Below:


From: Martin Thiim [mailto:martin@thiim.net]
Sent: Wednesday, February 20, 2008 12:08 AM
To: Cihula, Joseph
Cc: Wei, Gang; tboot-devel@lists.sourceforge.net
Subject: Re: [tboot-devel] Question on feature control bits and some observations

Hello,

Thanks for your reply; my comments below:

> The intention of disabling VMX outside of SMX when TXT has been enabled
> is that by enabling TXT the user is signalling that they wish to use the
> platform in a secure mode.  And by disabling VMX outside of SMX, then
> once a launch control policy has been established, the system is
> protected from a blue-pill type of attack (or if a launch control policy
> is not present then at least blue-pill must perform a measured launch
> and will be detectable in the PCR state).
 
I don't see how disabling VMX outside SMX adds any security, since full virtualization is still possible in software; it just can't take advantage of VMX. VMware and others have offered "near native" virtualization performance even before VMX. So it would still be possible to do a full (in software) virtualization of the CPU, including SMX features, opening the way to a "blue-pill" attack.

[JC]  While there is certainly SW-based virtualization, it is much harder for SW virt. to be completely transparent and undetectable.  And while I can't say for sure that HW-based virt. is undetectable, there are those that make the claim that it can be (and those that claim it can't).  SW-based virt. is also more complex than HW-based virt.  So preventing the use of HW-based virt. does provide some level of protection from hyperjacking.

Of course, it wouldn't be possible to "fake" the PCR registers on the true TPM, so it wouldn't be able to extract any secrets from there. If it attempts to software-emulate a TPM, a third party would be able to verify that it wasn't manufactured by a "well-known" TPM manufacturer. But these two limitations would also apply if the blue pill had used VMX.

[JC]  In the actual blue-pill attack, the hypervisor is loaded/injected after (static) measurements have occurred, so just using a TPM and a static root of trust would not detect it.  Perhaps something like IMA, where every module and executable gets measured in addition to the boot chain, could, but this is a very complex solution to implement in practice.
 
Regarding this launch control policy, I've seen it mentioned here and there, but has it been documented yet? I haven't been able to find much information on it in Intel's manuals, but maybe it is in a different manual?

[JC]  TXT Launch Control Policy will be documented in the next revision of the TXT spec.  In the meantime, the data structures and processes can be seen in the lcptools code in the tboot project.

Best regards,

Martin Thiim
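The feature-control bits this thread is about live in the IA32_FEATURE_CONTROL MSR (0x3A): bit 0 locks the register until the next reset, bit 1 permits VMXON inside SMX (i.e. after GETSEC[SENTER]), bit 2 permits VMXON outside SMX, bits 8 to 14 are the SENTER local function enables and bit 15 is the SENTER global enable. The "VMX only within SMX" setting discussed above is bit 1 set with bit 2 clear; VMXON then faults with #GP unless the processor is in SMX operation, which is the mechanism Joseph is relying on. The decoder below is an added example written for this page, not code from tboot or from either correspondent. The bit layout follows the Intel SDM; the sample MSR values in main() are constructed, and the optional Linux read through /dev/cpu/N/msr assumes the msr driver is loaded and the program runs as root.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* IA32_FEATURE_CONTROL MSR address and bit layout (Intel SDM vol. 3). */
#define IA32_FEATURE_CONTROL     0x3AU
#define FC_LOCK                  (1ULL << 0)   /* BIOS locks the MSR; writes #GP until reset */
#define FC_VMX_IN_SMX            (1ULL << 1)   /* VMXON allowed in SMX operation (after SENTER) */
#define FC_VMX_OUTSIDE_SMX       (1ULL << 2)   /* VMXON allowed outside SMX operation */
#define FC_SENTER_LOCAL_SHIFT    8             /* bits 8..14: SENTER local function enables */
#define FC_SENTER_LOCAL_MASK     0x7FULL
#define FC_SENTER_GLOBAL_ENABLE  (1ULL << 15)  /* GETSEC[SENTER] globally enabled */

struct feature_control {
    bool     locked;
    bool     vmx_in_smx;
    bool     vmx_outside_smx;
    unsigned senter_local;      /* 7-bit field */
    bool     senter_global;
};

/* What a locked MSR value lets a hypervisor do with VMXON. */
enum fc_policy {
    FC_UNLOCKED,          /* BIOS left the MSR writable: the OS/tboot can set the bits itself */
    FC_VMX_DISABLED,      /* locked, VMXON never allowed */
    FC_VMX_ANYWHERE,      /* locked, VMXON allowed with or without a measured launch */
    FC_VMX_SMX_ONLY,      /* locked, VMXON only after GETSEC[SENTER]: the case in the thread */
    FC_VMX_NON_SMX_ONLY,  /* locked, VMXON only outside SMX */
};

struct feature_control fc_decode(uint64_t msr)
{
    struct feature_control fc = {
        .locked          = (msr & FC_LOCK) != 0,
        .vmx_in_smx      = (msr & FC_VMX_IN_SMX) != 0,
        .vmx_outside_smx = (msr & FC_VMX_OUTSIDE_SMX) != 0,
        .senter_local    = (unsigned)((msr >> FC_SENTER_LOCAL_SHIFT) & FC_SENTER_LOCAL_MASK),
        .senter_global   = (msr & FC_SENTER_GLOBAL_ENABLE) != 0,
    };
    return fc;
}

enum fc_policy fc_classify(uint64_t msr)
{
    struct feature_control fc = fc_decode(msr);
    if (!fc.locked)                           return FC_UNLOCKED;
    if (fc.vmx_in_smx && fc.vmx_outside_smx)  return FC_VMX_ANYWHERE;
    if (fc.vmx_in_smx)                        return FC_VMX_SMX_ONLY;
    if (fc.vmx_outside_smx)                   return FC_VMX_NON_SMX_ONLY;
    return FC_VMX_DISABLED;
}

/* True when the locked MSR permits SENTER and confines VMXON to SMX operation,
 * i.e. an unmeasured hypervisor cannot use hardware virtualization at all. */
bool fc_is_txt_only_vmx(uint64_t msr)
{
    struct feature_control fc = fc_decode(msr);
    return fc.locked && fc.senter_global && fc.vmx_in_smx && !fc.vmx_outside_smx;
}

/* Linux only: read the MSR from `cpu` via the msr driver (needs root, msr.ko).
 * Returns 0 on success, -1 if the device is unavailable. */
int fc_read_linux(int cpu, uint64_t *out)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, out, sizeof *out, IA32_FEATURE_CONTROL);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

static const char *fc_policy_name(enum fc_policy p)
{
    static const char *names[] = { "unlocked", "VMX disabled", "VMX anywhere",
                                   "VMX only inside SMX", "VMX only outside SMX" };
    return names[p];
}

int main(void)
{
    /* Constructed sample values, not captured from real hardware. */
    const uint64_t samples[] = { 0x0000ULL, 0x0001ULL, 0x0005ULL, 0xFF03ULL, 0xFF07ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct feature_control fc = fc_decode(samples[i]);
        printf("0x%04llx: %-21s senter_global=%d senter_local=0x%02x txt_only_vmx=%d\n",
               (unsigned long long)samples[i], fc_policy_name(fc_classify(samples[i])),
               fc.senter_global, fc.senter_local, fc_is_txt_only_vmx(samples[i]));
    }
    uint64_t live;
    if (fc_read_linux(0, &live) == 0)
        printf("cpu0 IA32_FEATURE_CONTROL=0x%llx: %s\n",
               (unsigned long long)live, fc_policy_name(fc_classify(live)));
    return 0;
}
```

Note that an unlocked MSR (bit 0 clear) is the interesting failure mode from a hyperjacking standpoint: whatever the BIOS menu says, the first ring-0 code to run can set bits 1 and 2 and lock them itself, so a check that only looks at bit 2 without also checking the lock bit proves nothing.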