Thistle Verified Boot (TVB) adds cryptographic verification of the authenticity of the Linux kernel (and possibly the device tree blob (DTB), the initramfs, and the root filesystem images) during device boot. Our first version of TVB uses U-Boot as the operating system bootloader, and an Infineon OPTIGA™ Trust M secure element chip as the immutable storage of the public verification key.

The TVB boot flow is illustrated as follows. When it runs, Thistle’s Trust-M-aware U-Boot bootloader verifies the ECDSA signature of the Linux kernel image, loaded in memory, against a pre-provisioned, read-only public key on the Trust M secure element, and boots the kernel if and only if the signature is valid.

TVB Boot Flow

It is called “verified boot” rather than “secure boot” because verification starts from U-Boot instead of an earlier-stage, ROM’ed boot loader (BOOTROM). In this sense, a secure boot solution provides stronger security assurance than a TVB-based one. However, the advantage of TVB is twofold:
  1. It is easy to implement and integrate on the device side, and it raises the security bar on an otherwise difficult-to-secure embedded device, either because the device lacks hardware support for secure boot (e.g., BeagleBone Black, Raspberry Pi 3), or because the software tooling lags behind, making secure boot enablement on the device too complicated or costly (e.g., Raspberry Pi 4B, BeagleY AI).
  2. While one can manage their own signing keys as they wish, Thistle offers a cloud signing facility backed by the Google Cloud Platform and its Cloud Key Management Service (KMS), making key management in production easy and secure.
Users need to be aware of the above information to make informed decisions when it comes to TVB integration.

Supported platforms