In this paper, we are going to introduce Static Root of Trust Measurement with Verified Boot using different mechanisms of SPI flash protection. We shall prove VBoot great support for coreboot, TPM usage, and cryptographical operations, and its ability to perform measured and verified boot. We will explain why the Root Key and Recovery Key are the most important components in the VBoot and should be well protected. As a result, we will show a mechanism for automatic decryption of a disk with the assistance of TPM and policies tied to the firmware measurements stored in the TPM.
Speakers: Michał Żygowski