thanks for your reply, my comments below:
> The intention of disabling VMX outside of SMX when TXT has been enabled
> is that by enabling TXT the user is signalling that they wish to use the
> in a secure mode. And by disabling VMX outside of SMX, then
> once a launch control policy has been established, the system is
> protected from a blue-pill type of attack (or if a launch control
> is not present then at least blue-pill must perform a measured
> and will be detectable in the PCR state).
I don't see how disabling VMX outside SMX adds any security, since
full virtualization is still possible in software, it just can't take
advantage of VMX. VMWare and others have offered "near native"
virtualization performance even before VMX. So it would still be possible to
do a full (in software) virtualization of the CPU, including SMX features,
opening up for a "blue-pill" attack.
[JC] While there is certainly SW-based virtualization, it is
much harder for SW virt. to be completely transparent and undetectable.
And while I can't say for sure that HW-based virt. is undetectable, there are
those that make the claim that it can be (and those that claim
it can't). SW-based virt. is also more complex than HW-based
virt. So preventing the use of HW-based virt. does provide some level of
protection from hyperjacking.
Of course, it wouldn't be
possible to "fake" the PCR registers on the true TPM so it wouldn't be able to
extract any secrets from here. If it attempts to software-emulate a TPM a
third party would be able to verify that it wasn't manufactured by a
"well-known" TPM manufacturer. But these two limitations would also apply if
the blue pill had used VMX.
[JC] In the actual blue-pill attack, the hypervisor is
loaded/injected after (static) measurements have occurred, so just using a TPM
and a static root of trust would not detect it. Perhaps something like
IMA where every module and executable gets measured, in addition to the boot
chain, could but this is a very complex solution to implement in
Regarding this launch control policy, I've seen it mentioned here and
there but has it been documented yet? I haven't been able to find much
information on it in Intel's manuals but maybe it is in a different
[JC] TXT Launch Control Policy will be documented in the
next revision of the TXT spec. In the meantime, the data
structures and processes can be seen in the lcptools code in the tboot
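To illustrate JC's point about static measurements versus a runtime measurement agent, here is an added Python simulation that is not part of this thread or of tboot. It models the TPM 1.2 extend rule (PCR_new = SHA1(PCR_old || SHA1(data))) in a single PCR; the boot component names, the late-loaded module and the `runtime_measurement` switch are constructed for the example.

```python
import hashlib

PCR_INIT = bytes(20)  # a PCR starts as 20 zero bytes after reset


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(data))."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()


def measure_boot(components):
    """Static root of trust: each boot-chain component is extended, in order."""
    pcr = PCR_INIT
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def boot_then_load(components, late_modules, runtime_measurement):
    """Boot, then load further modules after the static measurements are done.

    Only an IMA-like runtime agent (runtime_measurement=True) extends those
    late modules into the PCR; without it the PCR never reflects them.
    """
    pcr = measure_boot(components)
    for module in late_modules:
        if runtime_measurement:
            pcr = pcr_extend(pcr, module)
    return pcr


def late_load_detected(expected_pcr: bytes, observed_pcr: bytes) -> bool:
    """A verifier comparing against the known-good boot value sees a change
    only if the late load was measured."""
    return observed_pcr != expected_pcr


# Constructed sample inputs (stand-ins for real firmware/bootloader/kernel
# images and for a module injected after boot).
BOOT_CHAIN = [b"bios-image", b"bootloader-image", b"kernel-image"]
LATE_MODULE = b"module-loaded-after-boot"


def demo():
    expected = measure_boot(BOOT_CHAIN)
    unmeasured = boot_then_load(BOOT_CHAIN, [LATE_MODULE], False)
    measured = boot_then_load(BOOT_CHAIN, [LATE_MODULE], True)
    return (late_load_detected(expected, unmeasured),
            late_load_detected(expected, measured))


if __name__ == "__main__":
    print("detected without / with runtime measurement:", demo())
```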