Intel Trusted Execution Technology for Server Platforms : A Guide to More Secure Datacenters.
- 1 online resource (149 pages)
Intro -- Contents at a Glance -- Contents -- Foreword -- About the Authors -- Acknowledgments -- Introduction -- Chapter 1: Introduction to Trust and Intel � Trusted Execution Technology -- Why More Security ? -- Types of Attacks -- What Is Trust? How Can Hardware Help? -- What Is Intel� Trusted Execution Technology? -- Static Chain of Trust -- Dynamic Chain of Trust -- Virtualization -- Measured Launch Environment -- Finding Value in Trust -- Cloud Computing -- Attestation: The Founding Principle -- Value to System Software -- Cloud Service Provider/Cloud Service Client -- What Intel TXT Does Not Do -- Enhancements for Servers -- Including BIOS in the TCB -- Processor-Based CRTM -- Trusting the SMM -- Other Differences -- Impact of the Differences -- Roles and Responsibilities -- OEM -- Platform Owner -- Host Operating System -- Other Software -- Chapter 2: Fundamental Principles of Intel � TXT -- What You Need: Definition of an Intel � TXT-Capable System -- Intel� TXT-Capable Platform -- Intel TXT Platform Components -- Processor -- Chipset -- Trusted Platform Module (TPM) -- BIOS -- Authenticated Code Module (ACM) -- The Role of the Trusted Platform Module (TPM) -- TPM Interface -- Localities -- Control Protocol -- Random Number Generator (RNG) -- SHA-1 Engine -- RSA Engine and Key Generation -- Platform Configuration Registers (PCRs) -- Nonvolatile Storage -- Attestation Identity Key (AIK) -- TPM Ownership and Access Enforcement -- Cryptography -- Symmetric Encryption -- Asymmetric Encryption -- Cryptographic Hash Functions -- Why It Works and What It Does -- Key Concepts -- Measurements -- Secure Measurements -- Static and Dynamic Measurements -- The Intel TXT Boot Sequence -- Measured Launch Process (Secure Launch) -- Protection Against Reset Attacks -- Launch Control Policy -- Platform Configuration (PCONF). Trusted OS Measurements (MLE Element) -- Protecting Policies -- Sealing -- Attestation -- Summary -- Chapter 3: Getting It to Work: Provisioning Intel � TXT -- Provisioning a New Platform -- BIOS Setup -- Enable and Activate the Trusted Platform Module (TPM) -- Enable Supporting Technology -- Enabling Intel� TXT -- Summary of BIOS Setup -- Automating BIOS Provisioning -- Establish TPM Ownership -- What Is TPM Ownership ? Why Is This Important? -- How to Establish TPM Ownership -- Pass-Through TPM Model -- Remote Pass-Through TPM Model -- Management Server Model -- Protecting Authorization Values -- Install a Trusted Host Operating System -- VMware ESXi Example -- Linux Example (Ubuntu) -- Create Platform Owner's Launch Control Policy -- How It Works -- What LCP Does -- Specifying Platform Configuration: The PCONF Element -- Specifying Trusted Operating Systems: The MLE Element -- Specifying Trusted ACMs -- Specifying a Policy of "ANY" -- Revoking Platform Default Policy -- Why Is PO Policy Important? -- Prevent Interference by the Platform Supplier Policy -- Establishing Trusted Pools -- Reduce the Need for Remote Attestation -- Reset Attack Protection -- Considerations -- Summary -- Chapter 4: Foundation for Control: Establishing Launch Control Policy -- Quick Review of Launch Control Policy -- When Is Launch Control Policy Needed? -- Remote Attestation -- What Does Launch Control Policy Deliver? -- PCR0: CRTM, BIOS, and Host Platform Extensions -- PCR1: Host Platform Configuration -- PCR2, 3: Option ROM Code and Configuration Data -- PCR4, 5: IPL Code and Configuration Data -- PCR6: State Transition and Wake Events -- PCR7: Host Platform Manufacturer Control -- Platform Configuration (PCONF) Policy -- Specifying Trusted Platform Configurations -- Tools Needed for Creating a PCONF Policy -- Difficulties with Using PCONF Policy. Specifying Trusted Host Operating Systems -- Tools Needed for Creating MLE Policy -- Options and Tradeoffs -- Impact of SINIT Updates -- Impact of Platform Configuration Change -- Impact of a BIOS Update -- Impact of OS/VMM Update -- Managing Launch Control Policy -- Think Big -- Use a Signed List -- Make Use of Vendor-Signed Policies -- Use Multiple Lists for Version Control -- Using the Simplest Policy -- Other Tips -- Strategies -- Impact of Changing TPM Ownership -- Decision Matrix -- Chapter 5: Raising Visibility for Trust: The Role of Attestation -- Attestation: What It Means -- Attestation Service Components -- Endpoint, Service, and Administrative Components -- Attestation Service Component Capabilities -- Administrative Component Capabilities -- Attestation in the Intel TXT Use Models -- Enabling the Market with Attestation -- OpenAttestation -- Mt. Wilson -- How to Get Attestation -- Chapter 6: Trusted Computing: Opportunities in Software -- What Does "Enablement" Really Mean? -- Platform Enablement: The Basics -- Platform Enablement: Extended -- Provisioning -- Updates -- Attestation -- Reporting and Logging -- Operating System and Hypervisor Enablement -- Enablement at Management and Policy Layer -- Provisioning -- Updates -- Attestation -- Reporting and Logging -- Enablement at the Security Applications Layer -- Chapter 7: Creating a More Secure Datacenter and Cloud -- When Datacenter Meets the Cloud -- The Cloud Variants -- Cloud Delivery Models -- Intel TXT Use Models and the Cloud(s) -- The Trusted Launch Model -- Trusted Compute Pools: Driving the Market -- Extended Trusted Pools: Asset Tags and Geotags -- Compliance: Changing the Landscape -- Chapter 8: The Future of Trusted Computing -- Trust Is a Foundation -- More Protections and Assurance -- Is There Enough to Trust? -- Measures at Launch Time. -- What Intel TXT Measures. The Whitelist Approach -- The Evolution of Trust -- Trusted Guest -- End-to-End Trust -- Runtime Trust -- The Trust and Integrity "Stack" -- Index.