DRTM Proof of Concept
=====================

Dynamic Root of Trust for Measurement (DRTM) begins a new trust environment
by measuring and executing a protected payload. The architectural requirements
and formal definition of DRTM for Arm-based systems are detailed in the
`DRTM Architecture for Arm`_.

The Static Root of Trust for Measurement (SRTM)/Measured Boot implementation
currently used by TF-A covers all firmware, from the boot ROM to the normal
world bootloader. As a whole, these images make up the system's TCB. The boot
measurements allow attesting to what software is running on the system and
enable enforcing security policies.

As the boot chain grows or firmware becomes dynamically extensible,
establishing an attestable TCB becomes more challenging. DRTM provides a
solution to this problem by allowing a measurement chain to be started at
any time. As these measurements are stored separately from the boot-time
measurements, they reduce the size of the TCB that must be attested, which
helps reduce the attack surface and the risk that untrusted code executing
on the system could compromise its security.

Components
~~~~~~~~~~

 - **DCE-Preamble**: The DCE Preamble prepares the platform for DRTM by
   doing any needed configuration, loading the target payload image (DLME),
   and preparing the input parameters needed by DRTM. Finally, it invokes the
   DL Event to start the dynamic launch.

 - **D-CRTM**: The D-CRTM is the trust anchor (or root of trust) for the
   DRTM boot sequence and is where the dynamic launch starts. The D-CRTM
   must be implemented as a trusted agent in the system. The D-CRTM
   initializes the TPM for DRTM and prepares the environment for the next
   stage of DRTM, the DCE. The D-CRTM measures the DCE, verifies its
   signature, and transfers control to it.

 - **DCE**: The DCE executes on an application core. The DCE verifies the
   system's state, measures security-critical attributes of the system,
   prepares the memory region for the target payload, measures the payload,
   and finally transfers control to the payload.

 - **DLME**: The protected payload is referred to as the Dynamically Launched
   Measured Environment, or DLME. The DLME begins execution in a safe state,
   with a single thread of execution, DMA protections, and interrupts
   disabled. The DCE provides data to the DLME that it can use to verify the
   configuration of the system.
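The measurement chain the components above describe, modelled in Python as an added example (this is not code from TF-A, EDK2 or the DRTM UEFI application). It keeps the boot-time (SRTM) chain and the DRTM chain as separate PCR values, has the D-CRTM measure the DCE and the DCE measure the DLME, and lets a verifier check the resulting DRTM PCR against a reference computed from known-good images and against a replay of the measurement log. PCR numbers, the TPM command interface, the DCE signature check and the SMC that carries the DL Event are omitted; the reset of the DRTM chain at every dynamic launch is an assumption of this model, taken from TCG-style DRTM rather than from this page.

```python
"""Model of a DRTM measurement chain (added example, not TF-A or EDK2 code).

Only the measure/extend semantics are modelled. The reset of the DRTM chain on
each dynamic launch is this model's assumption, not something the page states.
"""
import hashlib

DIGEST_SIZE = 32
INITIAL_PCR = bytes(DIGEST_SIZE)   # PCR content after reset (all zeros)


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend semantics: new PCR = H(old PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure(pcr: bytes, image: bytes) -> bytes:
    """Measure an image: hash it, then extend the PCR with that hash."""
    return extend(pcr, hashlib.sha256(image).digest())


def replay(log):
    """Recompute a PCR from a measurement log (verifier-side check)."""
    pcr = INITIAL_PCR
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr


class Tpm:
    """Two independent chains: boot-time (SRTM) and dynamic (DRTM)."""

    def __init__(self):
        self.srtm_pcr = INITIAL_PCR
        self.srtm_log = []
        self.drtm_pcr = None      # no value until a dynamic launch happens
        self.drtm_log = []

    def srtm_measure(self, name, image):
        self.srtm_pcr = measure(self.srtm_pcr, image)
        self.srtm_log.append((name, hashlib.sha256(image).digest()))

    def drtm_measure(self, name, image):
        self.drtm_pcr = measure(self.drtm_pcr, image)
        self.drtm_log.append((name, hashlib.sha256(image).digest()))


def static_boot(tpm, stages):
    """SRTM/measured boot: every firmware stage extends the boot-time chain."""
    for name, image in stages:
        tpm.srtm_measure(name, image)


def dynamic_launch(tpm, dce_image, dlme_image):
    """DL Event handling: D-CRTM stage, then DCE stage."""
    # D-CRTM: start a fresh chain (model assumption: reset on each launch),
    # measure the DCE, then hand control to it.
    tpm.drtm_pcr = INITIAL_PCR
    tpm.drtm_log = []
    tpm.drtm_measure("DCE", dce_image)
    # DCE: measure the DLME into the same chain, then transfer control to it.
    tpm.drtm_measure("DLME", dlme_image)
    return tpm.drtm_pcr


def expected_drtm_pcr(dce_image, dlme_image):
    """Reference value a verifier computes offline from known-good images."""
    return measure(measure(INITIAL_PCR, dce_image), dlme_image)


def attest_dlme(tpm, dce_image, dlme_image):
    """True only if a launch happened, the log replays to the DRTM PCR, and
    the PCR equals the reference chain for the expected DCE and DLME."""
    if tpm.drtm_pcr is None:
        return False
    if replay(tpm.drtm_log) != tpm.drtm_pcr:
        return False            # log tampered or out of sync with the PCR
    return tpm.drtm_pcr == expected_drtm_pcr(dce_image, dlme_image)


# Constructed stand-ins for firmware and payload images.
BOOT_STAGES = [("BL1", b"bl1 image"), ("BL2", b"bl2 image"),
               ("BL31", b"bl31 image"), ("UEFI", b"uefi image")]
DCE_IMAGE = b"constructed DCE image"
DLME_IMAGE = b"constructed DLME image"

if __name__ == "__main__":
    tpm = Tpm()
    static_boot(tpm, BOOT_STAGES)
    dynamic_launch(tpm, DCE_IMAGE, DLME_IMAGE)
    print("DLME attested:", attest_dlme(tpm, DCE_IMAGE, DLME_IMAGE))
    print("tampered DLME attested:",
          attest_dlme(tpm, DCE_IMAGE, DLME_IMAGE + b"\x00"))
```

The point the model makes is the one in the introduction: the SRTM PCR is untouched by a dynamic launch, and the DRTM PCR depends only on the images measured since the last DL Event, so a verifier attesting the DLME need only trust the D-CRTM, the DCE and the DLME, not every boot-time stage.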

In this proof of concept, the DCE and D-CRTM are implemented in BL31, and the
DCE-Preamble and DLME are implemented in a UEFI application. The DL Event is
triggered as an SMC by the DCE-Preamble and handled by the D-CRTM, which
launches the DLME via the DCE.

The TF-A CI pipeline already includes coverage for building TF-A with a
prebuilt EDK2 and the DRTM UEFI application.

--------------

*Copyright (c) 2022-2025, Arm Limited. All rights reserved.*

.. _DRTM Architecture for Arm: https://developer.arm.com/documentation/den0113/latest