intel trusted execution technology

© 2008 Intel Corporation

Intel® TXT The Front Door of Trusted Computing....

Outlines Introduction to Intel® TXT TechnologyWhy it matters?Bad & Good ListArchitectural EnhancementsHow it works?Control PointsLCP Protection Use ModelsBenefitsMeeting the requirementsConclusion References

6 Mar 20122Intel ® TXT

Front Door of Trusted Computing …

Introduction

Intel® TXT(Trusted eXecution Technology) Code named as LaGrande.

Provides Hardware-based Security enhancing the level of security (more useful for Business PCs)

Integrates new security features and capabilities into the processor, chipset and other platform components

3 6 Mar 2012Intel ® TXT


Why it matters?

Mechanism of Malwares may vary but they all seek to: 1. Corrupt Systems2. Disrupt Business3. Steal Data4. Seize control of Platforms

Traditional approaches by anti-viruses is to look for “known-bad” elements.

Intel® TXT provides “known good-focused” approach, that checks for malicious software before they are even launched.



5

Move from bad list to good list

VMM V20

VMM V4

Hacked_V1

Corrupted_V2

OS3

OS4

VMM V1

VMM V2

OS1

OS2

Bad list

Reactive

Good list

Proactive

VMM V8

VMM V4

Hacked_V1

Corrupted_V2

OS3

OS4

VMM V3

VMM V4

Hacked_V1

Corrupted_V2

OS3

OS4



Strict control enables switch to

good list Identity Check

Accurate identity of software

Good List Requirements Good List Requirements

Integrity Check

Must provide ability to validate list integrity at time of policy

enforcement

Management of list must provide for multiple users and assurance of

list integrity

Control Enforce the list policy



A number of system components’ functionalities as well as architecture is enhanced:

Processor: Provides for simultaneous support of the standard partition & one or more protected partitions.

Chipset: Provides protected channels to graphics h/w and i/o devices on

behalf of the protected partitions. Also provides interfaces to the TPM.

Keyboard & Mouse:Support encryption of keyboard and mouse input using a cryptographic key that is shared between the input device and the input manager for protected execution domain.

(contd..)

7

Architectural Enhancements



Graphics:Provides protected pathway between an application or software agent and the output display context(such as window object)

TPM(Trusted Platform Module):Hardware-based mechanism that stores cryptographic keys and other data related to Intel® TXT within the platform, also provides hardware support for the attestation process to confirm the successful invocation of the Intel TXT environment.



Internal Components of a TPM



How does it works?



Creates a Measured Launch Environment(MLE) that enables accurate comparison of all critical elements of launch environment against known-good source.

Creates a cryptographically unique identifier for each approved launch-enabled component, and then provides hardware-based enforcement mechanisms to block the launch of code that does not match approved code.

Intel TXT provides:• Verified Launch (MLE)• Launch Control Policy (LCP)• Secret Protection • Attestation

11

How does it works? (contd..)



How does it works? (contd..)



13

Control Points

Memory

SINIT ACM

MLE

MLE

MLE

Establish special environment

Load SINIT and MLE into memory

Invoke GETSEC [SENTER]

Load SINIT into ACEA

Validate SINIT digital signature

a Store SINIT identity in TPM

SINIT measures MLE in memory

CPU

ACEA

SINIT ACM

SINIT ACM

a Store MLE identity in TPM

aa



Control Points

Memory

SINIT ACM

MLE

MLE

MLE

Establish special environment

Load SINIT and MLE into memory

Invoke GETSEC [SENTER]

Load SINIT into ACEA

Validate SINIT digital signature

a Store SINIT identity in TPM

SINIT measures MLE in memory

CPU

ACEA

SINIT ACM

SINIT ACM

a Store MLE identity in TPM

aa

LCP

VMM1

VMM2

SINIT loads LCP

SINIT passes control to known MLE



LCP Protection LCP Protection



Ensures Safe Migration between Hosts through Trustable Pools



Benefits of Intel® TXT

Increased user confidence in their computing environment

More protection from malicious software

Improved protection of corporate information assets

Better confidentiality and integrity of sensitive information



Identity

Control

Integrity

Software stack identity provided by SENTER measurement

Control of software stack provided by authenticated code enforcing a launch control policy set for the specific platform

Integrity of the launch control policy guaranteed by hash and TPM controls

Meeting The RequirementsMeeting The Requirements



Safer Computing with Intel technologies

Pro

tecti

on

Cap

ab

ilit

ies

Time

Smart CardSmart Card

TPM (Trusted Platform Module)TPM (Trusted Platform Module)

Software-OnlySoftware-Only

Intel® Trusted Execution TechnologyIntel® Trusted Execution Technology

Execute DisableExecute Disable

Intel® Virtualization TechnologyIntel® Virtualization Technology

Future Technologies

Advancing Platform Protections

Intel® Active Management TechnologyIntel® Active Management Technology



Conclusion

With Intel® TXT enabled solutions we can:

Address the increasing and evolving security threats across physical and virtual infrastructure.

Facilitate compliance with government and industry regulations and data protection standards.

Reduce malware-related support and remediation costs.



References Software Development Guide, Intel® TXT, pdf format, March 2011 White Paper, Intel® TXT Software, pdf format Technology Overview, Intel® TXT, pdf format http://en.wikipedia.org/wiki/Trusted_Execution_Technology http://www.youtube.com/watch?v=LsjXjDksU http://www.intel.com/content/www/us/en/data-security/security-overview-

general-technology.html http://www.intel.com/content/www/us/en/architecture-and-technology/

trusted-execution-technology/trusted-execution-technology-overview.html

http://www.intel.com/content/www/us/en/architecture-and-technology/trusted-execution-technology/malware-reduction-general-technology.html

Intel ® TXT

Front Door of Trusted Computing …22 6 Mar 2012

16 Oct 2008 Front Door of Trusted Computing23