[Xen-devel] [PATCH] txt: 0/3 - Xen domain S3 integrity protectio

To:	"xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>, "xense-devel@xxxxxxxxxxxxxxxxxxx" <xense-devel@xxxxxxxxxxxxxxxxxxx>, Keir Fraser <keir.fraser@xxxxxxxxxxxxx>
Subject:	[Xen-devel] [PATCH] txt: 0/3 - Xen domain S3 integrity protection
From:	"Cihula, Joseph" <joseph.cihula@xxxxxxxxx>
Date:	Mon, 2 Mar 2009 12:38:40 -0800
Accept-language:	en-US
Acceptlanguage:	en-US
Cc:	"Wang, Shane" <shane.wang@xxxxxxxxx>
Delivery-date:	Mon, 02 Mar 2009 12:39:08 -0800
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
List-help:	<mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id:	Xen developer discussion <xen-devel.lists.xensource.com>
List-post:	<mailto:xen-devel@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender:	xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index:	Acmbdt75QuAo33BORt2TCv01kZko2Q==
Thread-topic:	[PATCH] txt: 0/3 - Xen domain S3 integrity protection

During a launch using Intel(r) Trusted Execution Technology (Intel(r) TXT), TXT 
provides memory integrity until Xen installs page tables, VT-d mappings, etc.  
However, in order to put the system into S3 the TXT environment must be torn 
down (and protections lost).  On resume, the TXT environment will be 
re-launched.  During resume, code that was not measured and is not trusted may 
execute prior to the re-establishment of the TXT environment.  This would 
include BIOS code and DMA from devices (possibly with malicious/corrupted 
firmware).  Importantly, the BIOS code used during S3 resume is typically the 
RAM copy and thus it could also have been modified by any code that ran during 
the initial boot before TXT (e.g. option ROMs, bootloader).

In order to ensure that nothing has altered the memory image during this 
window, memory integrity checks must be made on all of the hypervisor, domain, 
and heap pages.  The initial integrity values (MACs = message authentication 
codes) are calculated prior to entering S3 when protections are still in place. 
 tboot uses the TPM to seal these (encrypt and bind to PCRs).  On resume, after 
the TXT environment has been restored, they are unsealed (which will only 
succeed if the environment is the same as it was during seal).  Then MACs are 
re-calculated and compared to the saved values.

This MAC'ing is done in Xen in order to provide the per-domain support as well 
as because tboot runs in protected mode and so wouldn't have access to memory 
>4GB.  tboot already MACs the hypervisor/bitmap/etc.

Unofficial timing shows that the MAC algorithm used (VMAC; see the code for 
references) takes ~900ms to MAC 2GB memory.  While this is very good, we made 
the choice of MAC'ing a domain configurable (default to 'yes') for those usage 
models that want faster S3 and have other methods of domain protection (e.g. 
introspection, agentry, etc.).  Domain 0 is always MAC'ed.

As with other TXT code, the MACs are only performed when Xen is booted using 
tboot.

These patches are against the current xen-unstable tip, c/s 19238.  They work 
for 32b and 64b, debug and ndebug builds.

Joe & Shane


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

WARNING - OLD ARCHIVES

xen-devel

[Xen-devel] [PATCH] txt: 0/3 - Xen domain S3 integrity protection