Trusting The Trusted Platform Module, Continued
The TPM can also store measurements from the boot loader, BIOS and master boot records, to act as a "fingerprint" for your computer; this can identify your computer to a server, but it also proves that the computer and the boot components haven't been tampered with, so it acts as a "root" of trust for the system. The TPM calculates the hash of the configuration information and stores it in the Platform Configuration Registers, so it can compare the measurements each time you boot, asked to by the operating system, or encryption software like BitLocker. Just because there's a TPM in the PC, that doesn't mean it will interfere in the boot process if you haven't configured it to monitor the system. Also, some TPM functions, like reading the TPM's endorsement key, can only be performed when the system is booting, so malware can't extract the key and transfer it to another PC.
The configuration measurements can also be used to "seal" keys inside the TPM, so they can only be unsealed and used If the Platform Configuration Register confirms that your system is in the same state. If the system seals the keys that you've used to encrypt files, and a virus has changed the maser boot record or someone is trying to boot your PC into a different OS from an external drive, the hash in the Platform Configuration Register won't match and the key won't be unsealed, protecting your files.
As virtualization becomes more common - so you're running multiple operating systems on top of a hypervisor - the root of trust will be far more important, because there could be no visual clues that your hypervisor had been tampered with or even replaced. The hypervisor needs to get the CPU into a known state, running known code, and must be able to defend itself against attacks that could affect that code. You can do that by resetting the hardware - this is called a static root of trust - but the more virtual machines you're running, the less often you'll want that to happen.
Future versions of operating systems, virtual machine managers and hypervisors will use CPU instructions that can put the CPU back into that known state, by sending the code that will be run to the TPM to be measured. That way, you can check that the instruction will do what it's supposed to, and be sure there isn't a malicious application running that will try to intercept it. This is called a dynamic root of trust, and it means you will be able to restart a virtual machine securely without rebooting the whole system.
The first step towards this goal is Intel's Trusted Execution Technology (TXT), which uses the TPM to generate a signature for a virtual machine, so you can tell if applications have been installed since the time that you created the VM. Intel's VT lets a virtual machine run with more privileges; if you choose, any virtual machine that doesn't match the list stored in the TPM by TXT won't get that higher level of privileges, or won't run at all. TXT can also isolate the memory used by an application or a virtual machine so that it can't be changed by other applications, or even the OS. And if an application crashes, if TXT is protecting the memory it has been using, it will clear the pages in RAM and in the processor cache, so malware can't force an application to crash so it can get access to the data it had in memory.
The idea is to create a secure area on the PC for running applications or virtual machines, and more than just the CPU is involved. There are extensions to the chipset to enable the memory protection, and to provide protected channels to graphics hardware and I/O for applications running in the secure area. Data going to and from the mouse and keyboard is protected by a cryptographic key shared between the input device and an input manager. The graphics subsystem has a secure pathway from the application running in the secure area to the graphics frame buffer and then on to the window in which it's displayed, again making sure nothing can snoop the data.
None of the currently shipping virtualization tools use TXT, but Parallels is working with Intel to use VT and TXT in Parallels Desktop, to create a virtual machine monitor that can guarantee it hasn't been infected. Expect other VM vendors to include support for TXT during 2008 and 2009.
