IoT and Chain of Trust

In the previous article, we discussed what a TPM is and what features it offers. In this short article we'll see how a TPM is used to create and establish a chain of trust.

Establishing a tamper-proof chain of trust works at two levels. First, each device is booted in a trusted manner. Such a device then interacts with other devices that have also been booted securely. The second level deals with establishing a "chain of trust" among these securely booted devices. It is important to note that the TPM only provides the mechanism needed to establish a root of trust; it is entirely up to the host machine and its software (the OS as well as the application software) to build a trusted execution environment on top of it, and that software must be designed to do so. Let's see how this mechanism works with the help of a simple example.

Consider a simplistic IoT setup as shown in following figure.



The Server

At the time of boot, the BIOS uses the Core Root of Trust, i.e. the immutable BIOS boot block, to measure the remaining BIOS blocks and extends the resulting hash into Platform Configuration Register (PCR) 0 of the TPM. When the BIOS boot block needs to start the next module, it again "measures" it and extends the hash into the TPM. This process repeats until the BIOS finishes execution. At the end of this step, the whole BIOS has been measured and the accumulated hash is available from the TPM whenever it is required.

When control passes to the boot loader, it does the same as the BIOS: it measures the software modules it invokes and updates the TPM's PCRs. Once the server boots, the system software continues to measure software components, including kernel modules, drivers and so on, and extends the PCRs with those measurements. So whenever a request is received to execute some piece of software, it is first validated against the hash recorded in the TPM and only then executed. Any tampering with a software module after boot-up produces mismatching "measurements", which is how the system is secured.
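To make the measure-and-extend process concrete, here is an added example in Python that is not part of the original post. It simulates a TPM PCR bank in software: each stage hashes the next module and extends a PCR with PCR_new = SHA-256(PCR_old || measurement), keeps an event log, and lets a verifier replay that log and compare the final PCR values against known-good ("golden") values. The boot chain, module contents and PCR assignments are constructed for illustration; they are not the layout of any real firmware.

```python
import hashlib

PCR_SIZE = 32
INITIAL_PCR = b"\x00" * PCR_SIZE  # PCRs reset to all zeros at power-on


def measure(component: bytes) -> bytes:
    """Measure a software module: hash its contents with SHA-256."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend operation: PCR_new = H(PCR_old || measurement).

    Extend is one-way and order-dependent, so a PCR value summarises the
    entire sequence of measurements fed into it, not just the last one.
    """
    return hashlib.sha256(pcr + measurement).digest()


# Constructed sample boot chain: (PCR index, stage name, module contents).
# Real firmware assigns PCRs differently; these values are illustrative only.
BOOT_CHAIN = [
    (0, "bios-boot-block", b"BIOS boot block v1"),
    (0, "bios-main", b"BIOS main code v1"),
    (4, "bootloader", b"bootloader stage 2 v1"),
    (8, "kernel", b"kernel image v1"),
    (8, "initrd", b"initramfs v1"),
]


def measured_boot(chain):
    """Run the chain: each stage measures the next and extends its PCR.

    Returns the final PCR values and an event log of (pcr, name, hash hex).
    """
    pcrs = {}
    log = []
    for idx, name, blob in chain:
        m = measure(blob)
        pcrs[idx] = extend(pcrs.get(idx, INITIAL_PCR), m)
        log.append((idx, name, m.hex()))
    return pcrs, log


def replay_log(log):
    """Recompute PCR values from the event log, as a verifier would."""
    pcrs = {}
    for idx, _name, mhex in log:
        pcrs[idx] = extend(pcrs.get(idx, INITIAL_PCR), bytes.fromhex(mhex))
    return pcrs


def verify_against_golden(pcrs, golden):
    """Compare measured PCRs with golden values; True means that PCR matches."""
    return {idx: pcrs.get(idx) == val for idx, val in golden.items()}


def tampered_chain(chain, stage, new_blob):
    """Return a copy of the chain with one stage's contents replaced."""
    return [(i, n, new_blob if n == stage else b) for i, n, b in chain]


if __name__ == "__main__":
    golden, _ = measured_boot(BOOT_CHAIN)
    bad, log = measured_boot(tampered_chain(BOOT_CHAIN, "kernel", b"kernel image v1 (modified)"))
    print(verify_against_golden(bad, golden))  # PCR 8 mismatches, PCRs 0 and 4 still match
```

Two properties worth noticing: only the PCR that received the tampered module changes, which tells the verifier roughly where in the boot the deviation happened; and because extend is order-dependent, replaying the same measurements in a different order also produces a different PCR value, so an attacker cannot reorder stages to hide a change.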

This process flow can be depicted as shown in following figure.



Edge computing devices

These devices are themselves small computers and have their own TPM modules on board. Exactly the same boot procedure is followed on these devices as on the server.

Chain of Trust between Server and Edge devices

Up to this point, the server as well as the edge devices have been booted in a "clean" environment. From this step onwards, edge devices authenticate themselves to the server over encrypted communication channels. Authentication, and extending the chain of trust beyond the server boundary, is achieved by integrating security features throughout the solution logic rather than relying on the TPM alone.
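The following added example (not part of the original post) shows one way an edge device can prove its boot state to the server and so extend the chain of trust across the network. The server issues a fresh nonce, the device answers with a "quote" containing its PCR values and a MAC over nonce and PCRs, and the server checks the nonce (to stop replay), the MAC (to stop forgery) and the PCRs (against golden values). For a self-contained stdlib-only demo the quote is authenticated with an HMAC under a pre-shared key provisioned at enrollment; a real TPM signs quotes with a device-bound asymmetric attestation key instead, but the verifier's checks are the same. Device ids, keys, module contents and PCR assignments are all constructed.

```python
import hashlib
import hmac
import json
import os


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """Simulated TPM PCR extend: PCR_new = SHA-256(PCR_old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def expected_pcrs(modules):
    """Compute golden PCR values from the modules a device is expected to boot."""
    pcrs = {}
    for idx, blob in modules:
        pcrs[idx] = extend(pcrs.get(idx, b"\x00" * 32), hashlib.sha256(blob).digest())
    return {idx: val.hex() for idx, val in pcrs.items()}


# Constructed enrollment data: one edge device, its attestation key and the
# firmware it is expected to run. Hypothetical values, not from any product.
EXPECTED_MODULES = [(0, b"edge bios v1"), (4, b"edge bootloader v1"), (8, b"edge kernel v1")]
DEVICE_KEYS = {"edge-01": b"constructed-pre-shared-attestation-key"}
GOLDEN = {"edge-01": expected_pcrs(EXPECTED_MODULES)}


def canonical(pcrs) -> bytes:
    """Deterministic encoding of PCR values so both sides MAC the same bytes."""
    return json.dumps({str(k): v for k, v in pcrs.items()}, sort_keys=True).encode()


def make_quote(device_id: str, key: bytes, pcrs: dict, nonce: bytes) -> dict:
    """Edge side: bind current PCR values to the server's nonce and authenticate."""
    mac = hmac.new(key, nonce + canonical(pcrs), hashlib.sha256).hexdigest()
    return {"device": device_id, "nonce": nonce.hex(), "pcrs": dict(pcrs), "mac": mac}


class Verifier:
    """Server side of the attestation exchange."""

    def __init__(self, keys, golden):
        self.keys = keys
        self.golden = golden
        self.pending = {}  # device id -> outstanding nonce

    def challenge(self, device_id: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[device_id] = nonce
        return nonce

    def verify(self, quote: dict):
        dev = quote["device"]
        # A nonce is valid for exactly one quote; pop() makes replays fail.
        nonce = self.pending.pop(dev, None)
        if nonce is None or nonce.hex() != quote["nonce"]:
            return False, "stale or unknown nonce"
        key = self.keys.get(dev)
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, nonce + canonical(quote["pcrs"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, quote["mac"]):
            return False, "bad signature"
        if quote["pcrs"] != self.golden[dev]:
            return False, "PCR mismatch"
        return True, "trusted"


if __name__ == "__main__":
    server = Verifier(DEVICE_KEYS, GOLDEN)
    nonce = server.challenge("edge-01")
    quote = make_quote("edge-01", DEVICE_KEYS["edge-01"], GOLDEN["edge-01"], nonce)
    print(server.verify(quote))  # (True, 'trusted')
    print(server.verify(quote))  # replayed quote is rejected
```

The order of checks is deliberate: freshness and authenticity are established before the PCR values are even looked at, so an attacker who captured a valid quote from a clean boot cannot replay it later, and a device that cannot authenticate never gets to claim a good boot state.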

Chain of Trust between Edge devices and smart sensors

Integrating a hardware TPM at the sensor level may not be feasible considering board real estate, cost and onboard computing power. Often the sensor merely transmits data to the edge device. Even in such cases, a fair amount of security can be implemented, which we will discuss in a separate article. For now it will suffice to say that the edge device should closely monitor these sensors and authenticate them frequently so as to thwart any physical tampering attempt.
