11/28 2024
Writer: Ring Bell
How is the development of the digital infrastructure-oriented operating system 'openEuler' progressing? This has been a topic of great concern among industry professionals and the general public alike.
Recently, the openEuler Summit 2024 was held, showcasing numerous achievements in the development of openEuler. Through the joint efforts of global developers in the openEuler community, an open, diverse, and architecturally inclusive software ecosystem has gradually flourished - in 2024, the number of new installations of openEuler-based operating systems exceeded 5 million, with a cumulative total of over 10 million installations in five years.
This is a milestone achievement. Meanwhile, the joint actions on security announced at the summit have further reassured the industry about the development of openEuler - the openEuler community has joined hands with China Financial Certification Authority (CFCA) to jointly launch a secure boot code signing service platform, aiming for in-depth cooperation in server security.
From a new digital security perspective, a sustainable secure boot system is being established, with further advancements in secure boot development. This enhances the comprehensive and in-depth security layout of the openEuler community, aligning with the needs of the new environment.
On the issue of security, the openEuler community is reinforcing its 'security genes.'
The security of operating systems is a recurring topic. In the past, people often focused on specific bugs and vulnerabilities, fearing the losses they might cause. However, the current security landscape has undergone some directional changes, and this year's situation is even more concerning, especially after the global system paralysis caused by the Windows Blue Screen a few months ago. Dubbed by some media 'the worst IT failure ever,' it exposed more complex security issues, such as code review mechanisms.
More and more people are realizing that the security of operating systems requires comprehensive scrutiny and systematic defense.
In fact, if the Windows Blue Screen incident was merely a 'mistake' due to inadequate mechanisms, the injection or modification of malicious code by criminals almost anywhere in the software supply chain has become a severe security challenge. Ensuring the authenticity and integrity of code and establishing absolute trust between software developers and users have become urgent priorities.
After five years of openEuler's open-source development, it has achieved comprehensive growth in business, technology, and ecosystem. At the openEuler Summit 2024, it was evident that openEuler-based operating systems have achieved large-scale commercial deployment in core application scenarios across industries such as the internet, finance, and telecommunications, gradually moving towards the goal of covering all digital scenarios.
Years of accumulation, tens of millions of installations, and widespread application scenarios undoubtedly represent the achievements of openEuler's industrial ecosystem. However, the more remarkable these achievements are, the lower the 'fault tolerance' becomes regarding security issues, necessitating a more sustainable security system for support.
Fortunately, if openEuler-based operating systems are considered 'new species,' then industrial collaboration within the openEuler community represents a process of 'creation.' Various signs indicate that this 'creation' inherently focuses on shaping the various genes of these 'new species,' including 'security genes.' For a long time, openEuler has spared no effort in security construction, ensuring that openEuler-based operating systems inherently possess various security capabilities from the ground up and avoiding the path of developing first and governing afterward (in the case of the Windows Blue Screen incident, preventive mechanisms for code review could have prevented the need for remedial actions after the incident).
Just as in nature's 'creation,' various genes also need to adapt to environmental changes, and openEuler is no exception. Amidst the increasingly severe and complex security situation, openEuler's collaboration with CFCA aims to build a stronger 'security moat,' driving the continuous enhancement of the operating system's security genes during its evolution to cope with future, more complex security situations.
Verifying application sources, reducing the risk of malware attacks, enhancing application credibility, and preventing application tampering...
The collaboration between the openEuler community and CFCA is bringing more tangible security guarantees.
Secure Boot Code Signing Service Platform: Accelerating the Infiltration of Security Genes
Taking a closer look, why did openEuler choose to collaborate with CFCA to build the 'Secure Boot Code Signing Service Platform'?
This question encompasses two aspects: why CFCA and what this platform specifically does.
Firstly, we must consider what partners openEuler urgently needs at present.
Public information indicates that openEuler has gradually established a suite of security technology stacks to ensure its resilience and security against cybersecurity threats, such as technological innovations and collaborations in confidential computing.
However, server security is the foundation of digital security, and secure boot, as the initial step in server operation, requires advanced security mechanisms for safeguarding. Against the backdrop mentioned earlier, openEuler now needs to strengthen the construction of its secure boot signing system.
This is precisely where CFCA excels.
As a leading third-party electronic certification service provider, CFCA has over 20 years of experience providing electronic certification services across multiple industries nationwide, dedicated to building a comprehensive network trust system with robust security operation and maintenance capabilities.
Relying on its deeply cultivated high-security cryptographic technology, CFCA is committed to building the infrastructure for secure boot signing systems. Specifically, CFCA has established a PKI-based secure boot signing system, providing server secure boot solutions, conducting code audits and electronic signatures for security-related parties such as operating systems and board card manufacturers, verifying loaded software and hardware, and ensuring that they are official versions from trusted providers, thereby building a security defense for servers.
One side has the need and the other has the capability, so the cooperation between the two parties to build a high-quality secure boot system comes naturally.
Regarding the specific construction method, a service platform becomes an appropriate choice.
As early as June this year, the openEuler 24.03 LTS version added CFCA secure boot configuration, becoming the first operating system secure boot to support domestic CA signatures, with simultaneous updates on 37 mirror sites globally.
This represents an important milestone in secure boot development. However, across the entire open-source project, more program development processes still require secure boot and trustworthiness, and a community-based service mechanism for this has been lacking.
The secure boot code signing service platform jointly launched by openEuler and CFCA provides efficient and secure code signing services to the community by offering comprehensive CA operation services, convenient certificate download channels, rigorous code review mechanisms, and reliable code signing services, realizing an entirely online process. Currently, the platform has successfully provided professional code audit and secure boot code signing services for openEuler and several leading enterprises.
More community programs can obtain a 'digital driver's license' through the platform, accelerating the infiltration of openEuler's security genes and shaping a more successful and powerful new species for the times.
The establishment of this service platform mechanism also signifies that the openEuler community has further achieved full security technology coverage, joint development of security standards, and full-process basic security coverage in technological innovation, process systems, and industrial cooperation, moving closer to the goal of building a healthy and sustainably developing open-source operating system root community.
Strengthening security capabilities requires collective efforts
Secure boot is not just a concern for operating system open-source projects; it directly affects the vital interests of every developer and vendor.
Code signing certificates ensure that software code is not easily tampered with illegally, protecting code integrity. On the one hand, they enhance end-user trust and help enhance a company's brand image. On the other hand, similar to the responsibilities of program development enterprises regarding user privacy outlined in the Cybersecurity Law, vendors have a responsibility to prevent software code from malicious attacks and tampering, ensuring user data and privacy security.
Therefore, actively embracing secure boot is essential for all industry entities involved in the collaborative development of operating systems.
It is worth mentioning that signature and verification services often become 'better with use.' Service providers can accumulate stronger code review capabilities through extensive practice. Currently, CFCA has successfully provided professional code audit and signing services to industry leader Zhejiang Dahua Technology Co., Ltd., possessing a solid foundation in practical capabilities.
This time, the deep collaboration between the openEuler community and CFCA will further deepen open-source code review capabilities, potentially enhancing service quality. Therefore, for more industry entities, especially leading users in the industry, using the secure boot code signing platform announced at this conference becomes a necessary and capable choice for security assurance.
This will create a phenomenon: as more leading users in various industries adopt the secure boot code signing platform, the platform will become better and stronger, benefiting the entire ecosystem, achieving a positive feedback loop for community security, and ultimately ensuring the security of the system itself and the entire lifecycle of data running on the system.
With the joint efforts of standards organizations, security assessment agencies, partners, and customers, during the 'creation' process of this operating system, advantageous security genes are being continuously strengthened, naturally leading to sustainable development.