
AEGIS

We have designed AEGIS, a secure bootstrap process. AEGIS increases the security of the boot process by ensuring the integrity of bootstrap code. It does this by constructing a chain of integrity checks, beginning at power-on and continuing until the final transfer of control from the bootstrap components to the operating system itself. The integrity checks compare a computed cryptographic hash value with a stored digital signature associated with each component.

The AEGIS architecture includes a recovery mechanism for repairing integrity failures, which protects against some classes of denial of service attacks. From the start, AEGIS has been targeted for commercial operating systems on commodity hardware, making it a practical "real-world" system.

In AEGIS, the boot process is guaranteed to end up in a secure state, even in the event of integrity failures outside of a minimal section of trusted code. We define a guaranteed secure boot process in two parts. The first is that no code is executed unless it is either explicitly trusted or its integrity is verified prior to its use. The second is that when an integrity failure is detected, a process can recover a suitable verified replacement module.
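The chain of integrity checks and the recovery step described above, as an added illustration that is not code from the AEGIS paper: each stage's hash is recomputed and checked against its stored signature before control passes to it, and a failed stage is replaced from a recovery source only if the replacement itself verifies. The stage names, images and key are constructed; because the standard library has no public-key signatures, the stored signature is modelled as an HMAC over the component hash, where the real system uses a digital signature.

```python
import hashlib
import hmac

# Constructed stand-in for the verification key held in the trusted ROM section.
# The paper's stored digital signatures are public-key signatures; an HMAC over
# the component hash models that check here, since the stdlib has no asymmetric signing.
TRUSTED_KEY = b"demo-trusted-rom-key"


def sign_component(image: bytes) -> bytes:
    """Build time: produce the stored signature over the component's hash."""
    digest = hashlib.sha256(image).digest()
    return hmac.new(TRUSTED_KEY, digest, hashlib.sha256).digest()


def verify_component(image: bytes, stored_sig: bytes) -> bool:
    """Integrity check: recompute the hash and compare with the stored signature."""
    return hmac.compare_digest(sign_component(image), stored_sig)


def secure_boot(stages, recover):
    """Walk the chain. `stages` is an ordered list of (name, image, sig);
    `recover(name)` returns a replacement (image, sig) or None.
    Returns (names of stages allowed to run, event log)."""
    executed, log = [], []
    for name, image, sig in stages:
        if not verify_component(image, sig):
            log.append(f"{name}: integrity failure")
            replacement = recover(name)
            if replacement is None or not verify_component(*replacement):
                log.append(f"{name}: no verified replacement, halting")
                return executed, log          # unverified code is never executed
            log.append(f"{name}: verified replacement installed")
        executed.append(name)                 # control passes to this stage
    log.append("boot complete")
    return executed, log


def demo(tamper: str, recoverable: bool):
    """Constructed boot chain; `tamper` names the stage whose image is corrupted."""
    good = {n: (n + " code").encode() for n in ("expansion_rom", "boot_block", "os_loader")}
    stages = []
    for name, image in good.items():
        sig = sign_component(image)
        if name == tamper:
            image = image + b"\x90"           # modified after it was signed
        stages.append((name, image, sig))

    def recover(name):
        return (good[name], sign_component(good[name])) if recoverable else None

    return secure_boot(stages, recover)
```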



William A Arbaugh
Mon Feb 24 15:36:58 EST 1997