Linux Security Summit North America 2019

TrenchBoot is a cross-community OSS integration project for hardware-rooted, late launch integrity of open and proprietary systems. It reduces the attack surface introduced by platform firmware.

TrenchBoot contributors are working to add SecureLaunch boot capability to the Linux kernel, making it capable of using Intel TXT or AMD SVM Secure Launch for platform hardware security. This will enable a general purpose, open-source DRTM kernel for measured system launch and attestation of device integrity to trust-centric access infrastructure.

This talk introduces the TrenchBoot architecture, the role of SecureLaunch, the goals that drove its development, and some examples how both can increase the platform security. Within this discussion, mechanisms will be presented on how DRTM-enabled capabilities for client, server and embedded platforms may be integrated into Linux distributions.