Trusted Execution Technology

From Wikipedia, the free encyclopedia

Trusted Execution Technology (TET or TXT), formerly known as LaGrande Technology, is a key component of Intel's "safer computing" initiative.

Intel(R) Trusted Execution Technology (Intel(R) TXT) is a hardware extension to some of Intel's microprocessors and their respective chipsets, intended to provide users and organizations (governments, enterprises, corporations, universities, etc.) with a higher level of trust when accessing, modifying or creating sensitive data and code. Intel claims that it will be very useful, especially in the business world, as a way to defend against software-based attacks aimed at stealing sensitive information. Although commonly advertised by Intel as a security technology, the Free Software Foundation claims that it can also be used to enable the development of more advanced, tamper-resistant forms of DRM, and can be abused to achieve vendor lock-in.

It consists of a series of hardware enhancements that allow the creation of multiple separated execution environments, or partitions. One component is a relatively new chip residing on the motherboard, called the TPM (Trusted Platform Module), which allows for secure key generation and storage, and authenticated access to data encrypted by this key. Note, however, that the private key stored in the TPM is generally not available to the owner of the machine, and never leaves the chip under normal operation. The TPM additionally provides a means of remote assurance of a machine's security state. Another component is DMA page protection.

This technology can be coupled with VT-d (Intel(R) Virtualization Technology for Directed I/O), which is designed to back up TXT outside of the chip, and even outside the computer itself.

TXT provides hardware and firmware security against software-based attacks. The TPM (Trusted Platform Module) manages trusted platform requests, generates keys and certificates for private environments (application or service space), and manages the machine's trust state. This allows, for example, the local user (or even a remote party) to check the security of a workstation with a higher level of confidence, using, for example, the Remote Attestation Protocol.[1]
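The two TPM roles the previous paragraphs describe, releasing a key only to a machine in a known state (sealing) and letting a remote party check that state (attestation), can be illustrated with a small simulation. The following is an added example written for this article, not Intel's, tboot's or any TPM vendor's code: the PCR extend rule is the real one (new = H(old || measurement)), but the "TPM" is a Python class, the attestation signature is an HMAC standing in for the private signing key that never leaves the chip, the sealing cipher is a toy, and the boot-chain measurements are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Added, constructed model of a TPM: PCR measurement, sealing data to a platform
# state, and a remote-attestation quote checked by a verifier. NOT a TPM API.
# The HMAC "attestation key" stands in for the TPM's private signing key and the
# verifier's copy for its public half; the sealing cipher is for illustration only.


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new = H(old || digest). Order-sensitive and not reversible."""
    return hashlib.sha256(pcr + digest).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Hash-counter keystream so sealed data may be any length (toy cipher)."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


class SimTPM:
    def __init__(self, num_pcrs: int = 24):
        self.pcrs = [bytes(32)] * num_pcrs
        self._seal_key = secrets.token_bytes(32)    # chip-internal, never exported
        self._attest_key = secrets.token_bytes(32)  # stand-in for the attestation signing key

    def reset(self):  # power cycle: PCRs return to zero, keys survive
        self.pcrs = [bytes(32)] * len(self.pcrs)

    def extend(self, index: int, data: bytes) -> bytes:
        self.pcrs[index] = pcr_extend(self.pcrs[index], hashlib.sha256(data).digest())
        return self.pcrs[index]

    def _policy_digest(self, pcr_indexes) -> bytes:
        return hashlib.sha256(b"".join(self.pcrs[i] for i in pcr_indexes)).digest()

    def seal(self, data: bytes, pcr_indexes) -> dict:
        """Bind data to the current values of the selected PCRs."""
        key = hmac.new(self._seal_key, self._policy_digest(pcr_indexes), hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
        tag = hmac.new(key, ct, hashlib.sha256).digest()
        return {"pcrs": tuple(pcr_indexes), "ct": ct, "tag": tag}

    def unseal(self, blob: dict):
        """Release the data only if the selected PCRs still hold their seal-time values."""
        key = hmac.new(self._seal_key, self._policy_digest(blob["pcrs"]), hashlib.sha256).digest()
        if not hmac.compare_digest(hmac.new(key, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
            return None  # platform state changed: the data stays sealed
        return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, len(blob["ct"]))))

    def quote(self, nonce: bytes, pcr_indexes) -> dict:
        """Attestation quote: signed PCR values bound to the verifier's nonce."""
        values = [self.pcrs[i] for i in pcr_indexes]
        sig = hmac.new(self._attest_key, nonce + b"".join(values), hashlib.sha256).digest()
        return {"nonce": nonce, "pcrs": tuple(pcr_indexes), "values": values, "sig": sig}

    def verification_key(self) -> bytes:
        return self._attest_key  # a real TPM would export only the public key


class Verifier:
    """Remote party that knows the expected ("golden") PCR values of a good platform."""

    def __init__(self, verify_key: bytes, golden: dict):
        self.verify_key, self.golden, self.outstanding = verify_key, golden, set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, q: dict) -> tuple:
        if q["nonce"] not in self.outstanding:
            return False, "unknown or reused nonce (replay?)"
        self.outstanding.discard(q["nonce"])  # each nonce is accepted once
        expected = hmac.new(self.verify_key, q["nonce"] + b"".join(q["values"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, q["sig"]):
            return False, "bad signature"
        for idx, val in zip(q["pcrs"], q["values"]):
            if self.golden.get(idx) != val:
                return False, f"PCR {idx} differs from the known-good value"
        return True, "platform state verified"


def demo() -> dict:
    """Boot, seal, attest; then reboot with a modified kernel and repeat."""
    boot_chain = [b"BIOS image v1", b"bootloader v1", b"kernel v1"]  # constructed measurements
    tpm = SimTPM()
    for component in boot_chain:
        tpm.extend(0, component)
    verifier = Verifier(tpm.verification_key(), golden={0: tpm.pcrs[0]})
    blob = tpm.seal(b"disk encryption key", [0])
    nonce = verifier.challenge()
    out = {"unsealed_ok": tpm.unseal(blob) == b"disk encryption key",
           "attest_fresh": verifier.verify(tpm.quote(nonce, [0]))[0],
           "attest_replay": verifier.verify(tpm.quote(nonce, [0]))[0]}
    tpm.reset()  # reboot with a tampered kernel: PCR 0 diverges from the golden value
    for component in boot_chain[:-1] + [b"kernel v1 + rootkit"]:
        tpm.extend(0, component)
    out["unsealed_after_tamper"] = tpm.unseal(blob)
    out["attest_after_tamper"] = verifier.verify(tpm.quote(verifier.challenge(), [0]))[0]
    return out
```

Running `demo()` shows the two properties the article attributes to the TPM: the sealed key is released on the measured boot chain but not after a component changes, and the verifier accepts a fresh quote from the good state, rejects a replayed nonce, and rejects the quote from the modified boot even though its signature is valid, because the PCR value no longer matches the known-good one.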


TXT Architecture

Intel(R) TXT protects five points on a server or client machine:

  • The processor: a private environment for applications, so that hardware resources (such as memory pools) are locked to the calling application and cannot be accessed, for read or write, by any other process running on the platform;
  • The chipset: enforces security on the main board by controlling the memory management policy more accurately, with enhancements to memory access mechanisms, channel control mechanisms for hardware extensions (user I/O, graphics, etc.) and a secure interface to the TPM;
  • The user input: protected states for the keyboard and mouse, allowing users to interact with trusted platform applications without the risk of being compromised or observed by other running software;
  • The display interface: enables trusted platform applications to send display data to the memory buffer of a specific context (a window, for example), preventing other running software from stealing the information being transmitted;
  • The TPM device: helps the system start (in conjunction with ROM-BIOS startup routines), manages the keys, and provides attestations of the system's trusted status.

Parallel Technologies

TXT will be commercially distributed with another technology, the so-called VT-d. VT-d provides hardware-based remote security, protecting storage and communications in hardware and adding another level of security against software attacks.

VT-d is an environment model that shares hardware resources through I/O virtualization. This allows control over each process's access to resources without resorting to restrictive exclusive-access methods.

Availability

Intel has released the Q35 and Q33 chipsets, which support TXT.[2]

Intel has also released Trusted Boot (tboot[3]), an open-source, pre-kernel/VMM module that uses Intel Trusted Execution Technology to add the capability to verify the launch of the Xen Virtual Machine Monitor (VMM) using Dynamic Root of Trust Measurement (DRTM).
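What a dynamic root of trust adds over the static boot-time measurements can be shown with a short model of a late launch. This is an added example written for this article, not tboot's code: the choice of PCR index 17 for the dynamic measurement, the launch policy as a set of allowed VMM digests, the boot-chain strings and the VMM image bytes are all assumptions of the model. The point it demonstrates is that the dynamic PCR is reset at every launch, so two machines with different firmware and bootloader histories still produce the same dynamic measurement for the same VMM, while a modified VMM is both refused by the policy and left recorded in the PCR for later attestation.

```python
import hashlib

# Added, simplified model of a dynamic (late) launch of the kind tboot performs
# with Intel TXT. Constructed for illustration; not tboot's or Intel's code.

DYNAMIC_PCR = 17  # assumption of this model: one PCR reserved for the dynamic root of trust
ZERO = bytes(32)


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new = H(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Platform:
    """A machine whose static boot chain has already been measured into PCR 0."""

    def __init__(self, static_chain):
        self.pcrs = {0: ZERO, DYNAMIC_PCR: ZERO}
        for component in static_chain:  # BIOS, bootloader, option ROMs (constructed values)
            self.pcrs[0] = pcr_extend(self.pcrs[0], measure(component))


def dynamic_launch(platform: Platform, vmm_image: bytes, policy: set) -> tuple:
    """Model of a measured launch: reset the dynamic PCR, measure the policy and
    the VMM into it, then let the policy decide whether the VMM may run."""
    # 1. Dynamic root of trust: the dynamic PCR starts from zero at every launch,
    #    whatever happened earlier in the boot.
    platform.pcrs[DYNAMIC_PCR] = ZERO
    # 2. Measure before use: the policy itself, then the VMM image.
    vmm_digest = measure(vmm_image)
    policy_digest = measure(b"".join(sorted(policy)))
    platform.pcrs[DYNAMIC_PCR] = pcr_extend(platform.pcrs[DYNAMIC_PCR], policy_digest)
    platform.pcrs[DYNAMIC_PCR] = pcr_extend(platform.pcrs[DYNAMIC_PCR], vmm_digest)
    # 3. Enforce: only a VMM whose digest the policy lists is launched. The PCR keeps
    #    the measurement either way, so an attestation later shows what was attempted.
    launched = vmm_digest in policy
    return launched, platform.pcrs[DYNAMIC_PCR]


def demo() -> dict:
    vmm = b"xen-vmm-image (constructed)"
    tampered = vmm + b"\x90"  # a single extra byte changes the measurement
    policy = {measure(vmm)}   # launch policy: the one approved VMM digest
    a = Platform([b"BIOS A", b"GRUB"])
    b = Platform([b"BIOS B", b"other bootloader", b"extra option ROM"])
    launched_a, dyn_a = dynamic_launch(a, vmm, policy)
    launched_b, dyn_b = dynamic_launch(b, vmm, policy)
    launched_t, dyn_t = dynamic_launch(a, tampered, policy)
    return {"launched_a": launched_a, "launched_b": launched_b, "launched_tampered": launched_t,
            "dynamic_pcr_a": dyn_a, "dynamic_pcr_b": dyn_b, "dynamic_pcr_tampered": dyn_t,
            "static_pcr_a": a.pcrs[0], "static_pcr_b": b.pcrs[0]}
```

In `demo()`, platforms `a` and `b` differ in their static PCR 0 yet agree on the dynamic PCR after launching the same VMM, which is what lets a verifier hold a single known-good value for the VMM regardless of the firmware beneath it; the tampered image is refused and its distinct PCR value remains visible.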
