So, what is the criterion to implement Secure boot or Trusted boot? Where are the instructions to implement either? What are some minimum prerequisites on an existing router (say) to implement either?

On Mon, Jan 7, 2019 at 1:54 AM Dr. Greg <g...@enjellic.com> wrote:

> On Sat, Jan 05, 2019 at 07:22:36PM -0800, Mat wrote:
>
> Good morning, I hope the week is starting well for everyone.
>
> > How would a device vendor use tboot to implement secure/trusted boot
> > on their networking devices like routers and switches?
> >
> > If someone can also clarify diff between secure boot and trusted
> > boot, when to use what.
>
> Let me invert the order of these questions and then expand on the
> former.
>
> Simplistically, secure boot is a firmware based solution for
> implementing cryptographically signed boot images. A public key is
> available to the firmware that is used to authenticate the signature
> on a kernel image. This provides a platform security architect an
> assurance that the system has been booted with a known state of an
> operating system image.
>
> TBOOT is the software component of a larger body of technology
> referred to as Trusted eXecution Technology (TXT). It is a cohort of
> processor/chipset/hardware/software technology that provides a
> framework for validating that the platform is in a known state up to
> and through the operating system load.
>
> The intent of both technologies is to provide a 'root of trust' that
> platform architects can use to create inferences (attestations) about
> the integrity of an application stack running on a platform.
> TXT/tboot provides a more comprehensive guarantee as to the quality of
> that trust root.
>
> How to effectively leverage this 'root of trust' to create a secure
> device is a large, complex and arguably immature topic. I direct
> engineering for a company that uses both of these technologies, and to
> a much larger extent Intel's Software Guard Extensions (SGX), to
> provide platform security guarantees for devices such as you describe.
> We refer, generically, to these types of devices as Intelligent
> Network Endpoint Devices (INED's).
>
> We use a trust root to support something we refer to as Autonomous
> Introspection (the 'other' AI). The notion of AI involves running a
> modeling engine that can make deterministic decisions about whether or
> not the platform is operating in a manner consistent with the intent
> of the developer. If not, the introspection engine can take very
> precise and targeted actions in order to discipline the context of
> execution that is attempting to engage in an extra-dimensional
> behavior.
>
> Technically, neither TXT/Tboot nor Secure Boot makes a platform
> 'secure'. What they provide is a guarantee that there is a known
> 'good' state on which a security architecture can be crafted.
>
> > -c
>
> Hopefully the above is a helpful summary. We can go into more detail
> on any of these issues if you have more specific questions.
>
> Have a good remainder of the week.
>
> Dr. Greg
>
> As always,
> Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
> 4206 N. 19th Ave.           Specializing in information infra-structure
> Fargo, ND 58102             development.
> PH: 701-281-1686
> FAX: 701-281-3949           EMAIL: g...@enjellic.com
>
> ------------------------------------------------------------------------------
> "Human beings, who are almost unique in having the ability to learn
> from the experience of others, are also remarkable for their apparent
> disinclination to do so."
>                                 -- Douglas Adams
>
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
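
Added example (not part of the original thread, and not tboot or TXT code): a small model of the difference discussed above, with secure boot as "verify, then refuse to run" and trusted boot as "measure, run anyway, let a verifier judge the result afterwards". Assumptions: a digest allowlist stands in for the firmware's signature check against its public key, the measurement register follows the TPM-style extend rule, and the boot chain names and contents are constructed sample data.

```python
import hashlib

def digest(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()

def extend(pcr: bytes, image: bytes) -> bytes:
    # TPM-style extend: the register can only be folded forward, never set.
    return hashlib.sha256(pcr + digest(image)).digest()

def secure_boot(chain, allowed):
    """Enforce: refuse to run the first stage whose digest is not allowed.
    (Stand-in for the firmware's signature check against its public key.)"""
    for name, image in chain:
        if digest(image) not in allowed:
            return f"halt: {name}"
    return "booted"

def trusted_boot(chain):
    """Measure: record every stage before running it. Returns the final
    register value; nothing is blocked at boot time."""
    pcr = bytes(32)  # register starts at all zeros
    for _name, image in chain:
        pcr = extend(pcr, image)
    return pcr

def attest(reported_pcr: bytes, golden_pcr: bytes) -> bool:
    """Verifier side: trust the platform only if the measurement matches."""
    return reported_pcr == golden_pcr

# Constructed sample boot chain (names and contents are illustrative).
GOOD = [("bootloader", b"loader v1"), ("kernel", b"kernel v1"),
        ("initrd", b"initrd v1")]
TAMPERED = [GOOD[0], ("kernel", b"kernel v1 modified"), GOOD[2]]
ALLOWED = {digest(image) for _name, image in GOOD}
GOLDEN = trusted_boot(GOOD)

if __name__ == "__main__":
    for label, chain in (("good", GOOD), ("tampered", TAMPERED)):
        print(label, secure_boot(chain, ALLOWED),
              attest(trusted_boot(chain), GOLDEN))
```

Because each extend folds in the previous register value, the measurement also changes when known-good stages run in a different order, which a per-image check alone does not detect.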