In general, in order to provide security, existing boot frameworks typically place a public key and a Root-of-Trust for Enforcement within immutable storage. They then require that any image the system boots from (e.g., an operating system) be signed with a digital signature using the private key corresponding to that public key. The public and private keys are global, i.e., the same key pair is used for every device.
A drawback of this system is that it is inflexible. It does not allow fine-grained control of the boot process, and it cannot be adapted to work with third-party management systems, since new images/events cannot be authorized securely on the device. In addition, images are not device-specific. For example, an image can be transferred from one device to another and still be verified by the same signature: although the image has been authorized to run on the first device, the signature verifies the image equally well on the second, because the signature covers only the image and not the identity of the device.
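The device-binding gap just described, as an added example that is not part of the original document: the conventional check signs only the image digest with a global key, so it passes on every device, whereas signing the digest together with a device identity makes the same image fail on any other device. Ed25519, the constructed image bytes and the device identifiers are assumptions of this example; the page names no particular algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Global signing key pair (generated here for the example; in a real framework
// the public key lives in immutable storage and the private key stays offline).
var vendorPub, vendorPriv, _ = ed25519.GenerateKey(rand.Reader)

// signGlobal mimics the conventional scheme: the signature covers only the
// image digest, so nothing ties it to a particular device.
func signGlobal(image []byte) []byte {
	h := sha256.Sum256(image)
	return ed25519.Sign(vendorPriv, h[:])
}

// verifyGlobal is what the immutable boot code checks; it never consults the
// device identity, so a valid signature is valid on every device.
func verifyGlobal(image, sig []byte) bool {
	h := sha256.Sum256(image)
	return ed25519.Verify(vendorPub, h[:], sig)
}

// boundMessage binds an image to one device: the fixed-length digest is
// followed by the device identity, so the pair cannot be ambiguous.
func boundMessage(image []byte, deviceID string) []byte {
	h := sha256.Sum256(image)
	return append(h[:], []byte(deviceID)...)
}

// signBound authorizes the image for exactly one device identity.
func signBound(image []byte, deviceID string) []byte {
	return ed25519.Sign(vendorPriv, boundMessage(image, deviceID))
}

// verifyBound is checked by the device with its own identity; a signature
// issued for another device does not verify here.
func verifyBound(image []byte, deviceID string, sig []byte) bool {
	return ed25519.Verify(vendorPub, boundMessage(image, deviceID), sig)
}

func main() {
	image := []byte("constructed kernel image bytes") // constructed sample input
	sig := signGlobal(image)
	fmt.Println("global signature on device-A:", verifyGlobal(image, sig)) // true
	fmt.Println("global signature on device-B:", verifyGlobal(image, sig)) // true: not device-specific
	bound := signBound(image, "device-A")
	fmt.Println("bound signature on device-A:", verifyBound(image, "device-A", bound)) // true
	fmt.Println("bound signature on device-B:", verifyBound(image, "device-B", bound)) // false
}
```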
A secure boot mechanism based on TCG technology using so-called Device Integrity Registers is briefly introduced by Siani Pearson et al. in “Trusted Computing Platforms: TCPA Technology in Context” (ISBN 0-13-009220-7) (“[TCPA]”). In general, the mechanism introduced in [TCPA] is limited in that it is neither scalable nor flexible. The mechanism does not allow fine-grained control of the boot process, nor does it allow large numbers of secure configurations to be specified. Further, TCG requires that platform-identifying information not be placed in Platform Configuration Registers (PCRs) (discussed below). Where this requirement is followed, the solution suggested in [TCPA] does not allow secure boot configurations to be bound to an individual system.
A need, therefore, exists for a method of creating an improved secure boot mechanism that is configurable yet simple. In particular, a need exists for creating such a secure boot mechanism in a setting where Trusted Computing Group (TCG) technology (e.g., a Trusted Platform Module (TPM)) is used.