What is the reasoning behind having a separate DRTM? Is there any security vulnerability associated with having just the static root of trust?
1) Hardware Microcode verifies BIOS ACM
2) BIOS ACM verifies BIOS
3) BIOS verifies its components
4) BIOS verifies the initial-program loader (IPL) and IPL configurations. In Linux, this would include GRUB and the GPT table or MBR.
You then have this gap where GRUB can load modules and run commands without anything getting measured.
5) Then GRUB loads tboot which issues the GETSEC[SENTER] instruction.
6) Again the hardware (u-code) kicks in to measure yet another ACM (SINIT ACM)
7) SINIT ACM measures tboot and enforces the Launch-Control Policy based on PCR values and tboot measurements
8) tboot measures the kernel/RAM disk image and enforces the verified launch policy (VLP) based on its measurement
Why do you need DRTM? Is it to offer greater flexibility or is there a security advantage? Isn't it possible to have a setup where immediately after static measurements, GRUB measures its modules, the kernel, and the init RAM disk image?
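The measurement gap and the SENTER reset described in the question, as an added simulation that is not part of the original post: it models TPM PCR extend with SHA-256 and collapses each chain into a single PCR for clarity (a simplification; real systems spread the static chain across PCR0-7 and the dynamic chain across PCR17 and up). All component contents are constructed stand-in byte strings.

```python
import hashlib

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || H(data)). Order matters and
    a value can never be 'un-extended'."""
    return sha256(pcr + sha256(data))

ZERO = bytes(32)  # SHA-256 bank; assumed reset value of the dynamic PCR at SENTER

# Constructed stand-ins for the components in steps 1-8 of the question.
BIOS_ACM, BIOS, IPL = b"bios-acm", b"bios", b"grub-core+gpt"
SINIT_ACM, TBOOT, KERNEL, INITRD = b"sinit-acm", b"tboot", b"vmlinuz", b"initrd"

def srtm(grub_module: bytes, grub_measures_modules: bool) -> bytes:
    """Static chain (steps 1-4). The GRUB module load is the gap: it only
    shows up in the PCR if GRUB itself extends for it."""
    pcr = ZERO
    for component in (BIOS_ACM, BIOS, IPL):
        pcr = extend(pcr, component)
    if grub_measures_modules:  # the alternative the question proposes
        pcr = extend(pcr, grub_module)
    # otherwise the module runs unmeasured and leaves no trace in the PCR
    return pcr

def drtm(tboot: bytes = TBOOT, kernel: bytes = KERNEL) -> bytes:
    """Dynamic chain (steps 5-8). GETSEC[SENTER] resets the dynamic PCR, so its
    final value depends only on what SINIT and tboot measure afterwards."""
    pcr = ZERO
    for component in (SINIT_ACM, tboot, kernel, INITRD):
        pcr = extend(pcr, component)
    return pcr

def policy_allows(measured: bytes, expected: bytes) -> bool:
    """A launch policy (LCP/VLP) is essentially a whitelist of PCR values."""
    return measured == expected

def demo() -> tuple:
    good, evil = b"normal.mod", b"tampered.mod"
    # Unmeasured gap: a policy check on the static PCR cannot tell the two apart.
    gap_blind = srtm(good, False) == srtm(evil, False)
    # GRUB measuring its modules closes the gap.
    gap_seen = srtm(good, True) != srtm(evil, True)
    # DRTM: the verifier needs only the post-SENTER golden value, whatever ran before.
    drtm_detects = not policy_allows(drtm(kernel=b"tampered-vmlinuz"), drtm())
    return gap_blind, gap_seen, drtm_detects
```

Running demo() returns (True, True, True): the static PCR is blind to the unmeasured module, measuring in GRUB fixes that, and the dynamic PCR catches a tampered kernel without depending on any pre-SENTER state.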