Collaborate Disseminate
I’ve been reading many research articles about RoT – Root of Trust – for establishing a chained root of trust going up from BIOS to the Kernel.
However, most of the article go briefly on how RoT works for different brands.
A good article o… Continue reading Root of Trust – The general Mechanism of how RoT Authenticates higher levels of software
Given how UEFI secure boot appears later than TPM, i had assumption that it provides advantages over TPM.
As i read into each, it appears to me that the TPM measurements to each stage would provide about the same level of integrity guarant… Continue reading Does (UEFI) secure boot provide security advantages over TPM measured boot?
SoC’s have begun integrating a hardware Root-of-Trust to mitigate attacks on Secure Boot. Examples include Google’s OpenTitan & Intel PFR. What are the threats addressed by discrete "Secure Enclave" type root-of-trust solutio… Continue reading What are the threats addressed by a Hardware Root-of-Trust?
I’ve been instructed to use the state of our system’s TPM’s PCR registers to prevent the system we’re working on from booting if one of the PCR registers is different from what we expect. In service of that goal, I’m reading over this arti… Continue reading What kind of "actions" can a TPM2 policy authorize?
It is often cited “to load from untrusted memory to a trusted system memory” when describing the secure boot process. I wonder, when can we consider a memory as “trusted”?
Can we consider the Integrity Check on power-on and the secure boot equal from security point of view?
Secure boot is about allowing only a trusted SW to boot on the processor. A chain of trust can be built as a result of sequence of a se… Continue reading Integrity Check on power on VS. Secure boot
I’m using BBB in my project. I need to prevent any changes to the software running on it. I’ve been reading about uBoot and TPM. But if I understand everything correctly, this can’t be implemented correctly, that is, in a really secure man… Continue reading BeagleBoneBlack, TPM and uBoot
At a high level the way secure boot functionality works is by embedding the hash of the company’s root cert in ROM. Then the OS image itself is signed with a key that chains up to the root cert embedded in the ROM. For exampl… Continue reading How to handle compromised certs in a secure boot flow?
After some research, my current understanding of Android’s boot sequence (at least on a Qualcomm device) is as follows:
PBL –> XBL (replaces SBL) –> Aboot –> Kernel
PBL:
Primary Boot Loader (sometimes called bootROM). … Continue reading Android boot sequence – verified boot security
I am trying to learn more about trusted boot / trusted platform modules and I understand about Platform Configuration Register (PCR) values being a measurement of a ‘good’ configuration signed by a key locked from access within the TPM chi… Continue reading With TPM how are the initial PCR values seeded with ‘good’ values?