This is a follow-up from our Accessing the U-Boot environment from a C program blog post.

🌳Need to protect the environment

When you’re trying to harden an embedded Linux device to make it more resistant to attacks, one key part to secure is the bootloader, because that’s the part that boots the operating system. Even you implement a secure boot chain, if an attacker manages to interrupt the boot process and get access to the bootloader shell, this attacker would be able to load and run her/his own payload on the device.

This is another blog post about securing your Yocto built systems:

• Securing Yocto Built Systems overview presentation slides

• Yocto Security: Production and Development Images

• Yocto security: Kernel Hardening ⬅️

Introduction

The Linux kernel is the cornerstone and stronghold of a Linux based system. Unlike user-space applications which run with limited privileges, if it’s compromised, there is almost no limit to what an attacker can do.

While nothing is unbreakable, there are two types of settings you can change to make your kernel harder to compromise: