What is the difference between a Trusted Computing Base (TCB) and a Root of Trust (RoT)? Can both terms be used interchangeably?

A TCB is defined by the NIST as follows:

Totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination responsible for enforcing a security policy.

A RoT is defined by GlobalPlatform as follows:

A computing engine, code, and possibly data, all co-located on the same platform; provides security services. No ancestor entity is able to provide a trustable attestation (in Digest or other form) for the initial code and data state of the Root of Trust.

It looks like these are the same things but used in slightly different contexts. TCB seems to be used for the general case while Root of Trust seems to be focused on cryptographic applications and hardware security subsystems (like TPMs).

DurandA
  • 1
    You have a specific definition for TCB from a seemingly authoritative source written down in your question. Do you have a similar specific definition for RoT that you can write down in your question? This would make the question less vague and maybe get you better answers. – hft Mar 24 '21 at 17:11
  • 1
    I'd be interested to know in the TCB definition what they mean by "computer system." In other parts of NIST - the RSM, for example, when you're talking about system certification and accreditation, a "system" can include technology, people and processes, other supporting systems, etc... – D0gfather Mar 25 '21 at 00:27

0 Answers