Flicker is a project to execute security-sensitive code in isolation from an operating system such as Windows or Linux. Flicker works on x86-class systems from AMD and Intel with support for dynamic root of trust.
Flicker is a technique leveraging new features of CPUs from AMD and Intel, including support for dynamic root of trust, to execute application-specific code with an extremely small TCB, while maintaining compatibility with a legacy operating system. We propose an architecture that allows a Piece of Application Logic (PAL) to execute in complete isolation from other software while trusting only a tiny software base that is orders of magnitude smaller than even minimalist virtual machine monitors. Our technique also enables more meaningful attestation than previous proposals, since only measurements of the security-sensitive portions of an application need to be included. We achieve these guarantees by leveraging hardware support provided by commodity processors from AMD and Intel that are shipping today.
To use Flicker, a PC platform supporting dynamic root of trust is needed. AMD and Intel have implemented this differently. A v1.2 TPM is also required (and it must be enabled and activated in the BIOS).
The AMD version of Flicker requires a processor supporting the SKINIT instruction, a v1.2 TPM, and a chipset which provides memory protection for the Flicker code. The SKINIT instruction is available with newer AMD64 processors. Look for 'svm' in /proc/cpuinfo. In the BIOS, you must enable hardware virtualization support.
The Intel version of Flicker requires a processor supporting the GETSEC[SENTER] instruction, a v1.2 TPM, and a chipset which provides memory protection for the Flicker code. These features are available on vPro-branded systems supporting Intel Trusted eXecution Technology (TXT). Look for 'smx' and 'vmx' in /proc/cpuinfo. In BIOS, you must enable hardware virtualization support (VT), Trusted eXecution Technology (TXT), and VT-d. There are known-bad (really bad; you could RUIN YOUR MOTHERBOARD) BIOSes out there for TXT. Upgrade your BIOS to the newest available version.
To verify that your system has a v1.2 TPM:
$ modprobe tpm_tis force=1 interrupts=0
$ cat `find /sys -name pcrs`
You should have 24 PCRs listed (0-23). If you have only 16 PCRs (0-15), then you have a v1.1b TPM, and Flicker won't work.
Flicker is currently compatible with 32-bit, non-PAE Windows 7 and Linux. Most current testing is done on Ubuntu 12.04 LTS. Note that you will need to install a "-generic" kernel to ensure that it is non-PAE; the kernel installed by default often ends in "-generic-pae", which will not work.
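As an added example (not code from the Flicker project), the following POSIX shell script automates the prerequisite checks described above on a Linux host: the 'svm' / 'smx' + 'vmx' lookup in /proc/cpuinfo, the PCR count from the TPM's sysfs pcrs file (24 means v1.2, 16 means the unsupported v1.1b), and whether the running kernel is a 32-bit non-PAE build. The function names and the sample inputs are my own; the script assumes the standard "flags" line of /proc/cpuinfo, the tpm_tis driver's "PCR-NN: ..." line format in its pcrs file, and Ubuntu's "-pae" kernel naming.

```shell
#!/bin/sh
# Flicker prerequisite checks for a Linux host. Added example, not part of the
# Flicker project. Each check takes its input text as an argument so it can be
# exercised on constructed data; main() at the bottom feeds it the live
# system's /proc/cpuinfo, TPM pcrs file and uname output.

# Extract the space-separated CPU feature flags from /proc/cpuinfo text
# (first "flags" line only; all cores report the same set).
cpu_flags() {
    printf '%s\n' "$1" | awk -F: '/^flags/ { print $2; exit }'
}

# Succeed only if every flag named in $2.. is present in the cpuinfo text $1.
cpu_has_flags() {
    flags=" $(cpu_flags "$1") "
    shift
    for f in "$@"; do
        case "$flags" in
            *" $f "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Which Flicker flavour the CPU can run: 'svm' means AMD SKINIT is available,
# 'smx' plus 'vmx' means Intel GETSEC[SENTER] (TXT) is available.
flicker_cpu_support() {
    if cpu_has_flags "$1" svm; then
        echo amd
    elif cpu_has_flags "$1" smx vmx; then
        echo intel
    else
        echo none
    fi
}

# Count the "PCR-NN: ..." lines in the text of the TPM driver's sysfs pcrs file.
pcr_count() {
    printf '%s\n' "$1" | awk '/^PCR-[0-9]+:/ { n++ } END { print n + 0 }'
}

# 24 PCRs (0-23) indicate a v1.2 TPM; 16 PCRs (0-15) indicate a v1.1b TPM,
# which Flicker does not support.
tpm_version_from_pcrs() {
    n=$(pcr_count "$1")
    if [ "$n" -ge 24 ]; then
        echo 1.2
    elif [ "$n" -eq 16 ]; then
        echo 1.1b
    else
        echo unknown
    fi
}

# Flicker needs a 32-bit, non-PAE kernel; Ubuntu's PAE builds carry "-pae"
# in their release string (e.g. "-generic-pae").
kernel_is_pae() {
    case "$1" in
        *-pae|*-pae-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample inputs (not captured from a real machine) for self-testing.
SAMPLE_CPUINFO_AMD=$(printf 'vendor_id\t: AuthenticAMD\nflags\t\t: fpu vme de pse lm svm nx\n')
SAMPLE_CPUINFO_INTEL=$(printf 'vendor_id\t: GenuineIntel\nflags\t\t: fpu vme de pse vmx smx lm\n')
SAMPLE_CPUINFO_OLD=$(printf 'vendor_id\t: GenuineIntel\nflags\t\t: fpu vme de pse\n')
fake_pcrs() { awk -v n="$1" 'BEGIN { for (i = 0; i < n; i++) printf "PCR-%02d: 00 00 00 00\n", i }'; }
SAMPLE_PCRS_12=$(fake_pcrs 24)
SAMPLE_PCRS_11B=$(fake_pcrs 16)

# Report on the machine this script runs on.
main() {
    cpuinfo=$(cat /proc/cpuinfo 2>/dev/null || true)
    echo "cpu support : $(flicker_cpu_support "$cpuinfo")"
    pcrs_file=$(find /sys -name pcrs 2>/dev/null | head -n 1 || true)
    if [ -n "$pcrs_file" ]; then
        echo "tpm version : $(tpm_version_from_pcrs "$(cat "$pcrs_file")")"
    else
        echo "tpm version : no pcrs file found (modprobe tpm_tis first?)"
    fi
    release=$(uname -r); machine=$(uname -m)
    if kernel_is_pae "$release" || [ "$machine" = x86_64 ]; then
        echo "kernel      : $release ($machine) - need a 32-bit non-PAE kernel"
    else
        echo "kernel      : $release ($machine) - ok"
    fi
}
main
```

Run it as root after `modprobe tpm_tis force=1 interrupts=0`, otherwise the pcrs file will not exist and the TPM check is skipped. The script only inspects what the running kernel exposes; the BIOS settings the text requires (hardware virtualization, and on Intel also TXT and VT-d) still have to be verified by hand, and a CPU that shows 'svm' or 'smx' in its flags says nothing about whether the chipset protects Flicker's memory.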
Q: I want to buy a machine to run Flicker. What should I buy?
Q: Hardware that "should" work but doesn't
Q: Is Flicker bug-free?