7/29/2019 How to Build Hardware Support for Secure Startup
1/34
How To Build Hardware Support For Secure Startup
Steve Heil & Mark Williams
Program Managers, Windows Security, Microsoft Corporation
Manny Novoa
Security Strategist, Personal Systems Group
Hewlett-Packard
Session Outline
Quick overview of the Windows codenamed "Longhorn" Secure Startup feature
Overview of the Longhorn TPM Services architecture
Developing applications that work with TPM Services
Windows Longhorn Logo Program proposed requirements for Secure Startup & TPM Services
Hewlett-Packard presents options & trade-offs for building Secure Startup-capable systems
Resources & Call to Action
Session Goals
This session answers the system builder's question: How do I build PC client SKUs that support Secure Startup?
Attendees should leave this session with the following:
Guidelines for developing software for TPM Services
A better understanding of why and how to build Secure Startup-capable system SKUs
Knowledge of where to find resources for meeting the Secure Startup system Windows Logo Program requirements and building Secure Startup-capable platforms
Quick Overview of Secure Startup
Technology providing higher security through use of the Trusted Platform Module (TPM)
Addresses the lost or stolen laptop scenarios with TPM-rooted boot integrity and encryption
Provides secure system startup and full volume encryption built on TPM services
Attackers are stopped from using software tools to get at the data: because the volume is encrypted and its key is released only when the measured boot path matches, booting another OS or moving the disk to another machine does not expose the data
What is a TPM?
Module on the motherboard that:
Protects secrets from attackers
Performs cryptographic functions, for example RSA, SHA-1, RNG
Meets encryption export requirements
Can create, protect and manage cryptographic keys
Provides a unique Endorsement Key (EK)
Performs digital signature operations
Holds Platform Measurements (hashes) in Platform Configuration Registers (PCRs)
Anchors the chain of trust for keys, digital certificates and other credentials
To see the industry-standard specs for TPM 1.2, go to www.trustedcomputinggroup.org
TPM Services Design Requirements
Create an environment where the TPM can be shared
Provide an appropriate level of abstraction for constrained resources
Protect applications from each other
Provide infrastructure for 3rd party developers and system manufacturers to add value
A single driver to support a variety of v1.2-compliant TPMs in the market
Provide mechanisms to support the right to opt in and the right to privacy
TPM Services Architecture Simplified
(Diagram; * = TCG Software Stack)
TPM Services Application Development
Write code using the TCG Service Provider (TSP) layer of a TCG v1.2 TSS that has been built upon the TPM Base Services (TBS)
Some commands are blocked by default
Command blocking is configurable by the administrator
The Storage Root Key (SRK) authorization data is the well-known all-zero value
Access TPM functionality through the Microsoft features:
WMI interface
Key Storage Provider (KSP)
TCG Stack vs. TPM Services Stack
TPM applications use the TCG Service Provider (TSP) interfaces
The TCG Core Services component (TCS) is ported to communicate with the TBS instead of the TCG Device Driver Library (TDDL)
TPM applications are more agile and better protected when using TBS
Introducing
Mark Williams
Program Manager, Windows Security, Microsoft Corporation
Secure Startup & Windows Longhorn Logo Program
The two proposed Windows Longhorn Logo Program requirements for Secure Startup are:
SYS-SEC-1: System supports Secure Startup via a v1.2 TPM
SYS-SEC-2: System supports Secure Startup by using system firmware security enhancements
These are "If implemented" requirements
Based on industry-standard specs:
TCG TPM Specification Version 1.2, at www.trustedcomputinggroup.org/home
TCG TPM Interface Specification v1.2, Revision RC26 or later, at www.trustedcomputinggroup.org/members
TCG PC Client Specific Implementation Spec for Conventional BIOS v1.2, Revision 0.98 or later, at www.trustedcomputinggroups.org/members
Secure Startup & Core Logic Chipset
Secure Startup code uses memory-mapped I/O to communicate with the TPM
Platform core logic chipset MUST implement memory-mapped I/O to the TPM 1.2 over the LPC bus
The memory region maps to TPM 1.2 Locality 0
The TPM 1.2 Locality 0 system memory address is 0xFED4_0xxx
This memory region MAY be protected
Details about the TPM 1.2 memory-mapped LPC interface are in an industry-standard specification:
TCG TPM Interface Specification v1.2, Revision RC26 or later, at www.trustedcomputinggroup.org/members
How Does Secure Startup Use The TPM?
Secure Startup code uses the TPM 1.2 to:
Measure software components of the system boot process; for each system boot event it:
Performs a hash of the component code and/or data
Adds an entry to the Event Log
Extends the appropriate PCR with the hash value
Later seals secrets against those PCR values, so that after the next platform reset the secrets can be unsealed only if the same measurements are reproduced
The mapping of PCR usage to system boot events is in an industry-standard specification:
TCG PC Client Specific Implementation Spec for Conventional BIOS v1.2, Revision 0.98 or later, at www.trustedcomputinggroups.org/members
A TCG draft specification for PCR usage on EFI-based platforms is under development
Why Are Firmware Extensions Required?
Secure Startup code runs in the pre-OS environment that is controlled by firmware
Secure Startup code must be able to use the firmware to access the TPM
BIOS must expose the INT 1Ah interface
This INT 1Ah interface is specified in the TCG v1.2 PC Client Implementation Specification
Secure Startup code uses a subset of the INT 1Ah functions in the TCG spec:
TCG_StatusCheck
TCG_PassThroughToTPM
TCG_CompactHashLogExtendEvent
The draft TCG EFI Protocol Spec contains these same three functions
Secure Startup Architecture (diagram): Static Root of Trust for Measurement of early boot components
Example Firmware Requirements
Requirements for BIOS usage of TPM 1.2 PCR[4]:
The BIOS MUST measure into PCR[4] each IPL that is attempted and executed; if IPL code returns control back to the BIOS, then each subsequent IPL MUST also be measured
The BIOS MUST NOT measure portions of the IPL pertaining to the specific configuration of the platform into PCR[4]
For example, the disk geometry data in the MBR would not be measured into PCR[4]
To measure the content of an MBR-style disk, the BIOS would measure bytes 0000-01B7h into PCR[4] and bytes 01B8-01FFh into PCR[5]
These requirements are from the TCG spec, proposed for testing in the Windows Longhorn Logo Program
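The following C program is an added illustration for this page (it is not Microsoft, HP or TCG code) of the hash / log / extend sequence from the "How Does Secure Startup Use The TPM?" slide and of the MBR split into PCR[4] and PCR[5] above. It assumes a software SHA-1 standing in for the TPM's hash engine, PCRs that start at all zeros after reset, a simplified event-log record rather than the TCG event structure, and a constructed sample MBR; the function and type names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SHA1_LEN   20
#define NUM_PCRS   24     /* a TPM 1.2 exposes PCR[0..23]; this example uses PCR[4] and PCR[5] */
#define MAX_EVENTS 16

static uint32_t rol(uint32_t v, int n) { return (v << n) | (v >> (32 - n)); }

/* Minimal SHA-1 (FIPS 180-1), the digest a TPM 1.2 uses for PCR extends. Stands in for the
   TPM's own hash engine here and is not hardened for production use. */
static void sha1(const uint8_t *msg, size_t len, uint8_t out[SHA1_LEN]) {
    uint32_t h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    uint64_t bits = (uint64_t)len * 8;
    size_t padlen = ((len + 8) / 64 + 1) * 64;        /* room for 0x80 and the 64-bit length */
    uint8_t *buf = calloc(padlen, 1);
    memcpy(buf, msg, len);
    buf[len] = 0x80;
    for (int i = 0; i < 8; i++) buf[padlen - 1 - i] = (uint8_t)(bits >> (8 * i));
    for (size_t off = 0; off < padlen; off += 64) {
        uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
        for (int i = 0; i < 16; i++)
            w[i] = (uint32_t)buf[off + 4*i] << 24 | (uint32_t)buf[off + 4*i + 1] << 16 |
                   (uint32_t)buf[off + 4*i + 2] << 8 | buf[off + 4*i + 3];
        for (int i = 16; i < 80; i++) w[i] = rol(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
        for (int i = 0; i < 80; i++) {
            uint32_t f, k;
            if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
            else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
            else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
            else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
            uint32_t t = rol(a, 5) + f + e + k + w[i];
            e = d; d = c; c = rol(b, 30); b = a; a = t;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    }
    free(buf);
    for (int i = 0; i < SHA1_LEN; i++) out[i] = (uint8_t)(h[i / 4] >> (24 - 8 * (i % 4)));
}

typedef struct { uint8_t v[SHA1_LEN]; } pcr_t;
typedef struct { uint32_t pcr_index; uint8_t digest[SHA1_LEN]; const char *desc; } event_t;
typedef struct { event_t e[MAX_EVENTS]; size_t n; } eventlog_t;   /* simplified log, not the TCG layout */

/* TPM_Extend semantics: PCR[n] <- SHA1(PCR[n] || digest). A PCR can only be extended, never
   written, so a verifier must replay the log in the original order to reproduce it. */
static void pcr_extend(pcr_t *pcr, const uint8_t digest[SHA1_LEN]) {
    uint8_t buf[2 * SHA1_LEN];
    memcpy(buf, pcr->v, SHA1_LEN); memcpy(buf + SHA1_LEN, digest, SHA1_LEN);
    sha1(buf, sizeof buf, pcr->v);
}

/* The three steps from the slide for one boot component: hash it, add an Event Log entry,
   extend the selected PCR with the hash. */
static void measure(pcr_t pcrs[], eventlog_t *log, uint32_t idx,
                    const uint8_t *data, size_t len, const char *desc) {
    event_t *ev = &log->e[log->n++];
    ev->pcr_index = idx; ev->desc = desc;
    sha1(data, len, ev->digest);
    pcr_extend(&pcrs[idx], ev->digest);
}

/* MBR split as quoted from the TCG PC Client BIOS spec: bytes 0000-01B7h (IPL code) go to
   PCR[4]; bytes 01B8-01FFh (disk signature, partition table, 55AAh) go to PCR[5]. */
static void measure_mbr(pcr_t pcrs[], eventlog_t *log, const uint8_t mbr[512]) {
    measure(pcrs, log, 4, mbr, 0x1B8, "MBR IPL code 0000-01B7h");
    measure(pcrs, log, 5, mbr + 0x1B8, 512 - 0x1B8, "MBR platform configuration 01B8-01FFh");
}

/* Verifier side: replay the Event Log from all-zero PCRs (assumption: PCR[4] and PCR[5] reset
   to zero) and compare with the PCRs the TPM reports. A secret sealed to these PCRs unseals
   only when the TPM's PCRs equal the sealed values, which is the condition this replay tests. */
static int replay_matches(const eventlog_t *log, const pcr_t actual[NUM_PCRS]) {
    pcr_t replay[NUM_PCRS];
    memset(replay, 0, sizeof replay);
    for (size_t i = 0; i < log->n; i++)
        pcr_extend(&replay[log->e[i].pcr_index], log->e[i].digest);
    return memcmp(replay, actual, sizeof replay) == 0;
}

/* Constructed sample MBR (not a real disk image): IPL prologue bytes, a disk signature,
   one active partition entry and the 55AAh signature. */
static void build_sample_mbr(uint8_t mbr[512], uint32_t disk_signature) {
    memset(mbr, 0, 512);
    memcpy(mbr, "\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C", 8);   /* cli; xor ax,ax; mov ss,ax; mov sp,7C00h */
    memcpy(mbr + 0x1B8, &disk_signature, 4);              /* disk signature field at 01B8h */
    mbr[0x1BE] = 0x80; mbr[0x1C2] = 0x07;                 /* partition 1: active, type 07h */
    mbr[0x1FE] = 0x55; mbr[0x1FF] = 0xAA;
}

int main(void) {
    pcr_t pcrs[NUM_PCRS] = {{{0}}};
    eventlog_t log = {0};
    uint8_t mbr[512];
    build_sample_mbr(mbr, 0x12345678);
    measure_mbr(pcrs, &log, mbr);
    printf("%zu events logged; replay reproduces TPM PCRs: %d\n", log.n, replay_matches(&log, pcrs));
    log.e[0].digest[0] ^= 1;           /* a tampered log entry no longer reproduces PCR[4] */
    printf("after tampering with the log, replay matches: %d\n", replay_matches(&log, pcrs));
    return 0;
}
```

Two disks with identical boot code but different disk signatures produce the same PCR[4] and different PCR[5] values, which is why the spec keeps platform-specific configuration out of PCR[4]: a secret sealed to PCR[4] alone survives re-imaging a disk with a new signature, while one sealed to PCR[5] as well does not.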
EFI Architectures & Requirements
Security-enhanced firmware MAY be conventional BIOS, EFI, or a combination of BIOS and EFI
TCG is currently drafting two industry-standard EFI specs:
EFI Protocol Spec common to PC Clients and Servers
EFI Implementation Spec for PC Clients, which includes the mapping of TPM PCR event measurements to EFI boot components
Microsoft is contributing to these specs
EFI support is planned in the Longhorn OS loader
Draft TCG EFI specs are currently available to TCG member companies, at www.trustedcomputinggroup.com/members
Building a Secure Startup System
After the system builder has:
Chosen a TPM 1.2 vendor
Committed a BIOS team to working on the extensions
What else is needed?
Build a TCG-defined Host Platform, which includes:
Motherboard
Host processor(s)
TPM
Immutable part of firmware called the Static Core Root of Trust for Measurement (S-CRTM)
Other devices that connect directly to the CPU and interact directly with the CPU
Example Motherboard Requirement
The platform MUST perform a Host Platform Reset, which may be:
Cold Boot Host Platform Reset,
Hardware Host Platform Reset, or
Warm Boot Host Platform Reset
The Boot Strap Host Processor MUST be reset & begin execution with the S-CRTM
All remaining Host Processors MUST be reset
The TPM MUST be reset (execution of the TPM_Init signal)
The TPM MUST NOT be reset without a Host Platform Reset; otherwise software could clear the PCRs and re-extend them with measurements of its own choosing, breaking the chain of trust
See TCG PC Client Specific Implementation Spec for Conventional BIOS v1.2, Revision 0.98 or later, at www.trustedcomputinggroups.org/members
Options And Trade-offs
After the Secure Startup functional requirements are met, the system builder has options to consider, including:
1:1 binding of TPM to platform
BIOS & CRTM architectures
Operational states of the TPM & customer deployment scenarios
Longhorn Secure Startup
An OEM Cookbook
Manny Novoa
Security Strategist, Personal Systems Group
Hewlett-Packard
TPM V1.2 Platform Requirement
1:1 binding of TPM to platform
System builders desire common motherboards across multiple platforms (may span consumer/commercial)
A modular TPM facilitates the build process and serviceability
HOWEVER
The TCG Specification clearly dictates the binding requirement:
TPM bound to 1 and only 1 platform
Soldered to the motherboard is well understood
A modular add-in requires cryptographic binding; the security target must demonstrate how the TPM cannot be used on another platform. This is not trivial!
The choice of binding has implications on platform cost and maintenance/serviceability!
TPM BIOS Impacts: CRTM
Two CRTM options for the PC Architecture:
Boot Block as CRTM
Immutable (fixed) code per the TCG Specification, or
Prove a secure update process in the conformance security target
Entire BIOS as CRTM
Prove a secure update process in the conformance security target
A challenge for most flash mechanisms in the runtime state!
TPM BIOS Impacts: Size Implications
S-CRTM TPM interface code adds 3 KB to 6 KB to the boot block
The F000 segment size limitation requires creative mapping of the BIOS core
BIOS Setup must include TPM functions, including enable/disable and factory reset (ForceClear)
RTM TPM interface code is now 32-bit
A mechanism is required to transition from the natural BIOS state to 32-bit mode
Physical Presence
Remote Deployment Consideration
Customers demand an automated mechanism to activate and take ownership of the TPM
However
The TCG specification conflicts in its physical presence requirements
A new process is under review by the PC Client Workgroup:
Conduit to BIOS for command sequences requiring physical presence
S-CRTM must detect user presence (i.e. button press, etc.), otherwise physical presence is locked
e.g. BIOS must distinguish a SW-initiated warm/cold boot from a physical pressing of the power button
Value-add opportunity in requiring a platform administration credential
Platform builder action: ensure any existing remote deployment scripts migrate to support the new physical presence process
TPM Ownership
TPM Services will handle the process of TPM ownership
Current TCG v1.1 implementations each have specific tools for ownership, which integrate with the TSS stack
Ownership blobs are NOT universally compatible
The blob exchange/process mechanism is currently in definition
Migration from TCG-enabled Windows XP and Windows 2000 platforms?
The TCG-defined Migration/Maintenance facility may suffice where the Longhorn installation is treated as a new device/platform
Mechanism under evaluation/creation at Microsoft
Fresh Longhorn/Secure Startup installation: the platform builder must ensure only a single GUI for ownership (via the OS)
Information gathered must be provided seamlessly to the TSS software layer
Case Study: HP ProtectTools & Longhorn
HP ProtectTools focus areas:
Pre-boot security
Single sign-on convenience
Multifactor authentication
Leverage infrastructure components (e.g. TPM)
Migration to Longhorn Secure Startup only affects the Embedded Security & BIOS modules:
Update to TPM v1.2
BIOS integration of INT 1Ah, PCR measurements & physical presence
Securing the CRTM
Other value-add modules focus on pre-boot or go via well-defined OS interfaces (CAPI, PKCS#11, TSS)
(Diagram: HP ProtectTools Security Manager for client PCs, comprising Smart Card Security for HP ProtectTools, Credential Manager for HP ProtectTools, BIOS Configuration for HP ProtectTools and Embedded Security for HP ProtectTools)
ProtectTools Platform Lessons
Use the highest-level API whenever possible
CSP for CAPI allows the TPM to function as any other crypto device/token
S/MIME support, IE integration for certs, etc.
PKCS#11 module for TPM
RSA SecurID, smart card support, USB crypto token support, etc.
Enhance Secure Startup with TPM and Smart Card pre-boot authentication
Independent of Secure Startup, to prevent system boot without strong user authentication
Offers strong pre-OS credential storage
Enhanced by Secure Startup in the offline scenario
(Diagram: App 1, App 2 ... App N on top of PKCS#11 and the CAPI CSP, over TSS/TCS, over TBS)
Recap For System Builder (OEM)
Begin the TPM 1.2 integration process
Standalone chip: Atmel, Infineon, ST Micro
Integrated: Broadcom (NIC), National (SIO)
Ensure 1:1 binding of TPM to platform/motherboard
BIOS implications:
Immutable S-CRTM or define a secure flash process
Support physical presence detection within the CRTM
Space requirements to add integrity measurement code and TPM interface code to the S-CRTM and RTM
INT 1Ah support for the runtime environment
Leverage the TPM in tools/applications
Example: HP ProtectTools Credential Manager uses the TPM to protect the SSO store
Design value-add to the highest API level possible
Call to Action
Develop TPM applications using a TSS that's been ported to TBS
Get on the list to receive the Secure Startup Design Guide publication from Microsoft
Send e-mail to [email protected]
System builders: send your reference platforms to the Secure Startup test team at Microsoft for evaluation
Review the v1.2 TCG specifications at www.trustedcomputinggroup.org
Secure Startup Resources
For answers to questions about Secure Startup and related TPM services: [email protected]
TCG Web Site
http://www.trustedcomputinggroup.org
Community Resources
Windows Hardware & Driver Central (WHDC)
www.microsoft.com/whdc/default.mspx
Technical Communities
www.microsoft.com/communities/products/default.mspx
Non-Microsoft Community Sites
www.microsoft.com/communities/related/default.mspx
Microsoft Public Newsgroups
www.microsoft.com/communities/newsgroups
Technical Chats and Webcasts
www.microsoft.com/communities/chats/default.mspx
www.microsoft.com/webcasts
Microsoft Blogs
www.microsoft.com/communities/blogs
© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.