Hi Stephen,
> I am new to TCG. My understanding is that in SRTM BIOS itself is
> assumed to be trustable. It’s not measured on a PC client during the
> boot since it’s the first one being loaded and executed. But it forms
> the basis of chain of trustable measurements. Is this correct?
It is measured, but at least the initial component (e.g. BIOS boot
block) can't be measured by an independent entity and thus must be trusted
as the core root of trust for measurement (CRTM). The CRTM measures itself
and the rest of BIOS among other things into PCR-0. In some
implementations, the CRTM may be the entire BIOS; in others, it may be just
the BIOS boot block.
> What if my BIOS can’t be trusted? Can I still do remote attestation
> of the PC client booted this way?
Can you define what you mean by "can't be trusted"? What's your threat
model? If you can't trust the static CRTM, then you should use DRTM instead,
e.g. Intel TXT (actually, that's preferable in general if your hardware supports
it). But even there you will have some residual vulnerability to SMM and thus
a dependency on the BIOS until STMs are available.
[Li, David] My threat model has to assume an attacker can gain physical access to the
motherboard and reflash the BIOS. That's why I worry about using TPM to ensure a
trusted boot.
I am aware of TXT (not in a detailed way). But what's STM? Any pointers?
--
Stephen Smalley
National Security Agency