© 2021 Arm

Javier Almansa SobrinoSenior Software Engineer

Arm Ltd.

Measured Boot Support in Trusted Firmware A class (TF-A) project

Linaro Virtual Connect 2021

2 © 2021 Arm

Agenda• Introduction• Rationale for Measured Boot on TF-A• Bootflow• Implementation details• Testing

3 © 2021 Arm

Introduction

• Measured Boot is a boot flow that computes and securely records hashes of code and other critical data at each stage in the boot chain.

• A TPM is (typically) used to hold the measurements.• These measurements (records) can be used later for attestation or to

enforce security policies.

Measured Boot

4 © 2021 Arm

IntroductionTPM

• A TPM is a module that can securely store artifacts used to authenticate a computing platform1.

• It provides attestation, crypto services and Key Management.• Typically implemented as a discrete silicon.

• It can also be implemented in firmware (e.g. in TrustZone).

• Keeps measurements (e.g. hashes) of all code and data loaded.• Information is recorded (extended) into the Platform Configuration Registers (PCRs).

1 https://trustedcomputinggroup.org/resource/trusted-platform-module-tpm-summary/

5 © 2021 Arm

Rationale for Measured Boot on TF-A

• Arm Servers commonly implement or include a TPM service for attestation and secure boot.

• In some cases, the TPM service can only be accessed from the Secure World.

• This is normally accomplished by a Secure Partition (or similar), which is available relatively late on the boot process.

6 © 2021 Arm

Suggested bootflow (example)

7 © 2021 Arm

Implementation detailsDriver

• TF-A includes a Measured Boot driver used by the BL2 stage.• BL1 measures BL2 and pases the measurement via TB_FW_CONFIG

DTB.• BL2 measures the rest of the images and data and records all the

measurements on the event log in Secure Memory.• Supports a number of cryptographic hash functions.

• In the current implementation, algorithms are provided by the Mbed TLS library.

8 © 2021 Arm

BindingsDriver

• Measured Boot driver expects a tpm_event_log node in nt_fw_config and tsp_fw_config DTS files.

9 © 2021 Arm

EnablementDriver

• Measured Boot is now fully integrated into TF-A since version 2.3.• MEASURED_BOOT=1 flag in the build command line to enable it.• TPM_HASH_ALG flag to select the hashing algoritm.

• TRUSTED_BOARD_BOOT must be enabled for Measured Boot.

• EVENT_LOG_LEVEL can be used to set up the log level at which the event log is going to be dumped.

10 © 2021 Arm

Testing

• To validate Measured Boot functionality we need to• Be able to pass the Event Log to a TPM service (or any other attestation service).

• The TPM service must be able to process and extend the records.

• We do not validate the output of the hash algorithms.

• We do not validate the output of an attestation mechanism.

11 © 2021 Arm

TestingTest flow and components

12 © 2021 Arm

TestingOPTEE/fTPM Service Initialization

13 © 2021 Arm

TestingPass criteria

• The fTPM prints the event log as it processes it, using the same output format as the TF-A logs.

• Debug dumps from TF-A and from fTPM must match.

• After requesting the content of PCR0, this cannot be all 0x0.

• All other PCRs must be all 0x0.

© 2021 Arm

Thank YouDanke

Gracias谢谢ありがとうAsante

Merci감사합니다धन्यवादKiitosشكرًا

ধন্য�বা�দתודה

The Arm trademarks featured in this presentation are registered trademarks or trademarks of Arm

Limited (or its subsidiaries) in the US and/or elsewhere.  All rights reserved.  All other marks featured may be trademarks of their respective

owners.

www.arm.com/company/policies/trademarks

© 2021 Arm