Intel Trusted Execution Technology for Server Platforms : A Guide to More Secure Datacenters.
| Field | Value |
|---|---|
| Main Author | |
| Other Authors | |
| Format | eBook |
| Language | English |
| Published | Berkeley, CA : Apress L. P., 2013. |
| Edition | 1st ed. |
| Subjects | |
Table of Contents:
- Intro
- Contents at a Glance
- Contents
- Foreword
- About the Authors
- Acknowledgments
- Introduction
- Chapter 1: Introduction to Trust and Intel® Trusted Execution Technology
- Why More Security?
- Types of Attacks
- What Is Trust? How Can Hardware Help?
- What Is Intel® Trusted Execution Technology?
- Static Chain of Trust
- Dynamic Chain of Trust
- Virtualization
- Measured Launch Environment
- Finding Value in Trust
- Cloud Computing
- Attestation: The Founding Principle
- Value to System Software
- Cloud Service Provider/Cloud Service Client
- What Intel TXT Does Not Do
- Enhancements for Servers
- Including BIOS in the TCB
- Processor-Based CRTM
- Trusting the SMM
- Other Differences
- Impact of the Differences
- Roles and Responsibilities
- OEM
- Platform Owner
- Host Operating System
- Other Software
- Chapter 2: Fundamental Principles of Intel® TXT
- What You Need: Definition of an Intel® TXT-Capable System
- Intel® TXT-Capable Platform
- Intel TXT Platform Components
- Processor
- Chipset
- Trusted Platform Module (TPM)
- BIOS
- Authenticated Code Module (ACM)
- The Role of the Trusted Platform Module (TPM)
- TPM Interface
- Localities
- Control Protocol
- Random Number Generator (RNG)
- SHA-1 Engine
- RSA Engine and Key Generation
- Platform Configuration Registers (PCRs)
- Nonvolatile Storage
- Attestation Identity Key (AIK)
- TPM Ownership and Access Enforcement
- Cryptography
- Symmetric Encryption
- Asymmetric Encryption
- Cryptographic Hash Functions
- Why It Works and What It Does
- Key Concepts
- Measurements
- Secure Measurements
- Static and Dynamic Measurements
- The Intel TXT Boot Sequence
- Measured Launch Process (Secure Launch)
- Protection Against Reset Attacks
- Launch Control Policy
- Platform Configuration (PCONF)
- Trusted OS Measurements (MLE Element)
- Protecting Policies
- Sealing
- Attestation
- Summary
- Chapter 3: Getting It to Work: Provisioning Intel® TXT
- Provisioning a New Platform
- BIOS Setup
- Enable and Activate the Trusted Platform Module (TPM)
- Enable Supporting Technology
- Enabling Intel® TXT
- Summary of BIOS Setup
- Automating BIOS Provisioning
- Establish TPM Ownership
- What Is TPM Ownership? Why Is This Important?
- How to Establish TPM Ownership
- Pass-Through TPM Model
- Remote Pass-Through TPM Model
- Management Server Model
- Protecting Authorization Values
- Install a Trusted Host Operating System
- VMware ESXi Example
- Linux Example (Ubuntu)
- Create Platform Owner's Launch Control Policy
- How It Works
- What LCP Does
- Specifying Platform Configuration: The PCONF Element
- Specifying Trusted Operating Systems: The MLE Element
- Specifying Trusted ACMs
- Specifying a Policy of "ANY"
- Revoking Platform Default Policy
- Why Is PO Policy Important?
- Prevent Interference by the Platform Supplier Policy
- Establishing Trusted Pools
- Reduce the Need for Remote Attestation
- Reset Attack Protection
- Considerations
- Summary
- Chapter 4: Foundation for Control: Establishing Launch Control Policy
- Quick Review of Launch Control Policy
- When Is Launch Control Policy Needed?
- Remote Attestation
- What Does Launch Control Policy Deliver?
- PCR0: CRTM, BIOS, and Host Platform Extensions
- PCR1: Host Platform Configuration
- PCR2, 3: Option ROM Code and Configuration Data
- PCR4, 5: IPL Code and Configuration Data
- PCR6: State Transition and Wake Events
- PCR7: Host Platform Manufacturer Control
- Platform Configuration (PCONF) Policy
- Specifying Trusted Platform Configurations
- Tools Needed for Creating a PCONF Policy
- Difficulties with Using PCONF Policy
- Specifying Trusted Host Operating Systems
- Tools Needed for Creating MLE Policy
- Options and Tradeoffs
- Impact of SINIT Updates
- Impact of Platform Configuration Change
- Impact of a BIOS Update
- Impact of OS/VMM Update
- Managing Launch Control Policy
- Think Big
- Use a Signed List
- Make Use of Vendor-Signed Policies
- Use Multiple Lists for Version Control
- Using the Simplest Policy
- Other Tips
- Strategies
- Impact of Changing TPM Ownership
- Decision Matrix
- Chapter 5: Raising Visibility for Trust: The Role of Attestation
- Attestation: What It Means
- Attestation Service Components
- Endpoint, Service, and Administrative Components
- Attestation Service Component Capabilities
- Administrative Component Capabilities
- Attestation in the Intel TXT Use Models
- Enabling the Market with Attestation
- OpenAttestation
- Mt. Wilson
- How to Get Attestation
- Chapter 6: Trusted Computing: Opportunities in Software
- What Does "Enablement" Really Mean?
- Platform Enablement: The Basics
- Platform Enablement: Extended
- Provisioning
- Updates
- Attestation
- Reporting and Logging
- Operating System and Hypervisor Enablement
- Enablement at Management and Policy Layer
- Provisioning
- Updates
- Attestation
- Reporting and Logging
- Enablement at the Security Applications Layer
- Chapter 7: Creating a More Secure Datacenter and Cloud
- When Datacenter Meets the Cloud
- The Cloud Variants
- Cloud Delivery Models
- Intel TXT Use Models and the Cloud(s)
- The Trusted Launch Model
- Trusted Compute Pools: Driving the Market
- Extended Trusted Pools: Asset Tags and Geotags
- Compliance: Changing the Landscape
- Chapter 8: The Future of Trusted Computing
- Trust Is a Foundation
- More Protections and Assurance
- Is There Enough to Trust?
- Measures at Launch Time
- What Intel TXT Measures
- The Whitelist Approach
- The Evolution of Trust
- Trusted Guest
- End-to-End Trust
- Runtime Trust
- The Trust and Integrity "Stack"
- Index