then take ownership of the TPM, which provides the ability to seal (encrypt) data using the current PCR values. The data can only be unsealed (decrypted) if the PCR values are the same as they were at the time the data was sealed. Ownership of the TPM can only be changed if the TPM is cleared, and any attempt to unseal data sealed by the previous key owner will fail. In networked systems the TPM can also act as a root of trust for reporting (RTR) by signing a quote of its current PCR set.
Freescale Trust Architecture
Freescale’s QorIQ Trust Architecture provides secure boot, secure runtime, secure debug, tamper detection, and device-specific secret key usage. This prevents the CPU from executing untrusted code and prevents the use of modified security keys. Security features are self-contained in the QorIQ system-on-chip - no external trusted devices are required. Figure 6 shows the steps for the Freescale secure boot process.
Code Signing and Provisioning:
1. The trust architecture relies on the generation by the user of a public and private key pair, which can be accomplished using Freescale code signing tools. The private key is used to digitally sign all code that is to execute on the QorIQ processor. The private key must be protected. Any modifications to the signed code can then be detected during the secure boot process.
2. The public key is hashed and programmed into the CPU during device provisioning. This provides a basis to verify digital signatures of the external secure boot code (ESBC).
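The signing and provisioning steps above, as an added example that is not Freescale's code or tooling: a Go model in which the SHA-256 of an ECDSA P-256 public key stands in for the hash programmed into the CPU, and the boot-time check first matches the shipped public key against that hash and only then verifies the signature over the code. The key type, hash, image layout and function names are assumptions made for the example, not QorIQ formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// SignedImage: the code, the public key that verifies it (untrusted until its hash
// is checked against the fuses) and an ASN.1 ECDSA signature over SHA-256(Code).
type SignedImage struct{ Code, PubKeyDER, Signature []byte }
func digest(b []byte) []byte { s := sha256.Sum256(b); return s[:] }

// Provision models step 2: only the hash of the public key is burned into the fuses.
func Provision(pubKeyDER []byte) [32]byte { return sha256.Sum256(pubKeyDER) }

// SignImage models step 1: the signing tool signs the code digest with the private key.
func SignImage(priv *ecdsa.PrivateKey, code []byte) (SignedImage, error) {
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for a valid ECDSA key
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(code))
	return SignedImage{Code: code, PubKeyDER: der, Signature: sig}, err
}

// VerifyBoot models the on-chip check: key hash must match the fuses, then the signature must verify.
func VerifyBoot(fusedHash [32]byte, img SignedImage) error {
	if sha256.Sum256(img.PubKeyDER) != fusedHash {
		return fmt.Errorf("public key hash does not match fused value")
	}
	key, err := x509.ParsePKIXPublicKey(img.PubKeyDER)
	pub, ok := key.(*ecdsa.PublicKey) // ok is false when parsing failed (key is nil)
	if err != nil || !ok {
		return fmt.Errorf("shipped key is not a valid ECDSA public key")
	}
	if !ecdsa.VerifyASN1(pub, digest(img.Code), img.Signature) {
		return fmt.Errorf("signature invalid: code modified or signed with another key")
	}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	img, _ := SignImage(priv, []byte("constructed ESBC image")) // constructed sample code
	fused := Provision(img.PubKeyDER)
	fmt.Println("genuine image:", VerifyBoot(fused, img)) // <nil>
	img.Code[0] ^= 0xff // one-byte modification of the signed code
	fmt.Println("modified image:", VerifyBoot(fused, img))
}
```

Because only the key hash is fused, an image that ships a different public key fails at the first check before any signature is examined, which is what makes the fused hash the root of trust for the chain.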
Pre-Boot Phase:
3. After reset, all device activity is blocked. Fuse values are sensed by the security fuse processor (SFP), which locks down interfaces and memory and enforces security policy before boot. The pre-boot loader (PBL) then loads a reset configuration word from external non-volatile memory to begin system configuration.
Internal Secure Boot Code (ISBC) Phase:
4. The CPU is allowed to boot and
Figure 6 Freescale Trust Architecture
46 l New-Tech Magazine Europe