Chromebooks take Chrome and its core values (simplicity, speed and security) and apply them to their own operating system infrastructure. The result is a multi-layered set of defenses that boosts the security of Chromebooks against malicious software that could compromise and linger on the system.
Let's take a quick look at some of the Chromebook security features:
- "Our security model is rooted in two pieces of hardware that ship with every Chromebook: a custom firmware chip and a Trusted Platform Module (TPM). The custom firmware chip consists of two parts: a read-only firmware and a read-write firmware that can be updated. When you press the power button, read-only firmware starts a process called Verified Boot. It uses an embedded 8192-bit RSA public key to verify the cryptographic signature on the read-write firmware.
After the read-only firmware verifies and runs the read-write firmware, the latter performs a similar verification operation on the operating system kernel before running it. The operating system kernel will then continue the verification process as it loads all of the system software, like Chrome.
The goal of Verified Boot is to provide cryptographic assurances that the system code hasn't been modified by an attacker on the Chromebook. Additionally, we use lockable, non-volatile memory (NVRAM) in the TPM to ensure that outdated signatures won't be accepted. To put this into perspective, the system does all this in about 8 seconds.
If you don't want to boot Google-verified software -- let's say you built your own version of Chromium OS -- no problem. You can flip the developer switch on your device and use the Chromebook however you'd like. It's yours, after all!
- Since no software offers perfect security, Chromebooks include an automated update system based on Chrome's auto-updater. The updater checks with the server securely and downloads updates when they become available. It keeps the system updated against emerging threats and allows for new features to be rolled out seamlessly. Since every Chromebook keeps two copies of the operating system, it's easy to update and then switch to the new version without interrupting your normal flow. In addition, it allows for the Chromebook to revert to the known working version if there're any problems during the update.
- Signing in, with confidence
The first user of a Chromebook can determine who else is allowed to sign in or choose to keep the machine open for anyone to sign in. In addition, every user has a private, encrypted store, which means that, if you share your Chromebook, other users won't be given access to your data. The encrypted store is implemented using the Linux kernel's eCryptfs with keys that are protected by the TPM.
- Or don't sign in at all
Chromebooks also offer Guest Mode -- in which Chrome runs with the usual privacy measures of incognito mode, but none of the browsing data, including downloads, will stick around. When you exit Guest Mode or reboot your Chromebook, the browsing data is deleted.
- A helping hand, even when things go wrong
The read-only firmware included in every Chromebook provides a "recovery mode" that lets you install a fresh, up-to-date version of the OS from a recovery device plugged into the USB port.
- Getting better over time
With Chromebooks and Chrome, we've made advances in the security infrastructure of the OS and the browser that should allow you to browse the web more comfortably," explain Will Drewry and Sumit Gwalani, Chromebook Security Team.
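A minimal model of the verification chain and rollback check described in the quoted post, added here as an example (it is not code from Google or Chromium OS). It uses textbook RSA over SHA-256 with a constructed toy key in place of the 8192-bit key; the stage names, version numbers and the `Nvram` class are assumptions made for illustration.

```python
import hashlib

# Constructed toy key (two Mersenne primes, factors public): stands in for the
# 8192-bit key so the example needs no key generation. It offers no security.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))  # D: private exponent, build side only

def _digest(version, payload):
    # The version is hashed with the payload so it cannot be edited on its own.
    return int.from_bytes(hashlib.sha256(version.to_bytes(4, "big") + payload).digest(), "big")

def make_stage(name, version, payload):
    """Build side: sign an image (textbook RSA, no padding) and return the stage."""
    return name, version, payload, pow(_digest(version, payload), D, N)

def verify(version, payload, sig):
    return pow(sig, E, N) == _digest(version, payload)

class Nvram:
    """Model of lockable NVRAM holding the lowest acceptable version per stage."""
    def __init__(self, min_versions):
        self.min_versions, self.locked = dict(min_versions), False

    def raise_min(self, name, version):
        if self.locked:
            raise PermissionError("NVRAM is locked")
        self.min_versions[name] = max(self.min_versions[name], version)

def verified_boot(stages, nvram):
    """Check each stage in order before 'running' it; returns (ok, reason)."""
    nvram.locked = False  # model assumption: a reset unlocks NVRAM for firmware
    try:
        for name, version, payload, sig in stages:
            if not verify(version, payload, sig):
                return False, f"{name}: bad signature"
            if version < nvram.min_versions[name]:
                return False, f"{name}: rollback to version {version} refused"
        for name, version, _, _ in stages:
            nvram.raise_min(name, version)  # remember the newest verified versions
        return True, "booted"
    finally:
        nvram.locked = True  # locked before any later software runs

def demo():
    """Constructed images: a good boot, then an older but validly signed firmware."""
    nv = Nvram({"rw_firmware": 1, "kernel": 1})
    new = [make_stage("rw_firmware", 2, b"fw v2"), make_stage("kernel", 3, b"kernel v3")]
    old = [make_stage("rw_firmware", 1, b"fw v1"), new[1]]
    return verified_boot(new, nv), verified_boot(old, nv)
```

The second boot in `demo()` fails even though the old firmware carries a valid signature, which is the case the stored version floor exists to catch.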
Below we've embedded some videos that explain Chromebook security features.
[Source: Chrome blog]