Software-based trusted platform module

摘要

A “Firmware-Based TPM” or “fTPM” ensures that secure code execution is isolated to prevent a wide variety of potential security breaches. Unlike a conventional hardware based Trusted Platform Module (TPM), isolation is achieved without the use of dedicated security processor hardware or silicon. In general, the fTPM is first instantiated in a pre-OS boot environment by reading the fTPM from system firmware or firmware accessible memory or storage and placed into read-only protected memory of the device. Once instantiated, the fTPM enables execution isolation for ensuring secure code execution. More specifically, the fTPM is placed into protected read-only memory to enable the device to use hardware such as the ARM® architecture's TrustZone™ extensions and security primitives (or similar processor architectures), and thus the devices based on such architectures, to provide secure execution isolation within a “firmware-based TPM” without requiring hardware modifications to existing devices.

主权项

1. A method, comprising:
instantiating, in a pre-boot environment of a computing device without a hardware trusted platform module, a software-based trusted platform module in protected memory of the computing device; passing a command, issued by a caller instantiated within non-protected memory of the computing device, to the software-based trusted platform module to perform an operation; and using the software-based trusted platform module to interface with a security extension of a processor of the computing device to perform the operation in secure execution isolation.