As I previously explained in my last blog post “Mitigating threats in the cloud using Intel® TXT and Trusted Compute Pools”, Intel TXT has the capability to perform a Measured Launch of the hypervisor and/or operating system, and consists of a series of hardware enhancements:
- Trusted Platform Module (aka TPM), which allows for secure key generation and storage, and authenticated access to data encrypted by this key. By analogy, it is a smart card embedded into the chip: the private key stored in the TPM is not available to the owner of the machine and never leaves the chip under normal operation;
- Memory and I/O virtualization performed by the Intel® 5520 chipset, which, among other things, protects certain areas related to TXT from DMA access;
- Intel® Xeon® 5600 series family or Xeon® E7 family that support the TXT instructions;
- Enabled BIOS and Hypervisor.
We maintain a list of hardware that is TXT capable, where you can find out which manufacturers and models deliver fully enabled solutions.
How do these pieces work together?
Before we explain TXT, there is some groundwork to be done. First, let’s understand how a key component in this technology works. The Trusted Platform Module is the root component of a secure platform. It’s a passive I/O device that is usually located on the LPC bus and nowadays can also be found as part of the North Bridge chipset. The TPM has special registers, called PCR registers (i.e. PCR[0…23]), and can do some interesting things: seal/unseal secrets, allow quoting (remote attestation) and provide some crypto services, e.g. RSA, PRNG, etc.
The principle of TPM is that it is based on PCR extend operations, where it uses the previous PCR value to define the next one:
A single PCR can be extended multiple times and it’s computationally infeasible to force a PCR to a chosen value, so the order in which things happen matters [(ext(A),ext(B)) ≠ (ext(B),ext(A))], and a secret sealed in the TPM can only be unsealed if the current PCR values match the expected ones, as presented in figure 1.
Figure 1 – Sealing/Unsealing TPM operation, conditional on PCR registers matching.
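To make the extend, ordering and seal/unseal behaviour concrete, here is an added Python model of a TPM's PCR logic. It is not code from the original post or from Intel; it assumes the TPM 1.2 extend rule PCR_new = SHA-1(PCR_old || SHA-1(measurement)), a constructed storage root key standing in for the key that never leaves a real chip, a toy XOR cipher in place of the TPM's real storage encryption, and a sealing policy over PCR 0 and PCR 17 (an assumption chosen for the example). The BIOS and loader images and the secret are constructed sample values.

```python
import hashlib
from typing import List, Sequence, Tuple

PCR_SIZE = 20      # TPM 1.2 PCRs hold a SHA-1 digest
NUM_PCRS = 24      # PCR[0..23]

SealedBlob = Tuple[Tuple[int, ...], bytes, bytes]


def _xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher standing in for the TPM's storage encryption:
    a SHA-256 counter keystream XORed with the data (encrypt == decrypt)."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], keystream))
    return bytes(out)


class ToyTPM:
    """Software model of PCR extend / seal / unseal as described above (not a real TPM)."""

    def __init__(self) -> None:
        # Constructed stand-in for the storage root key; a real TPM's key never leaves the chip.
        self._srk = hashlib.sha256(b"constructed-storage-root-key").digest()
        self.pcrs: List[bytes] = []
        self.reset()

    def reset(self) -> None:
        """Platform reset: every PCR returns to all-zero. Sealed blobs live outside the TPM and survive."""
        self.pcrs = [bytes(PCR_SIZE)] * NUM_PCRS

    def extend(self, index: int, measurement: bytes) -> bytes:
        """PCR_new = SHA-1(PCR_old || SHA-1(measurement)); the only way to change a PCR, no direct write."""
        digest = hashlib.sha1(measurement).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def composite(self, indices: Sequence[int]) -> bytes:
        """Digest over the selected PCRs; this is what a sealing policy binds to."""
        return hashlib.sha1(b"".join(self.pcrs[i] for i in sorted(indices))).digest()

    def seal(self, secret: bytes, indices: Sequence[int]) -> SealedBlob:
        """Encrypt the secret under a key derived from the SRK and the current PCR composite."""
        expected = self.composite(indices)
        key = hashlib.sha256(self._srk + expected).digest()
        return (tuple(sorted(indices)), expected, _xor_stream(secret, key))

    def unseal(self, blob: SealedBlob) -> bytes:
        """Release the secret only if the PCRs now hold the values they had at seal time."""
        indices, expected, ciphertext = blob
        if self.composite(indices) != expected:
            raise PermissionError("PCR mismatch: platform state differs from sealing time")
        key = hashlib.sha256(self._srk + expected).digest()
        return _xor_stream(ciphertext, key)


# Constructed sample images standing in for the code measured at boot.
GOOD_BIOS = b"constructed BIOS image v1"
GOOD_LOADER = b"constructed hypervisor loader v1"
TAMPERED_LOADER = b"constructed hypervisor loader v1 + unauthorised patch"
SECRET = b"constructed volume encryption key"

# Assumption for this toy: the policy binds to PCR 0 (firmware) and PCR 17 (measured launch).
POLICY_PCRS = (0, 17)


def measured_boot(tpm: ToyTPM, bios: bytes, loader: bytes) -> None:
    """Each stage is measured into a PCR before control passes to it."""
    tpm.extend(0, bios)
    tpm.extend(17, loader)


def extend_order_matters() -> bool:
    """(ext(A), ext(B)) != (ext(B), ext(A)): same measurements, different order, different PCR."""
    ab, ba = ToyTPM(), ToyTPM()
    ab.extend(0, b"A")
    ab.extend(0, b"B")
    ba.extend(0, b"B")
    ba.extend(0, b"A")
    return ab.pcrs[0] != ba.pcrs[0]


def seal_then_reboot_and_unseal(loader_at_next_boot: bytes) -> bool:
    """Seal during a known-good boot, reset, boot again with the given loader, and try to unseal."""
    tpm = ToyTPM()
    measured_boot(tpm, GOOD_BIOS, GOOD_LOADER)
    blob = tpm.seal(SECRET, POLICY_PCRS)
    tpm.reset()                                   # power cycle: PCRs back to zero
    measured_boot(tpm, GOOD_BIOS, loader_at_next_boot)
    try:
        return tpm.unseal(blob) == SECRET
    except PermissionError:
        return False


if __name__ == "__main__":
    print("extend order matters:", extend_order_matters())
    print("unseal after good boot:", seal_then_reboot_and_unseal(GOOD_LOADER))
    print("unseal after tampered loader:", seal_then_reboot_and_unseal(TAMPERED_LOADER))
```

The tampered loader changes one measurement, so PCR 17 ends up with a different value, the composite no longer matches the sealed blob, and the secret stays locked; the same code with the known-good loader unseals it. Note that unseal checks state, not identity: any software that reproduces the exact measurement sequence gets the same PCRs, which is why the measurement chain has to start from hardware (the root of trust) rather than from software that could be replaced.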
Intel® TXT brings a magic new instruction called SENTER that has the capability to attest the integrity of the hypervisor loader or OS kernel code in a process known as Measured Launch. As presented in figure 2, the hypervisor loader issues the GETSEC[SENTER] instruction, which essentially performs a soft processor reset and loads a signed Authenticated Code Module (ACM), which can only be executed if it has a valid digital signature. This module verifies the system configuration and BIOS elements by comparing them against “known good” values, and protects sensitive memory areas by using Intel Virtualization Technology for Directed I/O (Intel VT-d) and chipset-specific technologies, such as Intel Extended Page Tables (Intel EPT). It then verifies and launches the hypervisor, which configures low-level systems and protects itself using hardware-assisted paging (HAP).
Figure 2 – Dynamic Root of Trust for Measurement
TXT is the right technology for a measured launch and, in conjunction with Intel Virtualization Technology (VT-x, VT-d and EPT), it’s also possible to implement run-time protection against malicious code.