Intel® Trusted Execution Technology (Intel® TXT) is a collection of hardware-based security technologies built into Intel’s silicon. They address the security threats across physical and virtual infrastructure by complementing runtime protections like anti-virus software. Intel TXT is also a hardware-based method of verification in compliance efforts such as trusted computing environment. Intel TXT is designed to harden platforms from the emerging threats of hypervisor attacks, BIOS, or other firmware attacks, malicious root kit installations, or other software-based attacks.
Intel TXT allows software to define a safe, isolated execution space within the larger system. Controls on this execution space allow operations to be executed without being observed or influenced by unauthorized software. Multiple of these execution spaces may exist on the system at once, and each has dedicated resources that are managed by the processor, chipset, and OS kernel. There are many parts that make Intel TXT work within a server. But there isn’t a good publicly-available utility to validate that all these components are available and functional for server systems. In this blog, I will provide a brief overview of the components and the reference information, address the how-to setup Intel TXT supported environment, and the availability of hardware and software.
Figure 1 –Intel TXT Components
A Brief Overview of Intel TXT Described Here:
- Intel® Xeon® processor with Intel TXT - provides simultaneous support for a standard partition, and one or more protected partitions. The standard partition corresponds to the traditional execution environment on PCs that do not support Intel TXT. The partition allows conventional applications to execute normally without being modified. Protected partitions provide hardened access to memory and other system resources, and isolate execution from other processes.
- Measured Launched Environment (MLE) – a software verification process of all the critical components of the launch environment against a known good source.
- Intel chipset with Intel VT that provides the isolation capabilities for measured launch. Memory protection policy is enforced by means of extensions to the chipset, along with various enhancements to data-access mechanisms that help to ensure the protection of that data. The chipset also provides protected channels to graphics hardware and input/output devices on behalf of the protected partitions, protecting the transfer of data throughout the system.
- Intel TXT enabled BIOS, Authenticated Code Modules (ACM) created and signed by Intel inside the BIOS, and Trusted Platform Modules (TPM) integrated onto the motherboard that provides securely-generated cryptographic keys. This is a hardware-based mechanism that stores cryptographic keys and other data related to Intel TXT within the platform. It also provides hardware support for the attestation process to confirm the successful invocation of the Intel TXT environment. The attestation process uses the TPM to establish mutual trust between parties regarding execution environment during runtime.
Virtual Machine Monitor (VMM) – an Intel TXT aware hypervisor provides isolation for the OSs and applications that will make use of Intel TXT.
At this point, you should understand the components. The following is an example of a high level Intel TXT setup capable system:
- A server with Intel® Xeon processor 5600 series and Intel chipset that support the TXT (refer to the Intel® Trusted Execution Technology Server Platform Availability Matrix)
- Sufficient memory and hard disk space to support a virtual environment
- Requirements: VMware*5.1, a HYTRUST* Security Appliance that installs as a virtual machine in a virtual environment to validate and enforce a secure environment
Setting up the environment
- BIOS setup:
- Under the processor configuration in the system BIOS, select Intel TXT
- Enable and set admin password
- Under security, enable TPM to “on” and “functioning”
- Save the settings
- Reboot the system
- Hypervisor setup:
- For VMotion operation, install and set up VMware 5.1 and your virtual machines (VMs)
- Ensure that you have the latest HyTrust appliance 2.5.3 or later
- Set up VMotion policies (ensuring that VMs don’t migrate to untrusted hosts without going through the HyTrust appliance first)
- Under Linux:
- Run the tboot installation package – Trusted Boot (tboot) is an open source, pre- kernel/VMM module that uses Intel TXT to perform a measured and verified launch of an OS kernel/VMM
- Download the SINIT ACM for the system (from Intel® Trusted Execution Technology)
- Move the SINIT file to the “/boot/directory”
- Example: >mv <SINIT FILE>/boot
- Run the TCSD Daemon
- Example: >/etc/init.d/tcsd start
- Install the TCG software stack – open source software stack
- Modify the “GRUB” file to boot to the new tboot kernel
- Verify that the platform configuration registers(PCRs) are populating and Intel TXT measured launch equals “true”
- Security Appliance Setup
- Add the HYTRUST* appliance as VM within the VMware environment
Note: Depending on the environment, the setup for security policy configuration and HyTrust configuration can be complex and time consuming.
The next two sections have references to help you setup an Intel TXT environment for your server. The references can help you determine the type of environment and what hardware/software that you will need to setup.
What hardware and software options are available today? Looking for the right combination of HW and SW were a challenge for me; thus, I thought that it would useful to centralize the information in a quick blog and share it for general public consumption.
- Intel® Trusted Execution Technology Server Platform Availability Matrix - this list will help you to determine which platforms and operating environments support Intel TXT.
- SINIT ACM kit: http://software.intel.com/en-us/articles/intel-trusted-execution-technology/ - This list provides a hardware- based root of trust to ensure that a platform boots with a known good configuration of firmware, BIOS, virtual machine monitor, and operating system.
How to setup Intel TXT-compliant environment? There are a variety of solutions available for setting up Intel TXT environment using the Intel architecture. The reference guides below can help with the setup. The OEM you choose can further assist in verifying that your system is Intel TXT-compliant and contains all required components:
- Trusted Computing and Security with HyTrust* and VMware
- Guide: Cloud Design, Deployment, and Enhanced Security
- Intel® Cloud Builders Guide: Power Management & Security within Open Source Private Cloud with Intel & OpenStack
- Intel® Cloud Builders Guide: Enhancing Cloud Platform Security with Enomaly ECP* HAE and Dell PowerEdge* Servers
- Intel® Cloud Builders Guide: Parallels* Security Monitoring and Service Catalog for Public Cloud VPS Services
Intel Trusted Execution Technology is available today on selected platforms. The platform availability matrix and the builder guides are for your reference. They are there to help you design and setup your secure environment. If you have other solutions, I would encourage you to share them, so we can learn as a community.
- All about TXT: http://www.intel.com/txt
- Intel® Trusted Execution Technology Server Platform Availability Matrix
- Malware Protection with Intel® Trusted Execution Technology
- Intel® Trusted Execution Technology
- Intel® Trusted Execution Technology Programmer Guide
- Intel® Trusted Execution Technology Evolves Integrity
- Cloud Builders: Enhanced Cloud Security with HyTrust*, VMware*
- Intel® TXT overview animation
- Get your questions answered: email to firstname.lastname@example.org