Intel® Trusted Execution Technology (Intel® TXT) is a collection of hardware-based security technologies built into Intel’s silicon. They address security threats across physical and virtual infrastructure by complementing runtime protections such as anti-virus software. Intel TXT also provides a hardware-based method of verification for compliance efforts such as establishing a trusted computing environment. Intel TXT is designed to harden platforms against emerging threats such as hypervisor attacks, BIOS or other firmware attacks, malicious rootkit installations, and other software-based attacks.
Intel TXT allows software to define a safe, isolated execution space within the larger system. Controls on this execution space allow operations to be executed without being observed or influenced by unauthorized software. Several of these execution spaces may exist on the system at once, and each has dedicated resources that are managed by the processor, chipset, and OS kernel. Many parts have to work together for Intel TXT to function within a server, but there isn’t a good publicly available utility to validate that all of these components are present and functional on server systems. In this blog, I will give a brief overview of the components and the reference information, explain how to set up an Intel TXT-supported environment, and cover the availability of hardware and software.
Figure 1 – Intel TXT Components
At this point, you should understand the components. The following is an example of a high-level Intel TXT-capable setup:
- BIOS setup:
- Hypervisor setup:
- Under Linux:
- Security appliance setup:
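As an added example that is not part of the original post, here is a small POSIX shell pre-flight check for the Linux step above: it reports whether the CPU features Intel TXT depends on (VT-x and SMX), a TPM, and an IOMMU (VT-d) are visible to the OS. The /proc and sysfs paths are standard Linux interfaces; the function names and the --run switch are my own.

```shell
#!/bin/sh
# Added pre-flight check (not from the original post): reports whether the platform
# pieces Intel TXT depends on are visible to a Linux OS. It only reads standard kernel
# interfaces; the paths are parameters so captured copies from a server can be checked.

# has_cpu_flag FLAG [CPUINFO]: succeeds if FLAG is in the first "flags" line.
# vmx = VT-x (for the measured hypervisor); smx = Safer Mode Extensions, the
# GETSEC instructions TXT's measured launch is built on.
has_cpu_flag() {
    file=${2:-/proc/cpuinfo}
    grep '^flags' "$file" | head -n 1 | tr ' ' '\n' | grep -qx -- "$1"
}

# sysfs_class_populated DIR: succeeds if the kernel registered a device there.
sysfs_class_populated() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# txt_readiness [CPUINFO] [TPM_DIR] [IOMMU_DIR]: prints one PASS/FAIL line per
# check and returns the number of failures (0 = all OS-visible prerequisites found).
# BIOS enablement of TXT and a SINIT ACM are not visible here; confirm those in
# BIOS setup and with the OEM.
txt_readiness() {
    cpuinfo=${1:-/proc/cpuinfo}
    tpm_dir=${2:-/sys/class/tpm}
    iommu_dir=${3:-/sys/class/iommu}
    failed=0
    for flag in vmx smx; do
        if has_cpu_flag "$flag" "$cpuinfo"; then
            echo "PASS: CPU flag $flag present"
        else
            echo "FAIL: CPU flag $flag missing"; failed=$((failed + 1))
        fi
    done
    if sysfs_class_populated "$tpm_dir"; then
        echo "PASS: TPM registered under $tpm_dir"
    else
        echo "FAIL: no TPM under $tpm_dir"; failed=$((failed + 1))
    fi
    if sysfs_class_populated "$iommu_dir"; then
        echo "PASS: IOMMU (VT-d) registered under $iommu_dir"
    else
        echo "FAIL: no IOMMU under $iommu_dir (VT-d off or intel_iommu not enabled)"; failed=$((failed + 1))
    fi
    return $failed
}

# Check the live system with: sh txt_check.sh --run (exit status = failure count)
case "${1:-}" in --run) txt_readiness ;; esac
```

The script cannot tell whether TXT is enabled in BIOS or whether the matching SINIT ACM is present; after a measured launch, the tboot package's txt-stat tool reports that status.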
The next two sections have references to help you set up an Intel TXT environment for your server. The references can help you determine the type of environment and which hardware and software you will need to set it up.
What hardware and software options are available today? Finding the right combination of HW and SW was a challenge for me; thus, I thought it would be useful to centralize the information in a quick blog and share it for general public consumption.
How do you set up an Intel TXT-compliant environment? There are a variety of solutions available for setting up an Intel TXT environment using the Intel architecture. The reference guides below can help with the setup. The OEM you choose can further assist in verifying that your system is Intel TXT-compliant and contains all required components:
Intel Trusted Execution Technology is available today on selected platforms. The platform availability matrix and the builder guides are there for your reference, to help you design and set up your secure environment. If you have other solutions, I would encourage you to share them so we can learn as a community.