Using the TPM NVRAM to Protect Secure Boot Keys in POWER9 OpenPOWER Systems

Explore how the Trusted Platform Module (TPM) NVRAM is utilized to protect secure boot keys in POWER9 OpenPOWER systems in this 41-minute conference talk. Delve into the importance of securing authorized keys in non-volatile memory for platform OS verification. Learn about the design and implementation aspects of using TPM's shielded NVRAM to safeguard secure boot keys stored in PNOR. Discover the OpenPOWER firmware and Linux Kernel layers involved in this process. Gain insights into the POWER9 boot flow, firmware secure boot, and OS secure boot architecture. Understand TPM2 NV authorization, atomic secure boot variable updates, and various TPM2 NV commands. Presented by Claudio Siqueira de Carvalho, an experienced Linux security expert and OpenPOWER firmware developer from IBM's Linux Technology Center.

SECURITY
Using the TPM NVRAM to Protect Secure Boot Keys in OpenPOWER
Outline
OpenPOWER Secure Boot Team
Disclaimer
What is Secure Boot for?
POWER9 Boot Flow
Firmware Secure Boot is Upstream
Problem Statement
Protecting the OS Secure Boot Keys
OS Secure Boot Keys: Integrity
TPM2 NV Authorization
Atomic Secure Boot Variable Update
OS Secure Boot NV Indices
Firmware Secure Boot NV Index
Other TPM2 NV Commands
OS Secure Boot Architecture
Final Considerations
References
Questions?