Skip navigation

The passive TPM

Posted by DavidGrawrock Oct 25, 2007


One interesting point that many individuals do not realize is that the TPM is not an active device. Let me explain. For this purpose an active device is one that gets to make a "decision" on the platform and interrupt what else is going on. A passive device only responds to requests.



The TPM, on the PC, currently resides on the Low Pin Count (LPC) bus. The LPC bus, as it's name implies, has just a few pins and wires and is very limited on the amount of data that moves across the bus. In fact the LPC bus operates at the blazing (tongue in cheek here) speed of 33 MHz. One property of the LPC bus is that the devices that attach to the bus are supposed to, by specification, to be passive devices. That is each device on the LPC bus only responds to commands.



The TPM design also only contemplates a passive device. The entire command set is designed to respond to requests. There are no commands that work on interrupts or initiate an action. Each TPM command is a response to a specific request from either the platform itself or the users of the platform.



The reason why this distinction is important is that with the TPM being a passive device, using the TPM requires software to request the TPM to perform an operation. The TPM has no mechanism to act independently on it's own.



Now you know why the TPM is a passive device.



PS sorry for not posting for a few days but life can get busy at times.




TPM Initial Trust

Posted by DavidGrawrock Oct 1, 2007


When dealing with Initial trust it is important to figure out who is trusting what.



First we will define a few terms to use.


Verifier - The entity that wants to trust the platform.
Platform - the vPro platform everyone is buying (you are buying one aren't you?)
Platform Configuration - the set of software measured by the platform (vPro measures BIOS and if executing the VMM)
Platform credentials - evidence of the platform properties which on vPro includes presence of TPM and the ability to execute TXT.


Now with these definitions let us work through a few trust decisions.



IT wants to trust new platform in the enterprise


Here we are assuming that the platform is brand new. The IT department uses the platform credentials to ensure that the platform delivered matches the platform credentials. If the platform does not come with credentials IT can create credentials for internal IT use.
Trust here is on either supplied credentials or direct creation of new credentials.


IT wants to trust a platform as it attaches to the network


here the platform contacts an access point (wired or wireless) and before assigning an IP address the access point asks for the current platform configuration. The trust necessary here is that the access point has to have sufficient evidence of the platform properties (credentials from our first use model) and then the access point obtains the platform configuration and validates the TPM report. (note that this is just the network access control protocol)
The access point must be able to determine what is a valid platform configuration and it does not matter if it is the first time the platform connects or the 20th time. The only issue is does the access point understand the platform configuration, if it does then the access point grants access, if it does not the access point blocks access. Determination of a valid platform configuration includes knowing what BIOS is supposed to be present and which VMM is supposed to be running.
Trust in this model requires the platform evidence (credentials) and the ability to understand the platform configuration.


Timing for the first two models does not matter. Whenever IT creates the evidence it is sufficient for IT, does not matter if it is the first day of use for the platform or in the second year of use. If one is using NAC, then the credentials provide the root of trust to believe the measurements and then the measurements provide information on the platform configuration. What else is executing on the platform does not change what measurements were taken. Measurements are not a one time operation but occur each time the associated root of trust executes (static RTM that is on each boot, dynamic RTM occurs on each invocation of GETSEC[SENTER]). It does not matter what else is executing or has executed, the measurement represents what occurred during the execution of the RTM.



Understand that platform configuration would not normally include the entire application stack. Rather the measured environment would provide additional measurements for applications. The entries in the PCR represent those components measured by the RTM and do not normally include applications. For instance when launching TXT the DRTM measures the SINIT authenticated code module, the measured launched environment (MLE), and a few registers. That is it. No applications, additional measurements would be provided by the MLE for applications or environments the MLE launches.



Applications can not just register with the TPM, there must be some process that measures the application and stores the measurement into some repository (which may or may not be the TPM).



Hopefully this little explanation helps in who is trusting what.







Hello World

Posted by DavidGrawrock Sep 25, 2007


Hi the vPro team has asked me to blog here regarding the Trusted Platform Module (TPM) and general security issues. For some strange reason I said yes. I have never blogged before, though i do read some blogs regularly, so hopefully I get this right



To give a little bit of my bona fides, I have been the chair of the TPM workgroup for many years and have been the editor of the TPM spec since the begining of the TCG. For extra credit I am also the security architect of Intel Trusted Execution Technology (TXT). Those two jobs may be part of why it seems like I have no real life outside of Intel. But then I really do as this is my 27th year as a soccer coach, this year it is a U14 girls team, Go Shark Bait (ooh ha ha).



Anyway after that little digression some information on the TPM. A vPro platform requires the inclusion of a Version 1.2 TPM. The features of a TPM include storage of measurements, reporting the measurements, protection of information, and basic cryptographic services. I have classes that take hours to give and my first blog post will not cover all of the features and uses of the TPM.



What I will focus on today is that the TPM is an integral part of the platform. Adding a TPM to the platform requires laying out the real estate for the device, adding busses to the device, changing the BIOS to initialize and configure the device, and then OS and applications that take advantage of the TPM. Without all of these changes the TPM does not provide benefits to the platform or the users of the platform. One change that is very important to the platform is the ability to accept and store measurements. The platform is designed to perform a measurement for two critical processes. The first is the boot of the platform. The measurement of the boot process is known as the "static root of trust for measurement" or S-RTM. The other process is the TXT launch and measurement known as the "dynamic root of trust for measurement" or D-RTM. For those just learning about the TPM measurement in this context means take a cryptographic hash of the target (BIOS or VMM). The hash in use is SHA-1.



The result of either RTM is the knowledge, stored in the TPM as a measurement value, of the status of which BIOS just booted the platform or which VMM is executing. Knowledge of the status of the platform then enables both local processes and remote processes to make trust decisions regarding the platform.



Well most likely this is too long for a first post. Please be kind to a first time blogger and let me know what details you would like to dive into.






Filter Blog

By date: By tag: