user-doc: add introduction

master
S.J.R. van Schaik 7 years ago
parent debb346b99
commit a3af9e0eb0
  1. 25
      user-doc/user-doc.tex

@ -83,6 +83,31 @@
\section{Introduction}
This document covers the installation and configuration of the \emph{Trusted Boot Module} (TBM) and the \emph{Read-Only Trusted System} (ROTS).
The TBM is an additional board that consists of a \emph{microcontroller unit} or MCU to manage the boot procedure of the host device in a secure fashion by managing keys, logs and other files related to trusted boot management.
Furthermore, the host device will be restricted to only boot from one read-only storage device that will contain a trusted image or the \emph{Read-Only Trusted System} (ROTS).
Once this image has been booted, the hosted device is in a trusted state from which it will be able to execute a minimal software stack to enumerate the images to boot, to verify these images and to select what image to boot.
Once the image has been booted, the host device will enter an untrusted stage and the TBM will only allow for restricted access.
This implementation allows the host device to only boot images that are trusted and prevents attackers from tampering with the host device or the TBM to boot untrusted images as long as they don't have physical access and as long as there are no vulnerabilities.
\begin{figure}[H]
\centering
\includegraphics[width=0.8\linewidth]{figures/tbm.pdf}
\caption{a high-level overview of the interaction between the host device and the Trusted Boot Module}
\label{fig:tbm-overview}
\end{figure}
Figure~\ref{fig:tbm-overview} shows a high-level overview of the design.
Once the device receives power the \emph{Trusted Boot Module} will boot and at some point the TBM will power on the host device.
The host device will then read the trusted image from the SPI NOR flash.
Because the device has been configured to be restricted to boot from the SPI NOR flash and because the SPI NOR flash has been configured to be read-only, the host device will be in a trusted state.
The image that has been booted is designed to be minimal and only contains the software necessary to perform the boot procedure.
Furthermore, the image does not contain a network stack to reduce the amount of possible vulnerabilities and thus to minimise the attack vector.
Once the trusted image has been booted, the host device will enumerate the images to boot and co-operate with the TBM to verify images and to select the image to boot.
This co-operation happens by means of serial communication with the TBM, where the TBM will grant access to the key storage to the ROTS.
Once an image has been selected to boot, the ROTS will inform the TBM that it will boot this image and enter the untrusted stage.
From there on the TBM will only allow for restricted access.
\section{Building ROTS}
\subsection{u-boot}
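Review bot: The guarantee that closes the first paragraph ("as long as they don't have physical access and as long as there are no vulnerabilities") is too loose to act as a threat model. Scope "no vulnerabilities" to the components the text names (the ROTS image, the TBM firmware, the serial link between them), and say what enforces the read-only configuration of the SPI NOR flash, since the trusted-state argument in the second paragraph depends on it. In the same paragraph "the hosted device" should be "the host device", and the next sentence, "Once the image has been booted", is ambiguous between the ROTS and the image selected by it; write "the selected image". In the second paragraph "minimise the attack vector" should be "attack surface" and "amount of possible vulnerabilities" should be "number". "Restricted access" appears twice without a definition: state what the TBM still allows in the untrusted stage, in particular whether the key storage access granted to the ROTS is revoked. The figure caption should start with a capital letter.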
