This document covers the installation and configuration of the \emph{Trusted Boot Module} (TBM) and the \emph{Read-Only Trusted System} (ROTS).
The TBM is an additional board that consists of a \emph{microcontroller unit} or MCU to manage the boot procedure of the host device in a secure fashion by managing keys, logs and other files related to trusted boot management.
Furthermore, the host device will be restricted to only boot from one read-only storage device that will contain a trusted image or the \emph{Read-Only Trusted System} (ROTS).
Once this image has been booted, the hosted device is in a trusted state from which it will be able to execute a minimal software stack to enumerate the images to boot, to verify these images and to select what image to boot.
Once the image has been booted, the host device will enter an untrusted stage and the TBM will only allow for restricted access.
This implementation allows the host device to only boot images that are trusted and prevents attackers from tampering with the host device or the TBM to boot untrusted images as long as they don't have physical access and as long as there are no vulnerabilities.
\caption{a high-level overview of the interaction between the host device and the Trusted Boot Module}
\label{fig:tbm-overview}
\end{figure}
Figure~\ref{fig:tbm-overview} shows a high-level overview of the design.
Once the device receives power the \emph{Trusted Boot Module} will boot and at some point the TBM will power on the host device.
The host device will then read the trusted image from the SPI NOR flash.
Because the device has been configured to be restricted to boot from the SPI NOR flash and because the SPI NOR flash has been configured to be read-only, the host device will be in a trusted state.
The image that has been booted is designed to be minimal and only contains the software necessary to perform the boot procedure.
Furthermore, the image does not contain a network stack to reduce the amount of possible vulnerabilities and thus to minimise the attack vector.
Once the trusted image has been booted, the host device will enumerate the images to boot and co-operate with the TBM to verify images and to select the image to boot.
This co-operation happens by means of serial communication with the TBM, where the TBM will grant access to the key storage to the ROTS.
Once an image has been selected to boot, the ROTS will inform the TBM that it will boot this image and enter the untrusted stage.
From there on the TBM will only allow for restricted access.
\section{Building ROTS}
\section{Building ROTS}
\subsection{u-boot}
\subsection{u-boot}
@ -148,6 +173,10 @@ For the initramfs, we will need static binaries of \emph{busybox}, \emph{kexec-t
\section{Flashing ROTS}
\section{Flashing ROTS}
To write the ROTS image to the SPI NOR flash, we can either use an external programmer or boot the device in FEL mode and use the \emph{sunxi-fel} tool.
To write the images, it is strongly recommended to use the \emph{sunxi-fel} tool as it is much faster than using an external programmer.
However, to configure the write-protection an external programmer must be used, as there are few tools that support configuring the write-protection of the SPI NOR flash.
\subsection{Using an External Programmer}
\subsection{Using an External Programmer}
In order to be able to program the SPI NOR flash with an external programmer, we will need an external programmer such as the BusPirate v3.6a or the BusPirate v4.0 and SOIC clip.
In order to be able to program the SPI NOR flash with an external programmer, we will need an external programmer such as the BusPirate v3.6a or the BusPirate v4.0 and SOIC clip.