eRoT Measurements
The measurements returned by each eRoT represent both the eRoT itself and the component it protects. It is important to note that updating either the eRoT firmware or the component firmware will result in changes to the measurement values reported by the eRoT.
A total of 64 measurements are returned by the eRoT. Some of these measurements are reserved, deprecated, device-specific (such as a serial number), or informational/metadata (such as the firmware build date). The reference measurements published by NVIDIA only include meaningful measurements that are not tied to a specific device instance. Measurement indexes not included in the reference should be ignored by the attestation verifier.
The "Part of Reference?" column indicates whether the CoMID contains a reference value for each measurement.
Whenever a hash value is reported in the table, the hash algorithm used is SHA-384.
Measurement indices may change over the product's lifetime with eRoT firmware updates. Any such changes are always reflected in the reference measurements provided with the release. Verifiers should not assume the structure of the measurement blocks, the number of measurements, or their internal formats. The reference measurements provided as part of the release collateral serve as the authoritative source for the measurement structure of that release. The following two sections outline the measurements mapped to Oberon release milestones and eRoT versions.
The tables below show the measurements returned by the Switch Tray with an eRoT firmware version greater than or equal to 01.04.0009.0000.
Index | What is Measured? | Part of Reference? |
1 | Measurement Block Format as Semver2.0. | Yes |
2 | Type of Component the eRoT is attached to: "FPG" - FPGA; "BMC" - BMC; "NVS" - NVSW; "CPU" - x86 CPU | Yes |
3 | Reserved/Unused/Deprecated | No |
4 | Hash of currently executing eRoT FW. | Yes |
5 | Hash of eRoT FW – Active Slot | Yes |
6 | Hash of eRoT FW – Inactive Slot | Yes |
7-8 | Reserved/Unused/Deprecated | No |
9 | Hash of Component FW (Cached) – Active Slot | Yes |
10 | Hash of Component FW (Cached) – Inactive Slot | Yes |
11-12 | Reserved/Unused/Deprecated | No |
13 | Hash of eRoT OTP Configuration | Yes |
14 | Hash of eRoT FW Anti-Rollback Fuses | Yes |
15 | Hash of eRoT FW Key Revocation Fuses | Yes |
16 | Hash of Component FW Anti-Rollback Fuses | Yes |
17 | Hash of Component FW Key Revocation Fuses | Yes |
18 | Component Firmware Security Version Number (SVN) – Active Slot | Yes |
19 | Component Firmware Security Version Number (SVN) – Inactive Slot | Yes |
20 | Revocation Mode | Yes |
21-25 | Reserved/Unused/Deprecated | No |
26 | eRoT Serial Number | No |
27 | eRoT FW Image Header Hash – Active Slot | Yes |
28 | eRoT FW Image Header Hash – Inactive Slot | Yes |
29-30 | Reserved/Unused/Deprecated | No |
31 | Component FW – Active Slot Metadata Hash | Yes |
32 | Component FW – Inactive Slot Metadata Hash | Yes |
33-34 | Reserved/Unused/Deprecated | No |
35 | Component FW - Booted Instance Index | No |
36 | Component FW Version (as Semver2.0) – Active Slot | No |
37 | Component FW Version (as Semver2.0) – Inactive Slot | No |
38 | eRoT FW Version (as Semver2.0) – Active Slot | No |
39 | eRoT FW Version (as Semver2.0) – Inactive Slot | No |
40 | Executing eRoT FW Build Date | No |
41 | Component Firmware Active Slot Build Date | No |
42 | Component Firmware Inactive Slot Build Date | No |
43 | Component Boot Status | No |
44 | eRoT Tray Enumeration ID | No |
45 | eRoT FW Configuration Strap Value | Yes |
46 | Hash of eRoT FW keys - Instance 0 | Yes |
47 | Hash of eRoT FW keys - Instance 1 | Yes |
48 | Hash of Component FW keys - Instance 0 | Yes |
49 | Hash of Component FW keys - Instance 1 | Yes |
50 | Debug token configuration: Byte 35-32: reserved; Byte 31-24: device serial number; Byte 23-8: nonce; Byte 7-4: eRoT FW version; Byte 3-2: struct size; Byte 1: struct major version; Byte 0: struct minor version | No |
51 | Debug Token Status information: Byte 4: bit 0 - Debug token was installed, bit 1 - Debug token currently installed; Byte 3-0: 32-bit integer, number of debug token installs, little endian | Yes |
52-61 | Reserved/Unused/Deprecated | No |
62 | Hash of the booted component FW. | Yes |
63 | Hash of the booted component FW metadata. | Yes |
64 | The PLDM Query Device Identifier for this eRoT. This is used to identify the CoMID against which the measurement block is to be compared. | Yes |
In the table above, "Active Slot" refers to the currently booted image, while "Inactive Slot" represents the second copy of the firmware. Both the eRoT firmware and the component firmware have two slots. During an update, the Inactive Slot is overwritten as part of the update and authentication process. After a successful update and boot, the previously Inactive Slot becomes the Active Slot, and a background copy process transfers the new Active Slot firmware into the now-unused Inactive Slot. This process may take a few minutes. If measurements are collected before the background copy completes, the two slots may have different values. The reference measurements assume a stable state, where both slots are identical, once the background copy process is finished.
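An added example (not NVIDIA's code) of the appraisal rule described above: compare only the indices the reference contains, ignore every other index, and report a mismatch confined to Inactive Slot indices separately because the background copy may still be running. The `appraise` function, the "retry" verdict, the dict representation of a measurement block and all sample values are assumptions made for illustration.

```python
import hashlib

# Inactive-slot indices taken from the table on this page (eRoT FW >=
# 01.04.0009.0000). Indices can move between releases, so pass the set in.
INACTIVE_SLOT_INDICES = frozenset({6, 10, 19, 28, 32})

def appraise(evidence, reference, inactive=INACTIVE_SLOT_INDICES):
    """Compare a measurement block with reference values, index by index.

    evidence, reference: dict of measurement index -> raw bytes.
    Only indices present in the reference are compared; serial numbers,
    build dates and reserved entries in the evidence are never inspected.
    Returns (verdict, indices) with verdict "pass", "retry" or "fail".
    """
    missing = sorted(i for i in reference if i not in evidence)
    if missing:
        return "fail", missing          # a referenced measurement is absent
    bad = sorted(i for i, ref in reference.items() if evidence[i] != ref)
    if not bad:
        return "pass", []
    # Assumed policy: a mismatch confined to inactive slots may be the
    # background copy still running, so it is reported apart from a hard fail.
    if all(i in inactive for i in bad):
        return "retry", bad
    return "fail", bad

def _h(label):
    """Constructed stand-in for a SHA-384 firmware hash."""
    return hashlib.sha384(label.encode()).digest()

def sample_reference():
    """Constructed reference values (not NVIDIA's) for five indices."""
    return {4: _h("erot-fw-new"), 5: _h("erot-fw-new"), 6: _h("erot-fw-new"),
            9: _h("comp-fw-new"), 10: _h("comp-fw-new")}

def sample_evidence(running="erot-fw-new", inactive_comp="comp-fw-new"):
    """Constructed evidence; indices 26 and 40 are outside the reference."""
    ev = dict(sample_reference())
    ev[4], ev[10] = _h(running), _h(inactive_comp)
    ev[26], ev[40] = b"SN-CONSTRUCTED-0001", b"2024-01-01"
    return ev

if __name__ == "__main__":
    ref = sample_reference()
    print(appraise(sample_evidence(), ref))
    print(appraise(sample_evidence(inactive_comp="comp-fw-old"), ref))
    print(appraise(sample_evidence(running="unknown-image"), ref))
```

Bound the number of retries: a "retry" result that does not become "pass" once the copy window has elapsed should be handled as a failure.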