Understanding secure boot as part of the platform security architecture on a modern system-on-a-chip (SoC)
Secure Boot and Image Authentication
Secure boot is designed to ensure that devices run only authorized software. Multiple stakeholders rely on the integrity of the platform software: users, carriers, device manufacturers (OEMs), and third parties who provide services all want to be sure that the device runs software they trust. Secure boot handles image authentication, which ensures that only authorized software runs on the device. Because boot is a bootstrap sequence, each loaded image verifies the authenticity of the next image, starting from the ROM software burned into the fabric of the chip.
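The chain described above, as an added example that is not code from the original article or from the Snapdragon platform: a ROM anchor (the hash of a trusted public key), a sequence of images that each carry a signature and optionally delegate trust to the key that signs the next stage, and a loader that halts at the first image that fails. The signature primitive is textbook RSA over Mersenne-prime moduli so that the check is genuinely asymmetric without a third-party library; the key sizes, image names, payloads and the delegation layout are all constructed for illustration.

```python
"""Model of a secure-boot chain: each stage verifies the next image
against a trust anchor before handing control to it."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Toy RSA built from Mersenne primes so the chain performs a real
# asymmetric check with no third-party library.  ~100-bit moduli are an
# illustration only and nothing like a production key (assumption).
OEM_PRIMES = ((1 << 31) - 1, (1 << 61) - 1)        # key whose hash sits in ROM
DELEGATE_PRIMES = ((1 << 89) - 1, (1 << 19) - 1)   # key trusted for later stages
E = 65537


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int

    def fingerprint(self) -> bytes:
        # Hash of the key: what a ROM or eFuse bank holds as the trust anchor
        return hashlib.sha256(f"{self.n}:{self.e}".encode()).digest()


class PrivateKey:
    def __init__(self, p: int, q: int, e: int = E):
        self.public = PublicKey(p * q, e)
        self._d = pow(e, -1, (p - 1) * (q - 1))

    def sign(self, digest: bytes) -> int:
        # Only the first 8 digest bytes fit under the toy modulus
        return pow(int.from_bytes(digest[:8], "big"), self._d, self.public.n)


def verify_sig(key: PublicKey, digest: bytes, sig: int) -> bool:
    return pow(sig, key.e, key.n) == int.from_bytes(digest[:8], "big")


@dataclass(frozen=True)
class BootImage:
    name: str
    payload: bytes
    next_anchor: Optional[bytes]  # fingerprint of the key that signs the next stage
    signer: PublicKey
    signature: int

    def signed_digest(self) -> bytes:
        # The signature covers the code and the anchor it delegates to
        return hashlib.sha256(self.payload + (self.next_anchor or b"")).digest()


def make_image(name: str, payload: bytes, signer: PrivateKey,
               next_signer: Optional[PublicKey]) -> BootImage:
    nxt = next_signer.fingerprint() if next_signer else None
    digest = hashlib.sha256(payload + (nxt or b"")).digest()
    return BootImage(name, payload, nxt, signer.public, signer.sign(digest))


def verify_image(image: BootImage, anchor: bytes) -> bool:
    # A valid signature from a key the current stage does not trust is
    # still a failure; the anchor decides whose signature counts here.
    if image.signer.fingerprint() != anchor:
        return False
    return verify_sig(image.signer, image.signed_digest(), image.signature)


def boot_chain(rom_anchor: bytes, images: List[BootImage]) -> List[str]:
    """Return the names of the stages that verified and were 'loaded'.
    The chain halts at the first image that fails, as a ROM loader would."""
    loaded, anchor = [], rom_anchor
    for image in images:
        if not verify_image(image, anchor):
            break
        loaded.append(image.name)
        anchor = image.next_anchor or anchor  # delegate, or keep the same key
    return loaded


def demo() -> Tuple[List[str], List[str], List[str]]:
    oem = PrivateKey(*OEM_PRIMES)
    delegate = PrivateKey(*DELEGATE_PRIMES)
    rom_anchor = oem.public.fingerprint()
    # Constructed images: the bootloader is signed by the OEM key and
    # delegates trust for everything after it to the second key.
    bootloader = make_image("bootloader", b"bootloader code", oem, delegate.public)
    tee = make_image("tee", b"tee code", delegate, None)
    kernel = make_image("kernel", b"kernel code", delegate, None)
    good = boot_chain(rom_anchor, [bootloader, tee, kernel])
    # Failure 1: payload modified after signing, signature left as-is
    tampered = BootImage(tee.name, b"tee c0de", tee.next_anchor, tee.signer, tee.signature)
    halted_tamper = boot_chain(rom_anchor, [bootloader, tampered, kernel])
    # Failure 2: correctly signed, but by a key this stage does not trust
    wrong_key = make_image("kernel", b"kernel code", oem, None)
    halted_key = boot_chain(rom_anchor, [bootloader, tee, wrong_key])
    return good, halted_tamper, halted_key


if __name__ == "__main__":
    print(demo())  # (['bootloader', 'tee', 'kernel'], ['bootloader'], ['bootloader', 'tee'])
```

The two failure cases are the ones a verifier must distinguish: a modified payload under an unchanged signature, and a well-formed signature from a key that is not the anchor for that stage. Delegation in the bootloader's header is what lets the ROM anchor stay fixed while later stages are signed by keys provisioned afterwards.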
However, image authentication is only one part of secure boot; the correct setup of the runtime matters as well. A modern system-on-a-chip (SoC) is not a single monolithic piece of software running on a single CPU. Instead, it is a busy beehive of multiple interconnected processors and multiplexed resources.
Connecting and correctly partitioning all of this is done during device boot-up. For this task we have introduced an SoC root of trust (RoT), the TME (Trust Management Engine), which is the bootstrap point of platform security on Snapdragon® SoCs.
Using a dedicated RoT for this task, rather than the TEE, gives us much more flexibility to meet customer use cases across our diverse range of products.
Least Privilege - Disarming the Deputy
Our requirement was for the SoC to be configurable to support diverse use cases. Hence, our security model treats execution environments as independent and mutually distrusting by default. During boot-up, the TME sets the stage for these independent execution environments.
However, once hardware resources, such as memory ranges, are locked to their final owners, TME access to them is no longer permitted. At runtime, the role of the TME is to facilitate access to specific resources, such as the cryptographic keys of the hardware platform.
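The partition-then-lock behaviour described in the two paragraphs above, as an added example that is not code from the original article or from the TME itself: a resource map that only the RoT can populate during boot, a sticky lock that seals it, and an access check under which the RoT loses access to the ranges it assigned while each owner keeps its own. Resource names, owner names and the rule that the RoT alone may touch a resource before the lock are constructed assumptions for illustration.

```python
"""Model of boot-time resource partitioning with a one-way lock: the
root of trust assigns owners while the platform boots, then loses its
own access once the configuration is sealed."""
from dataclasses import dataclass, field
from typing import Dict

ROT = "rot"  # the boot-time configurator (the role the TME plays)


class ConfigLocked(Exception):
    """Raised when anyone, the RoT included, tries to change a sealed map."""


@dataclass
class ResourceMap:
    owners: Dict[str, str] = field(default_factory=dict)  # resource -> owner
    locked: bool = False

    def assign(self, requester: str, resource: str, owner: str) -> None:
        # Only the RoT may partition, and only before the lock is set.
        if self.locked:
            raise ConfigLocked(f"{resource} is sealed; cannot reassign")
        if requester != ROT:
            raise PermissionError(f"{requester} may not partition {resource}")
        self.owners[resource] = owner

    def lock(self, requester: str) -> None:
        # Sticky: there is no unlock until the next reset.
        if requester != ROT:
            raise PermissionError(f"{requester} may not seal the map")
        self.locked = True

    def may_access(self, requester: str, resource: str) -> bool:
        if not self.locked:
            # Assumption: before sealing, the RoT is the only actor with
            # access, since nothing has a final owner yet.
            return requester == ROT
        # After sealing, only the assigned owner, never the RoT.
        return self.owners.get(resource) == requester


def demo() -> Dict[str, bool]:
    # Constructed memory ranges and environment names
    secure_ddr = "ddr:0x80000000-0x8fffffff"
    apps_ddr = "ddr:0x90000000-0x9fffffff"
    m = ResourceMap()
    m.assign(ROT, secure_ddr, "tee")
    m.assign(ROT, apps_ddr, "apps")
    try:
        m.assign("apps", secure_ddr, "apps")  # a non-RoT caller cannot partition
        apps_blocked_pre_lock = False
    except PermissionError:
        apps_blocked_pre_lock = True
    rot_pre_lock = m.may_access(ROT, secure_ddr)
    m.lock(ROT)
    try:
        m.assign(ROT, secure_ddr, "apps")  # even the RoT cannot change a sealed map
        relock_blocked = False
    except ConfigLocked:
        relock_blocked = True
    return {
        "apps_blocked_pre_lock": apps_blocked_pre_lock,
        "rot_pre_lock": rot_pre_lock,
        "rot_post_lock": m.may_access(ROT, secure_ddr),
        "tee_post_lock": m.may_access("tee", secure_ddr),
        "apps_on_tee_range": m.may_access("apps", secure_ddr),
        "relock_blocked": relock_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the lock is that the configurator is no longer a confused-deputy target once boot completes: a request that reaches the RoT at runtime cannot be turned into access to a range it handed out, because the map no longer grants the RoT anything.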