DRTM Proof of Concept
=====================

Dynamic Root of Trust for Measurement (DRTM) begins a new trust environment
by measuring and executing a protected payload. The architectural requirements
and formal definition of DRTM for Arm-based systems are detailed in the
`DRTM Architecture for Arm`_.

The Static Root of Trust for Measurement (SRTM)/Measured Boot implementation
currently used by TF-A covers all firmware, from the boot ROM to the normal
world bootloader. Taken as a whole, this firmware makes up the system's TCB.
These boot measurements allow attesting to what software is running on the
system and enable enforcing security policies.

As the boot chain grows or firmware becomes dynamically extensible,
establishing an attestable TCB becomes more challenging. DRTM provides a
solution to this problem by allowing measurement chains to be started at
any time. As these measurements are stored separately from the boot-time
measurements, they reduce the size of the TCB, which helps reduce the attack
surface and the risk of untrusted code executing, which could compromise
the security of the system.

Components
~~~~~~~~~~

- **DCE-Preamble**: The DCE Preamble prepares the platform for DRTM by
  doing any needed configuration, loading the target payload image (DLME),
  and preparing input parameters needed by DRTM. Finally, it invokes the
  DL Event to start the dynamic launch.

- **D-CRTM**: The D-CRTM is the trust anchor (or root of trust) for the
  DRTM boot sequence and is where the dynamic launch starts. The D-CRTM
  must be implemented as a trusted agent in the system. The D-CRTM
  initializes the TPM for DRTM and prepares the environment for the next
  stage of DRTM, the DCE. The D-CRTM measures the DCE, verifies its
  signature, and transfers control to it.

- **DCE**: The DCE executes on an application core. The DCE verifies the
  system's state, measures security-critical attributes of the system,
  prepares the memory region for the target payload, measures the payload,
  and finally transfers control to the payload.

- **DLME**: The protected payload is referred to as the Dynamically Launched
  Measured Environment, or DLME. The DLME begins execution in a safe state,
  with a single thread of execution, DMA protections, and interrupts
  disabled. The DCE provides data to the DLME that it can use to verify the
  configuration of the system.

In this proof of concept, the DCE and D-CRTM are implemented in BL31, and the
DCE-Preamble and DLME are implemented in a UEFI application. A DL Event is
triggered as an SMC by the DCE-Preamble and handled by the D-CRTM, which
launches the DLME via the DCE.

The TF-A CI pipeline already includes coverage for building TF-A with a
prebuilt EDK2 and the DRTM UEFI application.

--------------

*Copyright (c) 2022-2025, Arm Limited. All rights reserved.*

.. _DRTM Architecture for Arm: https://developer.arm.com/documentation/den0113/latest
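
The measurement flow described under Components (the D-CRTM measures the DCE, the DCE measures the DLME, and the results are kept apart from the boot-time measurements), modelled as an added Python example that is not TF-A code. The SHA-256 hash-extend register, its all-zero starting value, the event-log layout, and every function and image name are assumptions made for illustration.

```python
import hashlib

def measure(image: bytes) -> bytes:
    """Digest of a component image (SHA-256 is an assumption here)."""
    return hashlib.sha256(image).digest()

def replay(event_log) -> bytes:
    """Fold (name, digest) events into one register with a TPM-style
    extend: new = H(old || digest). The all-zero start is assumed."""
    reg = bytes(32)
    for _name, digest in event_log:
        reg = hashlib.sha256(reg + digest).digest()
    return reg

def boot_register(stages) -> bytes:
    """Boot-time (SRTM) chain: every firmware stage is extended in order."""
    return replay([(f"stage{i}", measure(s)) for i, s in enumerate(stages)])

def dynamic_launch(dce: bytes, dlme: bytes):
    """DRTM chain: D-CRTM measures the DCE, then the DCE measures the DLME.
    It starts from a fresh register, independent of boot_register()."""
    log = [("DCE", measure(dce)), ("DLME", measure(dlme))]
    return log, replay(log)

def verify_launch(event_log, quoted_register, known_good):
    """Verifier side: the log must replay to the reported register, list
    exactly the expected components, and match each reference digest."""
    if replay(event_log) != quoted_register:
        return False, "event log does not match register"
    if [name for name, _ in event_log] != list(known_good):
        return False, "missing or reordered component"
    for name, digest in event_log:
        if known_good[name] != digest:
            return False, f"unexpected measurement for {name}"
    return True, "ok"

# Constructed sample images, not real firmware.
DCE_IMAGE = b"constructed DCE image"
DLME_IMAGE = b"constructed DLME payload"
KNOWN_GOOD = {"DCE": measure(DCE_IMAGE), "DLME": measure(DLME_IMAGE)}

if __name__ == "__main__":
    log, reg = dynamic_launch(DCE_IMAGE, DLME_IMAGE)
    print(verify_launch(log, reg, KNOWN_GOOD))
    bad_log, bad_reg = dynamic_launch(DCE_IMAGE, b"modified payload")
    print(verify_launch(bad_log, bad_reg, KNOWN_GOOD))
    print(boot_register([b"bl1", b"bl2"]) != boot_register([b"bl1", b"bl2-new"]))
```

In this model, a change to any boot-time stage changes only the boot register, while the dynamic-launch register depends solely on the DCE and DLME measurements.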