In 2007, Intel introduced a new security feature on the business desktop line called Trusted Execution Technology (TXT). TXT was added to Intel vPro notebooks in 2008 and to the server platform in 2010. TXT is the foundation of a new generation of safe computers.

 

Many of the most sophisticated attacks against PC equipment nowadays aim to infect the user’s machines for different ends -- sending spam, DDoS attacks, information robbery. It has been a big challenge to mitigate them on the software layer.

 

As a hardware manufacturer, it’s our responsibility to join this battle and help the software industry develop more robust security solutions. However, Intel’s initiative isn’t the first one. Who remembers the ring hierarchy introduced on the 286 that allowed creating an operating system with privilege isolation? Or Execution Disable Bit, that helped prevent malware propagation on the machine, marking appropriated memory areas for code execution? We don’t treat security on just one layer and treating it in depth is not enough (e.g. software, hardware, and process). We must always be ahead of security issues, because it’s a race between who needs to be protected and who wants to attack.

 

Trusted Execution Technology (TXT) comes as a reinforcement to deal with threats that act on the same level of the kernel operating system or even more privileged levels -- like hypervisor’s malware, where the malicious code can take advantage of the CPU virtualization instructions to emulate hardware instructions and completely control the operating system.

 

How does it work?

 

Before we explain TXT, there is some groundwork to be done. First let’s understand how a key component in this technology works: the Trusted Platform Module, which is the root component of a secure platform. It’s a passive I/O device that is usually located at the LPC bus, and nowadays can be found as part of the North Bridge chipset. TPM has special registers, called PCR registers (i.e. PCR[0…23]) and can do some interesting things: Seal/Unseal secrets, allow Quoting (Remote Attestation) and do some crypto services, e.g. RSA, PRNG, etc.

 

The principle of TPM is that it is based on PCR extend operations, where it uses the previous PCR value to define the next one:

 

TPM-ExtendEquation.PNG

A single PCR can be extended multiple times and it’s computationally infeasible to define a specified value to a PCR, so the order where things happen matter [(ext(A),ext(B)) ≠ (ext(B),ext(A))] and the secret sealed in TPM can only be unsealed if the correct PCR values matches as presented in figure 1.

 

TPM-Sealing and Unsealing Operation.png

Figure 1 – Sealing/Unsealing TPM operation due PCR registers matching.

 

TPM is used also by Microsoft BitLocker, a full disk encryption technology, where the key to decrypt the disk is located in the TPM chip and the retrieving #_msocom_1 of this key depends on the integrity of the code that can be executed in memory, since the bootstrap and this process is known as Static Root Trust of Measurement (aka. SRTM) as presented in figure 2.

 

SRTM-DescriptionFlow.png

Figure 2 – Static Root Trust of Measurement

 

SRTM produces excellent results and a great level of security -- mainly against offline attacks --but the problem is that multiple components must be verified in the chain of trust once TPM is initialized. Verifying the integrity of each component in the path of computer initialization, as presented in figure 2, can become hard to manage due to the number of components involved. We need to measure every possible piece of code that might have been executed since the system boot; this imposes scalability issues.

 

Therefore, to cope with this limitation, TXT uses a different approach, named DRTM (Dynamic Root Trust of Measurement). Instead of validating every single piece of code, there is a magic new instruction called SENTER that has the capability to attest the integrity of the hypervisor loader or OS kernel code in a process known as Measure Launch. As presented in figure 3, the hypervisor loader issues the GETSEC[SENTER] instruction, which essentially performs a soft processor reset and loads a signed authenticated code module (ACM), which can only be executed if it has a valid digital signature. This module verifies system configurations and BIOS elements by comparing against the “known good” values protected of sensitive memory areas by using Intel Virtualization Technology for Directed I/O (Intel VT-d) and chipset specific technologies, such as Intel Extended Page Tables (Intel EPT). Then it verifies and launches the host system (a hypervisor core or an OS kernel code), which configures low-level systems and protects itself using hardware assisted paging (HAP).

 

DRTM-DescriptionFlow.png

Figure 3 – Dynamic Root Trust of Measurement

 

 

TXT is the right technology for Measure Launch and, in conjunction with Intel Virtualization Technology (VT-x, VT-d and EPT), it’s also possible to implement run-time protection against malicious code.