Measured Launch, SRTM and DRTM

The measured launch implementation requires an x86 device with a Trusted Platform Module (TPM), Intel CPU and firmware that supports Intel Trusted Execution Technology (TXT).

The following items are measured:

• Device firmware

• BIOS configuration

• grub2 bootloader and boot config file

• CPU microcode loaded at runtime

• TXT Authenticated Code Modules

• tboot, trusted boot measurement and launch pre-VMM software module

• Xen hypervisor and the Xen boot command line

• XSM/flask policy

• Linux kernel and the kernel boot command line

• Linux initial ramdisk, initrd

• dom0 filesystem (read-only)

• network driver VM filesystem (read-only)

• TPM 1.2

• TPM 2.0

• Forward Seal Test Procedures (pre-compute PCRs for unattended upgrade)

• Improved key management (2015 design discussion)

• UEFI/SecureBoot support:  RFCv1  • RFCv2

• Virtual TPMs

• Attestation

• UEFI multi-boot modules

• Key recovery

• https://github.com/OpenXT/xenclient-oe/tree/master/recipes-openxt/openxt

• https://github.com/OpenXT/xenclient-oe/tree/master/recipes-openxt/tboot

• https://github.com/OpenXT/xenclient-oe/tree/master/recipes-openxt/tss

• https://github.com/OpenXT/xenclient-oe/tree/master/recipes-openxt/tpm-tools

• https://github.com/OpenXT/xenclient-oe/tree/master/recipes-openxt/xenclient/xenclient-tpm-scripts

• https://github.com/OpenXT/xenclient-oe/tree/master/recipes-openxt/xenclient/xenclient-tpm-setup

• https://github.com/OpenXT/xenclient-oe/tree/master/recipes-openxt/xenclient/xenclient-root-ro

• https://github.com/flihp/meta-measured

• http://hg.code.sf.net/p/tboot/code

• https://github.com/01org/tpm2.0-tss.git

• https://github.com/01org/tpm2.0-tools.git

• https://github.com/starlab-io/docker-tpm-emulator

• https://github.com/starlab-io/docker-tpm2-emulator

• https://github.com/PeterHuewe/tpm-emulator

• https://git.yoctoproject.org/cgit/cgit.cgi/meta-security

• https://github.com/WindRiver-OpenSourceLabs/meta-secure-env

• https://github.com/jiazhang0/meta-secure-core

• Qubes: Anti Evil Maid (2011)

• OpenXT: In Device We Trust: Measure Twice, Compute Once with Xen, Linux, TPM 2.0 and TXT (2017)

• Open Source Foundries: Secure OTA Collaboration (2017)

• Google: Replace UEFI with Linux (2017)  • Video

• HP SureStart BIOS protection:  Coprocessor detection of attacks against SMM (2017)

• Microsoft: Hardening with Hardware (2018)  • Video

• https://wiki.xenproject.org/wiki/Category:OpenEmbedded