Menu
▾
▴
Re: [tboot-devel] late launch
|
From: Cihula, J. <jos...@in...> - 2008-11-20 19:35:15
|
Well said. The tboot project's primary purpose is to be reference code for the use of Intel(R) TXT. And since TXT is mostly about launching a trusted environment, most of the code for its use is about preparing for and executing the launch. There is some subsequent code for verifying the launched environment. This aspect of TXT is not really dependent on early and late launch models--the same process is required for all uses of TXT. In addition to providing reference code, tboot is also a production-quality MLE (measured launched environment). This was done in order to provide a functioning, runable example of TXT use that could be integrated into products or deployments. For a variety of reasons, it is extremely valuable to have a practical, runable TXT "application". We wanted tboot to serve as an example of TXT use, not as a complete virtualization/separation kernel/high-security kernel/etc. solution. So tboot is designed to work in conjunction with a VMM (e.g. Xen) or OS (e.g. Linux) to provide the TXT-related security functionality. The VMM or OS is responsible for extending or maintaining the trusted environment that tboot launched it in. This is also why tboot is designed to be fairly VMM/OS agnostic and with minimal VMM/OS changes needed for full support (as opposed to being tightly integrated into it). And by releasing tboot with an open source license, we wanted to facilitate others who work in open source to apply TXT to their projects and release the results. Hopefully this will give the community a range of usage models that a single company like Intel could not have developed on its own. Joe P.S. We will be posting SINIT AC Modules for the new mobile and desktop systems very soon. > -----Original Message----- > From: Hal Finney [mailto:hal...@gm...] > Sent: Thursday, November 20, 2008 11:01 AM > To: Mike Hearn > Cc: Cihula, Joseph; tbo...@li...; Lil Evil > Subject: Re: [tboot-devel] late launch > > On Thu, Nov 20, 2008 at 8:33 AM, Mike Hearn <mi...@pl...> wrote: > > What's the rationale for tboot not being a late launch project? My > > understanding was that the whole point of TXT was to enable late launch. > > It seems that the problem with late launch is not so much launching > something like tboot, it's what happens next. > > The simplest case would be to just abandon the original OS from which > you performed the late launch, and to go ahead and do what tboot does > now, measure and launch a VM monitor like Xen, which then launches a > new set of VMs from scratch. But that doesn't give you any advantages > over simply rebooting into today's tboot. > > Jon McCune's Flicker project does a late launch of a small executable > program that performs secure functions for a relatively brief moment > (a flicker of time, hence the name), and then tears down the secure > environment and returns to the original OS. This has also required > substantial work and research to accomplish, and seems to require OS > specific code. > > A very ambitious possibility would be to encapsulate the state of the > OS you were running before launching tboot, and to transfer it into a > VM, allowing it to continue to run under a VMM launched by tboot. > Ideally the user would hardly notice that the late launch had happened > and that his OS had gone from running on the real hardware, to running > in a VM managed by a measured VMM that tboot had started. I think this > was the original idea of Microsoft's Palladium project, renamed NGSCB > and then seemingly abandoned in the face of a firestorm of criticism. > Clearly it would be extremely challenging to accomplish, and would > very likely be OS specific. The "Blue Pill" project, > http://bluepillproject.org/ , is a sort of root kit which does > something similar, not using tboot but wrapping the OS in a VM and > keeping it running, maybe without the user noticing. It could probably > be modified to use tboot and might be a good starting point for this > kind of late launch architecture. > > Hal Finney |
