There are screenshots at the link below...

Cheers,
RAH
------
<http://www.extremetech.com/print_article/0,3998,a=107418,00.asp>

Inside Intel's Secretive 'LaGrande' Project
September 19, 2003
By: Nick Stam

After being introduced at IDF in Fall 2002 with sparse details, Intel finally disclosed a fair amount of technical information regarding its upcoming LaGrande safe computing initiative. LaGrande defines the hardware and chipset modifications required to support secure computing environments such as Microsoft's Next Generation Secure Computing Base (NGSCB), formerly known as Palladium (check out www.microsoft.com/ngscb). A few months ago at the WinHEC trade show, Microsoft released in-depth information regarding NGSCB (pronounced ing-scub), and we still owe you a deep exploration of it. In this story, I'll provide a quick review of the need for secure computing (though it is quite obvious), and delve into key functional aspects of both NGSCB and LaGrande, with emphasis on LaGrande-specific components.

The Need for Safe, Protected Computing

It's clear we live in a hacker's world. Legions of hackers seem to have little else to do with their time than harass the rest of us, sometimes for kicks, sometimes to prove a cause, and sometimes to do serious damage. Some hacking might be aimed at specific companies or governments, or possibly be terrorist-related, but the nastiest of the hacker attacks steal our personal information and/or sensitive data by a variety of snooping methods. Viruses, worms, and trojans that exploit security holes in operating system software have infected millions of systems, causing significant headaches, cleanup time, and financial loss. Microsoft, Intel, and many others are developing protected computing environments to combat hacker attacks, while also providing secure computing for sensitive data processing and e-commerce transactions. Platform stability is improved when applications are run in a protected partition.
While protection methods are not foolproof, NGSCB and LaGrande have well thought-out frameworks, and are highly engineered defensive systems that, once deployed, should protect the majority of end users and businesses from software attacks. In fact, Intel and Microsoft stress these technologies protect against software attacks, not hardware attacks. Many attacks waged on our computers are from anonymous sources and are software-based. Certainly your system may be physically compromised or stolen, and operating system and/or internal hardware protection systems are of little help beyond encrypting your critical data, if you choose to use such features. As Intel security architect David Grawrock mentioned during his LaGrande architecture course at IDF, you won't see too many people snooping your front-side bus with a logic analyzer.

In the interest of timeliness and accuracy, I'll replay many slides from two IDF presentations: "LaGrande Technology and Safer Computing Overview" by Mike Ferron-Jones, Intel's Desktop Security Technologies Marketing Manager, and Luke Girard, Intel's Desktop Security Technologies Product Marketing Engineer, and "LaGrande Architecture" delivered by David Grawrock.

Below we see the levels of security and protection typically installed in a corporate computing environment. You may relate to similar levels of protection in your clients. Numerous hacking tools can be used to gain access to client data within firewalls, and various methods of infiltration exist to get through network barriers in many businesses. Home systems may be open to many more exploits.

Layers or levels of protection are required to secure a computing platform. Software methods must be supplemented by hardware security.
You're likely familiar with smart cards, and you'll soon hear a lot more about the "Trusted Platform Module" or TPM, which is a chip that stores unique platform information and encryption keys, and includes a random number generator for encryption algorithms. LaGrande is hardware-based protection, and it raises the overall level of protection significantly.

Safer Computing Initiative

Here's a great slide showing the vulnerabilities of today's PCs, and the need to protect input and output. We'll see that protection from DMA attacks requires chipset support, since DMA transactions do not need to use the processor.

Below we can see where LaGrande technology will be most useful. Note on the y-axis that "LT" means LaGrande Technology, not Lawrence Taylor. Clearly, the techies or marketing types at Intel who developed this acronym are not NY Giants fans, and did not expect people to visualize a linebacker, instead of a security technology, every time the term LT was presented. But you can see that software-based attacks are the prime focus, and most of the expected areas (data, mail, e-commerce) can be protected.

Let's take a look at LaGrande objectives in more detail.

LaGrande Objectives and Components

At the highest level, the following slide discusses LaGrande objectives. Note that compatibility and performance are not supposed to be compromised. We'll understand if this is true when we see operating systems interacting with processors implementing LaGrande technology a few years from now. The upcoming Prescott processor is supposed to have LaGrande features built in, but not activated (similar to the way initial P4s had Hyper-Threading embedded but not activated). Intel does not expect to activate LaGrande technology in processors for a few more years.

And here's a more detailed look at LaGrande uses for business security and protected computing.
As discussed previously, to provide complete platform security and protection, hardware mechanisms must supplement software systems. While NGSCB provides a secure "nexus" or protected kernel, and NGSCB computing agents (programs) execute in a secured manner, certain hardware protections are required. The term attestation means that the system can validate that a process or system is who it says it is, or that you are who you say you are. While Microsoft discusses attestation, sealed storage, protected execution, and protected input/graphics in much detail related to NGSCB in their white papers and presentations, they did not discuss specific processor features required to make the whole thing work. And neither did Intel in the past, until this week. Understand that Intel could have given much more detail, but they are saving it for future public disclosures. Clearly AMD is also working on such technology, and Intel only gives as much info publicly as they believe developers need to know in an open forum. Developers likely can receive much more information under non-disclosure agreements (NDAs).

The following graphic shows Intel's more generic version of Microsoft's left-hand/right-hand domain separation and partitioning defined by NGSCB.

And here's a slide Microsoft presented at IDF showing NGSCB's general partitioning.

Recall the earlier slide showing PC vulnerabilities, and you can see below how LaGrande claims to mitigate such vulnerabilities with its chipset features to protect memory. Note the DMA access protection in particular.
LaGrande Policy, Target Markets, and Rollout

Intel's Mike Ferron-Jones reminded us of Intel's ill-received "processor ID" feature, rolled out with the first Pentium III in early 1999, when legions of users rebelled, thinking the hard-coded ID provided the foundation for massive invasions of privacy, and stated that Intel learned a valuable lesson. With LaGrande, Intel will provide various levels of opt-in capabilities. At the highest level, Intel will provide processors with and without LT technology. Plain and simple. If you complain about LT, Intel will simply say, "then don't buy it!". If you want more secure computing, and much better protection from hackers, then get a processor with LT. And if you buy an LT processor but want to disable the feature, go right ahead and do so. The upcoming Longhorn version of Windows will automatically detect whether you have a hardware platform capable of running NGSCB and allow you to decide whether you want to run the protected environment or not.

Intel will be exposing many more details of LT over time, and they ultimately want clear visibility and transparency into the technology so it is accepted by the majority of users. Users must be able to fully control any storage and disclosure of their personal information. While a bit unclear at this time, it seems users may be able to invoke LT technology on an application or OS basis (assuming you run multiple OSs on your system). When asked how LT would work with multi-core CPUs, Intel stated they would not disclose such information today.

Similar to Microsoft, Intel is keenly aware of end-user reluctance in accepting LaGrande at face value. Specifically, users believe technologies like NGSCB and LT will help enforce digital rights management (DRM) to the point where fair use no longer exists.
Also like Microsoft, Intel has stated that LT will first be targeted at helping businesses secure their computing environments, protecting billions of dollars of business assets. Over time, we'll see LT roll into home computing environments. Here's a slide showing rollout and target markets. The asterisk footnote stated that all dates are for planning purposes and subject to change, so we may not see LT running in actual business systems for quite some time. And if Microsoft keeps delaying Longhorn, it will be longer yet in the majority of future systems (notebooks, desktops, and servers).

Trusted Platform Architecture Review

Intel reviewed the core features of a trusted computing environment to prepare us for more details of LaGrande hardware features. The slides below are similar to what Microsoft presented at WinHEC when discussing the platform attributes of NGSCB, and we'll present the slides here for your review. First, let's look at the LT security feature overview, which includes protected execution, attestation, sealed storage, and protected input/output. Essentially the same stuff as with NGSCB.

And here's a review of some common forms of attack, and what's needed to protect your computer.

The following slides describe each of the security features in more detail.

I missed photographing the slide detailing protected graphics, but needless to say, the graphics frame buffer must be protected from unauthorized access, and transmissions to and from the graphics buffer must be encrypted and protected from snooping. LaGrande is OS-agnostic per Intel, as you can see in the comments in the slide below.

Turn the page to see the CPU and chipset modifications needed for LaGrande to do its thing!
Inside LaGrande CPU and Chipset Modifications

Here's what you've no doubt been waiting to see. What exactly is LaGrande doing at the CPU and chipset level? First up is a LaGrande hardware architecture overview slide.

Can You Say Ring -1?

Looking at the above slide, you can see that CPU extensions were required to ensure domain separation, and to provide a secure space for the protected kernel and domain manager (DM) software. This means that the protected kernel and domain manager must be able to operate at a privilege level that is more privileged than Ring 0 in today's x86 CPUs. You may recall that many core OS services, kernel functions, and device drivers generally operate at Ring 0. Application software operates at Ring 3, and Rings 1 and 2 in x86 chips aren't really used much, though they are available if intermediate levels are desired. The problem in today's x86 architecture is that hacking programs can compromise Ring 0 security, and therefore a safer, restricted-access, unhackable (one hopes) protection level is required. While Intel has not formally named this highest protection level yet, I saw a few references to "Ring -1" on a few foreign tech Web sites earlier this year, though they were simply concocting a logical name based on what little was disclosed about LaGrande at the time. It is supposed to be near impossible (though we know we might eat these words someday) for a hacker or errant application to set itself running at this highly privileged level, or to access other protected code residing and/or executing at that level. I'll soon describe how the trusted execution environment is set up based on Grawrock's class material.

You can also see in the graphic above that the CPU sets up policy for memory protection (it can define what regions of memory are off limits to all but the protected execution elements), and the chipset (memory controller logic) assists in enforcing memory access policy.
Apparently, front-side bus communications can be protected (encrypted), though it's unlikely anything but logic analyzers would be able to compromise your system at the chip interconnects, or system and I/O bus levels. Chipset-level protection is required to protect against sneaky DMA agents (boards or devices plugged into an expansion bus that allows them to be DMA bus masters) attempting to access protected memory spaces. Only USB mice and keyboards are covered by LT technology as protected input devices as defined today, not PS/2 mice and keyboards. Also, graphics adapters must be re-architected to support a secure channel from the system to the frame buffer. The ICH (I/O controller hub) has protected access to the TPM for reading and writing information.

Finally, in order to be considered a LaGrande-compliant platform, the system must include an LT CPU, an LT-compatible chipset, and the new TPM version 1.2. The TPM v1.2 specification is not available yet, but to get familiar with the technology you can download the latest public TPM 1.1b spec. Note that the Trusted Computing Group's TPM spec provides a superset of the TPM capabilities required by LT.

Protected Environment Setup - Initial Steps

Now things get down to the brass tacks. The key questions: how does the system load a protected operating system component and ensure it is stored in a protected area, and how is that protected area created? First, a protected memory space is required, along with a protected means to load the protected operating system components, and a means to verify those components are the correct components and not some imposters.
We won't get into the gory details, which would take pages and pages to describe, and a lot more research on this author's part (this is only trade-show writing!), but here's the main flow: An application or operating system component existing in the left-hand side of the quadrant described in earlier slides (the standard application space) would trigger the need to load the protected operating system components, and once loaded, the protected operating system component would ultimately load one or more protected programs. Maybe it's an e-commerce or banking scenario that requires secure computing. During the load of the trusted operating system components, the system stores characteristics (unique identifiers) about the operating system components (such as the domain manager and kernel) that can be used at a later time for authentication by entities such as a database server, to see if the expected protected kernel is running. The protected components are loaded into protected memory, where they operate at the new super-secure protection ring. The unique identifiers are stored securely (sealed storage), and protected methods are used to write the attributes into non-volatile memory inside the TPM (Trusted Platform Module) silicon.

However, in order for the system to work, there must have been an initial trust established to let the system and/or user believe that the protected environment code loaded in the system is the proper protected environment code! Intel reviewed many ways to establish initial trust, as you can see in the slides below. Maybe you trust the system as delivered? I think not. Maybe a smartcard is used? Or maybe a third-party service with out-of-band responses?
If we assume we have an initial trust mechanism that works, the next step is to have a secure means to load the protected environment, verifying each memory page of the environment as it's loaded into hardware-protected memory space against hash data (attributes) stored in the TPM. Also, there must be no other system processes running when the trusted environment loads. This calls for both a new processor instruction to stop all other system activity and permit the secure loading to commence, and a secure software process that actually loads the trusted operating system environment into "Ring -1".

Protected Environment Setup - Launching Protected Domain

The following slide shows the basic sequence to launch a protected domain, and you can see that the domain manager (the software that manages the left- and right-hand environments) is first loaded, and then the protected kernel follows. Initially, it might be an app that requests the protected environment to be loaded, but it's likely the OS that requests it the vast majority of the time.

Only one domain manager can be loaded at a single time. Different domain managers can be loaded and taken down sequentially, but not run at the same time. And the domain manager runs at the higher privilege level. The use of authenticated code (AC) is required to ensure protected operations, and one such pair of AC modules is ENTERACCS and EXITAC, which load and take down the protected domain manager. It's likely the chipset vendor will create the ENTERACCS and EXITAC code.
A new processor instruction called SENTER will be included in future LaGrande-compatible processors, and it performs key operations, such as ensuring all other CPU activity is halted when protected environments are loaded, and it stores the initial unique identifiers (key) for the ENTERACCS software into a platform configuration register (PCR) inside the TPM. SENTER loads and verifies the identity of the ENTERACCS code against the pre-stored key. You can see that SENTER halts all other system activity in the slide below, and then it initiates the load of the ENTERACCS authenticated code, which in turn loads and validates the domain manager (DM).

Another view of protected domain launch events, and possible issues that may surface and need to be resolved by various processes, is shown below.

The process below details how the domain manager and ENTERACCS initialization code are identified.

Protected Environment Setup - Handling Special Cases

Intel also presented some interesting information on how various events such as unintended resets or sleep modes are handled that could otherwise cause problems with the protected code execution process, or the ability to protect sensitive data loaded in memory. If a protected environment is established, and the system is reset deliberately or via power loss, it's possible that memory could still retain data, but the policies that were in force to keep certain blocks of memory protected are lost. Upon determining an unexpected reset event (possibly by checking non-volatile or protected memory-based flags at bootup), the system can automatically zero out memory before loading the OS. In the case of sleep events, the domain manager might encrypt all protected memory regions, and decrypt them upon wakeup.
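The launch chain and the sealed-storage and attestation uses of the recorded identifiers, modeled in Python as an added example that is not from the article or from Intel. It assumes the TCG PCR extend rule (a register is only ever hashed forward, never set directly); the module names, module bytes and "pre-stored" hashes are constructed, and the XOR-based seal only illustrates PCR binding, standing in for the TPM's real sealing.

```python
import hashlib
import hmac

# Simplified model of the launch chain described above: SENTER measures ENTERACCS,
# ENTERACCS measures the domain manager (DM), the DM measures the protected kernel,
# and each measurement is extended into a TPM PCR with the TCG rule
# PCR = SHA1(PCR || SHA1(code)). Module names, bytes and "pre-stored" hashes are constructed.

PCR_LEN = 20  # SHA-1 digest length (the TPM 1.x digest)

def measure(code: bytes) -> bytes:
    """Identity of a code module: its SHA-1 digest."""
    return hashlib.sha1(code).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TCG PCR extend: a register can only be moved forward, never set directly."""
    return hashlib.sha1(pcr + measurement).digest()

def expected_pcr(expected: dict, order: list) -> bytes:
    """PCR a remote verifier (the database server in the text) expects after a
    correct launch; attestation compares the reported PCR against this."""
    pcr = bytes(PCR_LEN)
    for name in order:
        pcr = extend(pcr, expected[name])
    return pcr

def launch(components: list, expected: dict):
    """Walk the chain: each stage checks the next module against its pre-stored
    hash before extending the PCR, as SENTER does for ENTERACCS.
    Returns (ok, pcr, loaded) where loaded lists the stages that actually ran."""
    pcr = bytes(PCR_LEN)  # SENTER resets the launch PCR before measuring anything
    loaded = []
    for name, code in components:
        m = measure(code)
        if m != expected[name]:
            return False, pcr, loaded  # imposter module: abort the launch
        pcr = extend(pcr, m)
        loaded.append(name)
    return True, pcr, loaded

def _seal_material(pcr: bytes, n: int):
    key = hashlib.sha1(b"seal-key|" + pcr).digest()
    return key, (key * (n // PCR_LEN + 1))[:n]

def seal(secret: bytes, pcr: bytes) -> bytes:
    """Bind a secret to a PCR value. Stand-in for TPM sealed storage (keystream
    XOR plus HMAC tag) that illustrates PCR binding only; it is not a real cipher."""
    key, stream = _seal_material(pcr, len(secret))
    blob = bytes(a ^ b for a, b in zip(secret, stream))
    return blob + hmac.new(key, blob, hashlib.sha1).digest()

def unseal(sealed: bytes, pcr: bytes):
    """Return the secret only if the current PCR equals the one it was sealed to."""
    blob, tag = sealed[:-PCR_LEN], sealed[-PCR_LEN:]
    key, stream = _seal_material(pcr, len(blob))
    if not hmac.compare_digest(tag, hmac.new(key, blob, hashlib.sha1).digest()):
        return None
    return bytes(a ^ b for a, b in zip(blob, stream))

# Constructed modules and the hashes the platform is assumed to have pre-stored.
GOOD = [("ENTERACCS", b"enteraccs v1"), ("DM", b"domain manager v1"),
        ("KERNEL", b"protected kernel v1")]
EXPECTED = {name: measure(code) for name, code in GOOD}
ORDER = [name for name, _ in GOOD]
TAMPERED = GOOD[:2] + [("KERNEL", b"protected kernel v1 + rootkit")]  # modified kernel
```

A secret sealed during a good launch of GOOD cannot be unsealed after a launch of TAMPERED: the kernel fails its identity check, the PCR never reaches the sealed value, and a verifier comparing against expected_pcr(EXPECTED, ORDER) sees the mismatch as well.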
In summary, we've merely scratched the surface of a highly complex technology that will be embedded in most new personal computers in a few years. While Intel is working on LaGrande, AMD is also working on a similar technology to provide necessary hardware features that assist secure operating system functionality. As we learn more details, we'll present them over time.

Copyright (c) 2003 Ziff Davis Media Inc. All Rights Reserved.

--
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
