Misplaced Pages

#95904

52-633: Intel TXT uses a Trusted Platform Module (TPM) and cryptographic techniques to provide measurements of software and platform components so that system software as well as local and remote management applications may use those measurements to make trust decisions. It complements Intel Management Engine . This technology is based on an industry initiative by the Trusted Computing Group (TCG) to promote safer computing. It defends against software-based attacks aimed at stealing sensitive information by corrupting system or BIOS code, or modifying

104-419: A chip conforming to the standard ISO/IEC 11889. Common uses are to verify platform integrity (to verify that the boot process starts from a trusted combination of hardware and software), and to store disk encryption keys. One of Windows 11 's operating system requirements is TPM 2.0 implementation. Microsoft has stated that this is to help increase security against firmware attacks. The bloat of functions

156-516: A differential power analysis attack against TPMs that was able to extract secrets. Main Trusted Boot (tboot) distributions before November 2017 are affected by a dynamic root of trust for measurement (DRTM) attack CVE - 2017-16837 , which affects computers running on Intel's Trusted eXecution Technology (TXT) for the boot-up routine. In 2018, a design flaw in the TPM 2.0 specification for

208-876: A PC, either the Low Pin Count (LPC) bus or the Serial Peripheral Interface (SPI) bus is used to connect to the TPM chip. The Trusted Computing Group (TCG) has certified TPM chips manufactured by Infineon Technologies , Nuvoton , and STMicroelectronics , having assigned TPM vendor IDs to Advanced Micro Devices , Atmel , Broadcom , IBM , Infineon, Intel , Lenovo , National Semiconductor , Nationz Technologies, Nuvoton, Qualcomm , Rockchip , Standard Microsystems Corporation , STMicroelectronics, Samsung , Sinosun, Texas Instruments , and Winbond . There are five different types of TPM 2.0 implementations (listed in order from most to least secure): The official TCG reference implementation of

260-411: A PCR Quote) so that any entity can verify that the measurements come from, and are protected by, a TPM, thus enabling Remote Attestation to detect tampering, corruption, and malicious software. Additionally, those values can be used to identify the execution environment (the particular BIOS version, OS level, configuration, etc.) and compare them to their own lists of known-good values to further categorize

312-443: A PCR is to extend exactly the same measurements in exactly the same order. Therefore, if any module being measured has been modified, the resulting PCR measurement will be different and thus it is easy to detect if any code, configuration, data, etc. that has been measured had been altered or corrupted. The PCR extension mechanism is crucial to establishing a Chain of trust in layers of software (see below). The technology supports both

364-476: A TXT-based integrity system for the Linux kernel and Xen hypervisor. Windows 10 PCs with PCR7 Binding have the ability to enable or disable full device encryption . Trusted Platform Module Trusted Platform Module ( TPM ) is an international standard for a secure cryptoprocessor , a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to

416-455: A company specializing in disaster recovery for Microsoft Exchange . HyTrust's CEO and chairman is John De Santis – formerly vice president of Cloud Services at VMware and chairman and CEO of TriCipher, a software security infrastructure company. In November 2013, HyTrust acquired HighCloud Security, a cloud encryption and management software provider. This acquisition added encryption and key management to HyTrust's products. In spring 2015,

468-431: A hardware keystroke logger , by resetting TPM, or by capturing memory contents and retrieving TPM-issued keys. The condemning text goes so far as to claim that TPM is entirely redundant. The VeraCrypt publisher has reproduced the original allegation with no changes other than replacing "TrueCrypt" with "VeraCrypt". The author is right that, after achieving either unrestricted physical access or administrative privileges, it

520-535: A new revision is released it is divided into multiple parts by the Trusted Computing Group. Each part consists of a document that makes up the whole of the new TPM specification. The Trusted Platform Module (TPM) provides: Computer programs can use a TPM for the authentication of hardware devices, since each TPM chip has a unique and secret Endorsement Key (EK) burned in as it is produced. Security embedded in hardware provides more protection than

572-457: A particular sequence of measurements, hash measurements in a sequence are not written to different PCRs, but rather a PCR is "extended" with a measurement. This means that the TPM takes the current value of the PCR and the measurement to be extended, hashes them together, and replaces the content of the PCR with that hash result. The effect is that the only way to arrive at a particular measurement in

SECTION 10

#1732779984096

624-478: A separate motherboard component. Field upgrade is the TCG term for updating the TPM firmware. The update can be between TPM 1.2 and TPM 2.0, or between firmware versions. Some vendors limit the number of transitions between 1.2 and 2.0, and some restrict rollback to previous versions. Platform OEMs such as HP supply an upgrade tool. Since July 28, 2016, all new Microsoft device models, lines, or series (or updating

676-498: A single TPM. He was able to do this after 6 months of work by inserting a probe and spying on an internal bus for the Infineon SLE 66 CL PC. In case of physical access, computers with TPM 1.2 are vulnerable to cold boot attacks as long as the system is on or can be booted without a passphrase from shutdown, sleep or hibernation , which is the default setup for Windows computers with BitLocker full disk encryption. A fix

728-415: A software-only solution. Its use is restricted in some countries. The primary scope of TPM is to ensure the integrity of a platform during boot time. In this context, "integrity" means "behaves as intended", and a "platform" is any computer device regardless of its operating system . This is to ensure that the boot process starts from a trusted combination of hardware and software, and continues until

780-421: A static chain of trust and a dynamic chain of trust. The static chain of trust starts when the platform powers on (or the platform is reset), which resets all PCRs to their default value. For server platforms, the first measurement is made by hardware (i.e., the processor) to measure a digitally signed module (called an Authenticated Code Module or ACM) provided by the chipset manufacturer. The processor validates

832-460: A vulnerability, known as ROCA, which generated weak RSA key pairs that allowed private keys to be inferred from public keys . As a result, all systems depending upon the privacy of such weak keys are vulnerable to compromise, such as identity theft or spoofing. Cryptosystems that store encryption keys directly in the TPM without blinding could be at particular risk to these types of attacks, as passwords and other factors would be meaningless if

884-401: Is available." The DoD anticipates that TPM is to be used for device identification, authentication, encryption, and device integrity verification. In 2006 new laptops began being sold with a built-in TPM chip. In the future, this concept could be co-located on an existing motherboard chip in computers, or any other device where the TPM facilities could be employed, such as a cellphone . On

936-752: Is focused on TPM 2.0. HyTrust HyTrust , an Entrust company, is an American company. It specialized in security, compliance and control software for the virtualization of information technology infrastructure. The company was founded in 2007 and is based in Mountain View , California . Entrust Corp. acquired it in January 2021. HyTrust was founded in 2009, partnered by VMware , Symantec , Cisco Systems , and Citrix Systems , and backed by $ 5.5 million funding from Trident Capital and Epic Ventures. It further raised $ 10.5 million from Granite Ventures and Cisco Systems in 2010. In summer 2013,

988-439: Is hosted on SourceForge and GitHub and licensed under BSD License. In 2022, AMD announced that under certain circumstances their fTPM implementation causes performance problems. A fix is available in form of a BIOS -Update. While TPM 2.0 addresses many of the same use cases and has similar features, the details are different. TPM 2.0 is not backward compatible with TPM 1.2. The TPM 2.0 policy authorization includes

1040-487: Is in the use of Microsoft Office 365 licensing and Outlook Exchange. Another example of TPM use for platform integrity is the Trusted Execution Technology (TXT), which creates a chain of trust. It could remotely attest that a computer is using the specified hardware and software. Full disk encryption utilities, such as dm-crypt , can use this technology to protect the keys used to encrypt

1092-414: Is only a matter of time before other security measures in place are bypassed. However, stopping an attacker in possession of administrative privileges has never been one of the goals of TPM (see § Uses for details), and TPM can stop some physical tampering . In 2015 Richard Stallman suggested to replace the term "Trusted computing" with the term "Treacherous computing" due to the danger that

SECTION 20

#1732779984096

1144-451: Is physically present at the console of the machine. The United States Department of Defense (DoD) specifies that "new computer assets (e.g., server, desktop, laptop, thin client, tablet, smartphone, personal digital assistant, mobile phone) procured to support DoD will include a TPM version 1.2 or higher where required by Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) and where such technology

1196-535: Is running on non-tampered components. In 2021, the Dolos Group showed an attack on a discrete TPM, where the TPM chip itself had some tamper resistance, but the other endpoints of its communication bus did not. They read a full-disk-encryption key as it was transmitted across the motherboard, and used it to decrypt the laptop's SSD. In October 2017, it was reported that a code library developed by Infineon , which had been in widespread use in its TPMs, contained

1248-577: The SHA-1 hashing algorithm. More recent TPM versions (v2.0+) call for SHA-2 . A desired characteristic of a cryptographic hash algorithm is that (for all practical purposes) the hash result (referred to as a hash digest or a hash) of any two modules will produce the same hash value only if the modules are identical. Measurements can be of code, data structures, configuration, information, or anything that can be loaded into memory. TCG requires that code not be executed until after it has been measured. To ensure

1300-476: The " treacherous computing " threat he had warned of. Linux Torvalds in 2023 wrote that there is no way to believe that randomness generated by TPM is any better than randomness generated anyway by the CPU, and there is no point in supporting randomness from a firmware source. In 2010 Christopher Tarnovsky presented an attack against TPMs at Black Hat Briefings , where he claimed to be able to extract secrets from

1352-494: The 1.2 HMAC, locality, physical presence, and PCR. It adds authorization based on an asymmetric digital signature, indirection to another authorization secret, counters and time limits, NVRAM values, a particular command or command parameters, and physical presence. It permits the ANDing and ORing of these authorization primitives to construct complex authorization policies. The Trusted Computing Group (TCG) has faced resistance to

1404-590: The LCP and its lists of known-good measurements are protected by storing a hash measurement of the policy in the TPM in a protected non-volatile location that can only be modified by the platform owner. Once the LCP is satisfied, the SINIT ACM allows the MLE to execute as a Trusted OS by enabling access to special security registers and enabling TPM Locality 2 level access. The MLE is now able to make additional measurements to

1456-531: The Software Stack (TSS) Enhanced System API (ESAPI) specification of the TCG. It was developed by Fraunhofer Institute for Secure Information Technology (SIT). IBM 's Software TPM 2.0 is an implementation of the TCG TPM 2.0 specification. It is based on the TPM specification Parts 3 and 4 and source code donated by Microsoft. It contains additional files to complete the implementation. The source code

1508-436: The TPM 2.0 Specification has been developed by Microsoft . It is licensed under BSD License and the source code is available on GitHub . In 2018 Intel open-sourced its Trusted Platform Module 2.0 (TPM2) software stack with support for Linux and Microsoft Windows. The source code is hosted on GitHub and licensed under BSD License . Infineon funded the development of an open source TPM middleware that complies with

1560-541: The TPM is authentic. Starting with TPM 2.0, the certificates are in X.509 DER format. These manufacturers typically provide their certificate authority root (and sometimes intermediate) certificates on their web sites. To utilize a TPM, the user needs a software library that communicates with the TPM and provides a friendlier API than the raw TPM communication. Currently, there are several such open-source TPM 2.0 libraries. Some of them also support TPM 1.2, but mostly TPM 1.2 chips are now deprecated and modern development

1612-402: The attacks can extract encryption secrets. Infineon has released firmware updates for its TPMs to manufacturers who have used them. Currently, a TPM is provided by nearly all PC and notebook manufacturers in their products. The TPM is implemented by several vendors: There are also hybrid types; for example, TPM can be integrated into an Ethernet controller, thus eliminating the need for

Trusted Execution Technology - Misplaced Pages Continue

1664-459: The company raised $ 18.5 million in an oversubscribed C round with investments from Intel Capital, In-Q-Tel , Carahsoft, Fortinet, and previous investors. The website also mentions McAfee , Trend Micro , CA Technologies , RSA , and VCE . HyTrust was founded by the company's president, Eric Chiu, vice president Renata Budko, vice president Boris Strongin, and engineer Boris Belov. Before HyTrust, both Chiu and Budko worked for Cemaphore Systems –

1716-456: The company raised $ 33 million in Series D funding. In 2017, the company raised $ 36 million and acquired DataGravity, a security company. HyTrust was acquired by Entrust in January 2021. HyTrust's products are based on the company's patented intelligent security control system for virtualized ecosystems. HyTrust CloudControl is a VMware vSphere-compatible virtual appliance that sits between

1768-461: The computer can be made to systematically disobey its owner if the cryptographical keys are kept secret from them. He also considers that TPMs available for PCs in 2015 are not currently dangerous and that there is no reason not to include one in a computer or support it in software due to failed attempts from the industry to use that technology for DRM , but that the TPM2 released in 2022 is precisely

1820-472: The computer's storage devices and provide integrity authentication for a trusted boot pathway that includes firmware and the boot sector . Any application can use a TPM chip for: Other uses exist, some of which give rise to privacy concerns. The "physical presence" feature of TPM addresses some of these concerns by requiring BIOS / UEFI -level confirmation for operations such as activating, deactivating, clearing or changing ownership of TPM by someone who

1872-403: The deployment of this technology in some areas, where some authors see possible uses not specifically related to Trusted Computing , which may raise privacy concerns. The concerns include the abuse of remote validation of software decides what software is allowed to run and possible ways to follow actions taken by the user being recorded in a database, in a manner that is completely undetectable to

1924-460: The dynamic PCRs. The dynamic PCRs contain measurement of: The technology also provides a more secure way for the operating system to initialize the platform. In contrast to the normal processor initialization [which involved the boot-strap-processor (BSP) sending a Start-up Inter-Processor Interrupt (SIPI) to each Application Processor, thus starting each processor in "real mode" and then transitioning to "virtual mode" and finally to "protected mode"],

1976-462: The hardware configuration of an existing model, line, or series with a major update, such as CPU, graphic cards) implement, and enable by default TPM 2.0. While TPM 1.2 parts are discrete silicon components, which are typically soldered on the motherboard, TPM 2.0 is available as a discrete (dTPM) silicon component in a single semiconductor package, an integrated component incorporated in one or more semiconductor packages - alongside other logic units in

2028-485: The operating system avoids that vulnerability by performing a secure launch (a.k.a. measured launch) which puts the Application Processors in a special sleep state from which they are directly started in protected mode with paging on, and are not allowed to leave this state. PCR values are available both locally and remotely. Furthermore, the TPM has the capability to digitally sign the PCR values (i.e.,

2080-862: The operating system has fully booted and applications are running. When TPM is used, the firmware and the operating system are responsible for ensuring integrity. For example, the Unified Extensible Firmware Interface (UEFI) can use TPM to form a root of trust : The TPM contains several Platform Configuration Registers (PCRs) that allow secure storage and reporting of security-relevant metrics. These metrics can be used to detect changes to previous configurations and decide how to proceed. Examples of such use can be found in Linux Unified Key Setup (LUKS), BitLocker and PrivateCore vCage memory encryption. (See below.) Another example of platform integrity via TPM

2132-456: The operating system invokes a special security instruction, which resets dynamic PCRs (PCR17–22) to their default value and starts the measured launch. The first dynamic measurement is made by hardware (i.e., the processor) to measure another digitally signed module (referred to as the SINIT ACM) which is also provided by the chipset manufacturer and whose signature and integrity are verified by

Trusted Execution Technology - Misplaced Pages Continue

2184-413: The platform's configuration. The Trusted Platform Module (TPM) as specified by the TCG provides many security functions including special registers (called Platform Configuration Registers – PCRs) which hold various measurements in a shielded location in a manner that prevents spoofing. Measurements consist of a cryptographic hash using a Secure Hashing Algorithm (SHA); the TPM v1.0 specification uses

2236-466: The platform. This ability to evaluate and assign trust levels to platforms is known as Trusted Compute Pools. Some examples of how Trusted Compute Pools are used: Numerous server platforms include Intel TXT, and TXT functionality is leveraged by software vendors including HyTrust , PrivateCore , Citrix , and VMware . Open-source projects also utilize the TXT functionality; for example, tboot provides

2288-548: The processor. This is known as the Dynamic Root of Trust Measurement (DRTM). The SINIT ACM then measures the first operating system code module (referred to as the measured launch environment – MLE). Before the MLE is allowed to execute, the SINIT ACM verifies that the platform meets the requirements of the Launch Control Policy (LCP) set by the platform owner. LCP consists of three parts: The integrity of

2340-447: The same package(s), and as a firmware (fTPM) based component running in a trusted execution environment (TEE) on a general purpose System-on-a-chip (SoC). TPM endorsement keys (EKs) are asymmetric key pairs unique to each TPM. They use the RSA and ECC algorithms. The TPM manufacturer usually provisions endorsement key certificates in TPM non-volatile memory . The certificates assert that

2392-608: The signature and integrity of the signed module before executing it. The ACM then measures the first BIOS code module, which can make additional measurements. The measurements of the ACM and BIOS code modules are extended to PCR0, which is said to hold the static core root of trust measurement (CRTM) as well as the measurement of the BIOS Trusted Computing Base (TCB). The BIOS measures additional components into PCRs as follows: The dynamic chain of trust starts when

2444-415: The static root of trust for measurement (SRTM) was reported ( CVE - 2018-6622 ). It allows an adversary to reset and forge platform configuration registers which are designed to securely hold measurements of software that are used for bootstrapping a computer. Fixing it requires hardware-specific firmware patches. An attacker abuses power interrupts and TPM state restores to trick TPM into thinking that it

2496-441: The user. The TrueCrypt disk encryption utility, as well as its derivative VeraCrypt , do not support TPM. The original TrueCrypt developers were of the opinion that the exclusive purpose of the TPM is "to protect against attacks that require the attacker to have administrator privileges, or physical access to the computer". The attacker who has physical or administrative access to a computer can circumvent TPM, e.g., by installing

2548-960: The virtual infrastructure and its administrators. Whenever an administrative request is submitted to the infrastructure, the appliance determines whether that request complies with the organization's security policies before permitting or denying it accordingly. By logging all requests, records are produced that can be used for regulatory compliance and auditing, troubleshooting, and forensic analysis. The company also provides private cloud , logging, active directory, root access , two-factor authentication, VI segmentation, host hardening, multi-tenant policy enforcement, secondary approval services, encryption, and key management and advises organizations on how to manage their virtualized and cloud computing environments. HyTrust partnered with Intel in 2014 to create HyTrust BoundaryControl. The technology lets companies set policies to control access to cloud and virtualized IT where data can be stored. BoundaryCountrol

2600-504: Was criticised, especially random number generation. Trusted Platform Module (TPM) was conceived by a computer industry consortium called Trusted Computing Group (TCG). It evolved into TPM Main Specification Version 1.2 which was standardized by International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) in 2009 as ISO/IEC 11889:2009. TPM Main Specification Version 1.2

2652-468: Was finalized on 3 March 2011 completing its revision. On 9 April 2014 the Trusted Computing Group announced a major upgrade to their specification entitled TPM Library Specification 2.0 . The group continues work on the standard incorporating errata, algorithmic additions and new commands, with its most recent edition published as 2.0 in November 2019. This version became ISO/IEC 11889:2015. When

SECTION 50

#1732779984096

2704-512: Was proposed, which has been adopted in the specifications for TPM 2.0. In 2009, the concept of shared authorisation data in TPM 1.2 was found to be flawed. An adversary given access to the data could spoof responses from the TPM. A fix was proposed, which has been adopted in the specifications for TPM 2.0. In 2015 as part of the Snowden revelations , it was revealed that in 2010 a US CIA team claimed at an internal conference to have carried out

#95904