Trusted Boot Module
In this project, a system is designed and built for booting trusted (signed) OS images on existing, ARM-based systems. It consists of open hardware and software that allows users to start up Linux systems on off-the-shelf ARM development boards. The hardware consists of cheap, off-the-shelf components that provide for an easily verifiable solution that does not depend on 'black box' components, and ensures that only trusted code is run on the system.
The TBM is developed by Whitebox Systems engineers. Whitebox Systems is a spin-off of University of Amsterdam research focusing on providing a decentralized authorization framework, where general practioners own (ARM-based) hardware that runs a web service framework allowing granular access to information of patients to specific healthcare profesionals. This imposes stringent constraints on trustworthiness of the hardware and the software running on it.
The goal of the TBM is to ensure that the ARM-based server owned by doctors only runs a trusted OS and trusted software, in this case Whitebox software. The owner of the hardware can easily replace the keys that are used to validate the authenticity of the software, or even modify the validation software itself. The TBM consists of hardware (an MCU with storage) that is running independently from the main board, and which is used by a trusted OS that is initially booted by the main board from read-only storage to get information about the time and the status of the latest running software. This information is used to select from available OS and application images a version that is signed by a known trusted key or set of keys, and which is newer than the current version. This prevents rollback to a previous (vulnerable) image or state. By forcing regular reboots of the ARM hardware, the TBM can regularly validate the software that is booted, and ensure that persistent backdoors on these devices are prevented. The trusted OS and the TBM, thus working in collaboration, provide a basis for trusting the software that is running on ARM hardware.
The system now makes use of Olimex hardware, but is not tied this specific hardware. The goal is that it is usable for multiple ARM-based boards, including for example the Raspberry Pi.
Documentation
The protocol between trusted OS and TBM, executed before an untrusted OS image is booted, will be demonstrated at a talk at SHA2017 [https://sha2017.org].
With this page, we release a first (evaluation) version of the Whitebox sourcecode and documentation for review.
A user guide can be found here
Technical documentation can be found here
The following repositories contain the full current source code and documentation sources.
The source code, hardware (PCB) design and documentation will be released under a free and open source license when the code and documentation are sufficiently complete and once we figured out what the most suitable license type is.
If you want to contribute to or follow the project, join our mailing list by mailing list@whiteboxsystems.nl and saying "Hi!"
Acknowledgements
The project is financially supported by Stichting NLnet. The software makes use of libopencm3 (under LGPL).
So far, the largest contribution to the design and implementation of the TBM has been provided by Stephan van Schaik [and Merlijn Wajer], member[s] of the Whitebox development team. Mark Janse designed the hardware.
Project initiated/supervised by Guido van 't Noordende and Merlijn Wajer.