
TrustedComputingTPMandTruestedBoot.ppt

Uploaded by: 精品资料  Document ID: 6131625  Uploaded: 2019-03-30  Format: PPT  Pages: 116  Size: 6.21MB
Resource description

Slide 1: Trusted Computing, TPM and Trusted Boot

Slide 2: Outline
- Basic features of a trusted platform
- Basic architecture of a trusted computing platform
- The Trusted Platform Module (TPM) component
- Software interfaces and services
- TCG programming interface
- Trusted Boot

Slide 3: Trusted Computing
- An object is trusted if and only if it operates as expected.
- An object is trustworthy if and only if it is proven to operate as expected.

Slide 4: TCG Architecture

Slide 5: Agenda (the outline of slide 2)

Slide 6: Fundamental Trusted Platform Features
- Protected Capabilities
- Attestation
- Integrity Measurement, Storage and Reporting

Slide 7: Protected Capability
- Shielded locations: storage areas inside the TPM that hold sensitive information, such as the Platform Configuration Registers (PCRs).
- Protected capabilities: the functions the TPM provides for accessing the shielded locations, exposed in the form of commands, i.e. TPM commands.

Slide 8: Attestation (cont.)
TPM identities:
- Real identity: the key pair that uniquely identifies one specific TPM, the Endorsement Key (EK): EK public key + EK private key.
- Working identity: a key pair associated with a TPM's EK, the Attestation Identity Key (AIK): AIK public key + AIK private key.

Slide 9: Attestation
- Attestation of the platform: a trusted third party tells an external entity "this platform is associated with a specific TPM; you can trust the integrity measurement reports it provides".
- Attestation by the platform: the platform tells an external entity "this integrity measurement result was provided by me". The TPM on the platform signs the PCR values with its AIK.

Slide 10: Integrity measurement
- Integrity measurement: obtaining the measurement values of the platform characteristics that affect platform integrity (trustworthiness), and storing a digest of those values in a PCR.
- Measured value: a representation of program code or embedded data.
- Measurement digest: the hash of the measured value.

Slide 11: Integrity storage and reporting
- How a PCR stores a measurement digest: PCRn <- SHA-1(PCRn + M_data)
- Attesting the measurement results recorded in the PCRs to external parties.

Slide 12: Agenda (the outline of slide 2)

Slide 13: Roots of trust of a trusted computing platform

Slide 14: RTM
The RTM is a computing engine that performs integrity measurement reliably, with the CRTM (core root of trust for measurement) as its measurement root. The CRTM is the first piece of code executed after system startup: it initializes the execution sequence that follows, performs the initial trusted measurement, and then brings the TPM into operation. The CRTM is the code the platform executes when acting as the RTM, and it is generally stored in the BIOS.

Slide 15: RTS
The RTS is a computing engine that accurately records the digests of the integrity measurements and their order: it keeps the integrity measurements in a log and their hash values in the PCRs. PCR/RTM act as RTS.

Slide 16: RTR
The RTR is a trusted entity that reports information precisely and correctly. It uses the PCRs and RSA to report the platform state to the outside in a way that cannot be forged. EK/TPM act as RTR.

Slide 17: Trusted Building Blocks (TBB)
Trusted building blocks (TBB): the parts of the platform that must be included in the roots of trust but lie outside the shielded locations and protected capabilities:
- the CRTM
- the connection of the CRTM storage to a motherboard
- the connection of the TPM to a motherboard
- mechanisms for determining Physical Presence

Slide 18: Example of a TBB

Slide 19: The Trust Boundary
- The combination of the TBB and the roots of trust forms a trust boundary.
- Within that boundary, integrity measurement, storage and reporting of the platform's minimal configuration can be carried out.
- Extending the trust boundary: components that pass measurement are brought inside the trusted scope.

Slide 20: Transitive Trust

Slide 21: Establishing the chain of trust
- The trusted computing platform takes the BIOS boot block as the root of trust for integrity measurement and the TPM as the root of trust for integrity reporting.
- From platform power-on, the BIOS boot block measures the integrity value of the BIOS, stores that value in the TPM, and records a log in its own writable memory;
- the BIOS then measures the hardware and option ROMs, stores the resulting integrity values in the TPM and logs them in memory;
- then the OS loader measures the OS, and the OS measures applications and newly loaded OS components.
- Once the operating system is up, the user decides whether to keep trusting the platform. Building the chain of trust in this way guarantees the trustworthiness of the platform.

Slide 22: Integrity Measurement
- Measurement events:
  - measured values: a representation of embedded data or program code
  - measurement digests: a hash of measured values
- Storage: the measurement digest is stored in the TPM using RTR and RTS functionality; measured values may be stored in the Stored Measurement Log.

Slide 23: Stored Measurement Log (SML)
- The SML records the sequence of digest values; the TPM keeps those digests in the corresponding PCRs.
- Updates to a PCR: PCRn <- SHA-1(PCRn + measured data)
- The SML does not reside in the TPM.

Slide 24: Procedure

Slide 25: Measurement on Linux
An example from a Linux-based implementation of trusted computing.

Slide 26: Linux Application Measurements

Slide 27: Integrity Reporting Protocol

Slide 28: Protocol description
1. The requester sends a request for the values of one or more PCRs.
2. The measurement mechanism on the platform collects the SML records.
3. The measurement mechanism obtains the PCR values from the TPM.
4. The TPM signs the PCR values with an AIK.
5. The platform's measurement mechanism collects the credentials associated with the TPM and delivers the SML records, the credentials and the signed PCR values to the requester.
6. The requester verifies the response: it recomputes the measurement digests and compares them with the PCR values, evaluates the platform credentials, and checks the signature.

Slide 29: Protection of information exchange (1): Binding
- The sender encrypts the information with the receiver's public key.
- Suppose entity ES wants to send message M to entity ER, whose public and private keys are KPUB-ER and KPRI-ER. Encrypting M with KPUB-ER yields KPUB-ER(M); this amounts to binding M to ER, because only KPRI-ER can decrypt KPUB-ER(M), and only ER holds KPRI-ER.
- If ER is a TPM, this binds the message M to that specific TPM.

Slide 30: Protection of information exchange (2): Signing
- Compute the hash of the data to be signed and encrypt that hash with the private key.
- Suppose entity ES has public and private keys KPUB-ES and KPRI-ES. ES signs message M by first computing its hash H(M) and then encrypting that hash with KPRI-ES; the result, KPRI-ES(H(M)), is ES's signature over M.
- If ES is a TPM, this is that specific TPM's signature over M.

Slide 31: Protection of information exchange (3): Sealing
Select the values of a set of PCRs, encrypt those PCR values together with a symmetric key under a public key, and then encrypt the information to be sealed with that symmetric key.

Slide 32: Procedure for Sealing/Unsealing

Slide 33: Protection of information exchange (4): Sealed-Signing
First combine the values of a specific set of PCRs into the information to be signed, then sign it.

Slide 34: Protected storage of keys and data

Slide 35: Comments (cont.)
- The RTS inside the TPM is responsible for protecting the information stored in the TPM, in particular the keys the TPM generates.
- Storage inside the TPM is very limited and cannot hold many keys; most keys have to live on storage media outside the TPM.
- The storage area inside the TPM that holds keys is called the key slots; the area on external media that holds keys is called the key-slot cache, or key cache for short.

Slide 36: Comments
- Software outside the TPM, called the KCM, manages the key cache and the transfer of keys between the TPM and the cache.
- Protected storage protects data as well as keys. If entity E cannot interpret data D, then D is opaque data as far as E is concerned.
- Protected information (keys and data) must be encrypted before it is moved from inside the TPM to the outside; the SRK is the root key used for that encryption. The SRK can be created while establishing the TPM's owner. If a new SRK is created for the TPM, information encrypted under the old SRK can no longer be decrypted.

Slide 37: Key attributes
- Migratable: a key generated in one TPM can be transferred to and used in another TPM.
- Non-migratable: a key generated in a TPM can only be used in that TPM.

Slide 38: Key types (1)
- Signing keys: asymmetric general-purpose keys used to sign application data and messages. Signing keys can be migratable or non-migratable.
- Storage keys: asymmetric general-purpose keys used to encrypt data or other keys. Storage keys are used for wrapping keys and data managed externally.

Slide 39: Key types (2)
- Identity Keys (a.k.a. AIK keys): non-migratable signing keys that are used exclusively to sign data originated by the TPM.
- Endorsement Key (EK): a non-migratable decryption key for the platform. It is used to decrypt owner authorization data at the time a platform owner is established and to decrypt messages associated with AIK creation.

Slide 40: Key types (3)
- Bind keys: may be used to encrypt small amounts of data (such as a symmetric key) on one platform and decrypt it on another.
- Legacy Keys: keys created outside the TPM. They are imported into the TPM, after which they may be used for signing and encryption operations. They are by definition migratable.
- Authentication Keys: symmetric keys used to protect transport sessions involving the TPM.

Slides 41-44: Loading TPM Keys (1)-(4)

Slide 45: Agenda (the outline of slide 2)

Slide 46: TPM component architecture

Slide 47: Comments
- Input/output component: manages the flow of information on the communication bus.
- Non-volatile memory: holds the Endorsement Key (EK), the Storage Root Key (SRK), the owner's authorization data and persistent flags.
- PCRs: used by the operating system and application software.
- Attestation Identity Keys (AIK): persistent keys, stored outside the TPM.
- Program code: the firmware that performs integrity measurement of platform devices; it is the core root of trust for measurement (CRTM).
- Random number generator: generates keys and creates nonces.
- SHA-1 message digest engine: computes signatures and creates key blobs.
- RSA key generation engine: creates signing keys and storage keys.
- RSA engine: signs with signing keys, encrypts and decrypts with storage keys, decrypts with the EK.
- Opt-in component: disables or enables the TPM.
- Execution engine: carries out TPM initialization and the integrity measurement operations.

Slide 48: PCR (Platform Configuration Register)
- Version 1.1 provides 8 PCRs; version 1.2 provides at least 16.
- PCRs are placed in shielded locations.
- How the PCRs are used is determined by the platform architecture (PC, server, PDA, etc.).
- A PCR is a 160-bit value.
- PCRs mainly store the integrity measurement values of each module while the chain of trust is being built.
- How a value is stored: PCRi New = Hash(PCRi Old value | value to add)
- PCRs must be in the RTS (Root of Trusted Storage).

Slide 49: PCR Usage

Slide 50: Endorsement Key (EK)
- An RSA (2048-bit) public/private key pair (PUBEK, PRIVEK).
- The EK is the TCM's unique cryptographic identity.
- EK creation: internal creation uses the TCM_CreateEndosreKey command; external creation must guarantee the same level of security.
- The EK is usually generated by the manufacturer, and the entity that generates the EK is responsible for creating the EK credential.
- Once the EK has been generated, it must not be generated again.
- Internal access to PRIVEK is strictly restricted; it affects the security of the whole system.
- External access to PUBEK is strictly restricted, for privacy reasons rather than security.
- The EK takes part in only two operations: taking TPM ownership, and creation of Attestation Identity Keys.

Slide 51: Attestation Identity Keys (AIK)
- An RSA (2048-bit) public/private key pair; an alias of the EK.
- AIKs are created and activated by the TCM owner; their number is not limited.
- A credential made from the AIK (public part) can carry application-specific information.
- The AIK replaces the EK for signing; it is mainly used to sign data produced inside the TCM, including PCR values, other keys and TCM state information.
- AIK creation involves three commands:
  - TCM_MakeIdentity: creates the AIK key pair and reveals the binding between the AIK and the EK to the service provider that issues the AIK credential
  - TCM_ActivateIdentity: decrypts the encrypted AIK credential
  - TCM_RecoverIdentity:

Slide 52: TPM Startup

Slide 53: TPM States

Slide 54: Enabled/Disabled
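The PCR extend rule of slides 11, 23 and 48 and the requester-side check of step 6 on slide 28, worked as an added example (not code from the slides): a constructed boot chain measures each stage into simulated PCRs and appends the digests to an SML kept outside the "TPM", and the verifier replays that SML to confirm it reproduces the reported PCR values. The PCR index chosen for each stage and the all-zero value PCRs start from are assumptions, and the AIK signature of steps 4 and 6 is not modelled.

```python
import hashlib
from typing import Dict, List, Tuple

PCR_SIZE = 20  # a TPM 1.2 PCR is a 160-bit value, the size of a SHA-1 digest
Event = Tuple[int, bytes]  # one SML entry: (PCR index, measurement digest)

def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCRn <- SHA-1(PCRn || digest): the only operation that changes a PCR."""
    return hashlib.sha1(pcr + digest).digest()

def measure(measured_value: bytes) -> bytes:
    """Measurement digest: the hash of the measured value (code or embedded data)."""
    return hashlib.sha1(measured_value).digest()

def replay_sml(sml: List[Event]) -> Dict[int, bytes]:
    """Recompute the PCR values an SML implies by replaying its events in order,
    every PCR starting from the all-zero reset value (an assumption here)."""
    pcrs: Dict[int, bytes] = {}
    for index, digest in sml:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs

def verify_report(sml: List[Event], reported_pcrs: Dict[int, bytes]) -> bool:
    """Requester-side check (protocol step 6): the digests recomputed from the
    SML must reproduce every PCR value the platform reported; any edited,
    dropped or reordered log entry breaks the match."""
    expected = replay_sml(sml)
    return all(expected.get(i, bytes(PCR_SIZE)) == v for i, v in reported_pcrs.items())

def simulate_boot() -> Tuple[List[Event], Dict[int, bytes]]:
    """Constructed boot chain: each stage's code is measured into a PCR (RTS) and
    the digest is appended to the SML, which lives outside the TPM. The PCR index
    chosen for each stage is an assumption, not taken from the slides."""
    stages = [(0, b"BIOS image"), (2, b"option ROM"), (4, b"OS loader"), (4, b"kernel")]
    sml: List[Event] = []
    tpm_pcrs = {i: bytes(PCR_SIZE) for i in range(16)}  # 1.2 platform: 16 PCRs at reset
    for index, code in stages:
        digest = measure(code)
        tpm_pcrs[index] = extend(tpm_pcrs[index], digest)
        sml.append((index, digest))
    return sml, tpm_pcrs

if __name__ == "__main__":
    sml, pcrs = simulate_boot()
    print("genuine SML reproduces the PCRs:", verify_report(sml, pcrs))
    edited = sml[:2] + [(4, measure(b"other loader"))] + sml[3:]
    print("edited SML reproduces the PCRs:", verify_report(edited, pcrs))
```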

Slide 55: Active/Deactive

Slide 56: Physical Presence

Slide 57: Agenda (the outline of slide 2)

Slide 58: Software layers of a trusted computing platform

Slide 59: Layers
- TCG Service Provider (TSP): TSP Interface (TSPI), TSP Context Manager (TSPCM), TSP Cryptographic Functions (TSPCF)
- TCG Core Services (TCS): TCS Interface (Tcsi), TCS Context Manager (TCSCM), TCS Key & Credential Manager (TCSKCM), TCS Event Manager (TCSEM), TCS TPM Parameter Block Generator (TcsipBG)
- TCG Device Driver Library (TDDL)
- TPM Device Driver (TDD)

Slide 60: TDDL interface
- Runs in user mode; the TDDL provides the system's transition from user mode to kernel mode.
- Advantages:
  - ensures that TSS implementations built in different ways can communicate with any TPM;
  - gives TPM applications a software interface that is independent of the operating system;
  - lets TPM vendors ship a TPM software emulator as a user-mode component.
- Single-threaded access: because the TPM does not support parallel multithreaded operation, each platform can only access the TPM single-threaded, through the TDDL as the sole entry point.

Slide 61: TCS interface
- Core services:
  - Context management: implements single-threaded access to the TPM.
  - Credential and key management: stores platform-related credentials and keys.
  - Measurement event management: manages the event log and access to the related PCRs.
  - Parameter block generation: receives synchronous requests from the upper layer, then queues and processes the TPM commands.
- Runs as a system process.

Slide 62: TSP interface
- Provides a C programming interface based on an object-oriented architecture.
- Resides in the same process address space as the user application.
- Users can access the TSP directly from their own programs.

Slide 63: Sessions: used to verify the authorization to execute TPM commands

Slide 64: A message in an authorized session
- Message container: identifies message type, size and formatting.
- TPM command: command name, input/output parameters and return code.
- Session state: session ID, control flags and digest value of the session messages.

Slide 65: Agenda (the outline of slide 2)

Slide 66: Naming Conventions
- Command: discrete functionality of the TPM exposed externally and recognizable by the TPM's command processor.
- Function: discrete functionality of non-TPM modules having programmatic interfaces.
- Operation Interface: the set of command or function entry points, including parameters and return codes, to a particular module. When used in a singular context, Interface may refer to a single entry point.

Slide 67: Message format
- Request-response model
- Request/Response Message

Slide 68: Command Ordinals
- Command Call:
- Command Reply:

Slide 69: Packet length and byte order
- Maximum length of a packet processed by the TPM: 4096 bytes.
- Byte order of the values in a packet: the same as when the value is transmitted over the network.

Slide 70: Sending command packets and receiving response packets

Slide 71: Sending the TPM_Reset() command to the TPM

Slide 72: Sending the TPM_GetCapability() command to the TPM

Slide 73: TPM open source software
Available open source software:
- TrustedGRUB
- TrouSerS TSS
- TPM-Tools
- OpenSSL TPM-Engine
- TPM-Manager
- TPM Emulator

Slide 74: Open Source Software high-level hierarchy

Slides 75-80: TPM-Manager

Slide 81: TPM commands
- The current TCG specification 1.2 rev. 116 has 100 TPM commands.
- TPM commands are classified into 5 categories: Mandatory, Optional, Deprecated, Deleted, Vendor-specific.
- The TCG spec. part 3 defines all input and output parameters for the available commands.
- The TCG spec. part 2 defines the actual values for the parameters, structures, commands etc.

Slide 82: Some TPM_Commands

Slide 83: TPM_PCRRead: Incoming Operands and Sizes

Slide 84: TPM_PCRRead: Outgoing Operands and Sizes

Slide 85: Agenda (the outline of slide 2)

Slide 86: Trusted Boot

Slide 87: TCG BIOS Interface

Slide 88: Stage1.s

Slides 89-91: Trusted GRUB

Slide 92: Agenda (the outline of slide 2, plus one more item: Trusted Execution Technology)

Slide 93: tboot
Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses Intel Trusted Execution Technology (Intel TXT) to perform a measured and verified launch of an OS kernel/VMM.

Slide 94: (no title or text extracted)

Slide 95: Static chain of trust
- Platform powers on / platform is reset: reset all PCRs to their default value.
- First measurement: hardware (i.e., the processor) measures a digitally signed module (ACM).
  - The Authenticated Code Module (ACM) is provided by the chipset manufacturer.
  - The processor validates the signature and integrity of the signed module before executing it.

Slide 96: Static chain of trust
- Second measurement: the ACM then measures the first BIOS code module.
  - The measurements of the ACM and BIOS code modules are extended to PCR0, the static core root of trust measurement (CRTM).
- Third measurement: the BIOS (other firmware code) makes additional measurements.

Slide 97: Shortcomings of SRTM
- Scalability and inclusivity: patching and updating, the variety of configurations, different orders.
- Time of measurement: only gives a load-time guarantee, not a run-time guarantee (launch-time protection vs. runtime protection).

Slide 98: Dynamic chain of trust
- The OS invokes a special security instruction: reset the dynamic PCRs (PCR17-22) to their default value.
- First dynamic measurement: hardware (i.e., the processor) measures another digitally signed module (referred to as the SINIT ACM), also provided by the chipset manufacturer: the Dynamic Root of Trust Measurement (DRTM).
  - PCR17: DRTM and launch control policy

Slide 99: Dynamic chain of trust
- Second dynamic measurement: the SINIT ACM then measures the first operating system code module, referred to as the measured launch environment (MLE).
  - PCR18: Trusted OS start-up code (MLE)
- Third dynamic measurement: the MLE executes.

Slide 100: Dynamic PCRs
- PCR17: DRTM and launch control policy
- PCR18: Trusted OS start-up code (MLE)
- PCR19: Trusted OS (for example OS configuration)
- PCR20: Trusted OS (for example OS kernel and other code)
- PCR21: as defined by the Trusted OS
- PCR22: as defined by the Trusted OS

Slide 101: How TXT works

Slide 102: TXT components

Slide 103: TXT integrity checking
- The tboot "trusted boot" hypervisor
- Authenticated Code Module (ACM), often referred to as the "SINIT AC": a binary-only object signed by Intel

Slide 104: Launch Sequence
- MLE (tboot)
- Authenticated code (AC) module: digital signature in the header
- Loaded into internal RAM (referred to as the authenticated code execution area) for isolation
- GETSEC[SENTER]: broadcast, cleanup, wait
- Executes the AC module: tests the chipset and configuration, measures and launches the MLE
- The ILP stores the MLE measurement in the TPM
- The MLE completes system configuration changes, including redirecting INITs, SMIs, interrupts, etc.
- Wakes up the RLPs and brings them into the measured environment

Slide 105: MLE Architecture Overview
- Initialization: set up the MLE on the ILP, and join code to initialize the RLPs
- Dispatch routine, like the unmeasured version would have
- Shutdown: again synchronizing the processors, clearing any state and executing the GETSEC[SEXIT] instruction

Slide 106: MLE Launch
- TXT detection and processor preparation
- Loading the SINIT AC module
- Loading the MLE and processor rendezvous
- Performing a measured launch

Slide 107: TXT detection
This action is only performed by the ILP.

Slide 108: Loading the SINIT AC Module
- LT.SINIT.BASE register: location
- LT.SINIT.SIZE register: size
- 128 KBytes of physically contiguous memory, reserved by the BIOS

Slide 109: Matching an AC Module

Slide 110: TXT Heap Initialization
- Data passed through the TXT heap memory: from system software to the SINIT AC, from system software to the MLE, and from the SINIT AC to the MLE
- OsMleData / OsMleDataSize
- Specifying regions of memory to protect from DMA (PMR Low/High Base/Size) using VT-d
- OsSinitData / OsSinitDataSize
- MLE Header: data structure whose address is specified in the OsSinitData entry

Slide 111: Rendezvousing Processors and Saving State

Slide 112: MTRR Setup

Slide 113: Executing the GETSEC[SENTER] instruction
29. EBX = physical base address of the SINIT AC module
30. ECX = size of the SINIT AC module in bytes
31. EDX = 0
32. GETSEC[SENTER]

Slide 114: Definitions
- Modern CPUs have more than one processor: multi-core CPUs, hyperthreading.
- Initiating Logical Processor (ILP): starts the GETSEC[SENTER] sequence; must be the bootstrap processor.
- Responding Logical Processor (RLP): any other processor on the platform that is not the ILP; reacts to the ILP, hence the name.
- Broadcast: mechanism used by the ILP to send messages to all RLPs.
- Sleep: when a processor sleeps it does nothing but wait for a wakeup call.

Slide 115: GETSEC SENTER Sequence

Slide 116: Thank you
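The request-response packet format of slides 66-69 and the TPM_PCRRead operands of slides 83-84, as an added example that is not part of the slides: it encodes a TPM_PCRRead request and decodes the response in network byte order, checking the tag, paramSize, the 4096-byte limit and the return code before trusting outDigest. The tag, ordinal and return-code constants are taken from the TCG TPM 1.2 specification; fake_tpm is a constructed stand-in for the device, and its 24-PCR limit is an assumption.

```python
import struct

# Values from the TCG TPM 1.2 specification (Part 2: structures, ordinals, return codes)
TPM_TAG_RQU_COMMAND = 0x00C1  # request carrying no authorization session
TPM_TAG_RSP_COMMAND = 0x00C4  # the matching response tag
TPM_ORD_PcrRead = 0x00000015  # ordinal of TPM_PCRRead
TPM_SUCCESS = 0x00000000
TPM_BADINDEX = 0x00000002     # error for a PCR index the TPM does not have
MAX_PACKET = 4096             # largest packet the TPM processes (slide 69)
DIGEST_SIZE = 20              # a PCR value is 160 bits
# Every multi-byte field is big-endian (network byte order), hence '!' in struct.
HEADER = struct.Struct("!HII")  # tag, paramSize, ordinal (request) or returnCode (reply)

def build_pcr_read(pcr_index: int) -> bytes:
    """Encode a TPM_PCRRead request: the header followed by the pcrIndex operand."""
    size = HEADER.size + 4  # 14 bytes in total
    return HEADER.pack(TPM_TAG_RQU_COMMAND, size, TPM_ORD_PcrRead) + struct.pack("!I", pcr_index)

def parse_pcr_read_response(packet: bytes) -> bytes:
    """Decode a TPM_PCRRead response; check tag, length and return code before
    handing back the 20-byte outDigest that follows the header."""
    if not HEADER.size <= len(packet) <= MAX_PACKET:
        raise ValueError("packet length out of range")
    tag, param_size, rc = HEADER.unpack_from(packet)
    if tag != TPM_TAG_RSP_COMMAND:
        raise ValueError(f"unexpected tag 0x{tag:04x}")
    if param_size != len(packet):
        raise ValueError("paramSize does not match the packet length")
    if rc != TPM_SUCCESS:
        raise ValueError(f"TPM returned error 0x{rc:08x}")
    digest = packet[HEADER.size:]
    if len(digest) != DIGEST_SIZE:
        raise ValueError("outDigest must be exactly 20 bytes")
    return digest

def fake_tpm(request: bytes, pcrs: dict) -> bytes:
    """Constructed stand-in for the device: answers TPM_PCRRead only and assumes
    a PC-style TPM with PCR indices 0..23 (an assumption, not from the slides)."""
    tag, size, ordinal = HEADER.unpack_from(request)
    if tag != TPM_TAG_RQU_COMMAND or size != len(request) or ordinal != TPM_ORD_PcrRead:
        raise ValueError("fake TPM only accepts a well-formed TPM_PCRRead")
    (index,) = struct.unpack_from("!I", request, HEADER.size)
    if index >= 24:  # error reply: header only, return code in place of the ordinal
        return HEADER.pack(TPM_TAG_RSP_COMMAND, HEADER.size, TPM_BADINDEX)
    digest = pcrs.get(index, bytes(DIGEST_SIZE))
    return HEADER.pack(TPM_TAG_RSP_COMMAND, HEADER.size + DIGEST_SIZE, TPM_SUCCESS) + digest

def read_pcr(index: int, pcrs: dict) -> bytes:
    """Round trip: build the request, hand it to the (fake) TPM, parse the reply."""
    return parse_pcr_read_response(fake_tpm(build_pcr_read(index), pcrs))
```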
