© 2021 Arm
Javier Almansa Sobrino, Senior Software Engineer
Arm Ltd.
Measured Boot Support in Trusted Firmware A class (TF-A) project
Linaro Virtual Connect 2021
Agenda
• Introduction
• Rationale for Measured Boot on TF-A
• Bootflow
• Implementation details
• Testing
Introduction: Measured Boot
• Measured Boot is a boot flow that computes and securely records hashes of code and other critical data at each stage in the boot chain.
• A TPM is (typically) used to hold the measurements.
• These measurements (records) can be used later for attestation or to enforce security policies.
Introduction: TPM
• A TPM is a module that can securely store artifacts used to authenticate a computing platform [1].
• It provides attestation, crypto services and key management.
• Typically implemented as discrete silicon.
• It can also be implemented in firmware (e.g. in TrustZone).
• Keeps measurements (e.g. hashes) of all code and data loaded.
• Information is recorded (extended) into the Platform Configuration Registers (PCRs).
[1] https://trustedcomputinggroup.org/resource/trusted-platform-module-tpm-summary/
Rationale for Measured Boot on TF-A
• Arm Servers commonly implement or include a TPM service for attestation and secure boot.
• In some cases, the TPM service can only be accessed from the Secure World.
• This is normally accomplished by a Secure Partition (or similar), which becomes available relatively late in the boot process.
Suggested bootflow (example)
Implementation details: Driver
• TF-A includes a Measured Boot driver used by the BL2 stage.
• BL1 measures BL2 and passes the measurement via the TB_FW_CONFIG DTB.
• BL2 measures the rest of the images and data and records all the measurements in the event log in Secure Memory.
• Supports a number of cryptographic hash functions.
• In the current implementation, algorithms are provided by the Mbed TLS library.
Bindings: Driver
• Measured Boot driver expects a tpm_event_log node in nt_fw_config and tsp_fw_config DTS files.
Enablement: Driver
• Measured Boot is now fully integrated into TF-A since version 2.3.
• MEASURED_BOOT=1 flag in the build command line to enable it.
• TPM_HASH_ALG flag to select the hashing algorithm.
• TRUSTED_BOARD_BOOT must be enabled for Measured Boot.
• EVENT_LOG_LEVEL can be used to set up the log level at which the event log is going to be dumped.
Testing
• To validate Measured Boot functionality we need to:
  • Be able to pass the Event Log to a TPM service (or any other attestation service).
  • The TPM service must be able to process and extend the records.
• We do not validate the output of the hash algorithms.
• We do not validate the output of an attestation mechanism.
Testing: Test flow and components
Testing: OP-TEE/fTPM Service Initialization
Testing: Pass criteria
• The fTPM prints the event log as it processes it, using the same output format as the TF-A logs.
• Debug dumps from TF-A and from fTPM must match.
• After reading back the content of PCR0, it must not be all 0x0.
• All other PCRs must be all 0x0.
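To make the measurement chain on the "Driver" slide and the pass criteria above concrete, here is an added example (not TF-A or fTPM code): it hashes constructed stand-in images the way BL1/BL2 would, records them as event-log entries, replays the log into software PCRs using the TPM extend rule, and applies the deck's criteria. The PCR count (24), the hash (SHA-256 standing in for TPM_HASH_ALG) and recording every image into PCR0 are assumptions.

```python
import hashlib

PCR_COUNT = 24                                   # assumption: TPM 2.0 bank of 24 PCRs
ALG = "sha256"                                   # assumption: stands in for TPM_HASH_ALG=sha256
ZERO_PCR = bytes(hashlib.new(ALG).digest_size)   # reset value of a PCR

# Constructed stand-ins for the images BL1 (BL2) and BL2 (the rest) measure.
# Assumption: every firmware image is extended into PCR0, which is what the
# deck's criteria (PCR0 set, every other PCR still zero) imply.
IMAGES = [
    ("BL2",  0, b"constructed BL2 image bytes"),
    ("BL31", 0, b"constructed BL31 image bytes"),
    ("BL32", 0, b"constructed BL32 (TSP/OP-TEE) image bytes"),
    ("BL33", 0, b"constructed BL33 (normal-world) image bytes"),
]

def measure(image: bytes) -> bytes:
    """Hash one image, as the measured boot driver does in BL1/BL2."""
    return hashlib.new(ALG, image).digest()

def build_event_log(images):
    """One event per image: PCR index, algorithm, digest and image name."""
    return [{"pcr": pcr, "alg": ALG, "digest": measure(data), "name": name}
            for name, pcr, data in images]

def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new_value = H(old_value || digest)."""
    return hashlib.new(ALG, pcr_value + digest).digest()

def replay_log(log):
    """Replay the event log into software PCRs, as the fTPM does on receipt."""
    pcrs = [ZERO_PCR] * PCR_COUNT
    for ev in log:
        pcrs[ev["pcr"]] = extend(pcrs[ev["pcr"]], ev["digest"])
    return pcrs

def format_dump(log):
    """Debug dump in one shared line format so both sides can be diffed."""
    return ["PCR%d %s %s %s" % (ev["pcr"], ev["name"], ev["alg"], ev["digest"].hex())
            for ev in log]

def meets_pass_criteria(tfa_log, ftpm_log) -> bool:
    """Dumps must match, PCR0 must not be all zero, every other PCR must be."""
    if format_dump(tfa_log) != format_dump(ftpm_log):
        return False
    pcrs = replay_log(ftpm_log)
    return pcrs[0] != ZERO_PCR and all(p == ZERO_PCR for p in pcrs[1:])

if __name__ == "__main__":
    log = build_event_log(IMAGES)
    print("\n".join(format_dump(log)))
    print("PASS" if meets_pass_criteria(log, log) else "FAIL")
```

The fTPM-side log is modelled as a second list so that a dropped or relocated event shows up as a failed criterion rather than a silently different PCR0.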
Thank You
The Arm trademarks featured in this presentation are registered trademarks or trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners.
www.arm.com/company/policies/trademarks