Trusted Execution Technology

Last updated December 26, 2024

Intel Trusted Execution Technology (Intel TXT, formerly known as LaGrande Technology) is a computer hardware technology of which the primary goals are:

Intel TXT uses a Trusted Platform Module (TPM) and cryptographic techniques to provide measurements of software and platform components so that system software as well as local and remote management applications may use those measurements to make trust decisions. It complements Intel Management Engine. This technology is based on an industry initiative by the Trusted Computing Group (TCG) to promote safer computing. It defends against software-based attacks aimed at stealing sensitive information by corrupting system or BIOS code, or modifying the platform's configuration.

Details

The Trusted Platform Module (TPM) as specified by the TCG provides many security functions including special registers (called Platform Configuration Registers – PCRs) which hold various measurements in a shielded location in a manner that prevents spoofing. Measurements consist of a cryptographic hash using a hashing algorithm; the TPM v1.0 specification uses the SHA-1 hashing algorithm. More recent TPM versions (v2.0+) call for SHA-2.^[1]^[2]

A desired characteristic of a cryptographic hash algorithm is that (for all practical purposes) the hash result (referred to as a hash digest or a hash) of any two modules will produce the same hash value only if the modules are identical.

Measurements

Measurements can be of code, data structures, configuration, information, or anything that can be loaded into memory. TCG requires that code not be executed until after it has been measured. To ensure a particular sequence of measurements, hash measurements in a sequence are not written to different PCRs, but rather a PCR is "extended" with a measurement. This means that the TPM takes the current value of the PCR and the measurement to be extended, hashes them together, and replaces the content of the PCR with that hash result. The effect is that the only way to arrive at a particular measurement in a PCR is to extend exactly the same measurements in exactly the same order. Therefore, if any module being measured has been modified, the resulting PCR measurement will be different and thus it is easy to detect if any code, configuration, data, etc. that has been measured had been altered or corrupted. The PCR extension mechanism is crucial to establishing a Chain of trust in layers of software (see below).

Chain of trust

The technology supports both a static chain of trust and a dynamic chain of trust. The static chain of trust starts when the platform powers on (or the platform is reset), which resets all PCRs to their default value. For server platforms, the first measurement is made by hardware (i.e., the processor) to measure a digitally signed module (called an Authenticated Code Module or ACM) provided by the chipset manufacturer. The processor validates the signature and integrity of the signed module before executing it. The ACM then measures the first BIOS code module, which can make additional measurements.

The measurements of the ACM and BIOS code modules are extended to PCR0, which is said to hold the static core root of trust measurement (CRTM) as well as the measurement of the BIOS Trusted Computing Base (TCB). The BIOS measures additional components into PCRs as follows:

PCR0 – CRTM, BIOS code, and Host Platform Extensions^[a]
PCR1 – Host Platform Configuration
PCR2 – Option ROM Code
PCR3 – Option ROM Configuration and Data
PCR4 – IPL (Initial Program Loader) Code (usually the Master Boot Record – MBR)
PCR5 – IPL Code Configuration and Data (for use by the IPL Code)
PCR6 – State Transition and Wake Events
PCR7 – Host Platform Manufacturer Control

The dynamic chain of trust starts when the operating system invokes a special security instruction, which resets dynamic PCRs (PCR17–22) to their default value and starts the measured launch. The first dynamic measurement is made by hardware (i.e., the processor) to measure another digitally signed module (referred to as the SINIT ACM) which is also provided by the chipset manufacturer and whose signature and integrity are verified by the processor. This is known as the Dynamic Root of Trust Measurement (DRTM).

The SINIT ACM then measures the first operating system code module (referred to as the measured launch environment – MLE). Before the MLE is allowed to execute, the SINIT ACM verifies that the platform meets the requirements of the Launch Control Policy (LCP) set by the platform owner. LCP consists of three parts:

Verifying that the SINIT version is equal or newer than the value specified
Verifying that the platform configuration (PCONF) is valid by comparing PCR0–7 to known-good values (the platform owner decides which PCRs to include)
Verifying that the MLE is valid, by comparing its measurement to a list of known-good measurements.

The integrity of the LCP and its lists of known-good measurements are protected by storing a hash measurement of the policy in the TPM in a protected non-volatile location that can only be modified by the platform owner.

Execute as a Trusted OS

Once the LCP is satisfied, the SINIT ACM allows the MLE to execute as a Trusted OS by enabling access to special security registers and enabling TPM Locality 2 level access. The MLE is now able to make additional measurements to the dynamic PCRs. The dynamic PCRs contain measurement of:

PCR17 – DRTM and launch control policy
PCR18 – Trusted OS start-up code (MLE)
PCR19 – Trusted OS (for example OS configuration)
PCR20 – Trusted OS (for example OS Kernel and other code)
PCR21 – as defined by the Trusted OS
PCR22 – as defined by the Trusted OS

The technology also provides a more secure way for the operating system to initialize the platform. In contrast to the normal processor initialization [which involved the boot-strap-processor (BSP) sending a Start-up Inter-Processor Interrupt (SIPI) to each Application Processor, thus starting each processor in "real mode" and then transitioning to "virtual mode" and finally to "protected mode"], the operating system avoids that vulnerability by performing a secure launch (a.k.a. measured launch) which puts the Application Processors in a special sleep state from which they are directly started in protected mode with paging on, and are not allowed to leave this state.^[3]

Application

PCR values are available both locally and remotely. Furthermore, the TPM has the capability to digitally sign the PCR values (i.e., a PCR Quote) so that any entity can verify that the measurements come from, and are protected by, a TPM, thus enabling Remote Attestation to detect tampering, corruption, and malicious software. Additionally, those values can be used to identify the execution environment (the particular BIOS version, OS level, configuration, etc.) and compare them to their own lists of known-good values to further categorize the platform. This ability to evaluate and assign trust levels to platforms is known as Trusted Compute Pools.

Some examples of how Trusted Compute Pools are used:

Isolation – the ability to control if a platform connects to the production network or is quarantined based on its trust level or failure to pass its launch control policy.
Trust Based Policy – such as restricting critical apps to only execute on platforms that meet a specified trust level
Compliance and Auditing – demonstrating that critical, personal, or sensitive data has only been processed on platforms that meet trust requirements

Numerous server platforms include Intel TXT, and TXT functionality is leveraged by software vendors including HyTrust, PrivateCore, Citrix, and VMware. Open-source projects also utilize the TXT functionality; for example, tboot provides a TXT-based integrity system for the Linux kernel and Xen hypervisor.^[4]^[5]

Windows 10 PCs with PCR7 Binding have the ability to enable or disable full device encryption.^[6]

Terminology

ACM: Authenticated Code Module
CRTM: Core Root of Trust Measurement
DRTM: Dynamic Root of Trust Measurement
LCP: Launch Control Policy
MLE: Measured Launch Environment
PCR: Platform Configuration Registers
TCB: Trusted Computing Base
TCG: Trusted Computing Group
TPM: Trusted Platform Module

Notes

↑ CRTM is measured by the processor and initial BIOS code is measured by the ACM (all other measurements made by BIOS or other firmware code) but only after that code had been measured.

Related Research Articles

PCR or pcr may refer to:

Trusted Computing (TC) is a technology developed and promoted by the Trusted Computing Group. The term is taken from the field of trusted systems and has a specialized meaning that is distinct from the field of confidential computing. With Trusted Computing, the computer will consistently behave in expected ways, and those behaviors will be enforced by computer hardware and software. Enforcing this behavior is achieved by loading the hardware with a unique encryption key that is inaccessible to the rest of the system and the owner.

<span class="mw-page-title-main">Next-Generation Secure Computing Base</span> Software architecture by Microsoft

The Next-Generation Secure Computing Base is a software architecture designed by Microsoft which claimed to provide users of the Windows operating system with better privacy, security, and system integrity. NGSCB was the result of years of research and development within Microsoft to create a secure computing solution that equaled the security of closed platforms such as set-top boxes while simultaneously preserving the backward compatibility, flexibility, and openness of the Windows operating system. Microsoft's primary stated objective with NGSCB was to "protect software from software."

Unified Extensible Firmware Interface is a specification for the firmware architecture of a computing platform. When a computer is powered on, the UEFI-implementation is typically the first that runs, before starting the operating system. Examples include AMI Aptio, Phoenix SecureCore, TianoCore EDK II, InsydeH2O.

In software engineering, profiling is a form of dynamic program analysis that measures, for example, the space (memory) or time complexity of a program, the usage of particular instructions, or the frequency and duration of function calls. Most commonly, profiling information serves to aid program optimization, and more specifically, performance engineering.

<span class="mw-page-title-main">Trusted Platform Module</span> Standard for secure cryptoprocessors

Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard ISO/IEC 11889. Common uses are to verify platform integrity, and to store disk encryption keys.

System Management Mode is an operating mode of x86 central processor units (CPUs) in which all normal execution, including the operating system, is suspended. An alternate software system which usually resides in the computer's firmware, or a hardware-assisted debugger, is then executed with high privileges.

The Apple–Intel architecture, or Mactel, is an unofficial name used for Macintosh personal computers developed and manufactured by Apple Inc. that use Intel x86 processors, rather than the PowerPC and Motorola 68000 ("68k") series processors used in their predecessors or the ARM-based Apple silicon SoCs used in their successors. As Apple changed the architecture of its products, they changed the firmware from the Open Firmware used on PowerPC-based Macs to the Intel-designed Extensible Firmware Interface (EFI). With the change in processor architecture to x86, Macs gained the ability to boot into x86-native operating systems, while Intel VT-x brought near-native virtualization with macOS as the host OS.

Intel vPro technology is an umbrella marketing term used by Intel for a large collection of computer hardware technologies, including VT-x, VT-d, Trusted Execution Technology (TXT), and Intel Active Management Technology (AMT). When the vPro brand was launched, it was identified primarily with AMT, thus some journalists still consider AMT to be the essence of vPro.

Intel Active Management Technology (AMT) is hardware and firmware for remote out-of-band management of select business computers, running on the Intel Management Engine, a microprocessor subsystem not exposed to the user, intended for monitoring, maintenance, updating, and repairing systems. Out-of-band (OOB) or hardware-based management is different from software-based management and software management agents.

Direct Anonymous Attestation (DAA) is a cryptographic primitive which enables remote authentication of a trusted computer whilst preserving privacy of the platform's user. The protocol has been adopted by the Trusted Computing Group (TCG) in the latest version of its Trusted Platform Module (TPM) specification to address privacy concerns. ISO/IEC 20008 specifies DAA, as well, and Intel's Enhanced Privacy ID (EPID) 2.0 implementation for microprocessors is available for licensing RAND-Z along with an open source SDK.

Electronic systems’ power consumption has been a real challenge for Hardware and Software designers as well as users especially in portable devices like cell phones and laptop computers. Power consumption also has been an issue for many industries that use computer systems heavily such as Internet service providers using servers or companies with many employees using computers and other computational devices. Many different approaches have been discovered by researchers to estimate power consumption efficiently. This survey paper focuses on the different methods where power consumption can be estimated or measured in real-time.

CRTM may refer to:

A trusted execution environment (TEE) is a secure area of a main processor. It helps the code and data loaded inside it be protected with respect to confidentiality and integrity. Data confidentiality prevents unauthorized entities from outside the TEE from reading data, while code integrity prevents code in the TEE from being replaced or modified by unauthorized entities, which may also be the computer owner itself as in certain DRM schemes described in Intel SGX.

The Intel Management Engine (ME), also known as the Intel Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. It is located in the Platform Controller Hub of modern Intel motherboards.

VeraCrypt is a free and open-source utility for on-the-fly encryption (OTFE). The software can create a virtual encrypted disk that works just like a regular disk but within a file. It can also encrypt a partition or the entire storage device with pre-boot authentication.

Intel Software Guard Extensions (SGX) is a set of instruction codes implementing trusted execution environment that are built into some Intel central processing units (CPUs). They allow user-level and operating system code to define protected private regions of memory, called enclaves. SGX is designed to be useful for implementing secure remote computation, secure web browsing, and digital rights management (DRM). Other applications include concealment of proprietary algorithms and of encryption keys.

"Serverless computing is a cloud service category in which the customer can use different cloud capabilities types without the customer having to provision, deploy and manage either hardware or software resources, other than providing customer application code or providing customer data. Serverless computing represents a form of virtualized computing." according to ISO/IEC 22123-2 Function as a service and serverless database are two forms of serverless computing.

Azure Sphere is an application platform with integrated communications and security features developed and managed by Microsoft for Internet Connected Devices.

Confidential computing is a security and privacy-enhancing computational technique focused on protecting data in use. Confidential computing can be used in conjunction with storage and network encryption, which protect data at rest and data in transit respectively. It is designed to address software, protocol, cryptographic, and basic physical and supply-chain attacks, although some critics have demonstrated architectural and side-channel attacks effective against the technology.

References

↑ "SHA-1 Uses in TPM v1.2". Trusted Computing Group. Retrieved 2014-03-14.
↑ "TPM 2.0 Library Specification FAQ". Trusted Computing Group. Retrieved 2014-03-14.
↑ "Chapter 2.2: MLE Launch". Intel Trusted Execution Technology (Intel® TXT) Software Development Guide (PDF). Intel.
↑ "tboot (Trusted Boot)". sourceforge.net. October 6, 2014. Retrieved November 16, 2014.
↑ Joseph Cihula (February 28, 2011). "Trusted Boot: Verifying the Xen Launch" (PDF). xenproject.org. Archived from the original (PDF) on October 13, 2016. Retrieved November 16, 2014.
↑ "Windows 8.1 includes seamless, automatic disk encryption—if your PC supports it". Ars Technica. 17 October 2013. Retrieved 18 October 2013.

External links

"Trusted Execution", Technology, Intel.
"Trusted Execution", Technology (PDF) (overview), Intel.
"Trusted Execution", Technology (PDF) (architectural overview), Intel.
Intel Trusted Execution Technology Software Development Guide (PDF), Intel.
"Virtualization", Technology, Intel.
Intel TXT Overview, part of Linux kernel documentation, December 1, 2014
Integrity management using Intel TXT, LWN.net, April 1, 2009, by Jake Edge
Attacking Intel Trusted Execution Technology, Black Hat Briefings, February 2009, by Rafal Wojtczuk and Joanna Rutkowska
Trusted Computing Technologies, Intel Trusted Execution Technology, Sandia National Laboratories, January 2011, by Jeremy Daniel Wendt and Max Joseph Guise

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[3] CRTM is measured by the processor and initial BIOS code is measured by the ACM (all other measurements made by BIOS or other firmware code) but only after that code had been measured.

[1] "SHA-1 Uses in TPM v1.2". Trusted Computing Group. Retrieved 2014-03-14.

[2] "TPM 2.0 Library Specification FAQ". Trusted Computing Group. Retrieved 2014-03-14.

[4] "Chapter 2.2: MLE Launch". Intel Trusted Execution Technology (Intel® TXT) Software Development Guide (PDF). Intel.

[5] "tboot (Trusted Boot)". sourceforge.net. October 6, 2014. Retrieved November 16, 2014.

[6] Joseph Cihula (February 28, 2011). "Trusted Boot: Verifying the Xen Launch" (PDF). xenproject.org. Archived from the original (PDF) on October 13, 2016. Retrieved November 16, 2014.

[ars-deviceencryption-7] "Windows 8.1 includes seamless, automatic disk encryption—if your PC supports it". Ars Technica. 17 October 2013. Retrieved 18 October 2013.

[1]

[2]

[a]

[3]

[4]

[5]

[6]

v t e Intel technology
Platforms	Centrino Centrino 2 Viiv MID Tablet CULV Ultrabook Skulltrail NUC Galileo Edison Curie Evo
Discontinued	Common Building Block MultiProcessor Specification Intel Communication Streaming Architecture Intel Inboard 386 Intel Play MMC-1 MMC-2
Current	Advanced Programmable Interrupt Controller CNVi Intel Turbo Boost vPro Intel Secure Key Intel Management Engine Active Management Technology AMT versions High-bandwidth Digital Content Protection High Definition Audio Hub Architecture Rapid Storage Technology SpeedStep Serial Digital Video Out Host Embedded Controller Interface Hyper-threading Omni-Path Platform Environment Control Interface QuickPath Interconnect Platform Controller Hub System Management Bus Thunderbolt Ultra Path Interconnect
Upcoming	Silicon Photonics Link