-Drone/UAV controller
-Retail self-checkout kiosk
-Smart meter
-Elevator control system
-Prison/detention facility systems
-Agricultural equipment
-Mining/drilling equipment
-Food service equipment
-Fitness/gym equipment
-Parking systems
-Emergency communication systems
-Vending machines
- 3D printer
-logic analyzer
-solar inverter
-electric vehicle charger
-cryptocurrency hardware wallet
-bluetooth/WiFi module
-storage controller (RAID/HBA)
-network card
-Logic analyzer
-Solar inverter
-Electric vehicle charger
-Cryptocurrency hardware wallet
-Bluetooth/WiFi module
-Storage controller (RAID/HBA)
-Network card
- KVM switch
- UPS (Uninterruptible Power Supply)
-access card reader
-Access card reader
- GPS tracker
-weather station
-Weather station
## 4.6 Threat considerations
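Review bot: the capitalization pass copies several defects of the old lines verbatim into the new ones, so this is the moment to fix them: "Ability so send local (potentially private) data" (UC-HOME-2) should be "Ability to send"; "Trade-in require verifiable secure wipe" (UC-MOB-1) should be "Trade-in requires"; "Devices by employees may be targeted specifically due to corporate function" (UC-MOB-4) reads better as "Employee devices may be targeted specifically because of their corporate function"; and the heading "Consumer home entertainment device (ie. smart TV)" should use "e.g." since a smart TV is one example, not a definition. The untouched context line " Powered-off may be doesn't mean really off-state" (UC-MOB-3) stays garbled and should become "Powered-off does not necessarily mean a true off state". Bullet formatting is also inconsistent within the hunk: context lines such as "- 15-20 year lifecycle" and "- HVAC, lighting, access control" have a space after the hyphen while the new lines do not, so either style should be applied to all of them in this pass. Finally, the `<mark>FIXME Add more use cases from below?</mark>` list gets capitalized as if it were final content; if it is still a draft note, it may be better left alone until the use cases are actually written up.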
@@ -786,6 +783,8 @@ For devices with a long lifetime, the following considerations should been taken
- Keys get compromised over time
- Hardware is aging and cause faults
<mark>FIXME Add longterm use considerations</mark>
# 5 Requirements
<mark>FIXME Change requirements to include unique identifiers (REQ-BM-xxx) and test methods, current lists only indicate requirement areas to be addressed.</mark>
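Review bot: the two FIXME markers are fine as placeholders, but the context around them has grammar that a later editor will otherwise keep inheriting: the hunk header context "should been taken into account" should be "should be taken into account", and "Hardware is aging and cause faults" should be "Aging hardware causes faults". Since the requirements FIXME announces unique identifiers (REQ-BM-xxx) and test methods, it would help to record in the same note which numbering scheme the use-case identifiers (UC-HOME-1 and so on) already follow so the requirement IDs can cross-reference them.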
@@ -886,7 +885,6 @@ For devices with a long lifetime, the following considerations should been taken
### 5.2.13 Specific functional requirements
- Special hardware provisions
- Provisions for immutable components
- Network boot security requirements
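Review bot: removing "Network boot security requirements" from 5.2.13 leaves network boot without any requirement area, while the scope section in this same patch still lists "Network boot implementations that enable remote boot capabilities" as in scope and the use cases UC-STAT-3 (downloads OS image from server) and UC-INFRA-1 (stores network boot parameters) depend on it. Either keep the bullet or add a cross-reference in 5.2.13 to the section that now covers image authentication and server trust for network boot, so the deletion does not read as a silent drop of coverage.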
@@ -912,13 +910,6 @@ For secure lifecycle:
- Clear sensitive data from memory after use
- Document any data that cannot be erased
Use cases requiring special attention:
- Device resale or transfer
- Employee termination (enterprise devices)
- End-of-life disposal
- Return for service/warranty
NOTE: Configuration systems shall distinguish between user data and system configuration, allowing selective erasure of user data while maintaining device function.
<mark>FIXME Owner control? User-enrollable keys, alternative boot paths, support for multiple certificate authorities</mark>
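Review bot: moving the "Use cases requiring special attention" list out of the lifecycle requirements into Section 4.4 is reasonable, but the retained NOTE then becomes the only normative-sounding text left here, and it uses "shall" inside a NOTE: "NOTE: Configuration systems shall distinguish between user data and system configuration". In most standards conventions a NOTE is informative and cannot carry "shall"; either promote that sentence to a numbered requirement in the list above it (next to "Clear sensitive data from memory after use") or reword it as "should". The open FIXME on owner control (user-enrollable keys, alternative boot paths, multiple certificate authorities) would also fit better next to the 6.2 configuration items this patch touches below.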
@@ -937,9 +928,9 @@ NOTE: Configuration systems shall distinguish between user data and system confi
When configuration is supported, it needs:
-certificate update mechanisms
-key enrollment procedures
-signature database management
-Certificate update mechanisms
-Key enrollment procedures
-Signature database management
## 6.3 SP-MEASURED: Measured boot profile
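Review bot: the capitalization is fine, but the lead-in "When configuration is supported, it needs:" has an ambiguous subject ("it" could be the profile or the boot manager) and is informal for a requirements profile; suggest "When configuration is supported, the boot manager shall provide:" followed by the three items. The bullets here also lack the space after the hyphen that the context bullets elsewhere in the document use, so align them in this pass rather than leaving two bullet styles.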
@@ -950,9 +941,7 @@ When configuration is supported, it needs:
NOTE: SP-UPDATE and SP-IMMUTABLE are mutually exclusive profiles. A boot manager implements either SP-UPDATE (if any components can be updated) or SP-IMMUTABLE (if no updates are possible).
Applies when any boot manager component can be updated post-manufacture
Update capability levels:
Applies when any boot manager component can be updated post-manufacture.
### 6.4.1 Fully updatable
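Review bot: deleting "Update capability levels:" leaves 6.4.1 "Fully updatable" and its sibling subsections without the sentence that introduces them as levels of one dimension. Keep a short lead-in after "Applies when any boot manager component can be updated post-manufacture." such as "The following subsections define the update capability levels.", and make the level names here match whatever remains of the "Update granularity" item that this patch removes from the capability list in Section 4, so a reader can still map a product's declared granularity to a 6.4.x level.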
@@ -1079,9 +1068,12 @@ Once the present document is cited in the Official Journal of the European Union