Lines Matching refs:the

6 and formal definition of DRTM for Arm-based systems are detailed in the
10 currently used by TF-A covers all firmwares, from the boot ROM to the normal
11 world bootloader. As a whole, they make up the system's TCB. These boot
12 measurements allow attesting to what software is running on the system and
15 As the boot chain grows or firmware becomes dynamically extensible,
18 any time. As these measurements are stored separately from the boot-time
19 measurements, they reduce the size of the TCB, which shrinks the attack
20 surface and lowers the risk that untrusted code executes and compromises
21 the security of the system.
26 - **DCE-Preamble**: The DCE Preamble prepares the platform for DRTM by
27 doing any needed configuration, loading the target payload image (DLME),
28 and preparing input parameters needed by DRTM. Finally, it invokes the
29 DL Event to start the dynamic launch.
31 - **D-CRTM**: The D-CRTM is the trust anchor (or root of trust) for the
32 DRTM boot sequence and is where the dynamic launch starts. The D-CRTM
33 must be implemented as a trusted agent in the system. The D-CRTM
34 initializes the TPM for DRTM and prepares the environment for the next
35 stage of DRTM, the DCE. The D-CRTM measures the DCE, verifies its
38 - **DCE**: The DCE executes on an application core. The DCE verifies the
39 system’s state, measures security-critical attributes of the system,
40 prepares the memory region for the target payload, measures the payload,
41 and finally transfers control to the payload.
43 - **DLME**: The protected payload is referred to as the Dynamically Launched
46 disabled. The DCE provides data to the DLME that it can use to verify the
47 configuration of the system.
51 triggered as an SMC by DCE-Preamble and handled by D-CRTM, which launches the
55 EDK2 and the DRTM UEFI application.