
Hello World

Posted by David Grawrock on Sep 25, 2007 7:16:00 PM

Hi. The vPro team has asked me to blog here about the Trusted Platform Module (TPM) and general security issues. For some strange reason I said yes. I have never blogged before, though I do read some blogs regularly, so hopefully I get this right.

To give a little bit of my bona fides, I have been the chair of the TPM workgroup for many years and have been the editor of the TPM spec since the beginning of the TCG. For extra credit I am also the security architect of Intel Trusted Execution Technology (TXT). Those two jobs may be part of why it seems like I have no real life outside of Intel. But I really do, as this is my 27th year as a soccer coach; this year it is a U14 girls team. Go Shark Bait (ooh ha ha).

Anyway, after that little digression, some information on the TPM. A vPro platform requires the inclusion of a version 1.2 TPM. The features of a TPM include storing measurements, reporting those measurements to a local or remote party, protecting information (keys and data sealed to the platform state), and basic cryptographic services. I teach classes on this that take hours to give, and my first blog post will not cover all of the features and uses of the TPM.

What I will focus on today is that the TPM is an integral part of the platform. Adding a TPM to the platform requires laying out the real estate for the device, adding busses to the device, changing the BIOS to initialize and configure the device, and then an OS and applications that take advantage of the TPM. Without all of these changes the TPM provides no benefit to the platform or to its users. One change that is very important to the platform is the ability to accept and store measurements. The platform is designed to perform a measurement for two critical processes. The first is the boot of the platform; the measurement of the boot process is known as the "static root of trust for measurement" or S-RTM. The other is the TXT launch, whose measurement is known as the "dynamic root of trust for measurement" or D-RTM. For those just learning about the TPM, measurement in this context means taking a cryptographic hash of the target (the BIOS or the VMM). The hash in use is SHA-1. The TPM does not store the hash as a plain value that software can overwrite: the measurement is "extended" into a Platform Configuration Register (PCR), the new PCR value being the SHA-1 of the old PCR value concatenated with the measurement. Software can only extend a PCR, never set it to a chosen value, and extending the same measurements in a different order yields a different PCR value.

The result of either RTM is knowledge, stored in the TPM as a measurement value, of which BIOS just booted the platform or which VMM is executing. Knowledge of the platform's state then enables both local processes and remote processes (the latter through attestation of the PCR values) to make trust decisions regarding the platform.
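To make the two paragraphs above concrete, here is an added example (written for this page, not code from the original post or from Intel) that simulates how a TPM 1.2 accumulates boot measurements by extending them into a PCR and how a remote verifier uses those values to make a trust decision. It assumes the TPM 1.2 extend rule (new PCR = SHA-1 of old PCR concatenated with the measurement, PCRs starting at 20 zero bytes after reset); the "BIOS" and "option ROM" images, the measurement log format and the allowlist of approved hashes are all constructed for the example. The verifier replays the log to check that it matches the attested PCR, then checks each component against the allowlist, which is also the "server notes a down-level component" step described in the comment thread below.

```python
"""Added example: TPM 1.2 style PCR extend and a minimal attestation verifier.

Assumptions (not stated on the page):
  - Extend rule: PCR_new = SHA-1(PCR_old || measurement); PCR is 20 zero
    bytes after platform reset.
  - Component images are constructed sample byte strings, not real firmware.
  - The allowlist is what a verifier would build from approved images; here
    it is built from the constructed samples.
"""
import hashlib

PCR_SIZE = 20  # SHA-1 digest length; TPM 1.2 PCRs are 160 bits wide


def measure(image: bytes) -> bytes:
    """Measurement = SHA-1 hash of the target (BIOS, option ROM, VMM, ...)."""
    return hashlib.sha1(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || measurement)."""
    assert len(pcr) == PCR_SIZE and len(measurement) == PCR_SIZE
    return hashlib.sha1(pcr + measurement).digest()


def replay_log(log):
    """Recompute the PCR value from an ordered list of (name, measurement)."""
    pcr = b"\x00" * PCR_SIZE  # value after platform reset
    for _, m in log:
        pcr = extend(pcr, m)
    return pcr


def verify_attestation(reported_pcr: bytes, log, golden):
    """Return (ok, findings).

    ok is True only if (1) the measurement log replays to the PCR value the
    TPM attested, so the log has not been edited, and (2) every component's
    measurement is one the verifier has approved."""
    findings = []
    if replay_log(log) != reported_pcr:
        findings.append("log does not replay to reported PCR (log tampered or incomplete)")
        return False, findings
    for name, m in log:
        if m not in golden.get(name, ()):
            findings.append(f"{name}: unknown or down-level measurement {m.hex()[:16]}...")
    return not findings, findings


# --- constructed sample components (not real firmware) -------------------
BIOS_V1 = b"BIOS image v1 (constructed sample bytes)"
BIOS_V2 = b"BIOS image v2 (constructed sample bytes)"
OPTION_ROM = b"option ROM (constructed sample bytes)"

# Allowlist: only BIOS v2 and this option ROM are approved.
GOLDEN = {"BIOS": {measure(BIOS_V2)}, "OptionROM": {measure(OPTION_ROM)}}


def boot(bios_image: bytes):
    """Simulate an S-RTM boot: measure each component in order and extend.

    Returns the PCR value the TPM would hold and the measurement log the
    platform would hand to a verifier alongside the attested PCR."""
    log = [("BIOS", measure(bios_image)), ("OptionROM", measure(OPTION_ROM))]
    return replay_log(log), log


if __name__ == "__main__":
    pcr, log = boot(BIOS_V2)
    print("approved boot      :", verify_attestation(pcr, log, GOLDEN))

    pcr, log = boot(BIOS_V1)
    print("down-level BIOS    :", verify_attestation(pcr, log, GOLDEN))

    # An attacker who edits the log to claim BIOS v2 cannot make it replay
    # to the PCR the TPM actually holds.
    forged = [("BIOS", measure(BIOS_V2)), log[1]]
    print("forged log         :", verify_attestation(pcr, forged, GOLDEN))

    # Same two measurements, other order: different PCR. This is why a
    # verifier needs the ordered log and not just a bare hash.
    print("order matters      :", replay_log(list(reversed(log))) != pcr)
```

The verifier deliberately reports a mismatch between log and PCR before looking at individual components: a log that does not replay to the attested value tells you nothing about the platform, so there is no point grading its entries.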

Well, most likely this is too long for a first post. Please be kind to a first-time blogger and let me know what details you would like to dive into.

Tags: tpm, security, txt


Sep 26, 2007 10:57 AM Todd Christ says:

David - welcome to the Pro Expert Center and great first post! I'm excited to see more data on the TPM front as security and encryption are becoming more and more visible at every layer of computing.

On a more personal note, I had coached my son's soccer team for only one year - I can't even imagine 27! More power to ya!

Sep 26, 2007 11:01 AM David Grawrock says in response to Todd Christ:

I got a comment; oops, did I say that out loud?

Anyway thanks for the comment, hopefully we can delve into what the TPM is in the future.

One year? You are a rookie. Worst year for me was when I had three teams at once; never again for me. Scheduling was a nightmare.

Sep 26, 2007 11:28 AM Steven Sprague says:

David,

This is a great place to educate everyone on the role and capabilities of TPMs on a vPro platform. I enjoyed your post and welcome to blogging. There is so much that any IT shop can do with a TPM today. With tens of millions of units already in the market it is a very valuable asset to improve the security of any network today. You touched on the TPM's role in integrity measurement; it should also be noted that the TPM can be used to form the foundation of any network access control solution.

The first step in any NAC installation is to establish strong machine identity. This is done with either 802.1X or IPsec; both of these technologies support client-certificate-based identity. These technologies set up the location for integrity measurements to be evaluated. It is trivial for IT to use the TPM to generate the key pair for these certificates. The result is that the private key is now held in tamper-resistant silicon and can't be migrated by a user or malware. This ensures that only approved machines are ever on the network and that all machines can have integrity measurements reported.

I look forward to discussing the number of roles that the TPM can support for the vPro platform.

Steven

Sep 27, 2007 11:15 AM Hal Finney (guest) says:

Hello David - I am very glad to see you posting here! I read your book on Intel's Safer Computing Initiative and am looking forward to getting more information on how the TPM chip fits into the larger security picture.

Two questions to start with: how does TPM relate to other vPro technologies such as AMT? I think I read that AMT does not use TPM?

And second, does Intel plan to release any software or SDK that supports TPM management?

One other question, do you know if there are any plans to make the slides from the security track of the IDF available? (Oops, guess that's 3 questions!)

Sep 29, 2007 12:08 PM Steven Sprague says in response to Hal Finney:

Hal,

I am sure David has comments but I thought I would add a note.

Software currently ships with Intel motherboards: the Embassy Trust Suite. This application provides local management capabilities and, most importantly, a CSP that enables one to use the TPM with many network security applications. Wave also provides central management capabilities that can be augmented by the AMT management tools. Most of the deployed TPMs come supported by local software.

A cool thing we hope to be able to do is secure the pre-boot 802.1X for AMT with a TPM-held key pair. This could enhance the security of the network connection.

What do you want to do?

Steven Sprague

CEO

Wave Systems Corp.

Sep 29, 2007 2:44 PM David Grawrock says in response to Steven Sprague:

Some good questions here and I will attempt to answer them in my next blog post. I've got a long flight ahead of me, and I will build the post in the air and then upload it sometime tomorrow.

Thanks everyone for getting this started.

Oct 1, 2007 10:42 AM Bill York (guest) says in response to David Grawrock:

David,

You mentioned some classes that you have on this subject. Can you provide information on these classes?

Thanks,

Bill York

Oct 1, 2007 10:42 AM Mohan Veeramachaneni says:

Hi David,

Great to have your insight on TPM shared here. I have many questions in this area but let me start with two of them first.

Initial Trust: I would like to understand how the initial trust on BIOS measurements or VMM or any other program is established to compare the on-going measurement calculated by the TPM. Is the initial trust based on the conformance and compliance certificates generated by the manufacturer and the trusted third party? If so, how is initial trust established for a new application that wants to use the TPM after the TPM has been in use, say, for a year or so in an untrusted environment with multiple user applications being launched in completely random order? Can you always say that since the TPM is a secure environment, whenever the measurement is first stored for any application it is the initial trusted measurement, so it can be compared again using the same PCR locations? (If applications are launched in a random order the PCR values cannot be predicted, so how can we use them to extend the hash for the new application?) How does any new application register itself with the TPM to store initial measurements of its hash so it can reuse this measurement to compare the next time it loads, to verify that the application has not been altered?

Second question, on archive/migratable keys. When you have a migratable key and wrap the private key of a migratable key with an SRK from the TPM, do you associate this wrapping process with a password so the user can decrypt this key and use it outside of the TPM? Are migratable keys less secure since they are stored outside of the TPM, although protected by some password etc.?

Sorry for the long thread but figured it would benefit the community as a whole.

Oct 1, 2007 3:56 PM David Grawrock says in response to Mohan Veeramachaneni:

Well I am glad to see that some are reading the TPM posts and hopefully I can answer some of the questions. Answering the questions seems better than simply going off and attempting to talk to myself.

The first question from Hal, who used up three questions in only two, was how the TPM relates to other platform technologies. The answer is that the TPM provides specific technologies that complement the other technologies. The complement between AMT and the TPM is that AMT provides a management tool to respond to the current state of the platform as reported by the TPM. One way to respond would be to send to the platform an update to a reported component that represents a potential vulnerability. The flow would be: platform measures component and stores measurement in TPM, server requests TPM attestation, server notes down-level component, sends remediation to AMT, AMT applies fix, and platform installs new component (which may only happen on the next reboot depending on the component). Note the use of both components to do their job on the platform.

Hal's second question was the creation of software and SDKs for TPM management. I do not know of any Intel plans for that software, but TPM management code is available from a variety of vendors including Wave, Infineon, and NTRU. As Steve noted, we bundle the Wave solution with our platforms. I would check the TCG web site (www.trustedcomputinggroup.org) for more pointers.

Hal's third question (as he read my book, he gets to ask three questions when starting with two) is on the potential of slides from IDF. After all of the IDF satellite versions finish they may put the slides up, but not prior to that. If you attended IDF then you do have access as a participant (see, there really is a reason to go). BTW, I love IDF and enjoy the talks, the show floor, and the keynotes. It was great to see the demo of TXT in Pat Gelsinger's keynote.

Bill asked about the classes I give. The classes are normally at TCG events, IDF, or closed events. I have been teaching at the trusted summer schools (www.etiss.org is one). Right now I do not have any scheduled open classes.

Our last question was from mveerama who wondered about initial trust. I am going to cover that one in a specific post and it will immediately follow this one.