LaGrande Overview and Technical Insights

R. A. Hettinga rah at shipwright.com
Thu Sep 25 23:16:42 EDT 2003


There are screenshots at the link below...

Cheers,
RAH
------

<http://www.extremetech.com/print_article/0,3998,a=107418,00.asp>


Inside Intel's Secretive 'LaGrande' Project

September 19, 2003
By: Nick Stam


After being introduced at IDF in Fall 2002 with sparse details, Intel has
finally disclosed a fair amount of technical information regarding its
upcoming LaGrande safe computing initiative. LaGrande defines the processor
and chipset modifications required to support secure computing environments
such as Microsoft's Next Generation Secure Computing Base (NGSCB), formerly
known as Palladium (check out www.microsoft.com/ngscb). A few months ago
at the WinHEC trade show, Microsoft released in-depth information regarding
NGSCB (pronounced "ing-scub"), and we still owe you a deep exploration of
it. In this story, I'll provide a quick review of the need for secure
computing (though it is quite obvious), and delve into key functional
aspects of both NGSCB and LaGrande, with emphasis on LaGrande-specific
components.

The Need for Safe, Protected Computing

It's clear we live in a hacker's world. Legions of hackers seem to have
little else to do with their time than harass the rest of us, sometimes for
kicks, sometimes to prove a cause, and sometimes to do serious damage. Some
hacking might be aimed at specific companies or governments, or possibly be
terrorist-related, but the nastiest of the hacker attacks steal our
personal information and/or sensitive data by a variety of snooping
methods. Viruses, worms, and trojans that exploit security holes in
operating system software have infected millions of systems, causing
significant headaches, cleanup time, and financial loss. Microsoft, Intel,
and many others are developing protected computing environments to combat
hacker attacks, while also providing secure computing for sensitive data
processing and e-commerce transactions. Platform stability is improved when
applications are run in a protected partition.

While protection methods are not foolproof, NGSCB and LaGrande have well
thought-out frameworks and are highly engineered defensive systems that,
once deployed, should protect the majority of end users and businesses from
software attacks. In fact, Intel and Microsoft stress that these technologies
protect against software attacks, not hardware attacks. Many attacks waged
on our computers are from anonymous sources and are software-based.
Certainly your system may be physically compromised or stolen, and
operating system and/or internal hardware protection systems are of little
help beyond encrypting your critical data, if you choose to use such
features. As Intel security architect David Grawrock mentioned during his
LaGrande architecture course at IDF, you won't see too many people snooping
your front-side bus with a logic analyzer.

In the interest of timeliness and accuracy, I'll replay many slides from
two IDF presentations - "LaGrande Technology and Safer Computing Overview"
by Mike Ferron-Jones, Intel's Desktop Security Technologies Marketing
Manager, and Luke Girard, Intel's Desktop Security Technologies Product
Marketing Engineer, and "LaGrande Architecture" delivered by David Grawrock.

Below we see the levels of security and protection typically installed in a
corporate computing environment. You may relate to similar levels of
protection in your clients. Numerous hacking tools can be used to gain
access to client data within firewalls, and various methods of infiltration
exist to get through network barriers in many businesses. Home systems may
be open to many more exploits.

[slide image]

Layers or levels of protection are required to secure a computing platform.
Software methods must be supplemented by hardware security. You're likely
familiar with smart cards, and you'll soon hear a lot more about the
"Trusted Platform Module" or TPM, which is a chip that stores unique
platform information and encryption keys, and includes a random number
generator for encryption algorithms. LaGrande is hardware-based protection,
and it raises the overall level of protection significantly.

Safer Computing Initiative

Here's a great slide showing the vulnerabilities of today's PCs, and the
need to protect input and output. We'll see that protection from DMA
attacks requires chipset support, since DMA transactions do not need to use
the processor.

[slide image]

Below we can see where LaGrande technology will be most useful. Note on the
y-axis that "LT" means LaGrande Technology, not Lawrence Taylor. Clearly,
the techies or marketing types at Intel who developed this acronym are not
NY Giant fans, and did not expect people to visualize a linebacker, instead
of a security technology, every time the term LT was presented. But you can
see that software-based attacks are the prime focus, and most of the
expected areas (data, mail, e-commerce) can be protected.

[slide image]

Let's take a look at LaGrande objectives in more detail.

LaGrande Objectives and Components

At the highest level, the following slide discusses LaGrande objectives.
Note that compatibility and performance are not supposed to be compromised.
We'll understand if this is true when we see operating systems interacting
with processors implementing LaGrande technology a few years from now. The
upcoming Prescott processor is supposed to have LaGrande features built-in,
but not activated (similar to the way initial P4s had Hyper-Threading
embedded but not activated). Intel does not expect to activate LaGrande
technology in processors for a few more years.

[slide image]

And here's a more detailed look at LaGrande uses for business security and
protected computing.

[slide image]

As discussed previously, to provide complete platform security and
protection, hardware mechanisms must supplement software systems. While
NGSCB provides a secure "nexus" or protected kernel, and NGSCB computing
agents (programs) execute in a secured manner, certain hardware protections
are required. The term attestation means that the platform can prove to
another party, in a way that party can verify, which software it is actually
running (for instance, that the expected protected kernel was loaded), so a
remote system can decide whether to trust it. While Microsoft discusses
attestation, sealed storage, protected execution, and protected
input/graphics in much detail related to NGSCB in their white papers and
presentations, they did not discuss the specific processor features required
to make the whole thing work. And neither did Intel, until this week.

Understand that Intel could have given much more detail, but they are
saving it for future public disclosures. Clearly AMD is also working on
such technology, and Intel only gives as much info publicly as they believe
developers need to know in an open forum. Developers likely can receive
much more information under non-disclosure agreements (NDAs).

[slide image]

The following graphic shows Intel's more generic version of Microsoft's
left-hand/right-hand domain separation and partitioning defined by NGSCB.

[slide image]

And here's a slide Microsoft presented at IDF showing NGSCB's general
partitioning.

[slide image]

Recall the earlier slide showing PC vulnerabilities, and you can see below
how LaGrande claims to mitigate such vulnerabilities with its chipset
features to protect memory. Note the DMA access protection in particular.

[slide image]

LaGrande Policy, Target Markets, and Rollout

Reminding us of Intel's ill-received "processor ID" feature when the
Pentium III was first rolled out in early 1999, where legions of users
rebelled thinking the hard-coded ID provided the foundation for massive
invasions of privacy, Intel's Mike Ferron-Jones stated Intel learned a
valuable lesson. With LaGrande, Intel will provide various levels of opt-in
capabilities. At the highest level, Intel will provide processors with and
without LT technology. Plain and simple. If you complain about LT, Intel
will simply say, "then don't buy it!". If you want more secure computing,
and much better protection from hackers, then get a processor with LT. And
if you buy an LT processor but want to disable the feature, go right ahead
and do so. The upcoming Longhorn version of Windows will automatically
detect whether you have a hardware platform capable of running NGSCB and
allow you to decide whether you want to run the protected environment or
not.

Intel will be exposing many more details of LT over time, and they
ultimately want clear visibility and transparency into the technology so it
is accepted by the majority of users. Users must be able to fully control
any storage and disclosure of their personal information. While a bit
unclear at this time, it seems users may be able to invoke LT technology on
an application or OS basis (assuming you run multiple OSs on your system).
When asked how LT would work with multi-core CPUs, Intel stated they would
not disclose such information today.

Similar to Microsoft, Intel is keenly aware of end-user reluctance in
accepting LaGrande at face value. Specifically, users believe technologies
like NGSCB and LT will help enforce digital rights management (DRM) to the
point where fair use no longer exists. Also like Microsoft, Intel has
stated that LT will first be targeted at helping businesses secure their
computing environments, protecting billions of dollars of business assets.
Over time, we'll see LT roll into home computing environments.

Here's a slide showing rollout and target markets. The asterisk footnote
stated that all dates are for planning purposes and subject to change, so
we may not see LT running in actual business systems for quite some time.
And if Microsoft keeps delaying Longhorn, it will be longer yet in the
majority of future systems (notebooks, desktops, and servers).

[slide image]

Trusted Platform Architecture Review

Intel reviewed the core features of a trusted computing environment to
prepare us for more details of LaGrande hardware features. The slides below
are similar to what Microsoft presented at WinHEC when discussing the
platform attributes of NGSCB, and we'll present the slides here for your
review.

First, let's look at the LT security feature overview, which includes
protected execution, attestation, sealed storage, and protected
input/output. Essentially the same stuff as with NGSCB.

[slide image]

And here's a review of some common forms of attack, and what's needed to
protect your computer.

[slide image]

The following slides describe each of the security features in more detail.

[five slide images, one per security feature]

I missed photographing the slide detailing protected graphics, but
needless to say, the graphics frame buffer must be protected from
unauthorized access, and transmissions to and from the graphics buffer must
be encrypted and protected from snooping.

LaGrande is OS-agnostic per Intel, as you can see in the comments in the
slide below.

[slide image]

Turn the page to see the CPU and chipset modifications needed for LaGrande
to do its thing!

Inside LaGrande CPU and Chipset Modifications

Here's what you've no doubt been waiting to see. What exactly is LaGrande
doing at the CPU and chipset level?

First up is a LaGrande hardware architecture overview slide.

[slide image]

Can You Say Ring -1?

Looking at the above slide, you can see that CPU extensions were required
to ensure domain separation, and to provide a secure space for the
protected kernel and domain manager (DM) software. This means that the
protected kernel and domain manager must be able to operate at a privilege
level that is more privileged than Ring 0 in today's x86 CPUs. You may
recall that many core OS services, kernel functions, and device drivers
generally operate at Ring 0. Application software operates at Ring 3, and
Rings 1 and 2 in x86 chips aren't really used much, though available if
intermediate levels are desired. The problem in today's x86 architecture is
that hacking programs can compromise Ring 0 security, and therefore a
safer, restricted-access, unhackable (one hopes) protection level is
required.

While Intel has not formally named this highest protection level yet, I saw
a few references to "Ring -1" on a few foreign tech Web sites earlier this
year, though they were simply concocting a logical name based on what
little was disclosed about LaGrande at the time. It is supposed to be near
impossible (though we know we might eat these words someday) for a hacker
or errant application to set itself running at this highly privileged
level, or to access other protected code residing and/or executing at that
level. I'll soon describe how the trusted execution environment is set up,
based on Grawrock's class material.

You can also see in the graphics above that the CPU sets up policy for
memory protection (it can define what regions of memory are off limits to
all but the protected execution elements), and the chipset (memory
controller logic) assists in enforcing memory access policy. Apparently,
front-side bus communications can be protected (encrypted), though it's
unlikely anything but logic analyzers would be able to compromise your
system at the chip interconnects, or system and I/O bus levels.
Chipset-level protection is required to protect against sneaky DMA agents
(boards or devices plugged into an expansion bus that allows them to be DMA
bus masters) attempting to access protected memory spaces.

Only USB mice and keyboards are covered by LT technology as protected input
devices as defined today, not PS/2 mice and keyboards. Also, graphics
adapters must be re-architected to support a secure channel from the system
to the frame buffer. The ICH (I/O controller hub) has protected access to
the TPM for reading and writing information. Finally, in order to be
considered a LaGrande-compliant platform, the system must include an LT
CPU, an LT compatible chipset, and the new TPM version 1.2. The TPM v1.2
specification is not available yet, but to get familiar with the technology
you can download the latest public TPM 1.1b spec. Note that the Trusted
Computing Group's TPM spec provides a superset of the TPM capabilities
required by LT.

Protected Environment Setup - Initial Steps

Now things get down to the brass tacks. The key questions -- how does the
system load a protected operating system component and ensure it is stored
in a protected area, and how is that protected area created? First, a
protected memory space is required, along with a protected means to load
the protected operating systems components, and a means to verify those
components are the correct components and not some imposters. We won't get
into the gory details, which would take pages and pages to describe and a
lot more research on this author's part (this is only trade-show writing!),
but here's the main flow:

An application or operating system component existing in the left-hand side
of the quadrant described in earlier slides (the standard application
space) would trigger the need to load the protected operating system
components, and once loaded, the protected operating system component would
ultimately load one or more protected programs. Maybe it's an e-commerce or
banking scenario that requires secure computing.

During the load of the trusted operating system components, the system
records measurements (cryptographic hashes that uniquely identify each
component, such as the domain manager and kernel) that can be used at a
later time by entities such as a database server to check that the expected
protected kernel is running. The protected components are loaded into
protected memory, where they operate at the new, more privileged protection
ring. The measurements are written through protected interfaces into
platform configuration registers (PCRs) inside the TPM (Trusted Platform
Module) silicon, and sealed storage lets data be bound to those
measurements so that it is released only when the same components are
running.

However, in order for the system to work, there must have been an initial
trust established to let the system and/or user believe that the protected
environment code loaded in the system is the proper protected environment
code! Intel reviewed many ways to establish initial trust as you can see in
the slides below. Maybe you trust the system as delivered? I think not.
Maybe a smartcard is used? Or maybe a third party service with out-of-band
responses?

[three slide images]

If we assume we have an initial trust mechanism that works, the next step
is to have a secure means to load the protected environment, verifying each
memory page of the environment as it's loaded into hardware-protected
memory space against hash data (attributes) stored in the TPM. Also, there
must be no other system processes running when the trusted environment
loads. This calls for both a new processor instruction to stop all other
system activity, and permit the secure loading to commence, and a secure
software process that actually loads the trusted operating system
environment into "Ring -1".

Protected Environment Setup - Launching Protected Domain

The following slide shows the basic sequence to launch a protected domain,
and you can see that the domain manager (the software that manages the left
and right hand environments) is first loaded, and then the protected kernel
follows. Initially, it might be an app that requests the protected
environment to be loaded, but it's likely the OS that requests the vast
majority of times.

[slide image]

Only one domain manager can be loaded at a single time. Different domain
managers can be loaded and taken down sequentially, but not run at the same
time. And the domain manager runs at the higher privilege level.

The use of authenticated code (AC) is required to ensure protected
operations. One such pair of AC modules is ENTERACCS and EXITAC, which
respectively load and take down the protected domain manager. It's likely
the chipset vendor will create the ENTERACCS and EXITAC code.

[slide image]

A new processor instruction called SENTER will be included in future
LaGrande-compatible processors, and it performs the key operations: it
ensures all other CPU activity is halted while the protected environment is
loaded, it verifies the identity of the ENTERACCS code against a pre-stored
value, and it records the measurement (hash) of the ENTERACCS code in a
platform configuration register (PCR) inside the TPM. You can see in the
slide below that SENTER halts all other system activity and then initiates
the load of the ENTERACCS authenticated code, which in turn loads and
validates the domain manager (DM).

[slide image]

Another view of protected domain launch events, and possible issues that
may surface and need to be resolved by various processes is shown below.

[slide image]

The process below details how the domain manager and ENTERACCS
initialization code are identified.

[slide image]
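To make the launch chain and the earlier sealed-storage discussion concrete, here is a small model of the flow described above: SENTER checks ENTERACCS against a pre-stored value, each stage measures the next into a TPM platform configuration register, and a secret sealed to the resulting PCR value can only be unsealed (and the platform only attested) when the same chain is loaded again. This is an illustration written for this page, not Intel or Microsoft code; the component images, the expected hash, the key material and the PCR index are constructed assumptions, and the TPM is a stand-in object rather than the TPM 1.2 interface.

```python
"""Model of the LaGrande launch flow: SENTER verifies ENTERACCS, each stage
measures the next into a TPM PCR, and secrets are sealed to / attested from
the resulting PCR value. Illustration written for this page, not Intel or
Microsoft code. Images, expected hash, keys and PCR index are constructed
assumptions. TPM 1.2 PCRs are 20-byte SHA-1 registers changed only by
extend: PCR_new = SHA1(PCR_old || measurement), so the final value depends
on every component loaded and on the order in which it was loaded."""
import hashlib
import hmac

PCR_SIZE = 20
LAUNCH_PCR = 17  # assumption: the PCR that records the launch chain


class ModelTPM:
    """Minimal TPM 1.2-style model: PCRs, extend, seal/unseal and quote."""

    def __init__(self, num_pcrs=24):
        self.pcrs = [bytes(PCR_SIZE)] * num_pcrs
        self._sealed = {}  # handle -> (PCR index, PCR value at seal time, secret)
        # Stand-in for the attestation identity key. A real TPM signs quotes
        # with an RSA key; this model uses an HMAC key that never leaves it.
        self._aik = b"constructed-attestation-key"

    def reset(self):
        """Platform reset: PCRs return to zero, sealed blobs survive."""
        self.pcrs = [bytes(PCR_SIZE)] * len(self.pcrs)

    def extend(self, index, measurement):
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + measurement).digest()
        return self.pcrs[index]

    def seal(self, index, secret):
        """Bind a secret to the current PCR[index]. A real TPM encrypts the blob
        under a chip-resident key; this model keeps the secret in the object."""
        handle = len(self._sealed)
        self._sealed[handle] = (index, self.pcrs[index], secret)
        return handle

    def unseal(self, handle):
        index, expected, secret = self._sealed[handle]
        if not hmac.compare_digest(expected, self.pcrs[index]):
            raise PermissionError("PCR mismatch: platform not in the sealed state")
        return secret

    def quote(self, index, nonce):
        """Attestation: a keyed digest over the PCR and a verifier's nonce."""
        return hmac.new(self._aik, self.pcrs[index] + nonce, hashlib.sha256).digest()

    def verify_quote(self, expected_pcr, nonce, quote):
        """The remote party's check (the database server of the text), given
        the known-good PCR value and the attestation key it trusts."""
        want = hmac.new(self._aik, expected_pcr + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(want, quote)


# Constructed component images standing in for the real binaries.
GOOD_IMAGES = {
    "ENTERACCS": b"constructed authenticated code module v1",
    "DOMAIN_MANAGER": b"constructed domain manager v1",
    "PROTECTED_KERNEL": b"constructed protected kernel v1",
}
# The pre-stored identity of the AC module that SENTER checks against.
EXPECTED_ACM_HASH = hashlib.sha1(GOOD_IMAGES["ENTERACCS"]).digest()


def measured_launch(tpm, images, expected_acm_hash=EXPECTED_ACM_HASH):
    """SENTER (other CPUs halted; not modelled) verifies ENTERACCS against the
    pre-stored hash and records it; ENTERACCS measures the domain manager,
    which measures the protected kernel. Returns the final PCR value, or
    raises before anything is recorded if the AC module is not genuine."""
    acm_hash = hashlib.sha1(images["ENTERACCS"]).digest()
    if not hmac.compare_digest(acm_hash, expected_acm_hash):
        raise ValueError("ENTERACCS identity check failed; SENTER aborts launch")
    tpm.extend(LAUNCH_PCR, acm_hash)
    for stage in ("DOMAIN_MANAGER", "PROTECTED_KERNEL"):
        tpm.extend(LAUNCH_PCR, hashlib.sha1(images[stage]).digest())
    return tpm.pcrs[LAUNCH_PCR]


def demo():
    """Seal a secret after a good launch, then reboot with a modified kernel
    and show it can neither unseal the secret nor pass attestation."""
    tpm = ModelTPM()
    good_pcr = measured_launch(tpm, GOOD_IMAGES)
    handle = tpm.seal(LAUNCH_PCR, b"banking session key")
    nonce = b"server-nonce-1"
    good_attest = tpm.verify_quote(good_pcr, nonce, tpm.quote(LAUNCH_PCR, nonce))

    tpm.reset()  # reboot: same TPM and sealed blob, PCRs back to zero
    tampered = dict(GOOD_IMAGES, PROTECTED_KERNEL=b"constructed rootkit kernel")
    measured_launch(tpm, tampered)
    try:
        tpm.unseal(handle)
        unseal_blocked = False
    except PermissionError:
        unseal_blocked = True
    bad_attest = tpm.verify_quote(good_pcr, nonce, tpm.quote(LAUNCH_PCR, nonce))
    return good_attest, unseal_blocked, bad_attest  # (True, True, False)
```

The point the model makes is that nothing about the kernel is "checked" by the TPM itself: the TPM only records what was loaded, and the check happens when a sealed secret fails to unseal or a remote verifier compares the quoted PCR with the value it expects. A tampered ENTERACCS, by contrast, is stopped by SENTER before anything is recorded at all.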

Protected Environment Setup - Handling Special Cases

Intel also presented some interesting information on how events such as
unintended resets or sleep modes are handled, since they could otherwise
disrupt protected code execution or the ability to protect sensitive data
loaded in memory. If a protected environment is established and the system
is reset, deliberately or via power loss, memory may still retain its
contents while the policies that kept certain blocks of memory protected
are lost. Upon detecting an unexpected reset (possibly by checking
non-volatile or protected memory-based flags at bootup), the system can
automatically zero out memory before loading the OS. In the case of sleep
events, the domain manager might encrypt all protected memory regions and
decrypt them upon wakeup.
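The reset case above is easy to get wrong in the ordering, so here is a small model of it, written for this page and not Intel's design: DRAM keeps its contents across a reset while the protected-range policy does not, and a non-volatile flag raised before any secret is placed in memory tells firmware to scrub DRAM before an OS loads. The flag, the memory layout and the scrub policy are constructed assumptions; the sleep/encrypt path is not modelled.

```python
"""Model of reset handling for a protected environment: after an unexpected
reset the secrets left in DRAM survive but the policy guarding them does
not, so firmware checks a non-volatile flag at boot and scrubs memory before
any OS loads. Illustration written for this page, not Intel's code; the
flag, memory layout and scrub policy are constructed assumptions."""


class Platform:
    """DRAM plus one non-volatile flag, standing in for a 'secrets in memory'
    state a chipset could record. DRAM contents survive a reset; the
    protected-range policy held by the CPU and chipset does not."""

    def __init__(self, size=64):
        self.dram = bytearray(size)
        self.nv_secrets_flag = False  # assumption: chipset/TPM NV flag
        self.protected_ranges = []    # (start, end), enforced only while DM runs

    def launch_protected(self, start, secret):
        """The domain manager raises the flag BEFORE any secret lands in
        DRAM, so a reset at any later instant is covered."""
        self.nv_secrets_flag = True
        self.protected_ranges.append((start, start + len(secret)))
        self.dram[start:start + len(secret)] = secret

    def orderly_teardown(self):
        """EXITAC-style exit: wipe the protected ranges, then clear the
        flag; clearing first would leave a window in which a reset wins."""
        for start, end in self.protected_ranges:
            self.dram[start:end] = bytes(end - start)
        self.protected_ranges.clear()
        self.nv_secrets_flag = False

    def unexpected_reset(self):
        """Reset button or power glitch: policy lost, DRAM contents kept."""
        self.protected_ranges.clear()

    def boot_firmware(self):
        """First code to run after reset. If the flag says a protected
        environment may have left secrets behind, scrub all of DRAM before
        handing control to an OS. Returns whether a scrub happened."""
        if not self.nv_secrets_flag:
            return False
        self.dram[:] = bytes(len(self.dram))
        self.nv_secrets_flag = False
        return True


def secret_readable_after_reset(honor_flag):
    """Does a secret survive an unexpected reset into the next boot?
    honor_flag=False models firmware that ignores the flag."""
    platform = Platform()
    secret = b"constructed session key"
    platform.launch_protected(16, secret)
    platform.unexpected_reset()
    if honor_flag:
        platform.boot_firmware()
    # Whatever boots next has no protected ranges to respect; it reads DRAM freely.
    return secret in bytes(platform.dram)


def secret_readable_after_clean_exit():
    """Orderly teardown: nothing left for the next boot, flag already clear."""
    platform = Platform()
    platform.launch_protected(16, b"constructed session key")
    platform.orderly_teardown()
    platform.boot_firmware()
    return platform.nv_secrets_flag or b"constructed session key" in bytes(platform.dram)
```

With firmware that ignores the flag the secret is still readable by the next OS; with the flag honoured the DRAM is zeroed before that OS runs. Note that a deliberate reset while the protected environment is up is covered too, since the flag is only cleared by a scrub or by an orderly teardown.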

[two slide images]

In summary, we've merely scratched the surface of a highly complex
technology that will be embedded in most new personal computers in a few
years. While Intel is working on LaGrande, AMD is also working on a similar
technology to provide necessary hardware features that assist secure
operating system functionality. As we learn more details, we'll present
them over time.

Copyright (c) 2003  Ziff Davis Media Inc. All Rights Reserved.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com