How does it work?
Link hardware and software
There are many ways to facilitate trust in the initial state of a system, with varying trade-offs and levels of assurance.
This is an established approach that allows independent parties to verify that compiled code matches its source. It reduces the trust that must be placed in build machines, since a compromised build is easily detected.
Attestation of the present
stboot uses a TPM to measure every component in the boot path before it executes, from the first firmware instruction to userland, so that the resulting measurements can be remotely attested.
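The measurement chain described above, as an added illustration rather than stboot's own code: each boot stage is hashed before it runs and folded into a PCR with the TPM extend operation, and a remote verifier replays the event log and compares it against the values it expects. The boot stages and their contents are constructed sample data, and the signing of the quote by an attestation key is left out.

```python
import hashlib

# Toy model of TPM measured boot (added example, not stboot's code).
# TPM 2.0 extend semantics for the SHA-256 bank: PCR_new = SHA256(PCR_old || digest).
PCR_INIT = b"\x00" * 32  # PCRs start at zero when the platform powers on

def measure(component: bytes) -> bytes:
    """Digest of one boot stage (firmware blob, bootloader, kernel, initramfs)."""
    return hashlib.sha256(component).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """Fold a new measurement into the PCR; the result depends on every prior value."""
    return hashlib.sha256(pcr + digest).digest()

def boot(components):
    """Simulate the boot path: each stage is measured before it would execute.
    Returns the final PCR value and the event log (one digest per stage)."""
    pcr = PCR_INIT
    log = []
    for name, blob in components:
        d = measure(blob)
        log.append((name, d))
        pcr = extend(pcr, d)
    return pcr, log

def replay(log) -> bytes:
    """Verifier side: recompute the PCR from the event log it was handed."""
    pcr = PCR_INIT
    for _, d in log:
        pcr = extend(pcr, d)
    return pcr

def verify_quote(quoted_pcr: bytes, log, expected_log) -> bool:
    """Remote attestation check: the log must reproduce the quoted PCR (the log
    is consistent with the TPM) and every stage must match the verifier's policy."""
    if replay(log) != quoted_pcr:
        return False
    return [d for _, d in log] == [d for _, d in expected_log]

# Constructed sample boot chain; a real chain would contain the actual binaries.
GOOD_CHAIN = [("firmware", b"firmware-v1"), ("stboot", b"stboot-v1"), ("kernel", b"kernel-v1")]

def demo():
    """Returns (known-good chain verifies, chain with a modified kernel verifies)."""
    good_pcr, good_log = boot(GOOD_CHAIN)
    modified = [(n, b"kernel-modified" if n == "kernel" else b) for n, b in GOOD_CHAIN]
    bad_pcr, bad_log = boot(modified)
    return verify_quote(good_pcr, good_log, good_log), verify_quote(bad_pcr, bad_log, good_log)
```

Because every extend mixes in the previous PCR value, a stage cannot be altered, reordered or omitted without changing the final value, which is what lets the verifier trust the replayed log.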
Attestation of the past
stboot will eventually support integration with a transparency log, both to deter compromise of signing keys and to open historical configurations to scrutiny.
Want to link with our community?
Join the System Transparency Slack channel