How To Build Hardware Support For Secure Startup
Steve Heil & Mark Williams, Program Managers, Windows Security, Microsoft Corporation
Manny Novoa, Security Strategist, Personal Systems Group, Hewlett-Packard
Session Outline
Quick overview of Windows codenamed “Longhorn” Secure Startup feature
Overview of Longhorn TPM Services architecture
Developing applications that work with TPM Services
Windows Longhorn Logo Program proposed requirements for Secure Startup & TPM Services
Hewlett-Packard presents options & trade-offs for building Secure Startup-capable systems
Resources & Call to Action
Session Goals
This session answers the system builder’s question, “How do I build PC client SKUs that support Secure Startup?”
Attendees should leave this session with the following:
Guidelines for developing software for TPM Services
A better understanding of why and how to build Secure Startup-capable system SKUs
Knowledge of where to find resources for meeting the Secure Startup system Windows Logo Program requirements and building Secure Startup-capable platforms
Quick Overview of Secure Startup
Technology providing higher security through use of Trusted Platform Module (TPM)
Addresses the lost or stolen laptop scenarios with TPM-rooted boot integrity and encryption
Provides secure system startup and full volume encryption built on TPM services
Attackers are stopped from using software tools to get at data
What is a TPM?
Module on the motherboard that:
Protects secrets from attackers
Performs cryptographic functions
For example, RSA, SHA-1, RNG
Meets encryption export requirements
Can create, protect and manage cryptographic keys
Provides a unique Endorsement Key (EK)
Performs digital signature operations
Holds Platform Measurements (hashes)
Anchors chain of trust for keys, digital certificates and other credentials
To see industry standard specs for TPM 1.2, go to www.trustedcomputinggroup.org
TPM Services – Design Requirements
Create an environment where the TPM can be shared
Provide an appropriate level of abstraction for constrained resources
Protect applications from each other
Provide infrastructure for 3rd party developers and system manufacturers to add value
A single driver to support a variety of v1.2-compliant TPMs in the market
Provide mechanisms to support the right to opt-in and the right to privacy
TPM Services Architecture Simplified
(Architecture diagram; * = TCG Software Stack)
TPM Services – Application Development
Write code using the Trusted Service Provider layer of a TCG v1.2 TSS that has been built upon the TPM Base Services (TBS)
Some commands are blocked by default
Command blocking is configurable by the administrator
The Storage Root Key authorization data is zero
Access TPM functionality through the Microsoft features
WMI Interface
Key Storage Provider (KSP)
TCG Stack vs. TPM Services Stack
TPM applications use the TCG Service Provider (TSP) interfaces
The TCG Core Services component (TCS) is ported to communicate with the TBS instead of the TCG Device Driver Layer (TDDL)
TPM applications are more agile and better protected when using TBS
Introducing…
Mark Williams, Program Manager, Windows Security, Microsoft Corporation
Secure Startup & Windows Longhorn Logo Program
The two proposed Windows Longhorn Logo Program requirements for Secure Startup are
SYS-SEC-1 System supports Secure Startup via v1.2 TPM
SYS-SEC-2 System supports Secure Startup by using system firmware security enhancements
These are “If implemented” requirements
Based on industry-standard specs:
TCG TPM Specification Version 1.2, at www.trustedcomputinggroup.org/home
TCG TPM Interface Specification v1.2, Revision RC26 or later, at www.trustedcomputinggroup.org/members
TCG PC Client Specific Implementation Spec for Conventional BIOS v1.2, Revision 0.98 or later, at www.trustedcomputinggroups.org/members
Secure Startup & Core Logic Chipset
Secure Startup code uses memory-mapped I/O to communicate with TPM
Platform core logic chipset MUST implement memory-mapped I/O to TPM 1.2 over LPC bus
Memory region maps to TPM 1.2 Locality 0
TPM 1.2 Locality 0 system memory address is 0xFED4_0xxx
This memory region MAY be protected
Details of the TPM 1.2 memory-mapped LPC interface are in an industry-standard specification
TCG TPM Interface Specification v1.2, Revision RC26 or later, at www.trustedcomputinggroup.org/members
How Does Secure Startup Use The TPM?
Secure Startup code uses TPM 1.2 to “measure” software components of the system boot process; for each system boot event it:
Performs hash of component code and/or data
Adds entry to Event Log
Extends appropriate PCR with hash value
Later seals secrets against those PCR values
To protect secrets on the next platform reset
Mapping of the PCR usage to system boot events is in an industry-standard specification
TCG PC Client Specific Implementation Spec for Conventional BIOS v1.2, Revision 0.98 or later, at www.trustedcomputinggroups.org/members
TCG draft specification for PCR usage on EFI-based platforms under development
Why Are Firmware Extensions Required?
Secure Startup code runs in the pre-OS environment that is controlled by firmware
Secure Startup code must be able to use firmware to access the TPM
BIOS must expose INT 1Ah interface
This INT 1Ah interface is specified in the TCG v1.2 PC Client Implementation Specification
Secure Startup code uses a subset of the INT1Ah functions in the TCG spec
TCG_StatusCheck
TCG_PassThroughToTPM
TCG_CompactHashLogExtendEvent
Draft TCG EFI Protocol Spec contains these same three functions
Secure Startup Architecture
(Diagram: Static Root of Trust Measurement of early boot components)
Example Firmware Requirements
Requirements for BIOS usage of TPM 1.2 PCR[4]
The BIOS MUST measure into PCR[4] each IPL that is attempted and executed; if IPL code returns control back to BIOS then each subsequent IPL MUST also be measured
The BIOS MUST NOT measure portions of the IPL pertaining to the specific configuration of the platform into PCR[4]
For example, the disk geometry data in the MBR would not be measured into PCR[4]
To measure the content of an MBR style disk, the BIOS would measure 0000-01B7h into PCR[4] and 01B8-01FFh into PCR[5]
These requirements are from TCG spec, proposed for testing in the Windows Longhorn Logo Program
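The measure/log/extend sequence described above and the PCR[4]/PCR[5] split of the MBR from this slide, modelled in an added example (not code from the original presentation or from Microsoft, HP or the TCG). The 512-byte MBR, the "volume master key" secret and the seal/unseal policy logic are constructed for illustration; a real TPM 1.2 seals under its Storage Root Key, only the PCR-binding logic is shown here.

```python
import hashlib

PCR_LEN = 20  # a TPM 1.2 PCR holds one SHA-1 digest

def new_pcr_bank():
    # Every PCR reads all-zero after a Host Platform Reset (TPM_Init)
    return [bytes(PCR_LEN) for _ in range(24)]

def measure(pcrs, log, index, data, what):
    # One boot event: hash the component, add a log entry, extend the PCR
    digest = hashlib.sha1(data).digest()
    log.append((index, digest, what))
    pcrs[index] = hashlib.sha1(pcrs[index] + digest).digest()

def measure_mbr(pcrs, log, mbr):
    # Slide rule: IPL code 0000-01B7h -> PCR[4]; platform-specific bytes
    # 01B8-01FFh (disk signature, partition table) -> PCR[5]
    assert len(mbr) == 512
    measure(pcrs, log, 4, mbr[0x000:0x1B8], "MBR IPL code")
    measure(pcrs, log, 5, mbr[0x1B8:0x200], "MBR configuration data")

def replay_log(log):
    # A verifier recomputes the PCRs from the log; they must match the TPM's
    pcrs = new_pcr_bank()
    for index, digest, _ in log:
        pcrs[index] = hashlib.sha1(pcrs[index] + digest).digest()
    return pcrs

def seal(secret, pcrs, indices):
    # Toy seal (policy logic only; a real TPM wraps under its SRK): bind a
    # secret of up to 32 bytes to the current values of the chosen PCRs
    policy = hashlib.sha1(b"".join(pcrs[i] for i in indices)).digest()
    key = hashlib.sha256(policy).digest()
    return {"pcrs": indices, "policy": policy,
            "ct": bytes(a ^ b for a, b in zip(secret, key))}

def unseal(blob, pcrs):
    # Releases the secret only if the selected PCRs hold their seal-time values
    policy = hashlib.sha1(b"".join(pcrs[i] for i in blob["pcrs"])).digest()
    if policy != blob["policy"]:
        return None
    key = hashlib.sha256(policy).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], key))

def boot(ipl_code, table):
    # Constructed 512-byte MBR: IPL code padded with NOPs, then config bytes
    mbr = ipl_code.ljust(0x1B8, b"\x90") + table.ljust(0x48, b"\x00")
    pcrs, log = new_pcr_bank(), []
    measure_mbr(pcrs, log, mbr)
    return pcrs, log
```

Sealing against PCR[4] alone shows why the split matters: repartitioning the disk changes only PCR[5] and the secret still unseals, while any change to the IPL code changes PCR[4] and unseal refuses.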
EFI Architectures & Requirements
Security-enhanced firmware MAY be conventional BIOS, EFI, or a combination of BIOS and EFI
TCG currently drafting two industry-standard EFI specs
EFI Protocol Spec common to PC Clients and Servers
EFI Implementation Spec for PC Clients
Includes mapping of TPM PCR event measurements to EFI boot components
Microsoft is contributing to these specs
EFI support planned in the Longhorn OS loader
Draft TCG EFI specs are currently available to TCG member companies, at www.trustedcomputinggroup.com/members
Building a Secure Startup System
After system builder has:
Chosen a TPM 1.2 vendor
Committed a BIOS team to working on the extensions
What else is needed?
Build a TCG-defined “Host Platform” which includes:
Motherboard
Host processor(s)
TPM
Immutable part of firmware called the Static Core Root of Trust for Measurement (S-CRTM)
Other devices that connect directly to the CPU and interact directly with the CPU
Example Motherboard Requirement
The platform MUST perform a “Host Platform Reset” which may be:
Cold Boot Host Platform Reset,
Hardware Host Platform Reset, or
Warm Boot Host Platform Reset
Boot Strap Host processor MUST be reset & begin execution with the S-CRTM
All remaining Host Processors MUST be reset
The TPM MUST be reset
Execution of TPM_Init signal
TPM MUST NOT be reset without a Host Platform Reset
See TCG PC Client Specific Implementation Spec for Conventional BIOS v1.2, Revision 0.98 or later, at www.trustedcomputinggroups.org/members
Options And Trade-offs
After the Secure Startup functional requirements are met, the system builder has options to consider, including:
1:1 binding of TPM to platform
BIOS & CRTM architectures
Operational states of TPM & customer deployment scenarios
Longhorn Secure Startup
An OEM Cookbook…
Manny Novoa, Security Strategist, Personal Systems Group, Hewlett-Packard
TPM V1.2 Platform Requirement
1:1 binding of TPM to platform
System builders desire common motherboards across multiple platforms (may span consumer/commercial)
Modular TPM facilitates build process and serviceability
HOWEVER…
TCG Specification clearly dictates binding requirement
TPM bound to 1 and only 1 platform
Soldered to motherboard is well understood
Modular add-in requires cryptographic binding
Security target implication to demonstrate how TPM can not be used on another platform! This is not trivial!
Choice of binding has implications on platform cost and maintenance/serviceability!
TPM BIOS Impacts: CRTM
Two CRTM options for PC Architecture
Boot Block as CRTM
Immutable (fixed) code per TCG Specification
or…
Prove secure update process in “conformance” security target
Entire BIOS as CRTM
Prove secure update process in “conformance” security target
Challenge for most flash mechanisms in the runtime state!
TPM BIOS Impacts: Size Implications
S-CRTM TPM interface code adds 3KB to 6KB to boot block
F000 segment size limitation requires creative mapping of BIOS core
BIOS Setup must include TPM functions including enable/disable and factory reset (ForceClear)
RTM TPM interface code is now 32-bit
Mechanism required to transition from natural BIOS state to 32-bit mode
Physical Presence
Remote Deployment Consideration
Customers demand automated mechanism to activate and take ownership of TPM
However…
TCG specification conflicts in its physical presence requirements
New process is under review by PC Client Workgroup
Conduit to BIOS for command sequences requiring physical presence
S-CRTM must detect user presence (e.g. a button press), otherwise physical presence is locked
e.g. BIOS must distinguish a SW-initiated warm/cold boot from a physical pressing of the power button
Value-add opportunity in requiring platform administration credential
Platform builder action: ensure any existing remote deployment scripts migrate to support new physical presence process
TPM Ownership
TPM Services will handle the process of TPM ownership
Current TCG V1.1 implementations each have specific tools for ownership, which integrate to TSS stack
Ownership Blobs are NOT universally compatible
Blob exchange/process mechanism is currently in definition
Migration from TCG-enabled Windows XP and Windows 2000 platforms?
TCG-defined Migration/Maintenance facility may suffice where the Longhorn installation is treated as a new device/platform
Mechanism under evaluation/creation at Microsoft
Fresh Longhorn/Secure Startup installation
Platform builder must ensure only a single GUI for ownership (via the OS)
Information gathered must be provided seamlessly to TSS software layer
HP ProtectTools focus areas:
Pre-boot security
Single sign-on convenience
Multifactor authentication
Leverage infrastructure components (e.g. TPM)
Migration to Longhorn Secure Startup only affects Embedded Security & BIOS modules
Update to TPM V1.2
BIOS Integration of INT 1A, PCR measurements & physical presence
Securing CRTM
Other value-add modules focus on pre-boot or via well defined OS interfaces (CAPI, PKCS11, TSS)
Case Study: HP ProtectTools & Longhorn
(Diagram: HP ProtectTools Security Manager for client PCs, with the modules Smart Card Security, Credential Manager, BIOS Configuration and Embedded Security for HP ProtectTools)
ProtectTools Platform Lessons
Use highest level API whenever possible
CSP for CAPI allows TPM to function as any other crypto device/token
S/Mime support, IE integration for certs, etc.
PKCS#11 module for TPM
RSA SecurID, smart card support, USB crypto token support, etc.
Enhance Secure Startup with TPM and Smart Card pre-boot authentication
Independent of Secure Startup to prevent system boot without strong user authentication
Offers strong pre-OS credential storage
Enhanced by Secure Startup in offline scenario
(Diagram: App 1 … App N call PKCS#11 or CAPI/CSP, which sit on TSS/TCS, which sits on TBS)
Recap For System Builder (OEM)
Begin TPM 1.2 integration process
Standalone chip: Atmel, Infineon, ST Micro, …
Integrated: BroadCom (NIC), National (SIO), …
Ensure 1-1 binding of TPM to platform/motherboard
BIOS Implications
Immutable S-CRTM or define secure flash process
Support physical presence detection within CRTM
Space requirements to add Integrity measurement code and TPM interface code to S-CRTM and RTM
INT 1A support for runtime environment
Leverage TPM in tools/applications
Example: HP ProtectTools Credential Manager uses TPM to protect SSO store
Design value add to highest API level possible
Call to Action
Develop TPM applications using a TSS that’s been ported to TBS
Get on the list to receive “Secure Startup Design Guide” publication from Microsoft
Send e-mail to [email protected]
System builders send your reference platforms to Secure Startup test team at Microsoft for evaluation
Review the v1.2 TCG specifications at www.trustedcomputinggroup.org
Secure Startup Resources
For answers to questions about Secure Startup and related TPM Services
TCG Web Site: http://www.trustedcomputinggroup.org
Community Resources
Windows Hardware & Driver Central (WHDC): www.microsoft.com/whdc/default.mspx
Technical Communities: www.microsoft.com/communities/products/default.mspx
Non-Microsoft Community Sites: www.microsoft.com/communities/related/default.mspx
Microsoft Public Newsgroups: www.microsoft.com/communities/newsgroups
Technical Chats and Webcasts: www.microsoft.com/communities/chats/default.mspx
www.microsoft.com/webcasts
Microsoft Blogs: www.microsoft.com/communities/blogs
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.