8

In the TCG specification (for TPM devices) they specify how a static root of trust can be built up using secure boot and trusted boot. An alternative method appears to be Intel's Dynamic boot using their Intel TXT technology. I was just wondering, from a security point of view, which is preferable and what the major differences are? Thanks

northox
Nark

1 Answer

13

It's complicated.

Both are Roots of Trust for Measurement, meaning they can be used to measure the running environment.

The main problem with SRTM is that you need to keep measurements of the entire platform boot sequence (BIOS config, 3rd party boot rom (e.g. network cards), etc) and this includes a LOT of code. Any change to any of this requires new measurements.

The intent of DRTM was to avoid all of this by providing the capability of executing code from a clean slate while the system is running (no need to reboot like SRTM). However, it didn't turn out exactly that way since TXT is vulnerable to a malicious SMM (System Management Mode / ring -2) or Intel's ME/AMT (Management Engine / Active Management Technology / ring -3). Briefly, this means SMM and ME code is not isolated from the Late Launch and malicious code can gain access to the Measured Launch Environment even though it has not been measured - not a really clean slate.

These are very complex attacks only demonstrated by researchers (ITL) but they are possible. I'm saying this because they still consider TXT to be valuable even though it's vulnerable.

One could recommend using SRTM with DRTM to measure the SMM code as it's contained in SRTM measurements (PCR 0-1). This would in theory make sure you have very few SRTM to maintain and the code is really coming from the manufacturer... but it doesn't mean it's not malicious (e.g. computrace?).

Nothing can be done for Intel ME/AMT as far as I know. If someone found a new flaw and inserted malware, the security model breaks. Keep in mind this is said to be extremely difficult. Also, since ITL's research/attack, Intel's ME security model has improved.

In conclusion, DRTM cannot be more secure than SRTM. Using both of them is probably the best setup. Assuming there's no flaw, it means you need to trust Intel (that's a given) and the platform manufacturer (BIOS/SMM). This can easily be done by using TXT via Tboot: use PCONF (0-1), SINIT (17) and MLE policies (18). See this.

See this for an overview of how SRTM and DRTM work.

northox
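The combined SRTM + DRTM check the answer recommends (PCR 0-1 plus 17 and 18) can be modelled with the TPM extend rule. This is an added example, not code from the answer or from tboot. It assumes a SHA-256 PCR bank, one measurement per DRTM PCR, and constructed blobs in place of real firmware, SINIT and MLE images.

```python
import hashlib

N = 32  # SHA-256 bank (assumption); TPM 1.2 uses SHA-1 with the same extend rule

def extend(pcr: bytes, blob: bytes) -> bytes:
    """TPM extend: new = H(old || H(blob)). A PCR can never be set directly."""
    return hashlib.sha256(pcr + hashlib.sha256(blob).digest()).digest()

def chain(blobs, start=bytes(N)):
    pcr = start
    for blob in blobs:
        pcr = extend(pcr, blob)
    return pcr

def platform_pcrs(firmware, config, sinit, mle, late_launch=True):
    """Simplified model of the PCRs named in the answer's policy."""
    # SRTM: every firmware/config component since reset is folded into PCR 0-1.
    pcrs = {0: chain(firmware), 1: chain(config)}
    # DRTM: PCR 17+ hold all-ones after power-on; only the late launch zeroes
    # them, so ordinary software cannot reproduce a launched value.
    start = bytes(N) if late_launch else b"\xff" * N
    pcrs[17] = chain([sinit], start)
    pcrs[18] = chain([mle], start)
    return pcrs

def deviations(golden, observed):
    """Sorted PCR indexes whose value differs from the golden set."""
    return sorted(i for i in golden if observed.get(i) != golden[i])

# Constructed sample blobs (hypothetical names, not real images)
FW = [b"bios-core-v1", b"smm-handler-v1"]
CFG = [b"bios-settings: vt-d=on"]
SINIT, MLE = b"sinit-acm", b"tboot-mle"
GOLDEN = platform_pcrs(FW, CFG, SINIT, MLE)

def demo():
    def run(**kw):
        args = dict(firmware=FW, config=CFG, sinit=SINIT, mle=MLE)
        args.update(kw)
        return deviations(GOLDEN, platform_pcrs(**args))
    return {
        "clean": run(),
        "smm_changed": run(firmware=[FW[0], b"smm-handler-MODIFIED"]),
        "bios_update": run(firmware=[b"bios-core-v2", FW[1]]),
        "mle_changed": run(mle=b"other-mle"),
        "no_late_launch": run(late_launch=False),
    }

if __name__ == "__main__":
    for case, bad in demo().items():
        print(f"{case:15} mismatching PCRs: {bad}")
```

A modified SMM handler and a legitimate BIOS update both show up only as a PCR 0 mismatch, which is the maintenance cost of SRTM the answer describes: the verifier needs a new golden value for every firmware change.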