.

0 (hodnocen0 x )

EB

ONLINE

Berkeley, CA : Apress L. P., 2013

1 online resource (149 pages)

ISBN 9781430261490 (electronic bk.)

ISBN 9781430261483

Print version: Futral, William Intel Trusted Execution Technology for Server Platforms Berkeley, CA : Apress L. P.,c2013 ISBN 9781430261483

Intro -- Contents at a Glance -- Contents -- Foreword -- About the Authors -- Acknowledgments -- Introduction -- Chapter 1: Introduction to Trust and Intel Trusted Execution Technology -- Why More Security ? -- Types of Attacks -- What Is Trust? How Can Hardware Help? -- What Is Intel Trusted Execution Technology? -- Static Chain of Trust -- Dynamic Chain of Trust -- Virtualization -- Measured Launch Environment -- Finding Value in Trust -- Cloud Computing -- Attestation: The Founding Principle -- Value to System Software -- Cloud Service Provider/Cloud Service Client -- What Intel TXT Does Not Do -- Enhancements for Servers -- Including BIOS in the TCB -- Processor-Based CRTM -- Trusting the SMM -- Other Differences -- Impact of the Differences -- Roles and Responsibilities -- OEM -- Platform Owner -- Host Operating System -- Other Software -- Chapter 2: Fundamental Principles of Intel TXT -- What You Need: Definition of an Intel TXT-Capable System -- Intel TXT-Capable Platform -- Intel TXT Platform Components -- Processor -- Chipset -- Trusted Platform Module (TPM) -- BIOS -- Authenticated Code Module (ACM) -- The Role of the Trusted Platform Module (TPM) -- TPM Interface -- Localities -- Control Protocol -- Random Number Generator (RNG) -- SHA-1 Engine -- RSA Engine and Key Generation -- Platform Configuration Registers (PCRs) -- Nonvolatile Storage -- Attestation Identity Key (AIK) -- TPM Ownership and Access Enforcement -- Cryptography -- Symmetric Encryption -- Asymmetric Encryption -- Cryptographic Hash Functions -- Why It Works and What It Does -- Key Concepts -- Measurements -- Secure Measurements -- Static and Dynamic Measurements -- The Intel TXT Boot Sequence -- Measured Launch Process (Secure Launch) -- Protection Against Reset Attacks -- Launch Control Policy -- Platform Configuration (PCONF).

Trusted OS Measurements (MLE Element) -- Protecting Policies -- Sealing -- Attestation -- Summary -- Chapter 3: Getting It to Work: Provisioning Intel TXT -- Provisioning a New Platform -- BIOS Setup -- Enable and Activate the Trusted Platform Module (TPM) -- Enable Supporting Technology -- Enabling Intel TXT -- Summary of BIOS Setup -- Automating BIOS Provisioning -- Establish TPM Ownership -- What Is TPM Ownership ? Why Is This Important? -- How to Establish TPM Ownership -- Pass-Through TPM Model -- Remote Pass-Through TPM Model -- Management Server Model -- Protecting Authorization Values -- Install a Trusted Host Operating System -- VMware ESXi Example -- Linux Example (Ubuntu) -- Create Platform Owner’s Launch Control Policy -- How It Works -- What LCP Does -- Specifying Platform Configuration: The PCONF Element -- Specifying Trusted Operating Systems: The MLE Element -- Specifying Trusted ACMs -- Specifying a Policy of "ANY" -- Revoking Platform Default Policy -- Why Is PO Policy Important? -- Prevent Interference by the Platform Supplier Policy -- Establishing Trusted Pools -- Reduce the Need for Remote Attestation -- Reset Attack Protection -- Considerations -- Summary -- Chapter 4: Foundation for Control: Establishing Launch Control Policy -- Quick Review of Launch Control Policy -- When Is Launch Control Policy Needed? -- Remote Attestation -- What Does Launch Control Policy Deliver? -- PCR0: CRTM, BIOS, and Host Platform Extensions -- PCR1: Host Platform Configuration -- PCR2, 3: Option ROM Code and Configuration Data -- PCR4, 5: IPL Code and Configuration Data -- PCR6: State Transition and Wake Events -- PCR7: Host Platform Manufacturer Control -- Platform Configuration (PCONF) Policy -- Specifying Trusted Platform Configurations -- Tools Needed for Creating a PCONF Policy -- Difficulties with Using PCONF Policy.

Specifying Trusted Host Operating Systems -- Tools Needed for Creating MLE Policy -- Options and Tradeoffs -- Impact of SINIT Updates -- Impact of Platform Configuration Change -- Impact of a BIOS Update -- Impact of OS/VMM Update -- Managing Launch Control Policy -- Think Big -- Use a Signed List -- Make Use of Vendor-Signed Policies -- Use Multiple Lists for Version Control -- Using the Simplest Policy -- Other Tips -- Strategies -- Impact of Changing TPM Ownership -- Decision Matrix -- Chapter 5: Raising Visibility for Trust: The Role of Attestation -- Attestation: What It Means -- Attestation Service Components -- Endpoint, Service, and Administrative Components -- Attestation Service Component Capabilities -- Administrative Component Capabilities -- Attestation in the Intel TXT Use Models -- Enabling the Market with Attestation -- OpenAttestation -- Mt. Wilson -- How to Get Attestation -- Chapter 6: Trusted Computing: Opportunities in Software -- What Does "Enablement" Really Mean? -- Platform Enablement: The Basics -- Platform Enablement: Extended -- Provisioning -- Updates -- Attestation -- Reporting and Logging -- Operating System and Hypervisor Enablement -- Enablement at Management and Policy Layer -- Provisioning -- Updates -- Attestation -- Reporting and Logging -- Enablement at the Security Applications Layer -- Chapter 7: Creating a More Secure Datacenter and Cloud -- When Datacenter Meets the Cloud -- The Cloud Variants -- Cloud Delivery Models -- Intel TXT Use Models and the Cloud(s) -- The Trusted Launch Model -- Trusted Compute Pools: Driving the Market -- Extended Trusted Pools: Asset Tags and Geotags -- Compliance: Changing the Landscape -- Chapter 8: The Future of Trusted Computing -- Trust Is a Foundation -- More Protections and Assurance -- Is There Enough to Trust? -- Measures at Launch Time. -- What Intel TXT Measures.

The Whitelist Approach -- The Evolution of Trust -- Trusted Guest -- End-to-End Trust -- Runtime Trust -- The Trust and Integrity "Stack" -- Index.

001895181

express

Contents at a Glance // Foreword...xiii // About the Authors...xv // Acknowledgments...xvii // Introduction...xix // •Chapter 1: Introduction to Trust and Intel® Trusted Execution Technology...1 // I Chapter 2: Fundamental Principles of Intel® TXT...15 // I Chapter 3: Getting It to Work: Provisioning Intel® TXT...37 // Chapter 4: Foundation for Control: Establishing Launch Control Policy...61 // Chapter 5: Raising Visibility for Trust: The Role of Attestation...79 // Chapter 6: Trusted Computing: Opportunities in Software...89 // Chapter 7: Creating a More Secure Datacenter and Cloud...105 // Chapter 8: The Future of Trusted Computing...119 // Index...129 // V // Contents // J // Foreword...xiii // About the Authors...xv // Acknowledgments...xvii // Introduction...xix // Chapter 1: Introduction to Trust and Intel Trusted Execution Technology...1 // Why More Security?...2 // Types of Attacks...2 // What Is Trust? How Can Hardware Help?...3 // What Is Intel Trusted Execution Technology?...4 // Static Chain of Trust...5 // Dynamic Chain of Trust...5 // Virtualization...6 // Measured Launch Environment...6 // Finding Value in Trust...7 // Cloud Computing...7 // Attestation: The Founding Principle...8 // Value to System Software ...9 // Cloud Service Provider/Cloud Service Client...10 // What Intel TXT Does Not Do...11 // Enhancements for Servers...11 // Including BIOS in the TCB...11 // Processor-Based CRTM...11 // Trusting the SMM...12 // Other Differences...12 // Impact of the Differences...12 // Roles and Responsibilities...12 // OEM...12 // Platform Owner...12 // Host Operating System...13 // Other Software...13 // Chapter 2: Fundamental Principles of Intel TXT...15 // What You Need: Definition of an Intel TXT-Capable System...15 // Intel TXT-Capable Platform...16 // Intel TXT Platform Components...16 // The Role of the Trusted Platform Module (TPM)...18 //

TPM interface...19 // Random Number Generator (RNG)...20 // SHA-1 Engine...21 // RSA Engine and Key Generation...21 // Platform Configuration Registers (PCRs)...21 // Nonvolatile Storage...22 // Attestation Identity Key (AIK)...23 // TPM Ownership and Access Enforcement...23 // Cryptography...23 // Symmetric Encryption...24 // Asymmetric Encryption...24 // Cryptographic Hash Functions...24 // Why It Works and What It Does...26 // Key Concepts...26 // Measurements...26 // Secure Measurements...27 // Static and Dynamic Measurements...27 // The Intel TXT Boot Sequence...29 // Measured Launch Process (Secure Launch)...31 // Protection Against Reset Attacks...33 // Launch Control Policy...33 // Platform Configuration (PCONF)...34 // Trusted OS Measurements (MLE Element)...34 // Protecting Policies...35 // Sealing...35 // Attestation...35 // Summary...36 // Chapter 3: Getting It to Work: Provisioning Intel TXT...37 // Provisioning a New Platform...37 // BIOS Setup...38 // Enable and Activate the Trusted Platform Module (TPM)...38 // Enable Supporting Technology...38 // Enabling Intel TXT...39 // Summary of BIOS Setup...39 // Automating BIOS Provisioning...40 // Establish TPM Ownership...40 // What Is TPM Ownership? Why Is This Important?...40 // How to Establish TPM Ownership...40 // Pass-Through TPM Model...41 // Remote Pass-Through TPM Model ...41 // Management Server Model...42 // Protecting Authorization Values...43 // Install a Trusted Host Operating System...45 // VMware ESXi Example...45 // Linux Example (Ubuntu)...45 // Create Platform Owner’s Launch Control Policy...47 // How it Works...47 // What LCP Does...49 // ix // CONTENTS // Why Is PO Policy Important?...55 // Considerations...59 // Summary...60 // Chapter 4: Foundation for Control: Establishing Launch Control Policy...61 // Quick Review of Launch Control Policy...61 //

When Is Launch Control Policy Needed?...63 // Remote Attestation...63 // What Does Launch Control Policy Deliver?...64 // Platform Configuration (PCONF) Policy...64 // Specifying Trusted Platform Configurations...65 // Tools Needed for Creating a PCONF Policy...69 // Difficulties with Using PCONF Policy...70 // Specifying Trusted Host Operating Systems...71 // Tools Needed for Creating MLE Policy...71 // Options and Tradeoffs...72 // Impact of SINIT Updates...72 // Impact of Platform Configuration Change...73 // Impact of a BIOS Update...73 // Impact of OS/VMM Update...73 // Managing Launch Control Policy...73 // Think Big...73 // Use a Signed List...74 // Make Use of Vendor-Signed Policies...74 // Use Multiple Lists for Version Control...74 // Using the Simplest Policy...75 // Other Tips...75 // Strategies...75 // Impact of Changing TPM Ownership...77 // Decision Matrix...77 // Chapter 5: Raising Visibility for Trust: The Role of Attestation...79 // Attestation: What It Means...79 // Attestation Service Components...80 // Endpoint, Service, and Administrative Components...81 // Attestation Service Component Capabilities...82 // 63 Administrative Component Capabilities...83 // Attestation in the Intel TXT Use Models...83 // ... 64 Enabling the Market with Attestation...85 // OpenAttestation...86 // Mt. Wilson...87 // How to Get Attestation...88 // Chapter 6: Trusted Computing: Opportunities in Software...89 // What Does “Enablement” Really Mean?...89 // Platform Enablement: The Basics...91 // Platform Enablement: Extended...93 // Provisioning...94 // Updates...94 // Attestation...94 // Reporting and Logging...95 // Operating System and Hypervisor Enablement...95 // Enablement at Management and Policy Layer...97 // Provisioning...100 // Updates...100 // Attestation...100 // Reporting and Logging...100 // Enablement at the Security Applications Layer...101 //

Chapter 7: Creating a More Secure Datacenter and Cloud...105 // When Datacenter Meets the Cloud...105 // The Cloud Variants...106 // Cloud Delivery Models...107 Intel TXT Use Models and the Cloud(s)...110 // The Trusted Launch Model...110 // Trusted Compute Pools: Driving the Market...112 // Extended Trusted Pools: Asset Tags and Geotags...114 // Compliance: Changing the Landscape...116 // Chapter 8: The Future of Trusted Computing...119 // Trust Is a Foundation...119 // More Protections and Assurance...120 // Is There Enough to Trust?...122 // Measures at Launch Time...122 // What Intel TXT Measures...123 // The Whitelist Approach...123 // The Evolution of Trust...123 // Trusted Guest...124 // End-to-End Trust...124 // Runtime Trust...125 // The Trust and Integrity “Stack"...125 // Index...129

(Au-PeEL)EBL6422761

(MiAaPQ)EBC6422761

(OCoLC)1113481075