Initiatives such as the Trusted Computing Group's (TCG) Mobile Trusted Module (MTM) documents, TCG Mobile Reference Architecture version 1.0, 12 Jun. 2007 (Non Patent Literature 1) and TCG Mobile Trusted Module Specification version 1.0, 12 Jun. 2007 (Non Patent Literature 2), describe how to start up a device in an assured and trusted fashion. These methods have been thoroughly reviewed to ensure that trust and security are maintained throughout the boot process, and so provide a useful baseline for those wanting to implement a device that can boot securely. A key component of this secure boot process is a RIM (Reference Integrity Metrics) Certificate. This is a signed structure that defines what the current expected platform state should be, represented by a hash of a set of Platform Configuration Registers (PCRs), which themselves contain known, publicly defined hash values. These PCRs act as integrity measurements that may be recorded in RIM Certificates to define an expected machine state. In addition, the RIM Certificate also specifies a PCR to be extended if the current state is verified. This extend process takes a specified PCR and calculates a new hash value based on the previous PCR value concatenated with a new known value defined within the RIM Certificate.

A typical straightforward secure boot sequence as defined by the TCG starts with the initialization and self-verification of the core components such as the roots of trust for verification and for measurement (the RTV+RTM), the MTM itself and associated core MTM interface components. Next, additional components that support other parts of the firmware are started in a trusted fashion such that each component is verified by an already-trusted component before control is passed to it, and the component then verifies itself to ensure it has been launched from a trusted component. This sequence of verify=>execute=>self-verify has the effect of dynamically extending the trust boundary outwards from the roots of trust to each component within the system. Finally the operating system runs to provide a secure and trusted path for client applications to access MTM services.
There are extra functions that may appear within the above sequence of events. The TCG specifies that a device may have more than one MTM, some of which must be started during secure boot, others which may load within application space. Alternatively, as described within Japanese patent application 2008-264530, transient PCRs may be defined, or, as described within US Patent Application No 2006/0212939 A1 (Patent Literature 1), virtual PCRs may be defined. These functions and modules that manage a set of PCRs (and provide other services as defined in the prior art) are described collectively within this patent application as “PCR domains”, with a one-to-one relationship of one PCR domain managing one set of PCRs. In addition, a “PCR domain state” is defined as being a set of values of one or more PCRs from a PCR domain at a given point in time. By indicating the values of specific PCRs, the domain state describes what components are already active within the domain. As described above, for each PCR domain there is a specified expected sequence of extend operations, so by looking at a given PCR domain state one can determine the progress through the expected sequence of extend operations, and thus, by implication, the progress through the expected sequence of component execution. In the TCG specification this state may be represented by a TPM_PCR_SELECTION to indicate the PCRs within the domain to reference, and a TPM_COMPOSITE_HASH to store a composite hash of the PCRs indicated by the TPM_PCR_SELECTION. RIM Certificates contain such a PCR domain state to indicate the PCR values that must be set within the domain for the certificate to be considered valid.
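The following Python example, added here and not part of the patent application or of any TCG reference code, illustrates the mechanism described in the preceding paragraphs: the PCR extend operation, a PCR domain state expressed as a selection of PCRs plus a composite hash over them, and a RIM-Certificate-style check that verifies the current domain state before extending the certificate's target PCR. It assumes a TPM 1.2-style domain of sixteen 20-byte SHA-1 PCRs (MTM 1.0 builds on TPM 1.2), a simplified TPM_PCR_SELECTION / TPM_PCR_COMPOSITE serialisation, and an HMAC under a constructed key as a stand-in for the asymmetric signature a real RIM Certificate carries; the boot stages, labels and measured image strings are constructed for the example.

```python
import hashlib
import hmac
import struct

# Assumptions for this example (not from the page): 20-byte SHA-1 PCRs as in TPM 1.2,
# a 16-PCR domain, and an HMAC under a constructed key standing in for the real
# asymmetric signature on a RIM Certificate.
HASH = hashlib.sha1
DIGEST_LEN = 20
NUM_PCRS = 16
RIM_SIGNING_KEY = b"constructed-demo-key"  # placeholder only, not a real verification key


def pcr_extend(old_value: bytes, measurement: bytes) -> bytes:
    """The TCG extend operation: new PCR value = H(previous PCR value || new value)."""
    return HASH(old_value + measurement).digest()


def pcr_selection(indices) -> bytes:
    """TPM_PCR_SELECTION-style encoding: big-endian uint16 sizeOfSelect, then a bitmap
    in which bit (i % 8) of byte (i // 8) selects PCR i."""
    size = (NUM_PCRS + 7) // 8
    bitmap = bytearray(size)
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">H", size) + bytes(bitmap)


def composite_hash(pcrs, indices) -> bytes:
    """TPM_COMPOSITE_HASH-style digest of a PCR domain state:
    H(selection || uint32 valueSize || concatenated selected PCR values)."""
    indices = sorted(set(indices))
    values = b"".join(pcrs[i] for i in indices)
    return HASH(pcr_selection(indices) + struct.pack(">I", len(values)) + values).digest()


class PCRDomain:
    """One PCR domain managing one set of PCRs; every PCR is all-zero after reset."""

    def __init__(self, n=NUM_PCRS):
        self.pcrs = [bytes(DIGEST_LEN)] * n

    def extend(self, index, measurement):
        self.pcrs[index] = pcr_extend(self.pcrs[index], measurement)
        return self.pcrs[index]

    def state(self, indices):
        return composite_hash(self.pcrs, indices)


class RIMCertificate:
    """Constructed stand-in for a RIM Certificate: the domain state that must hold,
    the PCR to extend on success, and the known value to extend it with."""

    def __init__(self, label, required_pcrs, expected_state, extend_pcr, extend_value):
        self.label = label
        self.required_pcrs = tuple(sorted(required_pcrs))
        self.expected_state = expected_state
        self.extend_pcr = extend_pcr
        self.extend_value = extend_value
        self.signature = hmac.new(RIM_SIGNING_KEY, self.to_be_signed(), hashlib.sha256).digest()

    def to_be_signed(self):
        return (self.label.encode() + pcr_selection(self.required_pcrs) + self.expected_state
                + struct.pack(">B", self.extend_pcr) + self.extend_value)

    def signature_valid(self):
        expected = hmac.new(RIM_SIGNING_KEY, self.to_be_signed(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, self.signature)


def verify_and_extend(domain, cert):
    """The signature must verify and the selected PCRs must hash to the expected state;
    only then is the certificate's value extended into the target PCR."""
    if not cert.signature_valid():
        return False
    if not hmac.compare_digest(domain.state(cert.required_pcrs), cert.expected_state):
        return False
    domain.extend(cert.extend_pcr, cert.extend_value)
    return True


def make_boot_chain():
    """Derive the expected RIM Certificates from a constructed golden boot: the RTV+RTM and
    MTM core into PCR 0, firmware into PCR 1, the OS loader into PCR 2. Each certificate
    requires the state left by all earlier stages, so the order of extends is enforced."""
    golden = PCRDomain()
    stages = [("rtv_rtm_mtm_core", 0, HASH(b"rtv+rtm+mtm core image").digest()),
              ("firmware", 1, HASH(b"firmware image").digest()),
              ("os_loader", 2, HASH(b"os loader image").digest())]
    certs = []
    for label, pcr, value in stages:
        required = list(range(pcr + 1))  # PCRs 0..pcr must already reflect the earlier stages
        certs.append(RIMCertificate(label, required, golden.state(required), pcr, value))
        golden.extend(pcr, value)
    return certs


def secure_boot(certs):
    """Run the chain from reset, stopping at the first certificate that fails to verify;
    returns the labels of the stages that verified."""
    domain = PCRDomain()
    passed = []
    for cert in certs:
        if not verify_and_extend(domain, cert):
            break
        passed.append(cert.label)
    return passed
```

Because each certificate's expected composite hash is computed over every PCR the earlier stages extend, running the stages out of order, skipping one, or altering the value a certificate would extend all produce a mismatch or a failed signature check, and the chain halts at that point rather than extending the trust boundary further.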