Re: [tboot-devel] late launch

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Thu, Nov 20, 2008 at 8:33 AM, Mike Hearn <mi...@pl...> wrote:
> What's the rationale for tboot not being a late launch project? My
> understanding was that the whole point of TXT was to enable late launch.

It seems that the problem with late launch is not so much launching
something like tboot, it's what happens next.

The simplest case would be to just abandon the original OS from which
you performed the late launch, and to go ahead and do what tboot does
now, measure and launch a VM monitor like Xen, which then launches a
new set of VMs from scratch. But that doesn't give you any advantages
over simply rebooting into today's tboot.

Jon McCune's Flicker project does a late launch of a small executable
program that performs secure functions for a relatively brief moment
(a flicker of time, hence the name), and then tears down the secure
environment and returns to the original OS. This has also required
substantial work and research to accomplish, and seems to require OS
specific code.

A very ambitious possibility would be to encapsulate the state of the
OS you were running before launching tboot, and to transfer it into a
VM, allowing it to continue to run under a VMM launched by tboot.
Ideally the user would hardly notice that the late launch had happened
and that his OS had gone from running on the real hardware, to running
in a VM managed by a measured VMM that tboot had started. I think this
was the original idea of Microsoft's Palladium project, renamed NGSCB
and then seemingly abandoned in the face of a firestorm of criticism.
Clearly it would be extremely challenging to accomplish, and would
very likely be OS specific. The "Blue Pill" project,
http://bluepillproject.org/ , is a sort of root kit which does
something similar, not using tboot but wrapping the OS in a VM and
keeping it running, maybe without the user noticing. It could probably
be modified to use tboot and might be a good starting point for this
kind of late launch architecture.

Hal Finney