how to build hardware support for secure startup

Upload: juanrozalez

Post on 03-Apr-2018


  • 7/29/2019 How to Build Hardware Support for Secure Startup

    1/34

    How To Build Hardware Support For Secure Startup

    Steve Heil & Mark Williams

    Program Managers, Windows Security, Microsoft Corporation

    Manny Novoa

    Security Strategist, Personal Systems Group

    Hewlett-Packard

    2/34

    Session Outline

    Quick overview of Windows codenamed Longhorn Secure Startup feature

    Overview of Longhorn TPM Services architecture

    Developing applications that work with TPM Services

    Windows Longhorn Logo Program proposed requirements for Secure Startup & TPM Services

    Hewlett-Packard presents options & trade-offs for building Secure Startup-capable systems

    Resources & Call to Action

    3/34

    Session Goals

    This session answers the system builder's question: How do I build PC client SKUs that support Secure Startup?

    Attendees should leave this session with the following:

    Guidelines for developing software for TPM Services

    A better understanding of why and how to build Secure Startup-capable system SKUs

    Knowledge of where to find resources for meeting the Secure Startup system Windows Logo Program requirements and building Secure Startup-capable platforms

    4/34

    Quick Overview of Secure Startup

    Technology providing higher security through use of Trusted Platform Module (TPM)

    Addresses the lost or stolen laptop scenarios with TPM-rooted boot integrity and encryption

    Provides secure system startup and full volume encryption built on TPM services

    Attackers are stopped from using software tools to get at data

    5/34

    What is a TPM?

    Module on the motherboard that:

    Protects secrets from attackers

    Performs cryptographic functions

    For example, RSA, SHA-1, RNG

    Meets encryption export requirements

    Can create, protect and manage cryptographic keys

    Provides a unique Endorsement Key (EK)

    Performs digital signature operations

    Holds Platform Measurements (hashes)

    Anchors chain of trust for keys, digital certificates and other credentials

    To see industry standard specs for TPM 1.2, go to www.trustedcomputinggroup.org

    6/34

    TPM Services Design Requirements

    Create an environment where the TPM can be shared

    Provide an appropriate level of abstraction for constrained resources

    Protect applications from each other

    Provide infrastructure for 3rd party developers and system manufacturers to add value

    A single driver to support a variety of v1.2-compliant TPMs in the market

    Provide mechanisms to support the right to opt-in and the right to privacy

    7/34

    TPM Services Architecture Simplified

    * = TCG Software Stack

    8/34

    TPM Services Application Development

    Write code using the Trusted Service Provider layer of a TCG v1.2 TSS that has been built upon the TPM Base Services (TBS)

    Some commands are blocked by default

    Command blocking is configurable by the administrator

    The Storage Root Key authorization data is zero

    Access TPM functionality through the Microsoft features

    WMI Interface

    Key Storage Provider (KSP)

    9/34

    TCG Stack vs. TPM Services Stack

    TPM applications use the TCG Service Provider (TSP) interfaces

    The TCG Core Services component (TCS) is ported to communicate with the TBS instead of the TCG Device Driver Layer (TDDL)

    TPM applications are more agile and better protected when using TBS

    10/34

    Introducing

    Mark Williams

    Program Manager, Windows Security, Microsoft Corporation

    11/34

    Secure Startup & Windows Longhorn Logo Program

    The two proposed Windows Longhorn Logo Program requirements for Secure Startup are

    SYS-SEC-1 System supports Secure Startup via v1.2 TPM

    SYS-SEC-2 System supports Secure Startup by using system firmware security enhancements

    These are "If implemented" requirements

    Based on industry-standard specs

    TCG TPM Specification Version 1.2, at www.trustedcomputinggroup.org/home

    TCG TPM Interface Specification v1.2, Revision RC26 or later, at www.trustedcomputinggroup.org/members

    TCG PC Client Specific Implementation Spec for Conventional BIOS v1.2, Revision 0.98 or later, at www.trustedcomputinggroups.org/members

    12/34

    Secure Startup & Core Logic Chipset

    Secure Startup code uses memory-mapped I/O to communicate with TPM

    Platform core logic chipset MUST implement memory-mapped I/O to TPM 1.2 over LPC bus

    Memory region maps to TPM 1.2 Locality 0

    TPM 1.2 Locality 0 system memory address is 0xFED4_0xxx

    This memory region MAY be protected

    Details about TPM 1.2 memory-mapped LPC interface are in an industry-standard specification

    TCG TPM Interface Specification v1.2, Revision RC26 or later, at www.trustedcomputinggroup.org/members

    13/34

    How Does Secure Startup Use The TPM?

    Secure Startup code uses TPM 1.2 to

    Measure software components of system boot process; for each system boot event:

    Performs hash of component code and/or data

    Adds entry to Event Log

    Extends appropriate PCR with hash value

    Later seals secrets against those PCR values

    To protect secrets on the next platform reset

    Mapping of the PCR usage to system boot events is in an industry-standard specification

    TCG PC Client Specific Implementation Spec for Conventional BIOS v1.2, Revision 0.98 or later, at www.trustedcomputinggroups.org/members

    TCG draft specification for PCR usage on EFI-based platforms under development

    14/34

    Why Are Firmware Extensions Required?

    Secure Startup code runs in the pre-OS environment that is controlled by firmware

    Secure Startup code must be able to use firmware to access the TPM

    BIOS must expose INT 1Ah interface

    This INT 1Ah interface is specified in the TCG v1.2 PC Client Implementation Specification

    Secure Startup code uses a subset of the INT 1Ah functions in the TCG spec

    TCG_StatusCheck

    TCG_PassThroughToTPM

    TCG_CompactHashLogExtendEvent

    Draft TCG EFI Protocol Spec contains these same three functions

    15/34

    Secure Startup Architecture: Static Root of Trust Measurement of early boot components

    16/34

    Example Firmware Requirements

    Requirements for BIOS usage of TPM 1.2 PCR[4]

    The BIOS MUST measure into PCR[4] each IPL that is attempted and executed; if IPL code returns control back to BIOS then each IPL MUST subsequently be measured

    The BIOS MUST NOT measure portions of the IPL pertaining to the specific configuration of the platform into PCR[4]

    For example, the disk geometry data in the MBR would not be measured into PCR[4]

    To measure the content of an MBR style disk, the BIOS would measure 0000-01B7h into PCR[4] and 01B8-01FFh into PCR[5]

    These requirements are from TCG spec, proposed for testing in the Windows Longhorn Logo Program
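    The per-event measurement steps of slide 13 (hash, log, extend, later seal) and the PCR[4]/PCR[5] MBR split of slide 16, as an added Python example that is not from the deck, Microsoft or HP. The MBR bytes, the event-log tuple layout and the seal_policy stand-in for TPM_Seal's PCR binding are constructed for this demonstration; only the SHA-1 extend rule and the 0000-01B7h / 01B8-01FFh split come from the slides.

```python
import hashlib

PCR_INIT = bytes(20)  # SHA-1 sized PCRs read as all zeros after TPM_Init

def extend(pcr, digest):
    """TPM 1.2 PCR extend: PCR_new = SHA-1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def measure(pcrs, log, index, description, data):
    """Per-event steps from slide 13: hash the data, add a log entry, extend the PCR."""
    digest = hashlib.sha1(data).digest()
    log.append((index, description, digest))  # constructed log layout for the demo
    pcrs[index] = extend(pcrs.get(index, PCR_INIT), digest)

def measure_mbr(mbr):
    """Split from slide 16: code 0000h-01B7h into PCR[4], configuration 01B8h-01FFh into PCR[5]."""
    assert len(mbr) == 512
    pcrs, log = {}, []
    measure(pcrs, log, 4, "IPL code", mbr[0x000:0x1B8])
    measure(pcrs, log, 5, "MBR configuration", mbr[0x1B8:0x200])
    return pcrs, log

def replay(log):
    """Recompute PCRs from the event log alone, as a verifier does before trusting the log."""
    pcrs = {}
    for index, _, digest in log:
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), digest)
    return pcrs

def seal_policy(pcrs, indices):
    """Stand-in for the PCR binding of TPM_Seal: a digest over the selected PCR values."""
    return hashlib.sha1(b"".join(pcrs[i] for i in sorted(indices))).digest()

def make_mbr(code, disk_signature, partition_table):
    """Constructed MBR: code padded to 0x1B8, 4-byte disk signature, 2 reserved bytes,
    64-byte partition table, 55AAh boot signature (demo layout, not from the deck)."""
    assert len(code) <= 0x1B8 and len(partition_table) == 64
    return (code.ljust(0x1B8, b"\x00") + disk_signature.to_bytes(4, "little")
            + b"\x00\x00" + partition_table + b"\x55\xAA")

def demo():
    code = b"\xEB\xFE" + b"\x90" * 14                    # constructed stub boot code
    table = bytes(64)
    p0, log0 = measure_mbr(make_mbr(code, 0x12345678, table))
    p1, _ = measure_mbr(make_mbr(code, 0xCAFEBABE, table))        # new disk signature only
    p2, _ = measure_mbr(make_mbr(b"\xE9\x00\x00" + code[3:], 0x12345678, table))  # code altered
    forged = [(4, "IPL code", hashlib.sha1(b"fake").digest())] + log0[1:]      # tampered log
    return {
        "log_replays_to_pcrs": replay(log0) == p0,
        "forged_log_detected": replay(forged) != p0,
        "pcr4_ignores_config": seal_policy(p0, [4]) == seal_policy(p1, [4]),
        "pcr4_5_sees_config": seal_policy(p0, [4, 5]) != seal_policy(p1, [4, 5]),
        "pcr4_sees_code_change": seal_policy(p0, [4]) != seal_policy(p2, [4]),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

    Every entry of the result is True: a secret sealed to PCR[4] alone survives a disk-signature change but not a boot-code change, and a log that does not replay to the TPM's PCR values is rejected.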

    17/34

    EFI Architectures & Requirements

    Security-enhanced firmware MAY be conventional BIOS, EFI, or a combination of BIOS and EFI

    TCG currently drafting two industry-standard EFI specs

    EFI Protocol Spec common to PC Clients and Servers

    EFI Implementation Spec for PC Clients

    Includes mapping of TPM PCR event measurements to EFI boot components

    Microsoft is contributing to these specs

    Planned EFI support in Longhorn OS loader

    Draft TCG EFI specs are currently available to TCG member companies, at www.trustedcomputinggroup.com/members

    18/34

    Building a Secure Startup System

    After system builder has:

    Chosen a TPM 1.2 vendor

    Committed a BIOS team to working on the extensions

    What else is needed?

    Build a TCG-defined Host Platform which includes

    Motherboard

    Host processor(s)

    TPM

    Immutable part of firmware called the Static Core Root of Trust for Measurement (S-CRTM)

    Other devices that connect directly to the CPU and interact directly with the CPU

    19/34

    Example Motherboard Requirement

    The platform MUST perform a Host Platform Reset which may be:

    Cold Boot Host Platform Reset,

    Hardware Host Platform Reset, or

    Warm Boot Host Platform Reset

    Boot Strap Host processor MUST be reset & begin execution with the S-CRTM

    All remaining Host Processors MUST be reset

    The TPM MUST be reset

    Execution of TPM_Init signal

    TPM MUST NOT be reset without a Host Platform Reset

    See TCG PC Client Specific Implementation Spec for Conventional BIOS v1.2, Revision 0.98 or later, at www.trustedcomputinggroups.org/members

    20/34

    Options And Trade-offs

    After the Secure Startup functional requirements are met, the system builder has options to consider, including:

    1:1 binding of TPM to platform

    BIOS & CRTM architectures

    Operational states of TPM & customer deployment scenarios

    21/34

    Longhorn Secure Startup

    An OEM Cookbook

    Manny Novoa

    Security Strategist, Personal Systems Group

    Hewlett-Packard

    22/34

    TPM V1.2 Platform Requirement

    1:1 binding of TPM to platform

    System builders desire common motherboards across multiple platforms (may span consumer/commercial)

    Modular TPM facilitates build process and serviceability

    HOWEVER

    TCG Specification clearly dictates binding requirement

    TPM bound to 1 and only 1 platform

    Soldered to motherboard is well understood

    Modular add-in requires cryptographic binding

    Security target implication to demonstrate how TPM can not be used on another platform! This is not trivial!

    Choice of binding has implications on platform cost and maintenance/serviceability!

    23/34

    TPM BIOS Impacts: CRTM

    Two CRTM options for PC Architecture

    Boot Block as CRTM

    Immutable (fixed) code per TCG Specification

    or

    Prove secure update process in conformance security target

    Entire BIOS as CRTM

    Prove secure update process in conformance security target

    Challenge for most flash mechanisms in the runtime state!

    24/34

    TPM BIOS Impacts: Size Implications

    S-CRTM TPM interface code adds 3KB to 6KB to boot block

    F000 segment size limitation requires creative mapping of BIOS core

    BIOS Setup must include TPM functions including enable/disable and factory reset (ForceClear)

    RTM TPM interface code is now 32-bit

    Mechanism required to transition from natural BIOS state to 32-bit mode

    25/34

    Physical Presence

    Remote Deployment Consideration

    Customers demand automated mechanism to activate and take ownership of TPM

    However

    TCG specification conflicts in its physical presence requirements

    New process is under review by PC Client Workgroup

    Conduit to BIOS for command sequences requiring physical presence

    S-CRTM must detect user presence (i.e. button press, etc.), otherwise physical presence is locked

    e.g. BIOS must distinguish a SW initiated warm/cold boot from a physical pressing of the power button

    Value add opportunity in requiring platform administration credential

    Platform builder action: ensure any existing remote deployment scripts migrate to support new physical presence process

    26/34

    TPM Ownership

    TPM Services will handle the process of TPM ownership

    Current TCG V1.1 implementations each have specific tools for ownership, which integrate to TSS stack

    Ownership Blobs are NOT universally compatible

    Blob exchange/process mechanism is currently in definition

    Migration from TCG-enabled Windows XP and Windows 2000 platforms?

    TCG defined Migration/Maintenance facility may suffice, treating the Longhorn installation as a new device/platform

    Mechanism under evaluation/creation at Microsoft

    Fresh Longhorn/Secure Startup installation

    Platform builder must ensure only a single GUI for ownership (via the OS)

    Information gathered must be provided seamlessly to TSS software layer

    27/34

    Case Study: HP ProtectTools & Longhorn

    HP ProtectTools focus areas:

    Pre-boot security

    Single sign-on convenience

    Multifactor authentication

    Leverage infrastructure components (e.g. TPM)

    Migration to Longhorn Secure Startup only affects Embedded Security & BIOS modules

    Update to TPM V1.2

    BIOS Integration of INT 1A, PCR measurements & physical presence

    Securing CRTM

    Other value-add modules focus on pre-boot or via well defined OS interfaces (CAPI, PKCS11, TSS)

    Figure: HP ProtectTools Security Manager for client PCs and its modules: Smart Card Security, Credential Manager, BIOS Configuration and Embedded Security, each for HP ProtectTools

    28/34

    ProtectTools Platform Lessons

    Use highest level API whenever possible

    CSP for CAPI allows TPM to function as any other crypto device/token

    S/MIME support, IE integration for certs, etc.

    PKCS#11 module for TPM

    RSA SecurID, smart card support, USB crypto token support, etc.

    Enhance Secure Startup with TPM and Smart Card pre-boot authentication

    Independent of Secure Startup to prevent system boot without strong user authentication

    Offers strong pre-OS credential storage

    Enhanced by Secure Startup in offline scenario

    Figure: layered stack, top to bottom: App 1, App 2 ... App N; PKCS #11 and CAPI CSP; TSS/TCS; TBS

    29/34

    Recap For System Builder (OEM)

    Begin TPM 1.2 integration process

    Standalone chip: Atmel, Infineon, ST Micro,

    Integrated: BroadCom (NIC), National (SIO),

    Ensure 1-1 binding of TPM to platform/motherboard

    BIOS Implications

    Immutable S-CRTM or define secure flash process

    Support physical presence detection within CRTM

    Space requirements to add Integrity measurement code and TPM interface code to S-CRTM and RTM

    INT 1A support for runtime environment

    Leverage TPM in tools/applications

    Example: HP ProtectTools Credential Manager uses TPM to protect SSO store

    Design value add to highest API level possible

    30/34

    Call to Action

    Develop TPM applications using a TSS that's been ported to TBS

    Get on the list to receive Secure Startup Design Guide publication from Microsoft

    Send e-mail to [email protected]

    System builders send your reference platforms to Secure Startup test team at Microsoft for evaluation

    Review the v1.2 TCG specifications at www.trustedcomputinggroup.org

    31/34

    Secure Startup Resources

    For answers to questions about Secure Startup and related TPM Services, e-mail [email protected]

    TCG Web Site

    http://www.trustedcomputinggroup.org

    32/34

    Community Resources

    Windows Hardware & Driver Central (WHDC)

    www.microsoft.com/whdc/default.mspx

    Technical Communities

    www.microsoft.com/communities/products/default.mspx

    Non-Microsoft Community Sites

    www.microsoft.com/communities/related/default.mspx

    Microsoft Public Newsgroups

    www.microsoft.com/communities/newsgroups

    Technical Chats and Webcasts

    www.microsoft.com/communities/chats/default.mspx

    www.microsoft.com/webcasts

    Microsoft Blogs

    www.microsoft.com/communities/blogs

    34/34

    © 2005 Microsoft Corporation. All rights reserved.

    This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.