Piotr Król
Piotr Król is a multi-disciplinary executive running several companies in the embedded systems and semiconductor industries, including 3mdeb, LPN Plant, and Vitro Technology. Piotr helps companies around the world realize their products’ potential by supporting upgradeability and enabling advanced hardware features through firmware.
His career started in Intel’s Data Center Division. He went through building storage controllers validation frameworks to implementing hardware initialization code for modern server platforms as BIOS Software Engineer realizing that the firmware ecosystem has to change and become more open.
After seven years at Intel, Piotr went on to start his own consulting company. Piotr specializes in Embedded Firmware (coreboot, UEFI/EDK2/BIOS, training, and security), Embedded Linux (Yocto, Buildroot, OpenWrt), and Trusted Execution Environments. His teams contributed to NGI projects related to open source implementation of Trusted Computing D-RTM, a firmware update for QubesOS and BSD systems, and working on bringing more open-source firmware and hardware-related projects in the future.
He is an active leader in the firmware community, speaking at events like the Platform Security Summit, Open Source Firmware Conference, and FOSDEM. Piotr is open-source software and open-source hardware evangelist, active in the Open Source Firmware (e.g. coreboot) and Linux communities.
S-RTM and D-RTM: Better Together
Together with Daniel Smith, TrenchBoot Project Leader, we invite Open Source Firmware Community to discuss various approaches to establishing a root of trust and maintaining its security properties over platform runtime. Initial measurement is crucial to platform security because the code that creates root measurement has to be secured. S-RTM (Static Root of Trust for Measurement) is found at a fixed point in time, which is the beginning of the boot process for most platforms. Typically, it is done by Intel Boot Guard, AMD Hardware Validated Boot, NXP High-Assured Boot, or other proprietary implementations. S-RTM-related measurements are recorded in TPM PCR[0-7]. Those can be used for local attestation (unsealing of secret, e.g., disk encryption password) or remote attestation. Finally, to keep the security properties of S-RTM, there is a need for a mechanism that can adjust firmware measurements after its update. D-RTM (Dynamic Root of Trust for Measurement) can be established at any point in time through dedicated hardware and firmware functions. D-RTM initial measurement happens right before the execution of minimal code called D-RTM Configuration Environment, which establishes a new Root of Trust for Measurement. D-RTM-related measurements are recorded in PCR[17-22] protected by hardware through the TPM locality mechanism. Obtained measurements can be used in precisely the same way as in the S-RTM case.
Let's discuss:
- update mechanisms
- protection mechanisms for S-RTM and D-RTM
- future of related functionality
- synergy: beyond RTM coexistence