Intel Trusted Execution Technology

Intel TXT allows

  1. Attestation of the authenticity of a platform and its operating system.
  2. Assuring that an authentic operating system starts in a trusted environment, which can then be considered trusted.
  3. Providing of a trusted operating system with additional security capabilities not available to an unproven one.

Intel TXT requirements:

  1. Intel TXT requires a TPM to measure parts of the firmware before it’s run on the BSP.
  2. Intel TXT requires signed Authenticated Code Modules (ACMs), provided by Intel.
  3. Intel TXT requires CPU and Chipset support (supported since Intel Core 2 Duo/ICH9).

Authenticated Code Modules

The ACMs are Intel digitally signed modules that contain code to be run before the traditional x86 CPU reset vector.

More details can be found here: Intel ACM.

Modified bootflow with Intel TXT

With Intel TXT the first instruction executed on the BSP isn’t the reset vector, but the Intel ACM. It initializes the TPM and measures parts of the firmware, the IBB.

Marking the Initial Boot Block

Individual files in the CBFS can be marked as IBB.

More details can be found in the Intel TXT IBB chapter.

Measurements

The IBBs (Initial Boot Blocks) are measured into TPM’s PCR0 by the BIOS ACM before the CPU reset vector is executed. To indentify the regions that need to be measured, the FIT contains one ore multiple Type 7 entries, that point to the IBBs.

Authentication

After the IBBs have been measured, the ACM decides if the boot firmware is trusted. There exists two validation modes:

  1. HASH Autopromotion
    • Uses a known good HASH stored in TPM NVRAM
    • Doesn’t allow to boot a fallback IBB
  2. Signed BIOS policy
    • Uses a signed policy stored in flash containing multiple HASHes
    • The public key HASH of BIOS policy is burned into TPM by manufacturer
    • Can be updated by firmware
    • Allows to boot a fallback IBB

At the moment only Autopromotion mode is implemented and tested well.

In the next step the ACM terminates and the regular x86 CPU reset vector is being executed on the BSP.

Protecting Secrets in Memory

Intel TXT sets the Secrets in Memory bit, whenever the launch of the SINIT ACM was successful. The bit is reset when leaving the MLE by a regular shutdown or by removing the CMOS battery.

When Secrets in Memory bit is set and the IBB isn’t trusted, the memory controller won’t be unlocked, resulting in a platform that cannot access DRAM.

When Secrets in Memory bit is set and the IBB is trusted, the memory controller will be unlocked, and it’s the responsibility of the firmware to clear all DRAM and wipe any secrets of the MLE. The platform will be reset after all DRAM has been wiped and will boot with the Secrets in Memory bit cleared.

Configuring protected regions for SINIT ACM

The memory regions used by the SINIT ACM need to be prepared and protected against DMA attacks. The SINIT ACM as well as the SINIT handoff data are placed in memory.

Locking TXT register

As last step the TXT registers are locked.

Whenever the SINIT ACM is invoked, it verifies that the hardware is in the correct state. If it’s not the SINIT ACM will reset the platform.

For developers

Configuring Intel TXT in Kconfig

Enable TEE_INTEL_TXT and set the following:

TEE_INTEL_TXT_BIOSACM_FILE to the path of the BIOS ACM provided by Intel

TEE_INTEL_TXT_SINITACM_FILE to the path of the SINIT ACM provided by Intel