TrenchBoot: Unified Approach to Harness Boot Integrity Technologies

Daniel Smith
Apertus Solutions

Ensuring and verifying that system launch has executed with only the intended system software is widely accepted as a prerequisite for placing trust in the integrity of a computer system. A variety of hardware and software based technologies are available on commodity computing platforms, with different capabilities and similar-sounding names all aiming to address different aspects of this requirement. To provide clarity for discussion of this topic, this presentation will cover the fundamentals of establishing system integrity at boot and review the modern landscape of boot integrity technologies, with definitions for important terms.

In addition, a new software framework, TrenchBoot, will be presented. We will describe TrenchBoot’s place in the early system software stack, how it leverages the the available boot integrity technologies and the cooperation of earlier launch components to provide a stronger footing for launch of the Operating System. TrenchBoot enables fine-grained platform verification in support of advanced security and assurance use cases. We describe the aim to provide a standard measured launch approach, with an extensible, Open Source, reusable implementation suitable for third-party extension and integration.


🔎 Boot Integrity · OpenXT · Xen
Slides


References

Source Code

Upstreaming

Presenter

  • Linux Security Summit — TrenchBoot: How to nicely boot system with Intel TXT and AMD SVM, slides · video (Aug 2019)
  • Xen Summit — How TrenchBoot is Enabling Measured Launch for Open-Source Platform Security, video (Jul 2019)