The purpose of secure boot is to ensure that only payloads which have been verified are executed as the system boots. This document describes the process by which OpenTitan aims to ensure this property holds, as well as the services that the secure boot chain provides to software, such as attestation and firmware upgrade support.
- PMP: Physical Memory Protection unit from the RISC-V ISA Volume II: Privileged Architecture specification. Allows defining properties (RWX) for regions of physical memory. Note that the use of ePMP is currently being considered and that this specification will change to accomodate it.
ROM: Metal mask ROM, sometimes known as Boot ROM.
ROM_EXT: ROM Extension. Stored in flash and signed by the Silicon Creator.
BL0: Bootloader. Signed by the Silicon Owner.
Kernel: Signed by the Silicon Owner.
Boot Process Overview
The boot process flows as follows:
- Power on.
- Execution is restricted to the ROM region via OpenTitan Secure Boot HW Support.
- The last PMP region (region #15) is configured by reset logic to cover the entire flash region, with only the R and L bits set (that is, the region is Read-only and Locked, meaning the region is respected in Machine mode and cannot be unlocked unless by a system reset).
- Execution enters ROM stage.
- All SRAM except for retention SRAM is cleared.
- The active boot slot is loaded from the flash Boot Info. This value is
called the Active
- Starting with the Active
ROM_EXTSlot, the ROM code performs the following:
- Determine if the slot is empty by testing for presence of the header
- If present, continue validation. If missing, enter boot failure logic.
- Using the Silicon Creator public key stored in ROM, verify the
signature of the payload digest, using the process outlined in
OpenTitan Secure Boot HW Support.
- If signature validation fails, enter boot failure logic.
- Perform system state measurements and derive the CreatorRootKey identity (see Identities and Root Keys), which will reside in the key manager, as an intermediate state.
- Write PMP region #0: Read, Execute, Locked, covering the entirety of
ROM_EXTimage from the active slot.
- Transfer execution to the entry point specified in the
ROM_EXTmanifest for the active slot.
- Determine if the slot is empty by testing for presence of the header magic value.
- If the Active
ROM_EXTSlot fails to boot, look up the boot failure policy from the ownership blob and act upon it.
- Execution enters
- If the device reset cause is a boot services request then begin
processing requests from persistent SRAM.
- See Boot Services for details.
ROM_EXTreads the Boot Info page to determine which BL0/Kernel image it should be booting.
ROM_EXTcomputes the digest of the Silicon Owner image, and compares it with the digest present in the manifest.
- If mismatched, abort boot.
ROM_EXTverifies the digest signature from the manifest with Silicon Owner key stored in the Boot Info page.
- If verification fails, abort boot.
- Derive OwnerIntermediateKey (see
Identities and Root Keys)
- Includes writing Software Binding Value from the Silicon Owner image before deriving.
- Construct the boot information structure at the beginning of SRAM.
- The boot information structure contains information about the boot
process, such as which
ROM_EXTand silicon owner boot slot was used.
- The boot information structure contains information about the boot process, such as which
- Load PMP region #1: Read, Execute, Locked, covering the executable region of the Silicon Owner code as described in the Silicon Owner code manifest.
- Transfer execution to the entry point of the Silicon Owner code.
- If the device reset cause is a boot services request then begin processing requests from persistent SRAM.
- Execution enters Silicon Owner code.
- Silicon Owner code execution is beyond the scope of this document.
In order to provide a flexible boot mechanism the Boot Info page will store a
structure called the Boot Policy. The boot policy dictates the boot flow,
including storing boot attempts and successes for a given
the ROM code to decide when to mark a
ROM_EXT good or bad. The boot policy
also contains directions to
ROM_EXT about which slot it loads silicon owner
code from. TODO(gdk): Expand on policy.
The OpenTitan Secure Boot implementation uses two mechanisms to attempt to
prevent glitching attacks from moving the program counter ahead into
user-controllable code without validation: the first being
OpenTitan Secure Boot HW Support. This mechanism
ensures that execution cannot leave the ROM stage without going through a
hardened comparator path that ensures the active
ROM_EXT has been verified.
The second isolation mechanism is the PMP. By default, the PMP is configured
with a single region that covers flash and only grants read access to the core.
Each stage must explicitly add a new region that allows execution in the region
that it has verified. The PMP configuration is documented here:
Secure Boot PMP.
The first mechanism ensures that we can enter
ROM_EXT with an extremely high
level of confidence in the code there, and the second ensures that the barrier
to execution for each successive stage remains high.
Memory on OpenTitan can be considered as split into three separate regions: ROM, Flash Info, and addressable flash. The addressable flash is further divided into two equally-sized regions called Flash Bank 0 and Flash Bank 1. The beginning addresses for Flash Bank 0 and Flash Bank 1 are the only fixed points of reference that the system is opinionated about, as they correspond to the beginning of each physical flash bank. It is expected that a Silicon Owner might arbitrarily reserve space at the end of each flash bank to use as additional storage.
Boot Services refers to the functionality stored inside of
can be controlled via specific messages passed between from Silicon Owner code
in retention SRAM. Since ROM/
ROM_EXT is responsible for the boot process and
is the only software on the device which can manipulate identities belonging to
the Silicon Owner, these services are required to perform actions such as
attestation of device identity and firmware update.
Entering Boot Services
Boot services are invoked by placing a request structure at the beginning of
retention SRAM and resetting the system with the cause
UNLOCK_OWNERSHIP: As per Ownership Transfer’s Unlock Flow, relinquish ownership of the device.
TRANSFER_OWNERSHIP: Initiate processing of an ownership transfer blob.
REFRESH_ATTESTATION: See Attestation. Causes the
ROM_EXTto regenerate the attestation chain as per the attestation command section.
UPDATE_FIRMWARE: Instructs the active
ROM_EXTto begin the firmware update process. This process allows for attempting to boot from a new
ROM_EXTor silicon owner code with a programmable attempt count that must be satisfied before committing to the new code. This is done by updating the boot policy block. When a kernel wishes to update the other slot in the device it writes the firmware there and then issues an
UPDATE_FIRMWAREcommand to instruct the next boot of
ROM_EXTto attempt to load from that slot.
This document does not prescribe an exact data structure for the
manifest as seen by the Mask ROM. However, these are the requirements that the
manifest format is required to support:
- Hash scheme selection. The manifest must specify the hashing scheme that
- Signature scheme selection. The manifest must specify the signature
scheme that covers the
- Key derivation constants. As specified in the Identities and Root Keys document, the manifest header must include constants used to derive the next key generation.
- Header version. The version of the
ROM_EXT. This version field is used as part of the measurements for key derivations, and can be used as a constraint for the boot policy.
- Rollback protection. A generation marker that is used by
ROM_EXTto determine if this version is bootable or is considered a rollback.
- Entrypoint. The executable entrypoint for this