Another option is to look at the 96boards platforms: https://www.96boards.org/product/developerbox/ (that's supported upstream by TF-A https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/socion... )
and the Secure96 mezzanine board https://www.96boards.org/product/secure96/ https://www.96boards.org/blog/getting-started-with-the-secure96-tpm/ but the boot flow with TF-A and this mezzanine board hasn't been officially proved.
Ard and Stuart (cc-ed) have done some investigations and experiments in this direction and might add something.
Thanks Matteo
-----Original Message----- From: TF-A tf-a-bounces@lists.trustedfirmware.org On Behalf Of Dan Handley via TF-A Sent: 09 January 2020 09:56 To: tf-a@lists.trustedfirmware.org Subject: Re: [TF-A] Does ARMv8 TrustZone provide a secure ROM?
(Back on the list)
Sorry Iñigo, I don't know enough about the hw capabilities of Raspberry Pi and its boot flow to be able to help you further. Olivier gave some more pointers.
Dan.
From: Iñigo Vicente Waliño inigovicentewalino@gmail.com Sent: 09 January 2020 07:42 To: Dan Handley Dan.Handley@arm.com Subject: Re: [TF-A] Does ARMv8 TrustZone provide a secure ROM?
Yes, thank you very much.
Then, what I'm trying to say is that if I want a secure boot, I need a trust root. If Raspberry Pi cannot provide that trusted root, can I use a TPM?
Iñigo
On Wed, 8 Jan 2020 at 16:32, Dan Handley via TF-A (tf-a@lists.trustedfirmware.org) wrote:
(Back on the list)
By rpi I guess you mean Raspberry Pi?
How do we ensure that the ROM is safe?
I'm not sure what you mean by "safe". By definition the ROM is non-modifiable but maybe you also want it to be non-readable by normal world software?
Although Raspberry Pi contains CPUs that implement TrustZone, I believe there is no TrustZone Controller IP policing access to memory so there is nothing preventing normal world software from accessing memory that is mapped in as secure. Perhaps that is what you mean by "rpi does not provide security"? I also don't know what you mean by "a TPM does not work".
Dan.
From: Iñigo Vicente Waliño <inigovicentewalino@gmail.com> Sent: 08 January 2020 14:54 To: Dan Handley <Dan.Handley@arm.com> Subject: Re: [TF-A] Does ARMv8 TrustZone provide a secure ROM?
Assuming that BL1 is used and implemented in ROM, for example, with an rpi. How do we ensure that the ROM is safe? He sought that rpi does not provide security and that a TPM does not work. Why?
Thanks.
On Wed, 8 Jan 2020 at 13:21, Dan Handley via TF-A (tf-a@lists.trustedfirmware.org) wrote:
Hi Inigo
TrustZone is a trademark referring to the security extensions of the Arm architecture. That is separate to BL1, which is the first boot stage of Trusted Firmware-A (or some other equivalent boot firmware). The expectation is that BL1, if used, is implemented in ROM to provide the Root of Trust for the Application Processor (AP).
An alternative flow is for a separate "security processor" to authenticate the AP firmware before the AP is released from reset. In such a flow, there is no need for BL1 and BL2 since that functionality is provided by the security processor. In such a flow, the TF-A RESET_TO_BL31 config can be used (see in-source documentation).
A TPM can provide additional security by storing secrets not even visible to TrustZone software (e.g. root keys or boot measurements). However, TPMs typically don't do firmware authentication on their own; some other software will need to use the secrets it stores, e.g. boot firmware may ask the TPM to verify a signature corresponding to the next boot stage.
If the TPM is changed to another, is the boot performed?
That depends on your system design.
Dan.
-----Original Message----- From: TF-A <tf-a-bounces@lists.trustedfirmware.org> On Behalf Of Iñigo Vicente Waliño via TF-A Sent: 08 January 2020 10:33 To: tf-a@lists.trustedfirmware.org Subject: [TF-A] Does ARMv8 TrustZone provide a secure ROM?
Hi,
Does ARMv8 TrustZone provide BL1 in a secure ROM? Can a TPM be used as a trusted root or is it useless? If the TPM is changed to another, is the boot performed?
Thanks, Inigo.
-- TF-A mailing list TF-A@lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hello all,
I am not 100% sure what the ask is here, but I do have an implementation of measured boot with local attestation available on the SynQuacer based DeveloperBox. This is based on the Secure96 TPM combined with special SCP firmware that programs the SPI controller's command sequencer to expose the TPM TIS frame via a window in memory. (This removes the need for a SPI stack in each boot stage)
I am in the process of writing up some instructions on how to reproduce this, including the use of the TPM to seal the encryption key of the root partition against the state of PCR7, which is where the measurement of the secure boot state resides (Secure boot on or off along with the contents of db/dbx). This is basically what BitLocker gives you on Windows, i.e., the root partition is unlocked automatically on boot, unless you fiddle with the secure boot settings.
Reach out to me if you want more info on this.
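The sealing Ard describes (key released only when PCR7 holds the expected secure-boot measurement) can be reproduced offline to see why "fiddling with the secure boot settings" locks the root partition. The block below is an added example, not code from the thread, from TF-A or from the DeveloperBox/SCP firmware; it reimplements in pure Python the two digests a TPM 2.0 computes: the PCR extend chain and the TPM2_PolicyPCR digest that a sealed object's authPolicy is bound to. The measured events (SecureBoot, PK, KEK, db, dbx) are constructed placeholders; real UEFI firmware measures EFI_VARIABLE_DATA structures, so the actual PCR7 value on hardware differs.

```python
"""Offline model of sealing a secret to PCR7 with TPM 2.0 policy semantics.

Added example (not from the mailing-list thread). Event contents below are
constructed stand-ins for the secure-boot variables UEFI measures into PCR7.
"""
import hashlib
import struct

SHA256_ZERO = bytes(32)            # reset value of a SHA-256 PCR bank
TPM_ALG_SHA256 = 0x000B            # TPM_ALG_ID for SHA-256
TPM_CC_POLICYPCR = 0x0000017F      # command code of TPM2_PolicyPCR

# Constructed measurement logs: what firmware hands to TPM2_PCR_Extend for PCR7.
GOOD_BOOT = [b"SecureBoot=1", b"PK=owner", b"KEK=vendor", b"db=vendor-certs", b"dbx=revoked"]
# Same machine after secure boot was switched off in the firmware setup.
TAMPERED_BOOT = [b"SecureBoot=0", b"PK=owner", b"KEK=vendor", b"db=vendor-certs", b"dbx=revoked"]


def pcr_extend(pcr: bytes, event_data: bytes) -> bytes:
    """PCR_new = H(PCR_old || H(event)); firmware hashes the event, the TPM chains it."""
    return hashlib.sha256(pcr + hashlib.sha256(event_data).digest()).digest()


def replay_pcr(events: list) -> bytes:
    """Replay a measurement log from the reset value; order matters."""
    pcr = SHA256_ZERO
    for ev in events:
        pcr = pcr_extend(pcr, ev)
    return pcr


def pcr_selection(pcr_index: int, alg: int = TPM_ALG_SHA256) -> bytes:
    """Marshal a TPML_PCR_SELECTION: count=1, one bank, 3-byte bitmap (24 PCRs)."""
    select = bytearray(3)
    select[pcr_index // 8] |= 1 << (pcr_index % 8)
    return struct.pack(">IHB", 1, alg, 3) + bytes(select)


def policy_pcr_digest(pcr_index: int, pcr_value: bytes) -> bytes:
    """TPM2_PolicyPCR from a fresh session:
    policy_new = H(policy_old || TPM_CC_PolicyPCR || pcrs || H(selected PCR values)).
    This is the digest tpm2_createpolicy --policy-pcr stores for tpm2_create -L."""
    pcr_digest = hashlib.sha256(pcr_value).digest()
    return hashlib.sha256(
        SHA256_ZERO + struct.pack(">I", TPM_CC_POLICYPCR)
        + pcr_selection(pcr_index) + pcr_digest
    ).digest()


class SealedObject:
    """Minimal model of a TPM sealed blob: the secret plus its authPolicy."""

    def __init__(self, secret: bytes, auth_policy: bytes):
        self._secret = secret
        self.auth_policy = auth_policy

    def unseal(self, session_policy_digest: bytes) -> bytes:
        # The TPM compares the session's accumulated policy digest with authPolicy.
        if session_policy_digest != self.auth_policy:
            raise PermissionError("TPM_RC_POLICY_FAIL: PCR7 does not match sealing state")
        return self._secret


def seal_to_pcr7(secret: bytes, boot_events: list) -> SealedObject:
    """Seal `secret` so it is released only when PCR7 replays to the given log."""
    return SealedObject(secret, policy_pcr_digest(7, replay_pcr(boot_events)))


def try_unseal(obj: SealedObject, boot_events: list) -> bytes:
    """Start a policy session, run PolicyPCR against the current PCR7, unseal."""
    return obj.unseal(policy_pcr_digest(7, replay_pcr(boot_events)))


def demo() -> tuple:
    """Returns (unsealed on good boot, unsealed on tampered boot)."""
    luks_key = b"constructed-rootfs-luks-key"
    blob = seal_to_pcr7(luks_key, GOOD_BOOT)
    good = try_unseal(blob, GOOD_BOOT) == luks_key
    try:
        try_unseal(blob, TAMPERED_BOOT)
        bad = True
    except PermissionError:
        bad = False
    return good, bad


if __name__ == "__main__":
    print("PCR7 (good boot):    ", replay_pcr(GOOD_BOOT).hex())
    print("PCR7 (tampered boot):", replay_pcr(TAMPERED_BOOT).hex())
    print("unsealed good/tampered:", demo())
```

Two properties of the model carry over to real hardware: the policy is bound to the whole extend chain, so reordering or omitting a measurement changes PCR7 as surely as changing a value does, and the sealed blob itself never has to leave the TPM's protection, since the caller only learns the secret once TPM2_PolicyPCR has matched. The flip side, worth remembering when planning firmware or db/dbx updates, is that any legitimate change to the measured state needs a re-seal under the new PCR7 before the next reboot.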
________________________________________ From: Matteo Carlini Matteo.Carlini@arm.com Sent: Thursday, January 9, 2020 11:18 To: tf-a@lists.trustedfirmware.org; Stuart Yoder; Ard Biesheuvel Subject: RE: [TF-A] Does ARMv8 TrustZone provide a secure ROM?