1. Field
The present invention relates to a method for attesting a component of a system during a boot process.
2. Description of the Related Art
Trusted boot is a process for booting and establishing a chain of trust in a computing system. With reference to the environment (100) of FIG. 1, for example, a system administrator takes delivery of a server (a managed system (120)) and proceeds to install system software. The managed system (120) comprises a secure device (125), e.g. a TPM (Trusted Platform Module). Once the system (120) is configured and booting, each component (hardware and/or software) of the managed system (120) cryptographically measures another component and can “extend” (but not directly write to) a measurement value into a Platform Configuration Register (PCR) of the TPM (125). Each component is also operable to access an event log in order to write data associated with the measurement of a component into an entry associated with the event log.
The administrator trusts the configuration and takes these initial measurements as trusted. The assumption is that no one has subverted the system after the install/configuration and before the measurements were recorded.
The measurements can be remotely attested by a managing system (105) which has a database (115) to store expected attestation values for components of each managed system. The values would typically be stored along with some metadata describing what the values mean. The managing system (105) comprises a TPM emulator (110) for, e.g., comparing the measurements with the stored values. If the measurements do not match the stored values, the managing system (105) typically has to go further and compare the measurements against a (large) list of measurement values provided by the manufacturers of the components, e.g., a reference manifest. Typically, a reference manifest comprises a large number of measurement values associated with each component of a managed system (200), and these measurement values can be taken to be “trusted”.
The remote attestation process itself may be initiated by either the managing or managed system.
Changes to the managed system (120) can be detected by subsequent trusted boot and remote attestation processes.
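As an added illustration (not part of the patent text), the following Python sketch models the PCR extend operation, event-log replay and the managing system's two-stage comparison described above: first against stored expected values, then against a reference manifest. The hash algorithm, component names and digests are constructed assumptions.

```python
import hashlib

# Constructed values (not from the patent): PCRs start zeroed at power-on.
INITIAL_PCR = b"\x00" * 32

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || measurement).
    A PCR can only be extended, never written directly, so the final
    value depends on every measurement and on their order."""
    return hashlib.sha256(pcr + measurement).digest()

def measure(component: bytes) -> bytes:
    """Measurement a component would record for the next boot stage."""
    return hashlib.sha256(component).digest()

# Constructed event log: (component name, measurement digest), in boot order.
EVENT_LOG = [
    ("firmware", measure(b"firmware-image-v1")),
    ("bootloader", measure(b"bootloader-v2")),
    ("kernel", measure(b"kernel-5.x")),
]

def replay_event_log(log) -> bytes:
    """Recompute the PCR value a log should have produced."""
    pcr = INITIAL_PCR
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def attest(reported_pcr, log, expected_pcrs, reference_manifest) -> str:
    """Managing-system side check.
    1. Fast path: the reported PCR matches a stored expected value.
    2. Otherwise the log must reproduce the reported PCR (log integrity)
       and every entry must appear in the manufacturers' reference manifest,
       keyed by component name."""
    if reported_pcr in expected_pcrs:
        return "trusted (known value)"
    if replay_event_log(log) != reported_pcr:
        return "untrusted (event log does not reproduce PCR)"
    unknown = [name for name, d in log
               if d not in reference_manifest.get(name, set())]
    if unknown:
        return "untrusted (unrecognised components: %s)" % ", ".join(unknown)
    return "trusted (all entries in reference manifest)"

if __name__ == "__main__":
    pcr = replay_event_log(EVENT_LOG)
    print(attest(pcr, EVENT_LOG, {pcr}, {}))
```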
The above processes are described, for example, in section 4 of the Trusted Computing Group (TCG) Specification Architecture Overview; Specification; Revision 1.4; 2 Aug. 2007 and section 2 of the TCG Infrastructure Working group Architecture Part II—Integrity Management; Specification Version 1.0; Revision 1.0; 17 Nov. 2006.
Maintaining a database of trusted values (from a reference manifest) for the managed systems that a managing system manages is complex. One reason is heterogeneous platform configurations. Another is that trusted values genuinely vary between managed systems having the same configuration, because of differences such as processor count, or because identical software configured itself differently during installation. In practice, two managed systems with an identical software and hardware configuration may therefore have different trusted values despite both having booted in a trusted manner.