Trusted Computing Platform

Last updated March 7th, 2025

The Samsung Knox platform is built upon Trusted Computing principles, ensuring that devices only execute authorized and validated code (such as cryptographic keys protecting enterprise data) during startup. This code is stringently measured and cross-referenced against a database of approved components (hashes) specific to each platform. In the event of unauthorized firmware compromise, access to critical data would be denied.

As both a device hardware and software manufacturer, Samsung is uniquely positioned to establish a trusted computing environment across all Samsung Knox devices. Our robust supply chain guarantees enable us to embed cryptographic keys and code directly into the hardware during manufacturing at the factory. This foundational element is referred to as a Hardware-based Root of Trust in trusted computing terminology.

Upon initial boot, a Trusted Boot chain is established, where each Samsung Knox boot component undergoes measurement and authentication before subsequent components can run. Once this chain of trust is formed, features like Real-time Kernel Protection (RKP) maintain the trust-chain integrity by regulating requests between the kernel and critical system components, thereby preventing attackers from compromising the kernel and accessing sensitive data.
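The measure-then-run rule described above can be modeled in a few lines. This is an added illustration, not Samsung's implementation: the stage names, images, and the `release_data_key` helper are hypothetical, and a plain SHA-256 allowlist stands in for the platform's real measurement and authentication.

```python
import hashlib
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

class BootResult(NamedTuple):
    trusted: bool
    executed: List[str]          # stages that were allowed to run
    failed_stage: Optional[str]  # first stage whose measurement was rejected

def measure(image: bytes) -> str:
    """Measurement of a boot component: here, its SHA-256 digest."""
    return hashlib.sha256(image).hexdigest()

def trusted_boot(chain: List[Tuple[str, bytes]],
                 approved: Dict[str, Set[str]]) -> BootResult:
    """Check each stage against the approved hashes before it may run."""
    executed: List[str] = []
    for name, image in chain:
        if measure(image) not in approved.get(name, set()):
            # Stop here: this stage and everything after it never executes.
            return BootResult(False, executed, name)
        executed.append(name)
    return BootResult(True, executed, None)

def release_data_key(result: BootResult, sealed_key: bytes) -> Optional[bytes]:
    """Hypothetical key release: data stays locked unless the whole chain verified."""
    return sealed_key if result.trusted else None

# Constructed sample images and the matching database of approved hashes.
GOOD_CHAIN = [("bootloader", b"bootloader-v1"),
              ("kernel", b"kernel-v1"),
              ("system", b"system-v1")]
APPROVED = {name: {measure(image)} for name, image in GOOD_CHAIN}

# Same chain with a modified kernel image (constructed).
TAMPERED_CHAIN = [("bootloader", b"bootloader-v1"),
                  ("kernel", b"kernel-v1-modified"),
                  ("system", b"system-v1")]

if __name__ == "__main__":
    for label, chain in (("good", GOOD_CHAIN), ("tampered", TAMPERED_CHAIN)):
        result = trusted_boot(chain, APPROVED)
        print(label, result, release_data_key(result, b"constructed-key"))
```

With the tampered chain, the bootloader runs, the kernel is rejected, and the key is never released.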

After completing the boot process, Samsung Knox devices establish a secure connection with a trusted server to verify their integrity through Knox Device Health Attestation. This step enables enterprises to confirm that the device has booted correctly and hasn’t been compromised.

The following diagram describes how Samsung Knox devices adopt trusted computing platform principles in greater detail:

[Diagram: trusted computing platform]