S-RTM and D-RTM: Better Together

PadSec,

Together with Daniel Smith, TrenchBoot Project Leader, we invite the Open Source Firmware Community to discuss various approaches to establishing a root of trust and maintaining its security properties over platform runtime. The initial measurement is crucial to platform security because the code that creates the root measurement has to be secured.

S-RTM (Static Root of Trust for Measurement) is established at a fixed point in time, which is the beginning of the boot process for most platforms. Typically, it is done by Intel Boot Guard, AMD Hardware Validated Boot, NXP High-Assured Boot, or other proprietary implementations. S-RTM-related measurements are recorded in TPM PCR[0-7]. Those can be used for local attestation (unsealing of a secret, e.g., a disk encryption password) or remote attestation. Finally, to keep the security properties of S-RTM, there is a need for a mechanism that can adjust firmware measurements after a firmware update.

D-RTM (Dynamic Root of Trust for Measurement) can be established at any point in time through dedicated hardware and firmware functions. The D-RTM initial measurement happens right before the execution of minimal code called the D-RTM Configuration Environment, which establishes a new Root of Trust for Measurement. D-RTM-related measurements are recorded in PCR[17-22], which are protected by hardware through the TPM locality mechanism. The obtained measurements can be used in precisely the same way as in the S-RTM case.
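The S-RTM update problem described above can be seen in a small model. This is an added example, not code from the talk or from TrenchBoot: the event log contents are constructed, and `binding` is a simplified stand-in for a TPM PCR policy, not the exact TPM 2.0 computation.

```python
import hashlib

ZERO = bytes(32)  # S-RTM PCRs in the SHA-256 bank start at all zeros

def measure(pcr: bytes, blob: bytes) -> bytes:
    """Hash the component, then extend: PCR_new = SHA256(PCR_old || SHA256(blob))."""
    return hashlib.sha256(pcr + hashlib.sha256(blob).digest()).digest()

def replay(events):
    """Replay an event log [(pcr_index, blob), ...] into PCR[0-7]."""
    bank = {i: ZERO for i in range(8)}
    for idx, blob in events:
        bank[idx] = measure(bank[idx], blob)
    return bank

def binding(bank, selection=range(8)):
    """Digest over the selected PCR values (simplified stand-in for a PCR policy)."""
    h = hashlib.sha256()
    for i in sorted(selection):
        h.update(bank[i])
    return h.digest()

def predict_after_update(events, old_blob, new_blob):
    """Swap the updated component in the log and replay to get post-update PCRs."""
    return replay([(i, new_blob if b == old_blob else b) for i, b in events])

# Constructed sample log: component names and contents are made up for illustration.
FW_V1, FW_V2 = b"firmware image v1", b"firmware image v2"
LOG_V1 = [(0, FW_V1), (1, b"platform config"), (4, b"bootloader"),
          (7, b"secure boot policy")]

def demo():
    sealed_to = binding(replay(LOG_V1))  # secret sealed before the update
    predicted = binding(predict_after_update(LOG_V1, FW_V1, FW_V2))
    # What the platform measures on the first boot with the new firmware.
    actual = binding(replay([(0, FW_V2)] + LOG_V1[1:]))
    return {
        "old_binding_still_valid": sealed_to == actual,  # unseal fails after update
        "resealed_binding_valid": predicted == actual,   # reseal before reboot works
    }

if __name__ == "__main__":
    print(demo())
```

Because a PCR can only be extended, the updated firmware cannot reproduce the old PCR[0] value, so the secret has to be resealed to the predicted values before the reboot.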

Let's discuss:

  • update mechanisms
  • protection mechanisms for S-RTM and D-RTM
  • future of related functionality
  • synergy: beyond RTM coexistence
