ACSAC 2020

Anchoring Trust in a Totally Open Platform


Can a system be totally open and secure at the same time? IBM™ teams from research, development, and manufacturing succeeded in creating a system with an open hardware design that runs open firmware and software. From power-on through the host operating system, everything about the IBM™ Power System™ AC922 is open. This presentation discusses a few of the security problems our teams faced and how we solved them. We chose the following ones to present so that others could learn from our experiences, or simply because misery loves company, as the saying goes. How did we set the system's very first secure boot key so that it can be controlled by business partners, customers, developers, and testers in manufacturing, without requiring IBM to pre-program their keys or to sign their keys or their firmware? How did we use a Trusted Platform Module to serve as a trust anchor and to protect the integrity of insecure storage? How did we use the built-in mechanisms of Linux™ to implement secure and measured boot? How many keys do you need to secure an entire stack, from core root of trust to secure boot to firmware to host operating system?