Systems that support isolated execution of code within protected hardware partitions are now available using Intel® Trusted Execution Technology. This set of capabilities helps guard sensitive data from other operations occurring on the same system. As it becomes deployed on mainstream systems, software providers that prepare their solutions to execute on protected partitions can offer their customers functionality that differentiates those products within their market segments.
Intel® Trusted Execution Technology (Intel® TXT) is a component of Intel® vPro™ processor technology, a set of innovative technologies from Intel that provide next-generation manageability and security for the business PC. Other key features of this platform include Intel® Active Management Technology (Intel® AMT) and Intel® Virtualization Technology (Intel® VT).
By providing a hardware-based security foundation, Intel TXT provides greater protection for information that is used and stored on the business PC. A key aspect of that protection is the provision of an isolated execution environment and associated sections of memory where operations can be conducted on sensitive data, invisibly to the rest of the system. Likewise, Intel TXT provides for a sealed portion of storage where sensitive data such as encryption keys can be kept, helping to shield them from being compromised during an attack by malicious code. To make sure that code is, in fact, executing in this protected environment, attestation mechanisms verify that the system has correctly invoked Intel TXT. These capabilities complement other key features of Intel vPro processor technology, including Intel AMT and Intel VT.
Intel AMT enhances the security and central remote management of business PCs by providing a firmware-based out-of-band communication channel through which a management console can reach the PC even when it is powered off or the operating system (OS) is non-functional or missing. A management engine within the PC chipset stores authentication information in non-volatile memory that it uses to pass information across the same physical network interface used by the host OS, but with its own logical identity and IP address. This mechanism allows system administrators to dramatically extend their management reach, including the ability to remotely discover hardware and software, power machines up and down, and deploy security patches and other software, regardless of system state. Using Intel AMT, support organizations can also isolate PCs from the rest of the network if they become compromised by malware.
Intel VT allows simpler and more robust virtualization than software-only solutions by means of a new hardware layer that provides a hardware assist to virtualization. This layer reduces the complexity of the virtual machine monitor (VMM) and eliminates compute-intensive software translations in the virtualization software by enabling a new, higher privilege mode for VMM operation. This innovation directly benefits Intel TXT by reducing the overhead associated with system virtualization and allowing the guest operating system (OS) and applications to run in their intended mode. Intel VT is fully supported by leading providers of virtual machine monitor software. Intel VT offers software vendors reduced costs and risk, improved reliability and availability, enhanced security, and simpler VMM development.
Security threats are increasing in volume, diversity, and sophistication at the same time that high-value, sensitive data is more commonly being generated, used, and stored on standard business PCs. These client PCs are typically lightly protected in comparison to servers and network access devices, where the traditional focus of network protection has been. Coupled with the fact that a compromised PC may offer the means to obtain access to servers and other network assets, these characteristics have created an incentive for hackers to focus their efforts on client computing platforms.
Attack tools are widely available on the Internet, and IT organizations too often find themselves in a reactive mode in trying to fend off malicious intruders. The diversity and flexibility of intrusion attempts has largely outpaced the ability of today's protection models to cope with them. As vulnerabilities in popular operating systems and application software are publicized, exploits are generated, often before security patches can be created to guard against them.
Even when such patches are available, organizations typically must test them for compatibility with their business systems to ensure that they will not interfere with day-to-day operations. This requirement increases the window of vulnerability to attack. Moreover, even if security patches have been applied to guard against a particular exploit, variants of the original attack may be developed very rapidly, reducing the ability of defenses to counter them.
Financial incentives associated with the theft of data will continue to grow and encourage attempts to breach system defenses. Because of the increasing significance of the business PC in overall security, it has become necessary for IT organizations to look beyond perimeter defenses in protecting their networks. Those factors have created the need and opportunity for a hardened client system architecture that provides hardware-level support for security.
The primary goal of Intel TXT is to provide the ability for software to define a safe, isolated execution space within the larger system. Controls on this execution space disallow any unauthorized software from observing or interacting with the operations being performed there. Multiple such execution spaces may exist on the system at once, and each has dedicated resources that are managed by the processor, chipset, and OS kernel. The architecture that underlies this capability encompasses features within a number of system components:
IT departments typically face challenges in trying to control cost of ownership while maintaining robust security practices. At the same time, it is clear that the cost of preventing a malware exploit is far less than remediation after the fact. Proactive security that can guard against resources being compromised depends upon the use of policies to automate the process of systems protection.
The implementation of proactive security in the context of Intel TXT begins before the system boots, in the form of policies that are put into place in order to ensure that system integrity is intact during the boot process. Intel TXT provides mechanisms that can be used to establish a system as trusted. At a very high level, the mechanism consists of starting trusted code and using it to establish that the next piece of code to be run is good code, which in turn establishes the integrity of the piece of code after it, and so on throughout the boot process. The mechanism can be conceptualized as incorporating four steps: measure, extend, verify, and execute.
Using this chain of verification processes, Intel TXT can ensure that system integrity is intact, and that the operating environment is trustworthy.
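The measure, extend, verify, execute cycle described above, as an added software model that is not Intel's code and not how the hardware is implemented: a real Intel TXT launch measures components into TPM platform configuration registers and has the processor and the SINIT authenticated code module enforce the launch policy, whereas this example keeps a simulated measurement register in memory. The stage names, component bytes, and policy format are constructed for illustration. What it does show is the property that makes the chain work: the register can only be extended, never set, so a modified component changes every subsequent value, and the verify step halts the chain before the modified code runs.

```python
"""Measure / extend / verify / execute: a software model of a chain of trust.

Added example, not Intel code. A simulated measurement register stands in
for a TPM PCR; SHA-256 stands in for the TPM's hash algorithm. Stage names,
component contents and the policy format are constructed for illustration.
"""
import hashlib

class MeasurementRegister:
    """Append-only register: new = H(old || H(component)).

    There is deliberately no setter; the only way to change the value is
    extend(), so the final value commits to every component and their order.
    """
    def __init__(self):
        self.value = bytes(32)   # reset value at power-on: all zeros
        self.log = []            # event log of (stage, component digest)

    def extend(self, stage: str, component: bytes) -> bytes:
        digest = hashlib.sha256(component).digest()           # measure
        self.value = hashlib.sha256(self.value + digest).digest()  # extend
        self.log.append((stage, digest.hex()))
        return self.value

def build_policy(boot_chain):
    """Run a known-good chain once and record the expected register value
    after each stage. This is what a policy author ships to the platform."""
    reg = MeasurementRegister()
    return {stage: reg.extend(stage, code).hex() for stage, code in boot_chain}

def trusted_boot(boot_chain, policy):
    """Measure and extend each stage, verify against the policy, and only
    then 'execute' it. Returns (ok, executed_stages, reason)."""
    reg = MeasurementRegister()
    executed = []
    for stage, code in boot_chain:
        measured = reg.extend(stage, code).hex()
        if policy.get(stage) != measured:                      # verify
            return False, executed, f"{stage}: measurement mismatch, halting before execution"
        executed.append(stage)                                 # execute
    return True, executed, "chain intact"

# Constructed stand-ins for the components of a launch; real ones are binaries.
GOOD_CHAIN = [
    ("sinit_acm", b"authenticated code module v1"),
    ("mle", b"measured launch environment: vmm core"),
    ("guest_kernel", b"guest os kernel image"),
]

if __name__ == "__main__":
    policy = build_policy(GOOD_CHAIN)
    print(trusted_boot(GOOD_CHAIN, policy))
    tampered = list(GOOD_CHAIN)
    tampered[1] = ("mle", b"measured launch environment: vmm core + implant")
    print(trusted_boot(tampered, policy))
```

Two things are worth noticing when running it. A single changed byte in the second stage is caught at the second verify step, so the third stage is never executed even though its own bytes are untouched. And reordering two stages produces a different final register value, which is why the policy can be a single expected value per stage rather than a list of allowed components.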
The primary advantage of Intel TXT from the end-user perspective is that it provides more secure computing by means of protected launch of the operating environment and applications. That increase in security helps to protect sensitive information, which in turn protects the organization as a whole. This capability can reduce the overall support burden on the IT organization by preventing security breaches that may lead to costly and time-consuming remediation activities. Organizations as a whole may realize benefits such as the following:
By supporting these capabilities, software makers can differentiate their products in their market segments, identifying themselves as security leaders and establishing new usage models for security-conscious user groups, such as government, financial, and research institutions. It also provides the basis for innovative solutions that deliver increased levels of protection and trustworthiness to their customers, enabling more unconstrained growth of computing resources.
Note that Intel TXT is an 'opt-in' technology, and Intel will continue to provide CPUs and chipsets both with and without these capabilities. Capabilities also exist to programmatically identify whether Intel TXT capabilities exist and are enabled on a given system.
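As an added example of the programmatic check mentioned above (not Intel's code, and not taken from any tool on the page), the following Linux script reads the two places where a platform reports whether Intel TXT exists and is enabled: the SMX feature bit in CPUID leaf 1 (ECX bit 6), which the Linux kernel exposes as the `smx` flag in `/proc/cpuinfo`, and the IA32_FEATURE_CONTROL model-specific register (0x3A), in which firmware sets the SENTER global enable (bit 15) and local function enables (bits 14:8) and then locks the register (bit 0). The sample `/proc/cpuinfo` text and the sample MSR values are constructed; reading the real MSR needs root and the `msr` kernel module. The requirement that all seven local enables be set is this example's conservative choice, not a statement from the page.

```python
"""Detect whether Intel TXT is supported and enabled on a Linux host.

Added example, not Intel's code. Sources of truth:
  - CPUID.01H:ECX[6] (SMX), exported by Linux as the 'smx' flag in /proc/cpuinfo
  - IA32_FEATURE_CONTROL MSR 0x3A: bit 0 lock, bits 14:8 SENTER local function
    enables, bit 15 SENTER global enable (Intel SDM, vol. 3)
The sample inputs at the bottom are constructed so the script runs offline.
"""
import struct

IA32_FEATURE_CONTROL = 0x3A
LOCK_BIT = 1 << 0
SENTER_LOCAL_MASK = 0x7F << 8     # bits 14:8
SENTER_GLOBAL_BIT = 1 << 15

def cpu_flags(cpuinfo_text: str) -> set:
    """Return the flag set from the first 'flags' line of /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()

def has_smx(cpuinfo_text: str) -> bool:
    """Safer Mode Extensions present means the CPU implements GETSEC (Intel TXT)."""
    return "smx" in cpu_flags(cpuinfo_text)

def decode_feature_control(msr: int) -> dict:
    """Decode the Intel TXT related bits of IA32_FEATURE_CONTROL."""
    return {
        "locked": bool(msr & LOCK_BIT),
        "senter_global_enable": bool(msr & SENTER_GLOBAL_BIT),
        "senter_local_enables": (msr & SENTER_LOCAL_MASK) >> 8,
    }

def txt_status(cpuinfo_text: str, msr: int) -> str:
    """'unsupported' (no SMX), 'disabled' (SMX present, firmware has not enabled
    SENTER), or 'enabled' (global enable and all local enables set). The lock bit
    is reported separately by decode_feature_control(); an unlocked register after
    boot means firmware never finalized the setting."""
    if not has_smx(cpuinfo_text):
        return "unsupported"
    fc = decode_feature_control(msr)
    if fc["senter_global_enable"] and fc["senter_local_enables"] == 0x7F:
        return "enabled"
    return "disabled"

def read_msr(cpu: int = 0, msr: int = IA32_FEATURE_CONTROL) -> int:
    """Read a 64-bit MSR through the Linux msr driver (root, 'modprobe msr')."""
    with open(f"/dev/cpu/{cpu}/msr", "rb", buffering=0) as f:
        f.seek(msr)
        return struct.unpack("<Q", f.read(8))[0]

# Constructed sample: a flags line as the kernel would print it, with smx present.
CPUINFO_SAMPLE = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce sse sse2 ht vmx smx est tm2 ssse3\n"
)

if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as f:
            text = f.read()
        value = read_msr()
    except OSError:                     # not Linux, not root, or msr module absent
        text, value = CPUINFO_SAMPLE, 0xFF01
    print(txt_status(text, value), decode_feature_control(value))
```

On a production fleet the useful signal is the combination: SMX present but `disabled` means the platform can run Intel TXT and firmware policy has not turned it on, while `enabled` with `locked` false is a configuration worth flagging because the register can still be changed before the lock is applied.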
Many usage models associated with Intel TXT involve the use of an Intel VT-enabled VMM. VMMs provide isolation for OSs and applications that will make use of Intel TXT. That scenario allows for running a number of protected partitions, each in its own virtual machine (VM). It should be noted, however, that Intel TXT can launch an environment other than a VMM. This section captures some noteworthy considerations associated with the use of Intel TXT with and without a VMM:
Potential usages of the MLE in the absence of a VMM include the following:
While these and other models are possible in the absence of widely-deployed VMMs, the real value of Intel TXT to be realized by software makers will be seen in the next generation of software, to be deployed in the 2008-2009 timeframe. As virtualization continues to become a mainstream technology that is more widely deployed by businesses of all sizes, software solutions that can take advantage of it to provide a trusted execution environment using Intel TXT stand to gain a competitive advantage in their market segments as they differentiate themselves from their competitors.
Intel Trusted Execution Technology is available today on selected platforms, to encourage software developers to use it in research environments to assist in creating the next generation of security innovation. The growing community of developers working to create the first generation of software for Intel TXT consists of large and small security, management, and virtualization software makers.
As the ecosystem surrounding this technology continues to develop, Intel will work with those software vendors who take an interest in moving it forward. Please direct inquiries about engineering assistance and development issues to email@example.com.
The following materials provide a point of departure for further research on this topic:
Matt Gillespie is an independent technical author and editor working out of the Chicago area and specializing in emerging hardware and software technologies. Before going into business for himself, Matt developed training for software developers at Intel Corporation and worked in Internet Technical Services at California Federal Bank. He spent his early years as a writer and editor in the fields of financial publishing and neuroscience.