Xen project Mailing List

[Xen-devel] [PATCH] txt: 0/3 - Xen domain S3 integrity protection

To: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>, "xense-devel@xxxxxxxxxxxxxxxxxxx" <xense-devel@xxxxxxxxxxxxxxxxxxx>, Keir Fraser <keir.fraser@xxxxxxxxxxxxx>

From: "Cihula, Joseph" <joseph.cihula@xxxxxxxxx>

Date: Mon, 2 Mar 2009 12:38:40 -0800

Accept-language: en-US

Acceptlanguage: en-US

Cc: "Wang, Shane" <shane.wang@xxxxxxxxx>

Delivery-date: Mon, 02 Mar 2009 12:39:08 -0800

List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Thread-index: Acmbdt75QuAo33BORt2TCv01kZko2Q==

Thread-topic: [PATCH] txt: 0/3 - Xen domain S3 integrity protection

During a launch using Intel(r) Trusted Execution Technology (Intel(r) TXT), TXT provides memory integrity until Xen installs page tables, VT-d mappings, etc. However, in order to put the system into S3 the TXT environment must be torn down (and protections lost). On resume, the TXT environment will be re-launched. During resume, code that was not measured and is not trusted may execute prior to the re-establishment of the TXT environment. This would include BIOS code and DMA from devices (possibly with malicious/corrupted firmware). Importantly, the BIOS code used during S3 resume is typically the RAM copy and thus it could also have been modified by any code that ran during the initial boot before TXT (e.g. option ROMs, bootloader). In order to ensure that nothing has altered the memory image during this window, memory integrity checks must be made on all of the hypervisor, domain, and heap pages. The initial integrity values (MACs = message authentication codes) are calculated prior to entering S3 when protections are still in place. tboot uses the TPM to seal these (encrypt and bind to PCRs). On resume, after the TXT environment has been restored, they are unsealed (which will only succeed if the environment is the same as it was during seal). Then MACs are re-calculated and compared to the saved values. This MAC'ing is done in Xen in order to provide the per-domain support as well as because tboot runs in protected mode and so wouldn't have access to memory >4GB. tboot already MACs the hypervisor/bitmap/etc. Unofficial timing shows that the MAC algorithm used (VMAC; see the code for references) takes ~900ms to MAC 2GB memory. While this is very good, we made the choice of MAC'ing a domain configurable (default to 'yes') for those usage models that want faster S3 and have other methods of domain protection (e.g. introspection, agentry, etc.). Domain 0 is always MAC'ed. As with other TXT code, the MACs are only performed when Xen is booted using tboot. These patches are against the current xen-unstable tip, c/s 19238. They work for 32b and 64b, debug and ndebug builds. Joe & Shane _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.