Tim Knoll
Systems Integration Engineer
Intel
Server Security Technologies
Security in the Enterprise Trends: Security Concerns Growing for Data Center and Cloud
Trend: Changes in architectures require new protections
Virtualization and multi-tenancy
3rd party dependencies
Blurred boundary
Trend: Increased compliance concerns, costs
UK Data Protection Act, FedRAMP, Payment Card Industry (PCI), etc. require security enforcement and create audit needs
Trend: Shift in types of attack
Platform as a target, not just software
Stealth and control as objectives
Security Concerns Limit Cloud Benefits
Top Concerns:
• Visibility and Control of Workload Location
• Auditability and Regulatory Compliance
• Verifiable End-to-End Workload Protection
Gain visibility
Maintain control
Prove compliance
Trusted Pools - Overview
Establishing and propagating a new security control attribute in Data Center – “Trust”
Aggregate Trusted systems and segregate them from untrusted resources
Tenant Visibility to “Platform Trust”
Run sensitive workloads only on Trusted Servers (Policy Control)
Enable automated monitoring of Trust based policies
Platform Trust input to audit logs and compliance reporting
Additional Controls: Geo-Tag/Asset-Tags, Trusted VMs
[Figure: cloud tenant applications, cloud provider hosts, trust report]
Intel® TXT + Remote Attestation are basis for Platform Trust
Use or disclosure of the contents of this page is restricted by the terms on the notice page
Intel® Trusted Execution Technology (Intel® TXT)
Intel TXT:
• Enables isolation and tamper detection in boot process
• Complements runtime protections
• Reduces support and remediation costs
• Hardware based trust provides visibility and verification useful in compliance
Intel TXT Hardens and Helps Control the Platform
[Figure: platform components in the chain of trust: TPM, Intel® 5500/5520 chipset, VT, VMM/OS (MLE), Flash/BIOS]
• Trust status usable by security and policy applications to control workloads
Trusted Compute, Storage, Network
What does it give you?
Capability                                   What it gives you
Platform Integrity, Trusted Compute Pools    Assurance that your workloads run on trusted servers
Asset-/Geo-Tags                              Visibility into and control of your workload location
Workload Integrity and Confidentiality       Control and protection of your workloads at launch
Run time Integrity                           Assurance that your workloads are protected during execution
[Figure: chain of trust built up from Intel TXT + TPM, through Intel TXT, CIT 2.0 and CIT 3.0]
Cloud Integrity Technology leverages Intel TXT:
• Trusted Launch: isolation and tamper detection at boot-time
• Compliance: hardware-based verification
• Trust status usable by security and policy applications, to control workloads
Cloud Integrity Technology 3.0: Workload Integrity and Confidentiality with OpenStack
Extend trust from BIOS to workload
• Boot-time integrity of workload
• Workload can be a VM or container
• Workload can be app, storage controller, network function ..
Enterprise Ownership and Control
• Encrypt workload before moving it to cloud
• Own and manage the encryption keys
• Only release keys to CSP after integrity check succeeds
Deliver via OpenStack, or CSP cloud service
Trust Agent Value Proposition
• Integrity assurance is being increasingly required in private, public and hybrid cloud use cases
• Build wide eco-system of security/ networking/ storage vendors, and CSP-hosted trusted clouds
• Our Differentiators: Hardware-based Assurance; Complete Chain of Trust – from BIOS to Workload; Location Control
[Figure: workload types: IT Application, Scale-out Storage Controller, Virtual Network Function]
Trusted Compute Pools Industry Support
[Figure: logos of products and solution providers, and of customers]
“Security in the cloud is paramount and Virtustream has adopted some of Intel technologies around security including Intel TXT.” Don Whittington, VP & CIO, Florida Crystals
DuPont deployed Intel TXT to ensure that the computing pools remained trusted, based on the original configurations across both Linux and Windows operating environments.
“Hardware-enhanced security provided by Intel TXT is critical to protect our sensitive data and was key in our selection of Virtustream for cloud services.” Joh F. Hill, CIO, Veyance Technologies
…address TWSE's business needs and increase the overall trust and security of its cloud infrastructure using Intel TXT and solutions from Cisco, HyTrust, McAfee and VMware.
Disclaimers
Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at www.intel.com.
Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other informationand performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products.
For more information go to http://www.Intel.com/performance.
All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps.
Copyright © 2017 Intel Corporation. All rights reserved. Intel, the Intel logo, Intel Inside, the Intel Inside logo, and Intel Xeon are trademarks of Intel Corporation in the U.S. and/or other countries.
*Other names and brands may be claimed as the property of others.
THIS SLIDE MUST BE USED WITH ANY SLIDES REMOVED FROM THIS PRESENTATION
Cloud Integrity Technology 1.0: Platform Trust, Trusted Compute Pools
Uses Intel TXT/ TPM to verify the integrity of a platform (BIOS, OS, VMM) against a “known good state” or “whitelist” at boot time
Helps create logical groupings (pools) of trusted systems, separates them from untrusted systems
Cloud Integrity Technology 2.0: Trusted Location and Boundary Control
Hardware-based Geo- and Asset Tags help control workload placement and migration
Boundary Control policy can be set for a workload, allowing or preventing its deployment
Delivered via OpenStack or integrated into Policy & Compliance products, e.g. HyTrust Cloud Control
Cloud Integrity Technology 1.0 and 2.0
[Figure: CIT 1.0 (Platform Integrity) and CIT 2.0 (Asset/Geo-tagging) architecture]
Trust Subscribers, each sending a Request for Trust Assurance over the RESTful API:
• Orchestrator (eg. OpenStack): Trusted Placement
• GRC, SIEM: Trust Audit & Compliance
• Security Tools (HyTrust, Intel Sec): Trust Policy & Control
Trust Attestation Authority (Virtual Appliance): RESTful API, Attestation Engine, Attestation Cache, Automation, Privacy CA, Whitelist Management, Credential Management, Tag Management, Tag Provisioning
Data Center hosts: Linux/KVM, Citrix Xen, Linux/Xen, and VMware vCenter with ESXi hosts; each host runs a Trust Agent backed by its TPM
Steps shown in the figure:
• PTE: provision TXT, TPM and Asset Tag to TXT/TPM capable hosts
• Trust Agent collects trusted measurements
• Trust Agent provides the trust report
• Trust Attestation Appliance evaluates for chain of trust
Cloud Integrity Technology 3.0 Components
[Figure: CIT 3.0 components split between the Enterprise Data Center and the Cloud Service Provider]
Enterprise Data Center: Key Server (OpenStack Barbican), Trust Director
Cloud Service Provider: OpenStack Nova, Glance and Horizon; compute nodes (Intel Arch w/ TXT, TPM) running workloads (App + OS) with a Trust Agent; Attestation Server with Verifier, Reporting and Policy Enforcement; KMS Proxy
Component origin shown in the figure: Intel, OpenStack, OEM
Typical Boot Sequence
[Figure: measured launch with Intel TXT; the PCR extended at each stage is shown]
Memory locked if BIOS measurement fails and secrets are in memory
Only launch if VMM verified by SINIT AC Module
1. System power ON
2. uCode validates BIOS ACM
3. BIOS ACM validates BIOS init code (BIOS ACM implements BIOS LCP)
4. Init TXT & memory, load SMM -> PCR0
5. Non-critical code: Option ROMs & other non-critical modules
6. Lock TXT & memory config; measure SMM & other trusted code -> PCR0+ (remainder of BIOS code including SMM); ENTERACCS: LockConfig
7. SENTER: load SINIT & VMM code
8. uCode validates SINIT -> PCR17 (PCR0 + SINIT hash + …)
9. SINIT validates VMM (SINIT ACM implements LCP; no launch if LCP fails) -> PCR18 (VMM)
10. VMM runs (PCR19+). VMM executing SEXIT allows BIOS to launch another MLE without a reset
Geo/Asset-tagging - Enabling Boundary Control
What is Asset Tag?
• Geo/Asset descriptor (asset-tag) stored in the TPM of the server
• Used to control placement & migration of workloads
• Broad support across bare metal OS and hypervisors (ESX, XenServer, Xen, KVM)
[Figure: Asset Certificate (digital signature, UUID of host, asset tag) and the TAG written to the TPM NVRAM index]
NV Index used: index 0x40000010
Size of index: TPM 1.2: 20 bytes (SHA-1); TPM 2.0 (future): 32 bytes (for SHA-256) and 64 bytes (for SHA-512)
Data format: 20 bytes of binary data
Asset Tag used with Geo-Location attributes is a Geo-Tag
How Does Remote Attestation Work?
[Figure: TPM and Trust/Attestation Agent on the host OS; Attestation Authority (Challenger) and Verifier on the other side]
1. Challenger sends a 160-bit nonce, NC
2. Trust Agent issues the TPM Quote Request (NC, PCR list)
3. TPM Quote Response: Sig_AIK(PCR, NC)
4. Agent returns { Sig_AIK(PCR, NC), SML, AIKcert }
5. Integrity verification by the Verifier:
   a. Ver(Sig_AIK(PCR, NC), AIK_pub) = true / false
   b. compare(PCR, SML == Golden Measurements)
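The five-step exchange above, written out as an added example (this is not Intel CIT code). The host side answers the challenge with a quote over the requested PCRs and its Stored Measurement Log; the verifier performs steps 5a and 5b: it checks the signature over (PCR, NC) under the nonce it issued, replays the SML through the TPM 1.2 extend operation to confirm the log reproduces the quoted PCRs, and compares the result with the golden measurements. The AIK signature is simulated with HMAC-SHA1 under a key shared by both sides so the block runs offline (an assumption; a real quote is an RSA signature checked with the public key from the AIK certificate), and the BIOS/SINIT/VMM measurements are constructed values.

```python
import hashlib
import hmac
import os

# Assumption: HMAC under a shared key stands in for the AIK signature / AIK_pub check.
SIM_AIK_KEY = b"constructed-aik-key-not-a-real-aik"
PCR_BYTES = 20  # TPM 1.2 PCRs are SHA-1 sized, matching the 160-bit nonce on the slide


def pcr_extend(pcr, digest):
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def measure(blob):
    """Digest of a boot component (BIOS, SINIT, VMM ...) as the boot chain would record it."""
    return hashlib.sha1(blob).digest()


def replay_sml(sml):
    """Recompute PCR values from a Stored Measurement Log of (pcr_index, digest) entries."""
    pcrs = {}
    for idx, digest in sml:
        pcrs[idx] = pcr_extend(pcrs.get(idx, b"\x00" * PCR_BYTES), digest)
    return pcrs


def quote_message(pcrs, nonce):
    """Bytes covered by the quote signature: selected PCRs in index order, then NC."""
    return b"".join(idx.to_bytes(1, "big") + pcrs[idx] for idx in sorted(pcrs)) + nonce


# --- host side (steps 2-4): simulated TPM_Quote plus the SML and AIK certificate ---
def tpm_quote(sml, nonce, pcr_list):
    pcrs = replay_sml(sml)
    selected = {i: pcrs[i] for i in pcr_list}
    sig = hmac.new(SIM_AIK_KEY, quote_message(selected, nonce), hashlib.sha1).digest()
    return {"pcrs": selected, "sig": sig, "sml": list(sml), "aik_cert": "constructed-AIKcert"}


# --- verifier side (step 5): returns (trusted, reason) ---
def verify_attestation(response, nonce, pcr_list, golden):
    pcrs = response["pcrs"]
    if sorted(pcrs) != sorted(pcr_list):
        return False, "quote does not cover the requested PCR list"
    expected = hmac.new(SIM_AIK_KEY, quote_message(pcrs, nonce), hashlib.sha1).digest()
    if not hmac.compare_digest(expected, response["sig"]):  # 5a: signature / nonce freshness
        return False, "5a: signature over (PCR, NC) invalid or nonce stale"
    replayed = replay_sml(response["sml"])                  # 5b: SML must explain the PCRs
    for idx in pcr_list:
        if replayed.get(idx) != pcrs[idx]:
            return False, f"5b: SML does not reproduce quoted PCR{idx}"
        if pcrs[idx] != golden[idx]:
            return False, f"5b: PCR{idx} differs from golden measurement"
    return True, "trusted"


def new_nonce():
    """Step 1: a fresh 160-bit nonce NC."""
    return os.urandom(PCR_BYTES)


# Constructed boot chain: PCR0 (BIOS), PCR17 (SINIT) and PCR18 (VMM) as on the boot-sequence slide.
GOOD_SML = [(0, measure(b"BIOS v1")), (17, measure(b"SINIT ACM")), (18, measure(b"VMM tboot"))]
GOLDEN = replay_sml(GOOD_SML)   # the whitelist / "known good state"
PCR_LIST = [0, 17, 18]


def demo(sml, challenge_nonce=None, verify_nonce=None):
    """One full exchange; verify_nonce lets a test model a replayed (stale) quote."""
    nc = challenge_nonce or new_nonce()
    response = tpm_quote(sml, nc, PCR_LIST)
    return verify_attestation(response, verify_nonce or nc, PCR_LIST, GOLDEN)


if __name__ == "__main__":
    print(demo(GOOD_SML))
    print(demo(GOOD_SML[:2] + [(18, measure(b"VMM modified"))]))
```

The two 5b checks are deliberately separate: a log that does not reproduce the quoted PCRs means the SML was edited after the fact, while PCRs that the log does reproduce but that differ from the whitelist mean the platform booted something else.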
VM Boundary Control With OpenStack* - How it works
[Figure: Nova (API Server, TrustedFilter, LocationFilter), Glance, the Attestation Authority, and the server TPMs]
0. OOB: provision Geo-Tag on to server TPMs
1. Upload Workload A to Glance with Launch Policy
2. Launch VM A through the Nova API Server
3. TrustedFilter, LocationFilter request location attestation from the Attestation Authority
4. Attestation Authority challenges the candidate host
5. Attestation Report: Trust Verified. Geo=France
6. Workload A launched with appropriate policy
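The placement decision above, as an added example that is not OpenStack or Intel CIT code. It ties the asset tag slide to the Nova filters: a host's location is only believed if the 20-byte value read back from the TPM NV index (0x40000010 on the slide) matches the tag in its asset certificate, and the TrustedFilter / LocationFilter then keep only hosts whose report says trust verified and whose certified attributes satisfy the launch policy. Assumptions: the tag is derived as SHA-1 over a canonical "key=value" serialization of the attributes (the slide gives the size and index, not the derivation), the certificate's own signature is taken as already verified, and the four hosts, UUIDs and trust results are constructed.

```python
import hashlib

ASSET_TAG_NV_INDEX = 0x40000010   # NV index named on the slide
ASSET_TAG_BYTES = 20              # TPM 1.2 index size from the slide


def asset_tag_from_attributes(attrs):
    """Assumption: SHA-1 over a canonical 'key=value;...' serialization."""
    canon = ";".join(f"{k}={attrs[k]}" for k in sorted(attrs)).encode()
    return hashlib.sha1(canon).digest()


def make_asset_certificate(host_uuid, attrs):
    """Constructed stand-in for the Asset Certificate binding host UUID and tag
    (its digital signature is assumed to have been verified already)."""
    return {"host_uuid": host_uuid, "attributes": dict(attrs),
            "tag": asset_tag_from_attributes(attrs)}


def geo_from_nv(nv_value, certificate):
    """Certified geo attributes, or {} when the NV read-back does not match the certificate."""
    if len(nv_value) != ASSET_TAG_BYTES or nv_value != certificate["tag"]:
        return {}
    return dict(certificate["attributes"])


def trusted_filter(hosts, reports):
    """Keep hosts whose attestation report says the chain of trust verified."""
    return [h for h in hosts if reports[h]["trusted"] is True]


def location_filter(hosts, reports, required):
    """Keep hosts whose certified attributes satisfy every attribute the policy requires."""
    return [h for h in hosts
            if all(reports[h]["geo"].get(k) == v for k, v in required.items())]


def schedule(hosts, reports, launch_policy):
    """Apply the launch policy the way the two Nova filters in the figure do."""
    candidates = list(hosts)
    if launch_policy.get("require_trust"):
        candidates = trusted_filter(candidates, reports)
    if launch_policy.get("location"):
        candidates = location_filter(candidates, reports, launch_policy["location"])
    return candidates


# Constructed data: four hosts with certificates, NV read-backs and platform trust results.
CERTS = {
    "host-fr-1": make_asset_certificate("c0ffee00-0000-4000-8000-000000000001", {"country": "France", "dc": "PAR1"}),
    "host-fr-2": make_asset_certificate("c0ffee00-0000-4000-8000-000000000002", {"country": "France", "dc": "PAR1"}),
    "host-de-1": make_asset_certificate("c0ffee00-0000-4000-8000-000000000003", {"country": "Germany", "dc": "FRA1"}),
    "host-fr-3": make_asset_certificate("c0ffee00-0000-4000-8000-000000000004", {"country": "France", "dc": "PAR2"}),
}
NV_READBACK = {
    "host-fr-1": CERTS["host-fr-1"]["tag"],
    "host-fr-2": CERTS["host-fr-2"]["tag"],
    "host-de-1": CERTS["host-de-1"]["tag"],
    "host-fr-3": b"\x00" * ASSET_TAG_BYTES,   # step 0 never ran: index still empty
}
TRUST_RESULT = {"host-fr-1": True, "host-fr-2": False, "host-de-1": True, "host-fr-3": True}


def build_reports():
    """Attestation reports as the scheduler sees them: trust verdict plus certified geo."""
    return {h: {"trusted": TRUST_RESULT[h], "geo": geo_from_nv(NV_READBACK[h], CERTS[h])}
            for h in CERTS}


WORKLOAD_A_POLICY = {"require_trust": True, "location": {"country": "France"}}

if __name__ == "__main__":
    print(schedule(list(CERTS), build_reports(), WORKLOAD_A_POLICY))
```

Note that host-fr-3 is excluded even though its certificate says France: with nothing provisioned in the NV index the location is unknown, and an unknown location must fail a boundary policy rather than pass it.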
Kamal Natesan
Platform Solution Architect, Intel
Trusted Infrastructure is Fundamental
TRUST
RESILIENCE
VISIBILITY/CONTROL
Agenda
One Touch Activation Overview and Value Proposition
Architecture Overview
Key Use Case and Demo Walkthrough
Business Opportunity/ Action Plan
Key Takeaway
Questions
Hardware Root of Trust - Current State
• Manual/sequential process (1:1)
• OEM/OS-dependent
• Difficult to scale to cloud levels
• Lack of automation tools
[Figure: manual process (admin with physical presence at the BIOS console issuing direct BIOS commands, reboot) versus automated process (setup PXE network, deploy automation host, issue OEM/OS-specific commands, reboot, next command)]
Solution Requirements
• Remote discovery of Intel® Trusted Execution Technology (Intel® TXT) / TPM support and enable status
• One-step TPM ownership clear and TXT/TPM activation operation
• Eliminate the need for multiple reboots, which saves ample time
One Touch Activation (OTA) will address all the above requirements, eliminate all dependencies and result in OEM/OS-independent scalable automation
Key words   Description
IB          In-band: OS-dependent command
OOB         Out-of-band: OS-independent
Intel® TXT now made easier with One Touch Activation
[Figure: DC Admin (remote) discovers, activates, deactivates and clears TXT/TPM/PTT across the fleet: OEM independent, remote rapid provisioning, scale out]
Architectural Diagram
[Figure: DC Admin -> BMC* (IPMI authentication) -> HECI/IPMI bridge -> SPS ME file system (flash area with special PCH key) -> BIOS; the PPIx OOB command (TXT/TPM enable) is acted on after reboot and reaches the TPM. Columns: Delivery Scheme, Storage Scheme, Provisioning Scheme]
Delivery scheme with IPMI, IE, EFI variable is validated
Delivery part is independent of IPMI/Redfish/DCMI/IE
PoC with Redfish interface is WIP
Solution dependency:
• [BMC/IE] & ME for OOB, or EFI variable for in-band
• Open source IPMI tool (BSD license) running in the management client
Storage scheme: 1. {Storage Service Read} nonce; 2. {Storage Service Write} nonce
Key Use Cases
Use Case #   Use Case Title
UC 1         Discover TXT/TPM status
UC 3         Enable TXT/dTPM
UC 4         dTPM Owner Clear only
UC 5         dTPM clear + TPM Activation
UC 6         dTPM Clear + TXT/TPM Activation
UC 11        Enable TXT/PTT
UC 12        PTT Owner Clear only
UC 13        PTT Clear + PTT Activation
UC 14        PTT Clear + TXT + PTT Activation
UC 15        Disable TXT only
UC 16        Disable dTPM only (this will not disable TXT)
UC 17        Disable PTT only
FAQs
Q: Does BMC know payload details?
A: No
Q: What is the default payload size?
A: No defined size. BIOS looks for the PPIx signature/checksum
Q: Is SPS aware of payload details?
A: No. SPS ME acts as a mailbox.
Q: Does BIOS respond with a proper error code?
A: Yes
Q: Is a BIOS setup password mandatory for PPIx operation?
A: No, it is optional
Q: What is the role of BMC?
A: BMC is just acting as a user interface to carry the payload
Q: What is the role of SPS ME?
A: SPS ME provides the option to store and retrieve the payload
Q: What is the role of BIOS?
A: BIOS acts on the payload instruction and sends back the response
Q: How is the ME storage service protected?
A: Payload data read/write is associated with a nonce generated by SPS. Over HECI the user needs to know the nonce to reach PPIx data after EOP. The HECI interface is locked at the end of POST; after it is locked the only option is through the BMC/IPMI interface.
Q: What is the security proprietary around the payload data structure?
A: Signature, total length, header length, length of additional data, attribute, identifier, checksum, BIOS administrator password. Each one is checked to determine the validity of the data and to address buffer overflow scenarios.
Q: What is the OOB payload protection scheme?
A: Payload is protected and transmitted by the BMC/IPMI authorization scheme.
Supported core BIOS version: Beta release (v92D07)
Supported SPS version: Beta release (SPS_E5_04.00.02.081.0)
Deployment Options
• Full functional instruction set: Platform Owner user guide (IBL # 569610)
• Option to build a custom automation utility: CLI utility (IPMI Tool extension script), open sourced at http://01.org/opencit
• OEM/ISV integrate into proprietary (GUI) solutions (iDRAC, iLO, vCenter, DCM, CIT, HTC, SUM, QCT)
One Touch Activation CLI Utility
Linux script that extends the IPMITOOL utility to support OTA commands
V1.0 released at http://01.org/opencit
DC Admin: copy the script to a Linux host where IPMITOOL is installed (Skylake generation servers)
Use cases: PPI OOB raw commands using IPMITOOL (GOOD) versus the PPIx OOB utility (BETTER)

Discover TXT/TPM status
  raw:     ipmitool -I lanplus -H <bmcip> -U <username> -P <password> -b 0x06 -t 0x2c raw 0x2e 0x90 0x57 0x01 0x00 0x00 0x00 0x00 0x00 0x20
  utility: ./ppix_OOB_script discovery -H <BMC ipaddress> -U <username> -P <password>

Enable TXT/dTPM
  raw:     ipmitool -I lanplus -H <bmcip> -U <username> -P <password> -b 0x06 -t 0x2c raw 0x2e 0x91 0x57 0x01 0x00 0x00 0x00 0x00 0x00 0x01 0x20 0x00 0x00 0x00 0x24 0x4F 0x58 0x50 0x20 0x00 0x20 0x00 0x01 0xA2 0x03 0xFF 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
  utility: ./ppix_OOB_script enable-txt-dtpm -H <BMC ipaddress> -U <username> -P <password>

dTPM Owner Clear only
  raw:     ipmitool -I lanplus -H <bmcip> -U <username> -P <password> -b 0x06 -t 0x2c raw 0x2e 0x91 0x57 0x01 0x00 0x00 0x00 0x00 0x00 0x01 0x20 0x00 0x00 0x00 0x24 0x4F 0x58 0x50 0x20 0x00 0x20 0x00 0x01 0xA1 0x04 0xFF 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
  utility: ./ppix_OOB_script clear-dtpm -H <BMC ipaddress> -U <username> -P <password>

dTPM clear + TPM Activation
  raw:     ipmitool -I lanplus -H <bmcip> -U <username> -P <password> -b 0x06 -t 0x2c raw 0x2e 0x91 0x57 0x01 0x00 0x00 0x00 0x00 0x00 0x01 0x20 0x00 0x00 0x00 0x24 0x4F 0x58 0x50 0x20 0x00 0x20 0x00 0x01 0xA0 0x05 0xFF 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
  utility: ./ppix_OOB_script clear-activate-dtpm -H <BMC ipaddress> -U <username> -P <password>

dTPM Clear + TXT/TPM activation
  raw:     ipmitool -I lanplus -H <bmcip> -U <username> -P <password> -b 0x06 -t 0x2c raw 0x2e 0x91 0x57 0x01 0x00 0x00 0x00 0x00 0x00 0x01 0x20 0x00 0x00 0x00 0x24 0x4F 0x58 0x50 0x20 0x00 0x20 0x00 0x01 0x9f 0x06 0xFF 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
  utility: ./ppix_OOB_script clear-activate-dtpm-enable-txt -H <BMC ipaddress> -U <username> -P <password>

Enable TXT/PTT
  raw:     ipmitool -I lanplus -H <bmcip> -U <username> -P <password> -b 0x06 -t 0x2c raw 0x2e 0x91 0x57 0x01 0x00 0x00 0x00 0x00 0x00 0x01 0x20 0x00 0x00 0x00 0x24 0x4F 0x58 0x50 0x20 0x00 0x20 0x00 0x01 0x9a 0x0b 0xFF 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
  utility: ./ppix_OOB_script enable-txt-ptt -H <BMC ipaddress> -U <username> -P <password>

PTT Owner Clear Only
  raw:     ipmitool -I lanplus -H <bmcip> -U <username> -P <password> -b 0x06 -t 0x2c raw 0x2e 0x91 0x57 0x01 0x00 0x00 0x00 0x00 0x00 0x01 0x20 0x00 0x00 0x00 0x24 0x4F 0x58 0x50 0x20 0x00 0x20 0x00 0x01 0x99 0x0c 0xFF 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
  utility: ./ppix_OOB_script clear-ptt -H <BMC ipaddress> -U <username> -P <password>

PTT clear + PTT activation
  raw:     ipmitool -I lanplus -H <bmcip> -U <username> -P <password> -b 0x06 -t 0x2c raw 0x2e 0x91 0x57 0x01 0x00 0x00 0x00 0x00 0x00 0x01 0x20 0x00 0x00 0x00 0x24 0x4F 0x58 0x50 0x20 0x00 0x20 0x00 0x01 0x98 0x0d 0xFF 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
  utility: ./ppix_OOB_script clear-activate-ptt -H <BMC ipaddress> -U <username> -P <password>

PTT clear + TXT + PTT activation
  raw:     ipmitool -I lanplus -H <bmcip> -U <username> -P <password> -b 0x06 -t 0x2c raw 0x2e 0x91 0x57 0x01 0x00 0x00 0x00 0x00 0x00 0x01 0x20 0x00 0x00 0x00 0x24 0x4F 0x58 0x50 0x20 0x00 0x20 0x00 0x01 0x97 0x0e 0xFF 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
  utility: ./ppix_OOB_script clear-activate-ptt-enable-txt -H <BMC ipaddress> -U <username> -P <password>
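A decoder for the raw commands in the table above, added as an example (it is not the ppix_OOB_script from 01.org/opencit). Its use is on the operator's side: confirm what an automation script is about to push through the BMC, or recognise a PPIx write when it turns up in a BMC command log. Everything it checks is read off the listed bytes: `-b 0x06 -t 0x2c` bridges the request to the management engine (the HECI/IPMI bridge in the architecture diagram), the bytes `0x57 0x01 0x00` after the OEM command number are the Intel enterprise-number prefix, command `0x90` reads and `0x91` writes the storage service, every 32-byte payload opens with the signature `$OXP ` (`0x24 0x4F 0x58 0x50 0x20`), the operation byte equals the use case number from the Key Use Cases table (0x03 = UC 3 and so on), and the byte before it is a checksum chosen so that all 32 bytes sum to zero modulo 256. The offsets of the checksum and operation bytes, and the meaning of the other header bytes, are my reading of the table rather than a documented layout; the two command lines embedded in the block are rows of the table with placeholder credentials.

```python
import re

INTEL_IANA = bytes([0x57, 0x01, 0x00])   # enterprise-number prefix present in every command
CMD_READ, CMD_WRITE = 0x90, 0x91         # storage service read / write
PPIX_SIGNATURE = b"$OXP "                # 0x24 0x4F 0x58 0x50 0x20
PAYLOAD_LEN = 0x20                       # 32 bytes, the length the discovery read asks for
OFF_CHECKSUM, OFF_OPCODE = 9, 10         # assumption: offsets inferred from the table rows
# Operation byte -> use case; the byte equals the UC number in the Key Use Cases table.
USE_CASES = {
    0x03: "Enable TXT/dTPM",
    0x04: "dTPM Owner Clear only",
    0x05: "dTPM clear + TPM Activation",
    0x06: "dTPM Clear + TXT/TPM activation",
    0x0B: "Enable TXT/PTT",
    0x0C: "PTT Owner Clear Only",
    0x0D: "PTT clear + PTT activation",
    0x0E: "PTT clear + TXT + PTT activation",
}


def raw_bytes(cmdline):
    """Bytes after 'raw' on an ipmitool command line (tolerates glued '0x000x00')."""
    if " raw " not in cmdline:
        raise ValueError("no 'raw' section on the command line")
    tail = cmdline.split(" raw ", 1)[1]
    return bytes(int(h, 16) for h in re.findall(r"0x([0-9a-fA-F]{2})", tail))


def validate_payload(p):
    """The FAQ's signature / length / checksum checks, as far as the listed bytes show them."""
    if len(p) != PAYLOAD_LEN:
        raise ValueError(f"payload length {len(p)}, expected {PAYLOAD_LEN}")
    if p[:len(PPIX_SIGNATURE)] != PPIX_SIGNATURE:
        raise ValueError("bad PPIx signature")
    if sum(p) % 256 != 0:
        raise ValueError("checksum mismatch")
    op = p[OFF_OPCODE]
    return {"opcode": op, "use_case": USE_CASES.get(op, "unknown"), "checksum": p[OFF_CHECKSUM]}


def decode_ppix_command(cmdline):
    """Classify one ipmitool line as a storage-service read or a validated PPIx write."""
    data = raw_bytes(cmdline)
    if len(data) < 5 or data[2:5] != INTEL_IANA:
        raise ValueError("not an Intel OEM command")
    netfn, cmd = data[0], data[1]
    if cmd == CMD_READ:
        return {"netfn": netfn, "op": "read", "length": data[-1]}
    if cmd == CMD_WRITE:
        return {"netfn": netfn, "op": "write", "payload": validate_payload(data[-PAYLOAD_LEN:])}
    raise ValueError(f"unexpected command 0x{cmd:02x}")


def is_valid_ppix_command(cmdline):
    try:
        decode_ppix_command(cmdline)
        return True
    except ValueError:
        return False


def build_payload(opcode):
    """Rebuild a table payload for a known use case, showing how the checksum byte is
    chosen so that the 32 bytes sum to zero. Opcodes outside the table are refused."""
    if opcode not in USE_CASES:
        raise ValueError("opcode not in the use-case table")
    body = bytearray(PPIX_SIGNATURE + bytes([0x00, 0x20, 0x00, 0x01, 0x00, opcode, 0xFF]))
    body += bytes(PAYLOAD_LEN - len(body))
    body[OFF_CHECKSUM] = (-sum(body)) % 256
    return bytes(body)


# Constructed inputs: two rows of the table with placeholder credentials.
DISCOVER_CMD = ("ipmitool -I lanplus -H <bmcip> -U <username> -P <password> -b 0x06 -t 0x2c "
                "raw 0x2e 0x90 0x57 0x01 0x00 0x00 0x00 0x00 0x00 0x20")
ENABLE_TXT_DTPM_CMD = ("ipmitool -I lanplus -H <bmcip> -U <username> -P <password> -b 0x06 -t 0x2c "
                       "raw 0x2e 0x91 0x57 0x01 0x00 0x00 0x00 0x00 0x00 0x01 0x20 0x00 0x00 0x00 "
                       "0x24 0x4F 0x58 0x50 0x20 0x00 0x20 0x00 0x01 0xA2 0x03 0xFF" + " 0x00" * 20)

if __name__ == "__main__":
    print(decode_ppix_command(DISCOVER_CMD))
    print(decode_ppix_command(ENABLE_TXT_DTPM_CMD))
```

Running the decoder over every raw line in the table reproduces the use-case names from the Key Use Cases table, which is also a quick way to catch a payload that was hand-edited or mangled in transit: a single changed byte breaks the zero-sum checksum and the write is rejected before it reaches the BMC.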
Key Takeaways
• Intel root of trust attestation solution through Intel TXT and CIT now made easier with One Touch Activation
• Easy discovery of the current state of the full data center
• Cloud-scale automated solution
• Results in an OEM/OS-independent automation solution
• Reduces time to deploy (especially in the case of Intel TXT/TPM re-provisioning)
CLI
[Figure: CLI screenshot]
Sample UI
[Figure: sample UI screenshot]
Sample Scenario
Scenario                                                   Steps required per server                                                                                                                                # of reboots
Out of box configuration                                   TPM ON > Reboot > TXT ON > Reboot > Install OS > Reboot                                                                                                  2
Production server (TXT activation post OS installation)    TPM CLEAR > Reboot > TPM ON > Reboot > TXT ON > Reboot > Install OS > tboot install > Reboot > launch the WL                                              2
TPM retrofit scenario                                      Add TPM > reboot > boot to EFI > Provisioning > Reboot > TPM enable > Reboot > TXT Enable > Reboot > Install OS /tboot > Reboot                         3
Asset tag provisioning                                     ESXi boot > Reboot > TPM Clear > Reboot > TPM/TXT ON > Reboot > ATAG Prov > TPM Clear > Reboot > TPM/TXT ON > Reboot > ESXi Boot                        5-6
OS reprovisioning                                          ESXi boot > Reboot > TPM Clear > Reboot > TPM/TXT ON > Reboot > OS install > Reboot                                                                       4