Verified Boot on Chrome OS and How to do it yourself - Simon Glass, Google

Chrome OS uses a first stage read-only firmware and second-stage updatable firmware. The updatable firmware is signed and contains kernel keys and a dm-verify hash, so that the firmware, Linux kernel and root filesystem are all protected against corruption and attack. This system is described and discussed. As part of Google_s upstream efforts in U-Boot, a generalized secure boot system has been developed and released with U-Boot 2013.07. This implementation uses the FIT format, which collects together images, such as kernels, device tree, RAM disks. Support is provided for TPMs (Trust Platform Module), RSA-based signing and verificaiton, and hashing with hardware acceleration. This system is also described and discussed, along with the specific steps needed to implement it in your designs. http://events.linuxfoundation.org/eve...