4.1.1.1.3 Boot/Root of Trust Code: Integrity
If the IRT section is configured to be immutable, it cannot be modified through internal or external self writes. The immutability protects the integrity of the boot/root of trust code.
Where the boot/root of trust code is split into two sections, one immutable and one mutable, the integrity and authenticity of the mutable section should be verified before execution from that region is enabled.
Some applications may wish to verify the integrity of the immutable boot/root of trust code to prove that memory has not been corrupted. This can be accomplished by using the CAM module to calculate and verify the hash of the boot code and/or verify an associated signature. IRT memory is only accessible when in IRT mode. Once IRT mode has been exited, an attempt to read IRT memory will result in an exception.
Key Consideration:
- The Cryptographic Accelerator Module (CAM) can be used to allow the boot code to verify its own integrity, if desired.
