On Thu, 12 Mar 2020 at 20:43, Stuart Yoder <[email protected]> wrote:
>
> > >>> https://buyzero.de/products/letstrust-hardware-tpm-trusted-platform-module?variant=33890452626
> > >>>
> > >>> Would we be able to use this as root of trust?
> >
> > AFAIK, TPM in itself can't act as a root of trust. It is rather a
> > passive device which can provide you with trusted/secure services. In
> > general a root of trust is the first piece of *non-modifiable* code
> > that runs on a platform which is BootROM that establishes the chain of
> > trust via verifying the first stage boot-loader which in turn
> > continues the chain of trust to next boot stages and so on.
>
> You do need to take care with "root of trust" terminology.
>
> A root of trust is something that is inherently trusted, and in which
> a compromise can't be detected. There are various terminology schemes
> proposed from GlobalPlatform, TCG, NIST -- e.g. roots of trust for: update,
> verification, measurement, storage, reporting, etc.
>
> So a boot ROM is _a_ root of trust -- for example a root of trust for
> verification.
>
> A TPM is a root of trust for storage (i.e. securely storing measurements)
> and for reporting (i.e. providing cryptographically signed attestation
> reports).
>
> So, it depends what you mean.
>
I guess the context of discussion was pretty clear in this regard: "Secure boot for Raspberries", no?

BTW, in general I agree with you that one shouldn't confuse "root of trust for Secure boot" with "root of trust for storage or reporting".

-Sumit

>
> Thanks,
> Stuart

_______________________________________________
boot-architecture mailing list
[email protected]
https://lists.linaro.org/mailman/listinfo/boot-architecture
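The distinction drawn in the thread between a root of trust for verification (the BootROM, which checks a stage before running it) and the TPM's roots of trust for storage and reporting (PCRs that can only be extended, and a signed quote over them) as an added, software-only model that is not from this thread or any TPM library. The boot images, the all-zero initial PCR, the ROM hash table and the HMAC key standing in for the TPM's non-extractable attestation key are constructed stand-ins.

```python
import hashlib
import hmac

PCR_INITIAL = bytes(32)  # PCRs read as all-zero after a reset
# Constructed key standing in for the TPM's non-extractable attestation key.
ATTESTATION_KEY = b"constructed-tpm-attestation-key"

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def pcr_extend(pcr: bytes, stage_image: bytes) -> bytes:
    """Root of trust for storage: a PCR can only be extended,
    new = H(old || H(image)), never written directly or rolled back."""
    return sha256(pcr + sha256(stage_image))

def measured_boot(stages) -> bytes:
    """Record every stage in the PCR. Measurement never blocks a bad image;
    it only makes the deviation visible in the final PCR value."""
    pcr = PCR_INITIAL
    for image in stages:
        pcr = pcr_extend(pcr, image)
    return pcr

def verified_boot(stages, rom_expected_hashes) -> int:
    """Root of trust for verification: the immutable BootROM checks each stage
    before it runs. Returns how many stages were allowed to execute."""
    executed = 0
    for image, expected in zip(stages, rom_expected_hashes):
        if not hmac.compare_digest(sha256(image), expected):
            break  # chain of trust stops here; later stages never run
        executed += 1
    return executed

def quote(pcr: bytes, nonce: bytes) -> bytes:
    """Root of trust for reporting: sign PCR || nonce with a key the host
    cannot read, so a remote verifier can trust the reported value."""
    return hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()

def verify_quote(pcr: bytes, nonce: bytes, sig: bytes, golden_pcr: bytes) -> bool:
    """Remote side: check the signature (and nonce freshness), then compare
    the reported PCR against the known-good value."""
    expected = hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected) and hmac.compare_digest(pcr, golden_pcr)

# Constructed boot images for the demo.
GOOD_STAGES = [b"stage1:bootloader-v1", b"stage2:kernel-v1", b"stage3:initramfs-v1"]
TAMPERED_STAGES = [b"stage1:bootloader-v1", b"stage2:kernel-EVIL", b"stage3:initramfs-v1"]
ROM_HASHES = [sha256(s) for s in GOOD_STAGES]   # burned into ROM at manufacture
GOLDEN_PCR = measured_boot(GOOD_STAGES)          # known-good value held by the verifier
```

Running `verified_boot` on the tampered images stops after stage 1, whereas `measured_boot` runs all three and only the later quote comparison reveals the change.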
