
Seminar Report 2005 - 2006

LaGrande Technology


LaGrande Technology (LT) is a highly versatile set of hardware enhancements that will come to Intel processors, chipsets and platforms over the next 2 to 3 years. LT creates a hardware foundation, on the client PC platform, that can help protect the confidentiality and integrity of data stored or created from software based attacks. It does this by enabling an environment where applications can run within their own space, protected from all other software on the system. In turn, this can help to protect vital data and processes from being compromised by malicious software running on the platform. LT features include capabilities in the microprocessor, chipset, I/O subsystems, and other platform components. When coupled with an LT enabled operating system and LT enabled applications, LT can help protect the confidentiality and integrity of data in the face of these increasingly hostile security environments. LT provides a versatile, general-purpose safer computing environment capable of running a wide variety of operating systems and applications. LT is expected to be available in Desktop & Mobile platforms for the Business segment in approximately the next two to three years.

Dept of Comp Science & Engg

SNG College of Engg, Kolenchery


Trusted Computing (TC)

The Trusted Computing Group (TCG) is an alliance of Microsoft, Intel, IBM, HP and AMD which promotes a standard for a 'more secure' PC. Their definition of 'security' is controversial; machines built according to their specification will be more trustworthy from the point of view of software vendors and the content industry, but less trustworthy from the point of view of their owners. In effect, the TCG specification transfers the ultimate control of your PC from you to whoever wrote the software it happens to be running. TC provides a computing platform on which you can't tamper with the application software, and where these applications can communicate securely with their authors and with each other. The original motivation was digital rights management (DRM): Disney will be able to sell you DVDs that will decrypt and run on a TC platform, but which you won't be able to copy. The music industry will be able to sell you music downloads that you won't be able to swap. They will be able to sell you CDs that you'll only be able to play three times, or only on your birthday. All sorts of new marketing possibilities will open up. TC will also make it much harder for you to run unlicensed software. In the first version of TC, pirate software could be detected and deleted remotely. TC will protect application software registration mechanisms, so that unlicensed software will be locked out of the new ecology. Furthermore, TC apps will work better with other TC apps, so people will get less value from old non-TC apps (including pirate apps). Also, some TC apps may reject data from old apps whose serial numbers have been blacklisted. TC will also make it easier for people to rent software rather than buy it; and if you stop paying the rent, then not only does the software stop working but so may the files it created. So if you stop paying for upgrades to Media Player, you may lose access to all the songs you bought using it.
There are many other possibilities. Governments will be able to arrange things so that all Word documents created on civil servants' PCs are 'born classified' and can't be leaked electronically to journalists. Auction sites might insist that you use trusted proxy software for bidding, so that you can't bid tactically at the auction. Cheating at computer games could be made more difficult. There are some gotchas too. For example, TC can support remote censorship. In its simplest form, applications may be designed to delete pirated music under remote control: if a protected song is extracted from a hacked TC platform and made available on the web as an MP3 file, then TC-compliant media player software may detect it using a watermark, report it, and be instructed remotely to delete it (as well as all other material that came through that platform). This business model, called traitor tracing, has been researched extensively by Microsoft (and others). In general, digital objects created using TC systems remain under the control of their creators, rather than under the control of the person who owns the machine on which they happen to be stored (as at present). So someone who writes a paper that a court decides is defamatory can be compelled to censor it, and the software company that wrote the word processor could be ordered to do the deletion if she refuses. Given such possibilities, we can expect TC to be used to suppress everything from pornography to writings that criticise political leaders.


The Need for Safe, Protected Computing

It is clear we live in a hacker's world. Legions of hackers seem to have little else to do with their time than harass the rest of us, sometimes for kicks, sometimes to prove a cause, and sometimes to do serious damage. Some hacking might be aimed at specific companies or governments, or possibly be terrorist-related, but the nastiest of the attacks steal our personal information and/or sensitive data by a variety of snooping methods. Viruses, worms, and trojans that exploit security holes in operating system software have infected millions of systems, causing significant headaches, cleanup time, and financial loss. Microsoft, Intel, and many others are developing protected computing environments to combat such attacks, while also providing secure computing for sensitive data processing and e-commerce transactions. Platform stability is improved when applications are run in a protected partition. While protection methods are not foolproof, NGSCB and LaGrande have well thought-out frameworks, and are highly engineered defensive systems that, once deployed, should protect the majority of end users and businesses from software attacks. In fact, Intel and Microsoft stress that these technologies protect against software attacks, not hardware attacks. Many attacks waged on our computers are from anonymous sources and are software-based. Certainly your system may be physically compromised or stolen, and operating system and/or internal hardware protection systems are of little help beyond encrypting your critical data, if you choose to use such features. As Intel security architect David Grawrock mentioned during his LaGrande architecture course at IDF, you won't see too many people snooping your front-side bus with a logic analyzer.

In the interest of timeliness and accuracy, I'll replay many slides from two IDF presentations: "LaGrande Technology and Safer Computing Overview" by Mike Ferron-Jones, Intel's Desktop Security Technologies Marketing Manager, and Luke Girard, Intel's Desktop Security Technologies Product Marketing Engineer, and "LaGrande Architecture" delivered by David Grawrock. Below we see the levels of security and protection typically installed in a corporate computing environment. You may relate to similar levels of protection in your clients. Numerous hacking tools can be used to gain access to client data within firewalls, and various methods of infiltration exist to get through network barriers in many businesses. Home systems may be open to many more exploits. Layers or levels of protection are required to secure a computing platform. Software methods must be supplemented by hardware security. You're likely familiar with smart cards, and you'll soon hear a lot more about the "Trusted Platform Module" or TPM, which is a chip that stores unique platform information and encryption keys, and includes a random number generator for encryption algorithms. LaGrande is hardware-based protection, and it raises the overall level of protection significantly.


[Slide: Clients Relatively Unprotected. Network-level measures (encryption, VPN, intrusion detection, user authentication) surround a client that itself has little protection. Caption: Mismatch between security measures and the financial value of data created & stored on clients.]

Safer Computing Initiative


Here's a great slide showing the vulnerabilities of today's PCs, and the need to protect input and output. We'll see that protection from DMA attacks requires chipset support, since DMA transactions do not need to use the processor.

Vulnerabilities of the PC Today (a sample of common vulnerabilities)

- User output: software has access to the graphics frame buffer. Result: software can see or change what the user sees. Vulnerable to software attack.
- Memory: ring 0 software has access to all of memory. Result: software can snoop through memory to find, capture and alter settings, data, passwords, keys, etc. Vulnerable to software attack.
- User input: software has access to keyboard and mouse data. Result: software can see or change what the user is typing.
- DMA: the DMA controller has access to memory. Result: software can access protected memory directly through the DMA controller.

Below we can see where LaGrande technology will be most useful. Note on the y-axis that "LT" means LaGrande Technology, not Lawrence Taylor. Clearly, the techies or marketing types at Intel who developed this acronym are not NY Giants fans, and did not expect people to visualize a linebacker, instead of a security technology, every time the term LT was presented. But you can see that software-based attacks are the prime focus, and most of the expected areas (data, mail, e-commerce) can be protected.


[Slide: Protection And Attack Matrix (Attack Type against User Intent, with Application Suitability for LT marked in each cell)]

Features of Trusted Computing

Secure Booting

Part of the heritage of TC computing products is a paper by Butler Lampson [provide link] which describes the techniques TC implements. Additionally, there is a paper called "Secure Booting" by Bill Arbaugh and Dave Farber (who is an EFF board member) which discusses some TC techniques. To provide a secure bootstrapping process, the hardware must know something about the software it loads. The TPM contains platform configuration registers (PCRs) for this purpose. They store cryptographic hashes of each of the pieces of code loaded at system start time. A PCR cannot be written directly; it can only be "extended": the TPM replaces the register's value with the hash of its old value concatenated with the new measurement, so a measurement, once recorded, cannot be removed or overwritten until the platform is reset. PCRs can be read by all software. Each piece of code can check the hash of the code that loaded before it, and make a decision based on that. PCR 0 holds the measurement taken by the first code the hardware vendor ships (the core root of trust for measurement, or RTM), which begins the chain and is the one link that is trusted without being measured by anything earlier. This mechanism can provide protection from boot viruses as follows:

1. At boot time, the firmware hashes the boot virus, extends the hash into PCR 1, and loads the boot virus.
2. The boot virus may or may not make use of the value in PCR 0.
3. The boot virus asks for the operating system to be loaded. The kernel it refers to is hashed, the hash is extended into PCR 2, and the kernel is loaded.
4. The kernel checks the value of PCR 1 against its own database of acceptable values. There is a vanishingly small probability that the boot virus will hash to a value in the kernel's database. Therefore the operating system "knows" that it has been loaded by untrusted code, and can take whatever action it has been programmed to do.


Now, it is possible that the boot virus will reference a malicious operating system kernel that has been programmed either to recognize the boot virus' hash as valid, or to fail to take the appropriate action when the virus is detected. However, application code (both local and remote) can be written to check the hash of the operating system in the PCR, and determine for itself whether the operating system can be trusted.

Another potential problem is one of user interface. Assume that the operating system is designed to present some kind of notification to the user that it does or does not trust the values in the PCRs. A compromised OS could present false symbols to the user! Seth posed this problem to representatives of Microsoft, and got a three-part answer. First, the PCRs are primarily intended for remote attestation; that is, remote application software (like a web server) can check the contents of the PCRs in your machine. Second, the user could decide at the time the OS is installed what the symbols for representing trusted and untrusted PCR values are, and an attacker would not be able to easily learn them. Third, as with SSH host keys or HTTPS server certificates, PCRs provide proof of software consistency over time. They are a way to detect if the software configuration has changed.

Sealed Storage

Sealed storage is a storage system that allows reading and/or writing to a storage medium if and only if the PCR registers have certain values. Therefore, only trusted software can access sealed storage. With sealed storage, the data is encrypted with a key based on the contents of the PCRs and a random number built into the TPM (each TPM is imprinted with a different random number). Note that this means you cannot restore data stored in sealed storage by installing the storage medium in a computer with a different TPM! It also means that a legitimate update to any of the measured software (a firmware update, a new kernel) changes the PCR values and makes the sealed data unavailable unless it is re-sealed under the new values first.

Remote Attestation

The TPM includes a "signing key" for generating cryptographic signatures, and this key is itself certified by the TPM manufacturer (in the TCG design the manufacturer certifies an endorsement key, and the attestation identity keys that actually sign reports are certified on the strength of it). Using this key, it is possible to verify the identity of the machine and the capabilities and integrity of the software it is running. In effect, you can use the key to establish trust, even between two computers connected by a network. Attestation reports what software was measured at boot; as noted earlier, these technologies are aimed at software attacks, and an attestation gives no assurance against physical tampering with the hardware. A lot still depends on the trustworthiness of the software the machine is running. If the software doing the attestation has a buffer overflow vulnerability or the like, it may be tricked; a signed report of a known-good configuration says only that the measured code was loaded, not that it has behaved correctly since. Remote attestation is also "good" for defending against the owner of the computer. For example, a server could deny service to a client computer if the client does not pass the attestation test. This has wonderful implications for Microsoft: vendor lock-in and breaking interoperability. It can also be used to enforce digital restrictions management (DRM) policies.

Memory Curtaining

In existing computers, any hardware device or device driver can access any region of the computer's memory (devices do this by direct memory access, or DMA). TC provides memory curtaining, by which software developers can designate certain regions of memory inaccessible to hardware or other software. This is stronger than the protection provided by the memory management unit (MMU) that is part of most current computers; it's more like adding a new privilege ring to the CPU. Ross Anderson calls it "ring -1", suggesting that it is more privileged than ring 0. On the right-hand (protected) side of the NGSCB partition diagram are two new privilege classes: the Nexus (previously known as the trusted operating root or TOR), and the Nexus computing agents (NCAs) (previously known as trusted agents or TAs). While highly important, the NCAs possess the least degree of privilege. The NCAs are very small units of software that make requests of the TPM on behalf of user software; these requests must then be passed through the Nexus, which is the only software allowed to talk directly to the TPM. Memory curtaining protects each of the quadrants from each other, and each of the NCAs from each other.


Each NCA is identified to the Nexus by a hash. Via the TPM, NCAs can download or get encrypted code and execute it, a level of obscurity beyond even that of object code. On the bright side, NCAs cannot talk directly to hardware.

Secure I/O

Only the Nexus talks to the user interface devices attached to the computer: the keyboard, mouse and display. From the point of view of other software components, user interface I/O is "unobscurable" and "undiscoverable". Thus the applications and kernel cannot interfere with interactions between the user and NCAs. Curtained memory prevents user or kernel code from seeing what NCAs are doing, if they encrypt their messages to the hardware.

Trusted Computing Products

There exist four real designs for TC products.

The Trusted Computing Group (TCG), formerly the Trusted Computing Platform Alliance (TCPA): this committee has produced a design for a chip called the trusted platform module (TPM). (The TPM is sometimes loosely called the trusted computing base, or TCB, but in the usual security terminology the TCB is the whole set of hardware and software that enforces a policy, of which the TPM is only one component.) You can buy real TPM-equipped computers at this time.

Intel's LaGrande Technology (LT) creates a hardware foundation, on the client PC platform, that can help protect the confidentiality and integrity of data stored or created from software-based attacks. Intel positions LT as its hardware answer to malicious software and to attackers who gain software access to the PC.

AMD's Secure Execution Mode (SEM): AMD claims that SEM is equivalent to LT, but Seth can't verify that claim.

Microsoft's Next Generation Secure Computing Base (NGSCB), formerly Palladium. Seth provides two silly jokes about Palladium: (1) just like the statue of Athena in ancient Greece, which was called the Palladium, Microsoft's Palladium will provide inadequate protection against Trojans; (2) just like the metal, Palladium will be expensive and toxic.


LaGrande Technology Summary

LT is a set of enhanced hardware components designed to help protect sensitive information from software-based attacks. LT features include capabilities in the microprocessor, chipset, I/O subsystems, and other platform components. When coupled with an LT-enabled operating system and LT-enabled applications, LT can help protect the confidentiality and integrity of data in the face of these increasingly hostile security environments. LT provides a versatile, general-purpose safer computing environment capable of running a wide variety of operating systems and applications. Intel is initially targeting LT for applications in the business segment.

LaGrande Objectives and Components

At the highest level, the following slide discusses LaGrande objectives. Note that compatibility and performance are not supposed to be compromised. We'll know whether this is true when we see operating systems interacting with processors implementing LaGrande technology a few years from now. The upcoming Prescott processor is supposed to have LaGrande features built in, but not activated (similar to the way initial P4s had Hyper-Threading embedded but not activated). Intel does not expect to activate LaGrande technology in processors for a few more years.


LaGrande Technology Objectives

Protect: confidential corporate & personal data; sensitive communications; e-commerce transactions.
From: attack software on the system; attack software on the network; inadvertent exposure due to compromised software.
Without compromising: ease of use, performance, manageability, versatility, privacy, backwards compatibility.

Greater data protection with the flexibility & productivity of PC computing


And here's a more detailed look at LaGrande uses for business security and protected


Applying LT to Business Security: Some Usage Examples

Network Access Control
- Hardened VPN
- Credential & identity management: strengthened platform & user authentication
- IT policy compliance checking

Protect User & Company Data
- Enhanced file access management
- End-to-end encrypted mail
- Protected document viewer

Protected Transactions
- Protected input, authorization and signature processes
- Protect signatures

Malicious Software Protection
- Harden intrusion detection software

LT can strengthen existing security measures and enable new usages

As discussed previously, to provide complete platform security and protection, hardware mechanisms must supplement software systems. While NGSCB provides a secure "nexus" or protected kernel, and NGSCB computing agents (programs) execute in a secured manner, certain hardware protections are required. The term attestation means that a system can prove to another party that it is the platform it claims to be and is running the software it claims to run, much as authentication proves that you are who you say you are. While Microsoft discusses attestation, sealed storage, protected execution, and protected input/graphics in much detail related to NGSCB in their white papers and presentations, they did not discuss the specific processor features required to make the whole thing work. And neither did Intel in the past, until this week. Understand that Intel could have given much more detail, but they are saving it for future public disclosures. Clearly AMD is also working on such technology, and Intel only gives as much information publicly as they believe developers need to know in an open forum. Developers likely can receive much more information under non-disclosure agreements (NDAs).

Summary of LT Capabilities

- Protected Execution
- Protected Memory Pages
- Sealed Storage (TPM)
- Protected Input (keyboard & mouse)
- Protected Graphics
- Attestation

Enhanced protection against software-based attack: a versatile hardware foundation for operating systems and applications



The following graphic shows Intel's more generic version of Microsoft's left-hand/right-hand domain separation and partitioning defined by NGSCB.

Protected LT Environment

- Standard Partition: "Public Area"
- Protected Partition: "The Vault"

And here's a slide Microsoft presented at IDF showing NGSCB's general partitioning.

How LT Mitigates Vulnerabilities

- Protected graphics: output generated from the protected partition is not visible to regular software
- LT memory protection prevents unauthorized apps from viewing or modifying protected pages
- A protected channel to the keyboard defends against keyboard snooping and/or modification of keystrokes

The LT platform creates a safer environment for valuable business data, transactions & processes



LaGrande Technology Architecture

LT Architecture Overview

The LT based platform delivers a number of key capabilities to the platform. These capabilities, when combined, deliver the protections that will be critical to evolve the IA-32 platform. The capabilities include:

Protected Execution: Provides applications with the ability to run in isolated protected execution environments such that no other unauthorized software on the platform can observe or compromise the information being operated upon. Each of these isolated environments has dedicated resources that are managed by the processor, chipset and OS kernel.

Protected Execution
- Many attacks read the memory of the application
- What is needed is some way to protect the application from the attacker
- Protected execution keeps the resources of the application from the attacker
- Protected execution requires hardware support
- LaGrande Technology (LT) Protected Execution is an implementation of domain separation

Sealed storage


Provides for the ability to encrypt and store keys, data or other secrets within hardware on the platform. It does this in such a way that these secrets can only be released (decrypted) to an executing environment that is the same as when the secrets were encrypted. This helps prevent attacks that exploit the vulnerability where encrypted data has been transferred to other platforms, either for normal use (where it would be decrypted) or for malicious attack.


Sealed Storage
- Sealed storage is the combination of measurements and encryption
- Seal some data such that the data is only available (unsealed) when the indicated measurement is present on the TPM
- Powerful technique to ensure that data is only available to a known environment
- Sealing data to the brick wall ensures that the data is only available to the same brick wall; changes in the wall change the measurement and make the data unavailable
- The TPM provides attestation and sealed storage
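The measured boot of the Secure Booting section and the sealing just described, worked through as an added example that is not part of the original report or of Intel's or the TCG's code: a software stand-in for a TPM (the names SimTPM, Extend, BootChain, Seal, Unseal and RunScenario are assumptions) with PCRs that can only be extended, and a sealing key derived from a per-device secret plus the selected PCR values. The key derivation and the AES-GCM wrapping are this example's own choices, not the TPM specification's, and all inputs are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SimTPM: a software stand-in (not a real TPM interface) for PCRs that can only be
// extended, and for sealing keyed to a per-device secret plus selected PCR values.
type SimTPM struct {
	pcrs   [8][32]byte // all zero after reset
	secret [32]byte    // never leaves the device; stands in for the storage root key
}

func NewSimTPM(secret [32]byte) *SimTPM { return &SimTPM{secret: secret} }

// Extend is the only write to a PCR: new = SHA-256(old || measurement). There is no
// "set", so code that has already run cannot erase the record of itself.
func (t *SimTPM) Extend(index int, measurement [32]byte) {
	h := sha256.New()
	h.Write(t.pcrs[index][:])
	h.Write(measurement[:])
	copy(t.pcrs[index][:], h.Sum(nil))
}

// BootChain: firmware measures the loader into PCR 1, the loader measures the kernel
// into PCR 2, each before handing control to the code it measured.
func BootChain(t *SimTPM, loader, kernel []byte) {
	t.Extend(1, sha256.Sum256(loader))
	t.Extend(2, sha256.Sum256(kernel))
}

type SealedBlob struct {
	PCRs              []int
	Nonce, Ciphertext []byte
}

// sealingKey: AES-256-GCM under SHA-256(device secret || index || PCR value ...).
// The key is 32 bytes and the cipher is AES, so neither constructor can fail.
func (t *SimTPM) sealingKey(indices []int) cipher.AEAD {
	h := sha256.New()
	h.Write(t.secret[:])
	for _, i := range indices {
		h.Write([]byte{byte(i)})
		h.Write(t.pcrs[i][:])
	}
	block, _ := aes.NewCipher(h.Sum(nil))
	g, _ := cipher.NewGCM(block)
	return g
}

func (t *SimTPM) Seal(data []byte, indices []int) SealedBlob {
	g := t.sealingKey(indices)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // never returns an error on current Go; it panics instead
	return SealedBlob{append([]int(nil), indices...), nonce, g.Seal(nil, nonce, data, nil)}
}

// Unseal recomputes the key from the PCRs as they are now: a different boot chain or a
// different device secret gives a different key, and the GCM tag check rejects the blob.
func (t *SimTPM) Unseal(b SealedBlob) ([]byte, error) {
	pt, err := t.sealingKey(b.PCRs).Open(nil, b.Nonce, b.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("unseal refused: environment differs from the sealing one")
	}
	return pt, nil
}

// tryUnseal boots a reset TPM with the given software and reports whether unseal worked.
func tryUnseal(secret [32]byte, loader, kernel []byte, blob SealedBlob) bool {
	tpm := NewSimTPM(secret)
	BootChain(tpm, loader, kernel)
	_, err := tpm.Unseal(blob)
	return err == nil
}

// Scenario records which unseal attempts succeeded (expected: only SameSoftware).
type Scenario struct{ SameSoftware, BootVirus, OtherTPM bool }

func RunScenario() Scenario {
	deviceA := sha256.Sum256([]byte("constructed per-device secret A"))
	deviceB := sha256.Sum256([]byte("constructed per-device secret B"))
	loader, kernel := []byte("constructed loader v1"), []byte("constructed kernel v1")
	virus := []byte("constructed boot-sector virus")

	tpm := NewSimTPM(deviceA) // provisioning: seal the disk key on a known-good boot
	BootChain(tpm, loader, kernel)
	blob := tpm.Seal([]byte("constructed disk encryption key"), []int{1, 2})

	return Scenario{
		SameSoftware: tryUnseal(deviceA, loader, kernel, blob), // clean reboot
		BootVirus:    tryUnseal(deviceA, virus, kernel, blob),  // virus replaced the loader
		OtherTPM:     tryUnseal(deviceB, loader, kernel, blob), // disk moved to another PC
	}
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Two points the code makes that the slide does not: the virus cannot repair PCR 1 after the fact, because extend is one-way, and a blob sealed on one device is useless on another even with identical software, which is exactly the "cannot restore on a computer with a different TPM" caveat from the Sealed Storage section.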










Protected input: Provides a mechanism that protects communication between the keyboard/mouse and applications running in the protected execution environments from being observed or compromised by any other unauthorized software running on the platform. For USB input, LT does this by encrypting the keystrokes and mouse clicks with an encryption key shared between a protected domain's input manager and the input device. Only applications that have the correct encryption key can decrypt and use the transported data. Encryption alone only hides the keystrokes; the channel also needs integrity and replay protection, so that software in the standard partition cannot alter, inject or repeat keystrokes it captured earlier.

Protected Input
- Create a trusted channel between keyboard and keyboard manager; mouse and mouse manager also need a trusted channel
- A LaGrande platform will provide the hardware hooks necessary to create the trusted channel
- The OS needs to support the use of an input manager in protected execution
- A new input device that supports the creation of the trusted channel is needed
- There are many ways to solve the channel creation issues
- It is the application's responsibility to create the trusted path
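One way to build the trusted channel the slide describes, as an added example rather than code from the original report or from Intel: each keystroke is encrypted and authenticated under the shared key with a per-keystroke sequence number, so that software in the standard partition can neither read, alter nor replay it. The names (KeyboardDevice, InputManager, NewChannel, RunScenario), the packet layout and the event encoding are this example's assumptions, the inputs are constructed, and how the key is provisioned (the "hardware hooks" above) is left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Event is one keystroke as the device reports it (constructed encoding).
type Event struct {
	Scancode uint8
	Pressed  bool
}

// KeyboardDevice encrypts each event under the channel key. The sequence number doubles
// as the GCM nonce, so no nonce repeats for the life of the key; a real channel would
// derive a fresh key per session rather than reuse one across power cycles.
type KeyboardDevice struct {
	aead cipher.AEAD
	seq  uint64
}

// InputManager runs in the protected partition and holds the other copy of the key.
type InputManager struct {
	aead cipher.AEAD
	last uint64 // sequence number of the last accepted keystroke
}

// newAEAD: AES-256-GCM; with a 32-byte key neither constructor can fail.
func newAEAD(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	return g
}

// NewChannel pairs a device and a manager on a shared key (provisioning is out of scope).
func NewChannel(key [32]byte) (*KeyboardDevice, *InputManager) {
	return &KeyboardDevice{aead: newAEAD(key)}, &InputManager{aead: newAEAD(key)}
}

// Send builds a packet: 8-byte sequence number in the clear (but authenticated) + ciphertext.
func (d *KeyboardDevice) Send(e Event) []byte {
	d.seq++
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], d.seq)
	plain := []byte{e.Scancode, 0}
	if e.Pressed {
		plain[1] = 1
	}
	hdr := append([]byte(nil), nonce[4:]...)
	return append(hdr, d.aead.Seal(nil, nonce, plain, hdr)...)
}

// Receive accepts only the next expected sequence number, then authenticates and decrypts;
// a replayed, reordered or altered packet is dropped with an error.
func (m *InputManager) Receive(pkt []byte) (Event, error) {
	if len(pkt) < 8 {
		return Event{}, errors.New("short packet")
	}
	seq := binary.BigEndian.Uint64(pkt[:8])
	if seq != m.last+1 {
		return Event{}, errors.New("sequence mismatch: replayed, dropped or reordered keystroke")
	}
	nonce := make([]byte, 12)
	copy(nonce[4:], pkt[:8])
	plain, err := m.aead.Open(nil, nonce, pkt[8:], pkt[:8])
	if err != nil || len(plain) != 2 {
		return Event{}, errors.New("authentication failed: keystroke modified in transit")
	}
	m.last = seq
	return Event{Scancode: plain[0], Pressed: plain[1] == 1}, nil
}

// Outcome summarises the constructed scenario (expected: 3 accepted, all flags true).
type Outcome struct {
	Accepted                                          []uint8 // scancodes accepted, in order
	ReplayRejected, TamperRejected, CiphertextsDiffer bool
}

func RunScenario() Outcome {
	dev, mgr := NewChannel(sha256.Sum256([]byte("constructed channel key")))
	var o Outcome
	typed := [][]byte{dev.Send(Event{0x19, true}), dev.Send(Event{0x19, false}), dev.Send(Event{0x11, true})}
	for _, p := range typed {
		if e, err := mgr.Receive(p); err == nil {
			o.Accepted = append(o.Accepted, e.Scancode)
		}
	}
	_, err := mgr.Receive(typed[1]) // standard-partition software replays a captured keystroke
	o.ReplayRejected = err != nil

	again := dev.Send(Event{0x19, true}) // same key as typed[0], fresh sequence number
	o.CiphertextsDiffer = !bytes.Equal(typed[0][8:], again[8:])
	again[len(again)-1] ^= 0x01 // a bit flipped in transit
	_, err = mgr.Receive(again)
	o.TamperRejected = err != nil
	return o
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Note the design trade-off: the manager refuses anything but the next sequence number, so a dropped packet fails closed and the channel must be re-established; that is the intended behaviour for a trusted path, where silently resynchronising would give an attacker a window to inject.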

Protected graphics: Provides a mechanism that enables applications running within the protected execution environment to send display information to the graphics frame buffer without being observed or compromised by any other unauthorized software running on the platform. This is done by creating a more protected pathway between an application or software agent and the output display context (such as a window object).


Attestation: Enables a system to provide assurance that the LT protected environment was correctly invoked. It also provides the ability to report a measurement of the software running in the protected space. The report is signed under an Attestation Identity Key (AIK); the AIK credential exchanged during an attestation is what lets the remote party trust the report, and is used to help establish mutual trust between parties.

Attestation
- Prove platform properties: the hardware nature of the platform and the current running configuration (how was the brick wall built)
- Attestation requires accurate measurement, storage of the measurement (in the TPM) and a verifiable report of the measurement; a Trusted Platform Module (TPM) provides these capabilities
- The attestation device needs to provide the assurances that the storage and reporting mechanisms are properly protected
- Knowing what the brick wall is allows the wall to report on the applications protected by the wall
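The challenge/response the slide implies, as an added example that is not from the original report or from any TPM implementation: the verifier issues a nonce, the TPM signs nonce plus PCR values under its attestation identity key (AIK), and the verifier checks signature, freshness and PCR policy in that order. Ed25519 stands in for the TPM's RSA signing; the verifier is assumed to trust the AIK public key already (in the real protocol it arrives with a credential, as the text above says); the names Quote, SignQuote, Verifier and RunScenario and the PCR values are assumptions and constructed inputs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Quote is the TPM's signed report: the verifier's nonce (freshness) plus PCR values.
type Quote struct {
	Nonce []byte
	PCRs  [][32]byte
	Sig   []byte
}

// pcrDigest is a fixed-size summary of a PCR set; it is what policy compares against.
func pcrDigest(pcrs [][32]byte) []byte {
	h := sha256.New()
	for _, p := range pcrs {
		h.Write(p[:])
	}
	return h.Sum(nil)
}

// quoteDigest fixes what is signed: the nonce (length-prefixed) and the PCR summary.
func quoteDigest(nonce []byte, pcrs [][32]byte) []byte {
	h := sha256.New()
	h.Write([]byte{byte(len(nonce))})
	h.Write(nonce)
	h.Write(pcrDigest(pcrs))
	return h.Sum(nil)
}

// SignQuote is the TPM side: the AIK private key never leaves the device.
func SignQuote(aik ed25519.PrivateKey, nonce []byte, pcrs [][32]byte) Quote {
	return Quote{Nonce: nonce, PCRs: pcrs, Sig: ed25519.Sign(aik, quoteDigest(nonce, pcrs))}
}

// Verifier is the remote party: it trusts AIKPub (vouched for out of band), accepts only
// PCR sets whose digest is in Approved, and remembers challenges not yet consumed.
type Verifier struct {
	AIKPub   ed25519.PublicKey
	Approved map[string]bool
	pending  map[string]bool
}

func (v *Verifier) Challenge() []byte {
	n := make([]byte, 16)
	rand.Read(n) // never returns an error on current Go; it panics instead
	if v.pending == nil {
		v.pending = map[string]bool{}
	}
	v.pending[string(n)] = true
	return n
}

// Verify checks, in order: signature (really this TPM?), nonce (fresh, not a replay?),
// PCR policy (is the measured software one we approve of?).
func (v *Verifier) Verify(q Quote) error {
	if !ed25519.Verify(v.AIKPub, quoteDigest(q.Nonce, q.PCRs), q.Sig) {
		return errors.New("signature invalid: quote was not produced under the trusted AIK")
	}
	if !v.pending[string(q.Nonce)] {
		return errors.New("nonce unknown or already used: possible replay of an old quote")
	}
	delete(v.pending, string(q.Nonce))
	if !v.Approved[string(pcrDigest(q.PCRs))] {
		return errors.New("PCR values do not match any approved configuration")
	}
	return nil
}

// Outcome records whether each of four quotes was accepted (expected: only Good).
type Outcome struct{ Good, Replayed, Tampered, WrongKey bool }

func RunScenario() Outcome {
	aikPub, aik, _ := ed25519.GenerateKey(rand.Reader)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // a key the verifier does not trust
	good := [][32]byte{sha256.Sum256([]byte("constructed PCR1: loader v1")), sha256.Sum256([]byte("constructed PCR2: kernel v1"))}
	infected := [][32]byte{sha256.Sum256([]byte("constructed PCR1: boot virus")), good[1]}
	v := &Verifier{AIKPub: aikPub, Approved: map[string]bool{string(pcrDigest(good)): true}}

	var o Outcome
	q := SignQuote(aik, v.Challenge(), good)
	o.Good = v.Verify(q) == nil
	o.Replayed = v.Verify(q) == nil                                       // same quote sent twice
	o.Tampered = v.Verify(SignQuote(aik, v.Challenge(), infected)) == nil // honest TPM, bad software
	o.WrongKey = v.Verify(SignQuote(rogue, v.Challenge(), good)) == nil   // good PCRs, untrusted key
	return o
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

The order of checks matters: the signature is verified before the nonce is consumed, so an attacker cannot burn a pending challenge by sending junk, and the nonce is consumed before policy is evaluated, so a rejected quote cannot be retried under the same challenge with different PCRs.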

Protected Launch: Provides forthe controlled launch and registration of the critical OS and system software components in a protected execution environment. LaGrande is OS-agnostic per Intel, as you can see in the comments in the slide below.

OS Requirements
- A domain separation design requires a small kernel with limited modifications; an OS with device drivers in ring 0 breaks this requirement, since drivers allow app1 to gain access to app2's resources
- It is easy to write a brand new OS, but without backwards compatibility for applications and devices the OS will not be successful in the real world
- Microsoft's NGSCB is one such type of OS that will use the properties of LT to properly create domain separation and maintain backwards compatibility
- Building the domain separation wall requires the cooperation of the OS

LaGrande requires HW and SW changes


Trusted Platform Architecture Review Intel reviewed the core features of a trusted computing environment to prepare us for more details of LaGrande hardware features. The slides below are similar to what Microsoft presented at WinHEC when discussing the platform attributes of NGSCB, and we'll present the slides here for your review. First, let's look at the LT security feature overview, which includes protected execution, attestation, sealed storage, and protected input/output. Essentially the same stuff as with NGSCB.


LT Security Features

- Protected Execution: a platform subset where software runs without interference or observation. Why it is important: a hardware implementation of domain separation.
- Attestation: hardware-based proof of the current Protected Partition environment, i.e. the hardware and the currently running software. Why it is important: only install new secrets into an environment you believe will protect them; you can't just ask the software, since it can be spoofed.
- Sealed Storage: hold secrets for a specific Protected Execution environment. Why it is important: ensure that the secret can only be "unwrapped" if the identical environment is re-launched; software-based encryption is insufficient, since the root key used by that software must itself still be protected.
- Protected Input/Output: ensure protected communication to and from the partition. Why it is important: provide the infrastructure to create trusted channels to the input and output devices, and allow the protected partition to create trusted paths.

And here's a review of some common forms of attack, and what's needed to protect your computer.

Entering The Password: Software Attacks Mitigated

1. Read the password in memory: defend using protected execution
2. Sniff the password from the keyboard: defend using trusted input
3. Fake login screen: defend using trusted output
4. Change the application to ignore password entry: defend using protected execution


LaGrande Technology Hardware Overview

Figure 1. Key LT Hardware Enhancements

Implementation of an LT-enabled platform requires a number of hardware enhancements (see Figure 1). Key hardware elements of the LT based platform are:

Processor: Extensions to the IA-32 architecture allow for the creation of multiple execution environments, or partitions. This allows for the coexistence of a standard (legacy) partition and a protected partition, where software can run in isolation in the protected partition, free from being observed or compromised by other software running on the platform. Access to hardware resources (such as memory) is hardened by enhancements in the processor and chipset hardware. Other processor enhancements include: (1) event handling, to reduce the vulnerability of data exposed through system events, (2) instructions to manage the protected execution environment, and (3) instructions to establish a more secure software stack.

Chipset: Extensions to the chipset deliver support for key elements of this new, more protected platform. They include: (1) the capability to enforce memory protection policy, (2) enhancements to protect data access from memory, (3) protected channels to graphics and input/output devices, and (4) interfaces to the Trusted Platform Module (version 1.2).

Keyboard and Mouse: Enhancements to the keyboard and mouse enable communication between these input devices and applications running in a protected partition to take place without being observed or compromised by unauthorized software running on the platform.

Graphics: Enhancements to the graphics subsystem enable applications running within a protected partition to send display information to the graphics frame buffer without being observed or comp
romised by unauthorized software running on the platform.

The TPM v1.2 device: Also called the Fixed Token, it is bound to the platform and connected to the PC's LPC bus. The TPM provides the hardware-based mechanism to store or 'seal' keys and other data to the platform. It also provides the hardware mechanism to report platform attestations.


The LaGrande Technology Protection Model

LT provides a set of capabilities that can be utilized in many different operating environments (Figure 2). One proposed architecture provides a protection model similar to the following:

A standard partition provides an execution environment that is identical to today's IA-32 environment. In this environment, users will be able to run applications and other software just as they do on today's PC. The standard partition's obvious advantage is that it preserves the value of the existing code base (i.e. existing software does not need modification to run in the standard partition) and of potential future software that is less security conscious. Unfortunately, it also retains the inherent vulnerabilities of today's environment.

A protected partition provides a parallel and coexisting environment that will run hardened software that makes use of the hardware-based security foundation enabled by LT. Within this environment, different applications can run in isolation, free from being observed or compromised by software running in the standard partition and by other applications running in the protected partition. A protected partition requires an LT-capable processor, an LT-capable chipset, and a domain manager to provide domain separation. The TPM device protects secrets stored in an LT-enabled platform when the protected partition is not running. The LT protection model can support any domain manager and any future, enhanced OS kernel.









Figure 2. An example of the LT protection model


Applications can be written to execute within the protected partition or, in most cases, to make use of both partitions. In the latter case, much of the application code could still reside within the standard partition (this code manages the human interface and handles I/O), while services written to manipulate secure or sensitive information would move to modules written for the protected partition. The protected partition is hardened against software attacks because:

o LT's domain separation allows hardened software to run in memory pages that are protected from viewing or modification by unauthorized applications.
o LT's memory protection prevents DMA engines from reading or modifying protected memory pages.
o LT's protected graphics processes application data from the protected partition such that it is not visible either to software in the standard partition or to other software running in the protected partition.
o LT provides a trusted channel to the keyboard and mouse that prevents snooping on and/or modification of the user's keystrokes or mouse movements.

More Architectural Details on a Protected Environment

Booting up a protected partition

LT supports the ability to launch protected environments without a platform reboot, and legacy software is able to run unmodified in a standard partition. Typically, a protected partition is launched by a request to an OS component that is LT-aware. In response to such a launch request, memory spaces are allocated for the protected partition and marked protected. The domain manager is loaded into the designated memory spaces and registered by an authenticated code module (AC).

The launch of a protected execution environment occurs in stages. These are designed to ensure that the processor and the chipset recognize and participate in the launch, that all participants launch the same environment, and that there is no interference with the launch process. The stages include:

1. Ordinary software running on an LT processor executes a new SENTER instruction to initiate the launch process. This new instruction triggers a sequence of handshakes. At the conclusion of this first round of handshakes, the processor and chipset are ready to be brought into a protected environment.

2. The processor loads an authenticated code module into internal private memory, authenticates it, registers its identity in a platform configuration register (PCR) in the TPM, and then invokes it. The AC checks that there is no improperly configured hardware, enables memory protection for the proposed domain manager, records the identity of the domain manager in a TPM PCR, and then transfers execution control to the domain manager.


Exiting a protected partition



When a protected partition is no longer needed, LT supports the take-down of the protected environment. This is again performed in stages.

1. The domain manager is responsible for cleaning up the protected partitions, ensuring that no secrets are left behind in either memory or registers. These actions include re-sealing secrets to be placed in persistent storage, and scrubbing the contents of protected partition pages.

2. The domain manager invokes a new instruction, SEXIT, to exit. The SEXIT instruction triggers a sequence of handshakes and then exits the protected environment.

Special event protections


Most normal system events, including exceptions and interrupts, are handled within the protection boundaries established by the partitions. Such events may be serviced within the partition, or may be trapped to the domain manager for service (depending on the nature of the event). However, certain abnormal system events can potentially result in a transfer of control to agents running outside a protected partition, creating a potential avenue of attack on confidential data residing in memory. LT processors and chipsets include hardware support that can detect and handle these events in a manner that does not permit the exposure of secrets or any tampering with protected execution. For example, certain system conditions could force a system reset without permitting the domain manager to first remove secrets from memory. LT hardware protections provide that, following an unanticipated reset, memory that might contain secrets is scrubbed before it can be accessed by untrusted software.


More on Attestation and Trust

Unsealing and sealing secrets

LT provides the capability to seal and unseal secrets with the assistance of a TPM v1.2 device. This capability ensures that a secret generated by one domain manager or environment is not available to another domain. The basis of this protection lies with the TPM's Storage Root Key (SRK), a public/private key pair. The SRK private key never leaves the TPM. Any data encrypted with the SRK public key can only be decrypted by the corresponding SRK private key. As the private key never leaves the TPM, only this TPM may decrypt this data.

The TPM provides a SEAL operation, which permits data and a list of PCRs to be encrypted into a blob using a TPM storage key. The resulting encrypted blob may be stored anywhere. A corresponding UNSEAL operation decrypts the blob, but will not expose the decrypted data unless the saved PCR values match the current PCRs. This operation permits a domain manager to seal data to the current PCR values representing its current protected environment; the resulting blob can only be unsealed to expose the data if the identical domain manager is running. Typically, a domain manager generates its own bulk encryption key, to be used in software, and seals this key using the TPM. The bulk encryption key is then used to encrypt all secrets managed by this domain manager, and may also be used to encrypt secrets for the applications running in the protected partition.

Establishing Initial Trust

A sealed secret can only be unsealed and accessed by the same domain manager environment. If a secret known only to a user was sealed to an environment that the user chose to trust, then if this secret can be re-displayed the user knows the same trusted environment is currently running. A similar method uses a secret shared with a remote agent, allowing the remote agent to know that the same trusted environment is currently running. But that leaves the question of how the user or remote agent determines that the environment should be trusted before a shared secret exists. To put the question more succinctly: how do we determine initial trust?

LT supports an optional, verifiable reporting mechanism, called attestation. Attestation permits either the user or, optionally, a remote agent to measure the currently running environment using measurement and reporting mechanisms supported by the TPM. Based upon these reported measurements, the user or remote agent may decide whether to trust the current platform environment.

For a remote agent, the attestation process involves standard cryptographic methods. A remote agent generates a random value (called a nonce or challenge), and sends it to the system to be tested. At that system, the TPM creates a record containing the nonce and the current PCR values (which represent the currently running domain manager environment). The TPM signs this record with its private key and the signed record is returned to the remote agent, along with the TPM's public key and credentials. The remote agent may examine the credentials to determine that this public key does, in fact, represent a real TPM, then uses the public key to verify the signature on the record, and then extracts the data from the record. The extracted data may now be checked against various lists to determine if this is an environment acceptable to the remote agent.

Attesting the environment of a local machine to a human user is more challenging, given that most humans cannot perform cryptographic calculations in their heads. There are at least three methods a user may choose from to identify the local machine environment and make a trust decision:

1. Assuming that a system is in its original state (as delivered from an OEM that a user trusts), the user may simply choose to trust this initial configuration. The user would be advised to create a secret (e.g. a favorite phrase or quote) to be sealed to this environment. As long as this secret can be displayed to the user on subsequent boots, the user has confidence that the same environment is running.

2. A portable token capable of cryptographic operations may be used to act as a "remote agent-like" proxy for the user. This token can be loaded with measurements of valid environment configurations at the local retailer. Such a portable token can then be connected to the PC and perform attestation of the user's system in a manner identical to that described for remote agents. The portable token could then report pass/fail.

3. The user may request that a remote agent perform attestation of the system. However, this leaves the problem of how the remote agent safely reports this information back to the user, given that the user cannot (yet) trust the software environment on the system. There are at least two methods of achieving this:

o If the user has a portable token, the remote agent's results can be communicated using cryptographically secured protocols to the portable token, which displays the result for the user.
o The remote agent provides the results "out-of-band", perhaps using an automated phone menu or mail.
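A simulation of the SEAL/UNSEAL binding described under "Unsealing and sealing secrets" and of the sealed-secret re-display in method 1, written for this report as an added example (it is not Intel's code or the TPM specification's). It assumes a single PCR, SHA-256 for the PCR extend, and AES-GCM under a constructed 32-byte key standing in for the TPM storage key; the blob layout is this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// TPM is a simulation: one PCR plus a storage key that never leaves the device.
type TPM struct {
	PCR []byte
	gcm cipher.AEAD // AES-GCM under a constructed 32-byte key standing in for the SRK
}

func NewTPM() *TPM {
	blk, _ := aes.NewCipher(bytes.Repeat([]byte{7}, 32)) // constructed key, not a real SRK
	g, _ := cipher.NewGCM(blk)
	return &TPM{PCR: make([]byte, 32), gcm: g} // a PCR is all-zero after platform reset
}

// Extend is the only way a PCR changes: PCR = H(PCR || measurement); it cannot be undone.
func (t *TPM) Extend(measurement []byte) {
	h := sha256.Sum256(append(t.PCR, measurement...))
	t.PCR = h[:]
}

// Seal binds data to the current PCR: blob = saved PCR || nonce || ciphertext. The saved
// PCR is also authenticated as GCM additional data, so it cannot be swapped in the blob.
func (t *TPM) Seal(data []byte) []byte {
	nonce := make([]byte, t.gcm.NonceSize())
	rand.Read(nonce)
	blob := append(append([]byte{}, t.PCR...), nonce...)
	return append(blob, t.gcm.Seal(nil, nonce, data, t.PCR)...)
}

// Unseal exposes the data only if the saved PCR equals the current PCR, i.e. only when
// the identical measured environment is running; otherwise the secret stays hidden.
func (t *TPM) Unseal(blob []byte) ([]byte, error) {
	n := t.gcm.NonceSize()
	if len(blob) < 32+n || !bytes.Equal(blob[:32], t.PCR) {
		return nil, errors.New("PCR mismatch: a different environment is running")
	}
	return t.gcm.Open(nil, blob[32:32+n], blob[32+n:], blob[:32])
}

// Reset models a platform reset: the PCR returns to zero and must be re-measured.
func (t *TPM) Reset() { t.PCR = make([]byte, 32) }
```

A domain manager measured as "domain-manager-v1" can seal its bulk key and unseal it on a later boot of the same environment; a reset followed by a different measurement leaves the blob unopenable.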
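The remote-agent challenge described above (nonce, signed record of nonce and PCR values, verification and list check), as an added example that is not from the report or the TPM specification. It assumes ECDSA P-256 as the TPM's signing key, SHA-256 over nonce || PCR as the signed record, and that the agent has already validated the TPM credential; the agent's "various lists" are the `acceptable` slice.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/sha256"
)

// Quote is the TPM side of the challenge: it signs nonce || PCR with a key that never
// leaves the TPM (the report's "private key"; ECDSA P-256 is this example's choice).
func Quote(tpmKey *ecdsa.PrivateKey, nonce, pcr []byte) (record, sig []byte) {
	record = append(append([]byte{}, nonce...), pcr...)
	d := sha256.Sum256(record)
	sig, _ = ecdsa.SignASN1(rand.Reader, tpmKey, d[:])
	return record, sig
}

// VerifyQuote is the remote agent's side. Credential checking (is this public key a
// real TPM?) is assumed done already; here we check the signature, then that the record
// carries our nonce (freshness, not a replay), then the PCR against an allow-list.
func VerifyQuote(tpmPub *ecdsa.PublicKey, nonce, record, sig []byte, acceptable [][]byte) bool {
	d := sha256.Sum256(record)
	if !ecdsa.VerifyASN1(tpmPub, d[:], sig) || !bytes.HasPrefix(record, nonce) {
		return false
	}
	for _, pcr := range acceptable {
		if bytes.Equal(record[len(nonce):], pcr) {
			return true
		}
	}
	return false
}

// Attest runs one full exchange: the agent challenges, the platform quotes, the agent verifies.
func Attest(tpmKey *ecdsa.PrivateKey, pcr []byte, acceptable [][]byte) bool {
	nonce := make([]byte, 20)
	rand.Read(nonce) // the agent's fresh random challenge
	record, sig := Quote(tpmKey, nonce, pcr)
	return VerifyQuote(&tpmKey.PublicKey, nonce, record, sig, acceptable)
}
```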




Serial No   Description                                              Page No
            Abstract                                                 1
1           Introduction                                             1
1.1         Trusted Computing (TC)                                   2
1.2         The Need for Safe, Protected Computing                   3
1.3         Safer Computing Initiative                               4
1.4         Features of Trusted Computing                            6
1.5         Trusted Computing Products                               7
2           LaGrande Technology                                      7
2.1         LaGrande Technology Summary                              7
2.2         LaGrande Objectives and Components                       10
3           LaGrande Technology Architecture                         10
3.1         LT Architecture Overview                                 13
3.2         Trusted Platform Architecture Review                     14
3.3         LaGrande Technology Hardware Overview                    15
4           The LaGrande Technology Protection Model
4.1         More Architectural Details on a Protected Environment    16
5           More on Attestation and Trust                            18
5.1         Unsealing and sealing secrets                            18
5.2         Establishing Initial Trust                               18
6           Conclusion                                               20
7           Reference                                                21