Trusted Computing Platform Alliance (TCPA)

TCPA uses the following definition of trust:

  • “A trusted component, operation, or process is one whose behaviour is predictable under almost any operating condition and which is highly resistant to subversion by application software, viruses, and a given level of physical interference.”

Desirable trustworthiness

The platform owner and user should be able to trust the configuration of the platform.

  • e.g., that it is not running malicious or unauthorized software that could compromise sensitive information.

Remote attestation

  • A platform should be able to attest information about its current configuration to another platform in a manner that the second platform can trust.

  • It allows an entity to authenticate the software configuration of a platform that is not under its control.

Trusted Platform Module (TPM)

Cryptographic component in the platform.

Provides a range of cryptographic primitives.

  • Random number generation

  • Hashing

  • Symmetric encryption/decryption

  • Asymmetric key-pair generation, encryption/decryption, signing/verification

  • Protected storage for keys

TPM types

Discrete

Implemented by a discrete chip.

Chip designed, built and evaluated for the highest level of security.

  • Can resist tampering with the chip.

  • Can resist probing, freezing and other sophisticated physical attacks.

Highest level of security.

Integrated

A hardware TPM.

  • But integrated into a chip that provides other functions.

Resistant to software bugs.

  • But not designed to be tamper-resistant.

Security is very high.

Firmware

Implemented in protected software.

  • The code runs on the main CPU.

    • A separate chip is not required.

  • The code runs in a protected execution environment.

    • Trusted Execution Environment (TEE).

    • The TEE separates it from the rest of the programs running on the CPU.

  • Secrets needed by the TPM can be kept in the TEE.

    • Creating a more difficult path for hackers.

No tamper resistance.

  • Depends on many additional aspects to keep it secure (e.g. TEE).

Security is high.

Software

Implemented in software.

Good for developing a TPM-based prototype.

Security is not a goal of this type.

Virtual

For cloud environments.

Provided by the hypervisor.

Security is high.

TPM types and needs

Trust element   Security level   Security features     Relative cost   Typical application
Discrete        Highest          Tamper-resistant HW   $$$$$           Critical systems
Integrated      Higher           HW                    $$$$            Gateways
Firmware        High             TEE                   $$$             Entertainment systems
Software        N/A              N/A                   $$              Testing & prototyping
Virtual         High             Hypervisor            $               Cloud environments

TCPA root of trust

Core Root of Trust for Measurement (CRTM).

  • BIOS trusted boot block.

The CRTM hashes the BIOS before any code other than the CRTM itself is executed.

  • The result is stored in a TPM register.

  • Platform Configuration Register (PCR)

TPM PCR (Platform Configuration Register)

A register that cannot be deleted or set; it can only be reset on power-on or extended.

Its value is the result of a hash chain: each new value to be stored is hashed together with the current PCR value.

  • The result becomes the new PCR value.

  • PCR_{i+1} = hash(PCR_i, value to extend)

  • All stored values are logged for validation.

The purpose of a PCR is to act as a validator for the measurement log.
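The extend rule and the log validation it enables, as an added example that is not part of the original notes: one simulated SHA-256 PCR, a CRTM-style boot that measures each stage before running it, and a verifier that replays the event log and must reproduce the TPM-held PCR value. Component names and bytes are constructed sample data.

```python
import hashlib

# Added example (not from the original notes): one simulated SHA-256 PCR bank,
# a CRTM-style boot that measures-then-extends, and a verifier that replays the
# event log. Component names and bytes below are constructed sample data.
HASH = hashlib.sha256
PCR_INITIAL = b"\x00" * HASH().digest_size   # a PCR is all-zero after power-on

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR_{i+1} = hash(PCR_i || measurement): the only operation that changes a PCR."""
    return HASH(pcr + measurement).digest()

def measure(component: bytes) -> bytes:
    """A measurement is the hash of the component, taken before it executes."""
    return HASH(component).digest()

def boot(components):
    """Measure each stage before running it, extend the PCR and log the event."""
    pcr, log = PCR_INITIAL, []
    for name, code in components:
        m = measure(code)
        pcr = pcr_extend(pcr, m)
        log.append((name, m))
    return pcr, log

def replay_log(log) -> bytes:
    """Verifier side: recompute the final PCR from the (untrusted) log alone."""
    pcr = PCR_INITIAL
    for _name, m in log:
        pcr = pcr_extend(pcr, m)
    return pcr

def log_is_valid(pcr_value: bytes, log) -> bool:
    """The log is trustworthy only if replaying it reproduces the TPM-held PCR."""
    return replay_log(log) == pcr_value

# Constructed sample boot chain and the golden PCR a verifier would expect.
BOOT_CHAIN = [("bios", b"bios-image-v1"), ("bootloader", b"grub-v2"), ("kernel", b"vmlinuz-6.1")]
GOLDEN_PCR, GOLDEN_LOG = boot(BOOT_CHAIN)

if __name__ == "__main__":
    pcr, log = boot(BOOT_CHAIN)
    print("log replays to PCR:", log_is_valid(pcr, log))
    # A log entry edited after the fact no longer replays to the PCR value.
    tampered_log = log[:2] + [("kernel", measure(b"patched-kernel"))]
    print("tampered log detected:", not log_is_valid(pcr, tampered_log))
    # Swapping stages changes the PCR too: the chain encodes order, not just content.
    reordered_pcr, _ = boot(list(reversed(BOOT_CHAIN)))
    print("order matters:", reordered_pcr != GOLDEN_PCR)
```

The log itself is ordinary memory and can be edited; the PCR cannot, which is why replaying the log into the PCR value is the check that matters.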

TPM PCR banks

Groups of PCR registers, one group (bank) per hash function.

The BIOS can deactivate banks. The BIOS can only use banks for which it knows (implements) the hash functions.

Allocation within a bank (24 PCRs).

  • 0-7: SRTM

  • 8-15: OS measurements

  • 16-23: DRTM

TPM authorization PCR

An authorization PCR is one whose value is used to unlock a TPM-protected secret.

  • e.g. a disk encryption key.

  • e.g. VPN endpoint authentication key.

It allows a system that boots as expected to access secrets without human intervention.

Example

Microsoft BitLocker

  • BitLocker encrypts the file system.

  • The secret key can be stored inside TPM.

  • The secret key is released automatically when the boot proceeds as expected.

    • It is recovered by the Microsoft boot loader.

  • Otherwise, the Windows OS will not launch.

Boot Modes

Secure boot

  • The boot is terminated if a PCR value does not match an expected value.

Authenticated boot (or trusted boot)

  • Values are stored in PCR registers as the boot proceeds.

  • These values can be checked a posteriori.

  • The platform can end up in any arbitrary state.

MS Windows measured boot

Authenticated boot.

TPM records the chain of measurements of software components and configuration information through the initialization of the Windows operating system.

  • Previously the measurement chain stopped at the Windows Boot Manager component.

  • The measurements in the TPM did not help to understand the starting state of Windows.

Measured information.

  • Software: kernel, early-launch anti-malware drivers, and boot drivers.

  • Configuration settings: malware signatures, Windows security features.

Remote attestation

Remote verification that a host booted properly.

  • The boot process ran as expected

  • It does not mean the system is secure!

It relies on authenticated boots.

  • The TPM provides all PCR values of the last boot.

  • The TPM device signs this data set.

  • PCR quote

    • Signed PCR report.

    • Includes a nonce provided by the remote verifier to ensure freshness.
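The quote exchange above, as an added example that is not part of the original notes: the attester signs (nonce, PCR selection, PCR digest), and the verifier checks the signature, accepts each nonce only once, and compares the reported PCRs with golden values. One labelled simplification: the attestation key is an HMAC secret shared with the verifier, whereas a real TPM signs quotes with an asymmetric attestation key whose public half the verifier holds; all keys and PCR values are constructed.

```python
import hashlib
import hmac
import json
import os

# Added example (not from the original notes). Simplification, labelled as such:
# the attestation key is an HMAC secret shared with the verifier; a real TPM signs
# quotes with an asymmetric attestation key whose public half the verifier holds.
AIK_SECRET = b"constructed-attestation-key"   # constructed sample key

def pcr_digest(pcrs: dict) -> bytes:
    """Digest over a PCR selection in index order, the value a quote actually signs."""
    h = hashlib.sha256()
    for idx in sorted(pcrs):
        h.update(bytes([idx]) + pcrs[idx])
    return h.digest()

def tpm_quote(pcrs: dict, nonce: bytes, key: bytes = AIK_SECRET):
    """Attester side: a PCR quote = signed (nonce, PCR selection, PCR digest)."""
    attested = {"nonce": nonce.hex(), "pcr_select": sorted(pcrs),
                "pcr_digest": pcr_digest(pcrs).hex()}
    msg = json.dumps(attested, sort_keys=True).encode()
    return attested, hmac.new(key, msg, hashlib.sha256).digest()

class Verifier:
    """Remote side: issues single-use nonces and checks quotes against golden PCRs."""
    def __init__(self, golden_pcrs: dict, key: bytes = AIK_SECRET):
        self.golden, self.key, self.outstanding = golden_pcrs, key, set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, attested: dict, signature: bytes, reported_pcrs: dict) -> str:
        msg = json.dumps(attested, sort_keys=True).encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "bad signature"
        nonce = bytes.fromhex(attested["nonce"])
        if nonce not in self.outstanding:
            return "stale or unknown nonce"      # replayed or unsolicited quote
        self.outstanding.discard(nonce)         # each nonce is accepted once
        if attested["pcr_digest"] != pcr_digest(reported_pcrs).hex():
            return "reported PCRs do not match signed digest"
        if any(reported_pcrs.get(i) != v for i, v in self.golden.items()):
            return "PCR values differ from golden"   # booted, but not as expected
        return "ok"
```

An "ok" result only says the boot matched the golden measurements; as the notes state, it says nothing about vulnerabilities in the software that was measured.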
