A processor, such as a central processing unit (CPU), may perform a boot-up process after power-on in order to initialize the processor and various components used to perform processing operations. The boot-up process may begin with the processor reading one or more configuration pins, initializing one or more clocks, and performing a limited number of initialization operations for some peripherals (e.g., a keyboard interface, an output device interface, a memory interface, etc.) of the processor. After initializing the memory interface, the boot process may continue based on boot code stored in a memory that is external to the processor. For example, the boot code may be stored in a memory, such as a solid state storage device, and may be accessed after the memory interface is initialized. The processor may retrieve primary boot code of a primary boot loader from the memory and execute the primary boot code to perform additional initialization operations (e.g., initializing or re-initializing clocks, initializing additional peripherals, etc.). After executing the primary boot code, the processor may access the memory to retrieve secondary boot code of a secondary boot loader. The processor may execute the secondary boot code to complete initialization of a motherboard, to load an operating system, to measure and validate the operating system, and to begin initialization of the operating system.
After executing the secondary boot code or initializing the operating system, the processor may begin performing measurements of code before executing the code. The measurements may be used to verify that the code is provided by a trusted or expected source, and not a malicious entity. However, the processor is not capable of performing measurements on the primary boot code and the secondary boot code prior to execution because the processor is not sufficiently initialized until after execution of the primary boot code and the secondary boot code. If a malicious entity, such as a hacker, alters or replaces the primary boot code or the secondary boot code, the processor may perform unexpected operations or may grant the malicious entity access to secure data. Because the processor does not measure the primary boot code or the secondary boot code, such a security breach would likely go undetected by the processor.
To provide a root of trust for the boot-up process of a system, the processor may be coupled, via an interface (e.g., a Serial Peripheral Interface (SPI) bus, an Inter-Integrated Circuit (I2C) bus, a Low Pin Count (LPC) interface, or another interface), to a device (e.g., a microprocessor or an automatic measuring processor) that is configured to act as a “Trusted Platform Module” (TPM) device. A TPM device may perform verification, binding, and/or sealing operations in accordance with one or more standards. As part of a verification process of code executed on or to be executed on the processor, the processor performs “measurements” of the code. As used herein, performing measurements of the code may refer to the processor generating hash values based on the code. The processor may use the hash values to “extend” (e.g., perform extend operations on) registers of the TPM to cause the registers to store values based on the hash values. To perform an extend operation, the processor concatenates a value in a particular register with a new measurement value and then creates a hash value of the concatenated values. For example, the processor may issue an extend instruction that includes a hash value (or other measurement value) and that indicates a particular register, and the TPM may concatenate a value stored at the particular register with the hash value, generate a new hash value based on the concatenated value, and store the new hash value in the particular register. The TPM may generate a TPM quote that includes values stored in registers of the TPM. The TPM may generate a TPM quote signature by signing the TPM quote using a provisioned attestation identity key (AIK). The TPM quote signature may be used to verify that the TPM quote accurately reflects the values stored in the registers.
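The extend operation and the register-replay check a verifier performs on a quoted register value, as an added example that is not part of the original text: it models a single SHA-256 register starting from the all-zeros reset value, assumes a constructed measurement log of three boot stages, and leaves out the AIK signature over the quote.

```python
import hashlib

# Added illustration of a TPM-style extend chain, not the page's own code.
# Each extend computes PCR_new = SHA-256(PCR_old || measurement), so the
# final register value depends on every measurement and on their order.
DIGEST_LEN = 32
INITIAL_PCR = bytes(DIGEST_LEN)  # assumed reset value: all zeros


def measure(code: bytes) -> bytes:
    """'Measure' a code image: hash its bytes with SHA-256."""
    return hashlib.sha256(code).digest()


def extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """Extend: concatenate the old register value with the new measurement, then hash."""
    if len(pcr_value) != DIGEST_LEN or len(measurement) != DIGEST_LEN:
        raise ValueError("register value and measurement must both be 32-byte digests")
    return hashlib.sha256(pcr_value + measurement).digest()


def replay_log(event_log) -> bytes:
    """Recompute the expected register value from an ordered list of measurements."""
    pcr = INITIAL_PCR
    for measurement in event_log:
        pcr = extend(pcr, measurement)
    return pcr


def verify_quote(quoted_pcr: bytes, event_log) -> bool:
    """Verifier check: the quoted register value must equal the replayed log.

    Any altered, missing, or reordered measurement changes the replayed value.
    """
    return replay_log(event_log) == quoted_pcr


# Constructed sample boot stages (placeholders, not real firmware images).
primary_boot = b"primary boot loader (constructed sample)"
secondary_boot = b"secondary boot loader (constructed sample)"
os_image = b"operating system image (constructed sample)"

boot_log = [measure(primary_boot), measure(secondary_boot), measure(os_image)]
quoted_value = replay_log(boot_log)  # what an honest TPM would report in its quote

# A log in which the secondary boot code was altered by one byte.
altered_log = [measure(primary_boot), measure(secondary_boot + b"\x00"), measure(os_image)]
```

Replaying the log is what lets a verifier detect a modified stage: `verify_quote(quoted_value, altered_log)` is False even though only one byte of the secondary boot code changed.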
The TPM device is integrated into the system such that the TPM is re-initialized when the processor is re-initialized (e.g., reset or powered down and powered back on) and is not re-initialized when the processor is not also re-initialized. Code which causes the processor to initialize the TPM device is typically part of the secondary boot code, or part of code that is executed later in the boot-up process than the secondary boot code. Prior to the TPM device being initialized, the TPM device may be unable to perform extend operations on registers in the TPM device.