This list of features is intended to be used to keep track of the features that the current implementation of the OS supports, so that it's easier to identify areas where the OS can be improved. Note that these lists are not necessarily exhaustive - some features may be deliberately omitted or under-described ("trade secret").
2. Boot Code
2.1. Security Features
Features implemented in boot code to improve security include:
- Full TPM measurement in all BIOS boot loaders (where supported by BIOS) for authentication purposes (to allow "malcious/modified boot loader" to be detected)
- Simple BIOS security check to reduce the chance of malicious code installing BIOS rootkits (e.g. hooking the BIOS function used for TPM measurement)
- Physical Addresss Space Randomisation (PASR) starting from extremely early in all boot loaders, to guard against some kinds of (hardware based) attacks
- Digital signatures protecting all critical executable code throughout boot (for Boot Abstraction Layer, boot modules, kernels, etc), to guard against execution of unauthorised code
- Seperation of "owner", "infrastructure officer" and "security officer" roles (and no "all powerful admin") designed for the principle of least privilege and to minimise the risk of "disgruntled employee with special or unrestricted access"
- Opaque (potentially encrypted) file permissions, so file system code and Virtual File System can't tamper with file permissions
- Role based access control
2.2. Resilience Features
Features implemented in boot code to improve resilience include:
- "Redundant floppy" support (like a RAID mirror) in BIOS floppy boot loader, and support for auto-generating redundant floppies where possible in tools to create floppy boot images.
- (Optional) faulty RAM avoidance and testing starting from very early in all boot loaders (to guard against faulty RAM)
2.3. Other Features
Other features implemented in boot code (that don't improve security or reslience) include:
- Extensive sanity checks (with full "plain English" errors, etc) at every step, to assist users understand/solve/report problems and for developers (for debugging, etc)
- Exception handling (including dumping registers, etc) starting from extremely early in all boot loaders, to assist developers (for debugging, etc)
- Full event logging starting from the beginning of all boot loaders to assist, to assist users understand/solve/report problems and for developers (for debugging, performance profiling, etc)
- TFTP client code in PXE boot loader, to avoid bugs in firmware's TFTP client code, support features (block size, timeouts, file size) that firmware's TFTP client code might not and get more detailed/accurate event logging
- Boot Image compression/decompression (to improve boot times)
Generated at 05:44:17 on the 24th of April, 2017 (UTC)