Using the TPM NVRAM to Protect Secure Boot Keys in POWER9 OpenPOWER Systems - Claudio Siqueira de Carvalho, IBM In OpenPOWER systems, most firmware code used to boot the platform OS is stored in the processor flash memory (PNOR). Although PNOR is non-volatile memory, it is unprotected. In order to secure boot the platform OS, it is well known that only platform OSs signed with authorized keys should booted. However, saving the authorized keys in a secure non-volatile memory is as important as using them to verify the platform OS. In this presentation, Claudio Carvalho will show how the shielded non-volatile memory (NVRAM) of the Trusted Platform Module (TPM) has become essential in OpenPOWER systems to protect the secure boot keys stored in PNOR. This discussion includes design and implementation aspects that are both currently in progress for the OpenPOWER firmware and the Linux Kernel layers. About Claudio Siqueira de Carvalho Claudio Carvalho is a brazilian Linux enthusiastic with over 15 years of experience in the Linux field. He started his career as a package builder during his Master's degree at the University of Campinas, building packages for Linux distributions based on Arch and Debian. In 2011, he joined the IBM Linux Technology Center, where he has worked on several Linux security projects since then. He worked on linux security certifications (HIPAA, Common Criteria and FIPS 140-2); OpenCryptoKi, which is an open source implementation of the CryptoKi API defined by the PKCS

11; and also OpenSSL plugins. Currently, he is an OpenPOWER firmware

developer and he also leads the Secure and Trusted Boot development team in the IBM Linux Technology Center.