Firma: Disk-Based Foundations for Trusted Operating Systems

Secure boot mechanisms aim to provide guarantees of integrity of a system as it loads. It ensures that if a system is running, all of its process will satisfy integrity verification requirements. While secure boot has been available for a long time, it is not available in commodity systems due to the high cost of secure hardware. In this paper, we describe Firma, an architecture that provides secure boot functionality based on a storage root of trust. Unlike previous secure boot mechanisms, use of the disk can protect data secrecy by only releasing data to systems trusted not to leak data, while also providing data integrity through release to high integrity systems. We implement a prototype of Firma and show how it may be used to provide a trusted virtual machine monitor (TVMM) capable of supporting strong security guarantees for running VMs. Only minimal administration is required, and we detail the tasks necessary to support the architecture, showing new systems can be configured with a small number of automated steps. Our evaluation shows that Firma requires additional overhead of just over 1 second for the boot process.