Back to blog
Neelu S. Kalani

Static vs. Dynamic Root of Trust

A Static Root of Trust begins at boot and builds a measurement chain from the first trusted code through each later firmware component. In this model, every stage measures the next stage before handing over control, so the final integrity report reflects the whole path that executed since reset.

Static Root of Trust chain Static Root of Trust measures from the Boot ROM and S-anchor through trusted components. Static Root of Trust Boot ROM / S-anchor Boot Firmware Security Monitor + Run-time Firmware Trust chain includes boot firmware.
Static Root of Trust carries trust forward from boot, so boot-time firmware remains part of the measured chain.

The strength of this approach is that it is straightforward: trust starts early and follows the boot sequence. Its weakness is that the trusted computing base can become very large, because bootloaders, platform initialization code, device firmware, and run-time firmware may all sit inside the chain of trust.

A Dynamic Root of Trust starts later, after boot-time software has already run, and uses a protected launch point to measure only the software that should be trusted from that moment forward. This makes it possible to exclude earlier boot firmware from the trusted computing base, but only if the dynamic launch mechanism is isolated from the untrusted code that invokes it.

Dynamic Root of Trust chain Dynamic Root of Trust lets boot-time firmware trigger a protected launch anchor. Dynamic Root of Trust Boot ROM / S-anchor Boot Firmware Dynamic launch event D-anchor Security Monitor + Run-time Firmware Trust begins again at dynamic launch.
Dynamic Root of Trust lets boot-time firmware trigger a protected launch, but trust is re-established at the D-anchor.