then take ownership of the TPM,

which provides the ability to seal

(encrypt) data using the current PCR

values. The data can only be unsealed

(decrypted) if the PCR values are the

same as they were at the time the

data was sealed. Ownership of the

TPM can only be changed if the TPM

is cleared, and any attempt to unseal

data sealed by the previous key

owner will fail. In networked so act as

a root of trust for reporting (RTR) by

signing a quote of its current PCR set.

Freescale Trust

Architecture

Freescale’s QorIQ Trust Architecture

provides secure boot, secure runtime,

secure debug, tamper detection, and

devicespecific secret key usage. This

prevents the CPU from executing

untrusted code and prevents the use

of modified security keys. Security

features are self-contained in the

QorIQ system-on-chip - no external

trusted devices are required. Figure

6 shows the steps for the Freescale

secure boot process.

Code Signing and Provisioning:

1. The trust architecture relies on the

generation by the user of a public

and private key pair, which can be

accomplished using Freescale code

signing tools. The private key is used

to digitally sign all code that is to

execute on the QorIQ processor. The

private key must be protected. Any

modifications to the signed code can

then be detected during the secure

boot process.

2. The public key is hashed and

programmed into the CPU during

device provisioning. This provides a

basis to verify digital signatures of the

external secure boot code (ESBC).

Pre-Boot Phase:

3. After reset, all device activity is

blocked. Fuse values are sensed by

the security fuse processor (SFP)

which locks down interfaces and

memory and enforces security policy

before boot. The pre-boot loader (PBL)

then loads a reset configuration word

from external non-volatile memory to

begin system configuration.

Internal Secure Boot Code (ISBC)

Phase:

4. The CPU is allowed to boot and

Figure 6 Freescale Trust Architecture

46 l New-Tech Magazine Europe