New mobile bootloaders play an important role in both the function and the security of the device. They help assure the Chain of Trust (CoT), where each step of the boot process validates the integrity and origin of the following stage before executing it. This process, in theory, should be impervious even to attackers getting full control over the operating system and should limit persistent compromise of a device’s CoT.
But, not only do these bootloaders necessarily require to accept untrusted input from an attacker in control of the operating system in the process of performing their function, however also several of their confirmation measures can be disabled or unlocked to provide for the development and user customization.
With the significant importance of the integrity of today’s mobile and embedded devices, vendors have performed a string of inter-dependent mechanisms intended at eliminating the probability of persistent compromise from the device.
Known as “Trusted Boot” or “Verified Boot”, these mechanisms depend on the idea of a CoT (Chain of Trust) to validate each element the system loads as it starts executing code. This method can check cryptographically that each stage, from a Device Root of Trust through the device’s file system, is both unchanged and allowed by the device’s manufacturer. Any unverified change of the different bootloader elements, system kernel, or file system image should result in the device being rendered unusable until a valid one can be restored.