@ -1,5 +1,6 @@
\documentclass [twoside,a4paper] { article}
\usepackage { adjustbox}
\usepackage { amsmath}
\usepackage { amssymb}
\usepackage { booktabs}
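Review bot: the preamble lines visible here load only adjustbox, amsmath, amssymb and booktabs, while the figure added in the next hunk also uses a tikzpicture environment and the [H] float specifier. Confirm that tikz and float are loaded further down the preamble, or add them alongside the package introduced here, so the document still builds.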
@ -154,6 +155,41 @@ In the most simplistic model, the boot procedure that will be performed is as fo
The communication between the host device and the TBM follows a client-server model where the host devices sends requests to the TBM over serial.
\subsection { Design}
\begin { figure} [H]
\centering
\begin { adjustbox} { width=\textwidth ,center}
\begin { tikzpicture}
\draw [thick,draw=gray!70,->] (-0.2,0) node[left] { \tt \small \uppercase { TBM} } -- (15,0);
\draw [thick,draw=gray!70,->] (-0.2,4) node[left] { \tt \small \uppercase { ROTS} } -- (15,4);
\draw [thick,draw=green!70!black,dashed] (0,0) -- ++(0,4) node[midway, sloped, below] { \tt \small \uppercase { trusted} } ;
\draw [thick,draw=blue!30,->] (1, 4) -- ++(.5,-4) node[midway, sloped, below] { \tt \small \uppercase { hi <version>} } ;
\draw [thick,draw=red!30,->] (1.75, 0) -- ++(.5,4) node[midway, sloped, below] { \tt \small \uppercase { hello <version>} } ;
\draw [thick,draw=blue!30,->] (3, 4) -- ++(.5,-4) node[midway, sloped, below] { \tt \small \uppercase { ls certs} } ;
\draw [thick,draw=red!30,->] (3.75, 0) -- ++(.5,4) node[midway, sloped, below] { \tt \small \uppercase { <listing>} } ;
\draw [thick,draw=blue!30,->] (5, 4) -- ++(.5,-4) node[midway, sloped, below] { \tt \small \uppercase { cat certs/cert.crt} } ;
\draw [thick,draw=red!30,->] (5.75, 0) -- ++(.5,4) node[midway, sloped, below] { \tt \small \uppercase { <content>} } ;
\draw [thick,draw=blue!30,->] (7, 4) -- ++(.5,-4) node[midway, sloped, below] { \tt \small \uppercase { time} } ;
\draw [thick,draw=red!30,->] (7.75, 0) -- ++(.5,4) node[midway, sloped, below] { \tt \small \uppercase { 1501842512} } ;
\draw [thick,draw=blue!30,->] (9, 4) -- ++(.5,-4) node[midway, sloped, below] { \tt \small \uppercase { booting <version>} } ;
\draw [thick,draw=red!30,->] (9.75, 0) -- ++(.5,4) node[midway, sloped, below] { \tt \small \uppercase { ok} } ;
\draw [thick,draw=red!70!black,dashed] (11, 0) -- ++(0, 4) node[midway, sloped, below] { \tt \small \uppercase { untrusted} } ;
\draw [thick,draw=blue!30,->] (12, 4) -- ++(.5,-4) node[midway, sloped, below] { \tt \small \uppercase { booting ok} } ;
\draw [thick,draw=red!30,->] (12.75, 0) -- ++(.5,4) node[midway, sloped, below] { \tt \small \uppercase { ok} } ;
\end { tikzpicture}
\end { adjustbox}
\caption { protocol diagram.}
\end { figure}
\subsection { Clock Drift}
To cope with clock drift the real-time clock has to be synchronised with an external clock. The most straight-forward method to support this within the protocol is to allow an absolute time to be set. However, this should only be allowed from the read-only trusted stage. An alternative method is to allow the clock to be corrected by introducing a limited amount of additional ticks or to stop the clock for a limited amount of ticks. By having limited correction, the clock can still be synchronised while an attacker cannot change the clock by more than a negligible factor each year.
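Review bot: in the Clock Drift subsection, "a limited amount of additional ticks" bounds a single correction, but the text does not say over what period the limit applies or which side enforces it, so the claim that an attacker cannot change the clock "by more than a negligible factor each year" does not yet follow. State the maximum correction per interval, and say that the TBM enforces it as a cumulative budget that survives reboots; otherwise repeated correction requests add up. The protocol diagram shows only a "time" read in the trusted stage and has no message for the absolute set or for the tick correction, so add both and mark which side of the trusted/untrusted boundary accepts each. Minor: \uppercase on the arrow labels also capitalises "cat certs/cert.crt", which misrepresents a path, and the caption has no \label to reference from the text.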