A comprehensive implementation of secure boot concepts for educational purposes, demonstrating protection against boot-level and kernel-level attacks.
This project implements a Chain of Trust that verifies kernel integrity before allowing boot. It uses industry-standard cryptographic techniques (SHA-256 + RSA-2048) aligned with real-world secure boot implementations.
Traditional boot processes often load the operating system kernel without strong integrity checks. If an attacker installs a rootkit/bootkit or modifies the kernel image, the system may boot a compromised OS without any warning.
This project solves the problem of unauthorized or tampered kernels being loaded during boot, by enforcing a cryptographic verification step before boot is allowed.
- Design an educational Secure Boot model using SHA-256 and RSA-2048
- Verify kernel integrity before boot authorization
- Detect and block tampered or malicious kernel images
- Provide clear attack simulations and logs for teaching and demos
- Offer a Kali Linux–friendly implementation for security students
- ✅ SHA-256 Kernel Hashing - Creates unique fingerprint of kernel image
- ✅ RSA-2048 Digital Signatures - Authenticates kernel origin
- ✅ Tamper Detection - Blocks modified/compromised kernels
- ✅ Security Logging - Auditable record of all verification attempts
- ✅ Attack Simulation - Demonstrates rootkit/bootkit detection
- ✅ Key Revocation - Block compromised signing keys
- ✅ Timestamp Verification - Anti-replay protection
- ✅ Performance Benchmarks - Measure cryptographic speeds
- ✅ Recovery Mode - Safe boot options when verification fails
- ✅ HTML Reports - Professional test result documentation
- Operating System: Linux (tested on Kali Linux)
- Compiler: GCC
- Libraries: OpenSSL development libraries
- Tools: Make, Bash
```bash
# Clone the repository
git clone https://github.com/Ayushkumar418/SecBootKIVS.git
# Navigate to project directory
cd SecBootKIVS
```

```bash
# Debian/Ubuntu/Kali (apt)
sudo apt update
sudo apt install build-essential libssl-dev
```

```bash
# Fedora (dnf)
sudo dnf install gcc make openssl-devel
```

```bash
# Arch Linux (pacman)
sudo pacman -S base-devel openssl
```

```bash
# 1. Build the project
make all
# 2. Generate RSA key pair
make genkeys
# 3. Run interactive demonstration
make demo
# 4. Run automated tests
make test
```

```
SecBootKIVS/
├── src/
│   ├── crypto/       # SHA-256 and RSA implementation
│   ├── signing/      # Kernel signing tool
│   ├── bootloader/   # Boot verification module
│   ├── logger/       # Security event logging
│   ├── security/     # Key revocation, timestamps
│   └── benchmark/    # Performance measurement
├── scripts/          # Automation scripts
├── tests/            # Test suite and attack simulations
├── grub/             # GRUB integration configuration
├── keys/             # Generated cryptographic keys
├── reports/          # Generated HTML reports
├── docs/             # Additional documentation
└── Makefile
```
| Command | Description |
|---|---|
| `make all` | Build all components |
| `make clean` | Remove build artifacts |
| `make genkeys` | Generate RSA key pair |
| `make demo` | Run interactive demonstration |
| `make test` | Run automated test suite (12 tests) |
| `make attack` | Run attack simulation (6 attacks) |
| `make benchmark` | Run performance benchmarks |
| `make report` | Generate HTML test report |
| `make recovery` | Start recovery mode |
| `make help` | Show all available commands |
```bash
# Sign a kernel image
./bin/kernel_signer sign /path/to/vmlinuz keys/private_key.pem vmlinuz.sig
```

```bash
# Verify a kernel image against its signature
./bin/boot_verifier /path/to/vmlinuz vmlinuz.sig keys/public_key.pem
```

```bash
make report
# Opens reports/test_report.html
```

```
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│  Private Key    │───>│  Sign Kernel    │───>│  Signature      │
│ (Keep Secret!)  │    │ (SHA-256+RSA)   │    │ (.sig file)     │
└─────────────────┘    └─────────────────┘    └─────────────────┘
                                                       │
        ┌──────────────────────────────────────────────┘
        v
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│  Public Key     │───>│  Verify Kernel  │───>│  Boot Decision  │
│ (In Loader)     │    │ (At Boot)       │    │  Allow/Deny     │
└─────────────────┘    └─────────────────┘    └─────────────────┘
```
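The flow in the diagram above can be reproduced with the `openssl` command-line tool, which makes the allow/deny outcomes easy to observe. This is an added example, not the project's own code: the function names, the temporary file names and the zero-filled stand-in kernel are assumptions, and the signature file it writes is not claimed to match the project's `.sig` format.

```bash
#!/usr/bin/env bash
# Added example (not the project's code): sign with a private key, verify with
# the matching public key, and deny boot when either the image or the signer changes.
set -u

# Signer side: create an RSA-2048 pair as <prefix>_private.pem / <prefix>_public.pem.
make_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1_private.pem" 2>/dev/null
    openssl pkey -in "$1_private.pem" -pubout -out "$1_public.pem"
}

# Signer side: SHA-256 digest of the image, signed with the private key.
sign_kernel() {  # sign_kernel <kernel> <private_key> <sig_out>
    openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# Loader side: print ALLOW or DENY; exit status is 0 only when the signature verifies.
boot_decision() {  # boot_decision <kernel> <sig> <public_key>
    if openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1; then
        echo ALLOW
    else
        echo DENY
        return 1
    fi
}

# Copy the image and overwrite a single byte at offset 4096.
tamper_copy() {  # tamper_copy <src> <dst>
    cp "$1" "$2"
    printf '\220' | dd of="$2" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_keys "$d/trusted"; make_keys "$d/other"
    head -c 65536 /dev/zero > "$d/vmlinuz"   # constructed stand-in kernel
    sign_kernel "$d/vmlinuz" "$d/trusted_private.pem" "$d/vmlinuz.sig"
    tamper_copy "$d/vmlinuz" "$d/vmlinuz.bad"
    sign_kernel "$d/vmlinuz" "$d/other_private.pem" "$d/other.sig"
    echo "intact kernel:    $(boot_decision "$d/vmlinuz" "$d/vmlinuz.sig" "$d/trusted_public.pem")"
    echo "one byte changed: $(boot_decision "$d/vmlinuz.bad" "$d/vmlinuz.sig" "$d/trusted_public.pem")"
    echo "untrusted signer: $(boot_decision "$d/vmlinuz" "$d/other.sig" "$d/trusted_public.pem")"
    rm -rf "$d"
}
demo
```

Only the first case prints `ALLOW`; a caller gating a boot step should branch on the exit status of `boot_decision` rather than parse its output.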
- ARCHITECTURE.md - System design and boot flow diagrams
- TESTING.md - Testing procedures and Kali Linux setup
- TECH.md - Technologies and concepts used
- This is a simulation, not a full UEFI Secure Boot implementation
- The boot verification runs in user space, not in firmware
- It does not use a hardware root of trust (TPM, HSM, Secure Element)
- Private key storage is file-based, not hardware-protected
- Kernel is simulated as a file, not the actual `/boot/vmlinuz` of the host OS
This project is meant for learning and demonstration, not for production use.
This project models the same core ideas used in real-world Secure Boot:
- UEFI Secure Boot
  - Firmware holds trusted public keys
  - Only signed bootloaders/kernels are executed
- Our Project
  - `keys/public_key.pem` represents firmware-trusted public key
  - `bin/boot_verifier` represents the verification logic in firmware/bootloader
  - Signed kernel + `.sig` file represent trusted boot artifacts
By understanding this project, students can better understand how Secure Boot, kernel integrity, and chain of trust work on real systems.
- Fork the repository
- Create your feature branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
This project is for educational purposes only. Not for production deployment.
Ayush Kumar
OS Security Project - Academic Demonstration
- OpenSSL Project for cryptographic libraries
- UEFI Forum for Secure Boot specification reference
- Kali Linux for testing environment