DOCSLIB.ORG

Thin Hypervisor-Based Security Architectures for Embedded Platforms

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Thin Hypervisor-Based Security Architectures for Embedded Platforms Heradon Douglas The Royal Institute of Technology, Stockholm, Sweden Advisor: Christian Gehrmann Swedish Institute of Computer Science, Stockholm, Sweden February 26, 2010 To my wife, Guiniwere, who is everything to me. Till min hustru, Guiniwere, som är allt för mig. I would also like to thank my advisor, Christian Gehrmann, for his support, guidance and collaboration; Louise Yngström, Alan Davidson, Stewart Kowalski and my other teachers and colleagues at DSV for their generosity and tutelage; and my friends and family for their love. ABSTRACT Virtualization has grown increasingly popular, thanks to its benefits of isolation, management, and utilization, supported by hardware advances. It is also re- ceiving attention for its potential to support security, through hypervisor-based services and advanced protections supplied to guests. Today, virtualization is even making inroads in the embedded space, and embedded systems, with their security needs, have already started to benefit from virtualization’s security po- tential. In this thesis, we investigate the possibilities for thin hypervisor-based security on embedded platforms. In addition to significant background study, we present implementation of a low-footprint, thin hypervisor capable of provd- ing security protections to a single FreeRTOS guest kernel on ARM. Backed by performance test results, our hypervisor provides security to a formerly unse- cured kernel with minimal performance overhead, and represents a first step in a greater research effort into the security advantages and possibilities of embed- ded thin hypervisors. Our results show that thin hypervisors are both possible and beneficial even on limited embedded systems, and sets the stage for more advanced investigations, implementations, and security applications in the fu- ture. CONTENTS List of Tables . viii List of Figures . ix Abbreviations . x 1. Introduction ................................. 1 1.1 Security and Virtualization on Embedded Systems . 1 1.2 Thesis Organization . 2 1.3 Problem Definition . 2 1.3.1 Impetus . 2 1.3.2 Originality . 2 1.3.3 Feasibility . 3 1.4 Purpose and Goals . 3 1.5 Method . 3 2. Virtualization Technologies ........................ 5 2.1 What is virtualization? . 5 2.2 Virtualization Basics . 6 2.2.1 Interfaces . 6 2.2.2 Types of virtualization . 8 2.2.3 Non-standard systems . 12 2.3 Hypervisors . 12 2.3.1 Traditional hypervisors . 12 2.3.2 Hosted hypervisors . 13 2.3.3 Microkernels . 14 2.3.4 Thin hypervisors . 14 2.4 Advantages of System Virtualization . 15 2.4.1 Isolation . 15 2.4.2 Minimized trusted computing base . 16 2.4.3 Architectural flexibility . 16 2.4.4 Simplified development . 16 2.4.5 Management . 17 2.4.6 Security . 17 2.5 Hardware Support for Virtualization . 18 2.5.1 Basic virtualization requirements . 19 2.5.2 Challenges in x86 architecture . 19 2.5.3 Intel VT . 20 2.5.4 AMD-V . 24 2.5.5 ARM TrustZone . 25 2.6 Typical Virtualization Scenarios . 27 2.6.1 Hosting center . 27 2.6.2 Desktop . 28 Contents vi 2.6.3 Service provider . 28 2.6.4 Mobile/embedded . 28 2.7 Hypervisor-based security architectures . 29 2.7.1 Advantages . 29 2.7.2 Virtualization security challenges . 29 2.7.3 Architectural limitations . 31 2.7.4 Architectural patterns . 33 2.7.5 Isolation-based services . 34 2.7.6 Monitoring-based services . 39 2.7.7 Alternatives . 41 2.8 Summary . 41 3. Multicore and Embedded Systems .................... 42 3.1 Embedded systems . 42 3.1.1 Traditional characteristics . 42 3.1.2 Emerging trends . 42 3.2 Virtualization and embedded systems . 43 3.2.1 Existing platforms . 43 3.2.2 Companies . 43 3.2.3 Applications . 44 3.3 Multicore systems . 46 3.3.1 Why multicore? . 46 3.3.2 Hardware considerations . 47 3.3.3 Software considerations . 49 3.3.4 Interesting multicore architectures . 51 3.4 Multicore and virtualization . 52 3.4.1 Multicore virtualization architectures . 53 3.5 Embedded multicore systems . 54 3.5.1 Virtualization and embedded multicore . 54 3.6 Summary . 55 4. Thin Hypervisors on ARM Architecture ................. 56 4.1 ARMv5 Architecture . 57 4.1.1 Operating modes . 57 4.1.2 Exceptions and exception handlers . 57 4.1.3 Registers . 58 4.1.4 MMU . 59 4.1.5 Key differences with ARM TrustZone processors . 62 4.2 The FreeRTOS Kernel . 63 4.3 Thin Hypervisor Approach . 64 4.3.1 General concerns . 64 4.3.2 A thin hypervisor on TrustZone . 67 4.3.3 A thin hypervisor for FreeRTOS . 68 4.4 Analysis and Transitioning of Current Systems . 69 4.4.1 Kernel code interity . 69 4.4.2 Application protection . 71 4.4.3 Identifying covert binaries . 74 4.5 Summary . 76 Contents vii 5. Implementation of a Thin Hypervisor .................. 77 5.1 Use of OVP . 77 5.2 Overall structure . 78 5.2.1 The core kernel . 79 5.2.2 Platform-dependent code . 79 5.2.3 The hypervisor . 79 5.3 Key system aspects . 80 5.3.1 Hypercall interface . 80 5.3.2 Memory protection . 81 5.3.3 Interrupts and yielding . 83 5.4 Security Analysis . 83 5.5 Design Recommendations . 85 5.5.1 Trapping vs. Hypercalls . 85 5.5.2 Memory protection . 85 5.5.3 Security Services . 86 5.5.4 Multicore . 86 5.5.5 Hardware heterogeneity . 86 5.5.6 Multiple guests . 87 5.6 Summary . 87 6. Performance Tests ............................. 88 6.1 Description of Tests . 88 6.2 Results . 89 7. Conclusions and Future Work ....................... 90 7.1 Future Work . 90 7.2 Conclusions . 90 LIST OF TABLES 4.1 ARMv5 operating modes . 57 4.2 ARMv5 exceptions . 58 4.3 ARMv5 “special” general purpose registers. 58 4.4 ARMv5 system control coprocessor registers . 60 4.5 ARMv5 MMU access control . 61 4.6 Memory domains . 66 5.1 Hypercall interface . 80 6.1 Test Results, in OVP-simulated instruction counts . 89 LIST OF FIGURES 2.1 Virtualization in a nutshell . 5 2.2 Interposition . 6 2.3 Virtual memory for processes . 9 2.4 System virtualization . 10 2.5 Domain isolation in a mobile device . 34 5.1 Overall implementation structure . 78 5.2 MMU domains . 81 5.3 Interrupt sequence . 83 ABBREVIATIONS ABI Application Binary Interface API Application Programming Interface ASID Address Space Identifier CPSR current program status register CPU central processing unit DMA direct memory access DMAC DMA controller DMR dual-modular redundancy DRM Digital Rights Management EPT Extended Page Table FCSE PID Fast Context-Switch Extension Process ID I/O Input/Output IOMMU I/O Memory Management Unit IPC interprocess communication ISA Instruction Set Architecture MAC Mandatory Access Control MMM Mixed-Mode Multicore reliability MMU Memory Management Unit MPU Memory Protection Unit MVA modified virtual address NUMA Non-Uniform Memory Architecture OMTP Open Mobile Terminal Platform OSTI Open and Secure Terminal Initiative OVP Open Virtual Platforms SPMD.
Recommended publications
  • UG1046 Ultrafast Embedded Design Methodology Guide

    UG1046 Ultrafast Embedded Design Methodology Guide

    UltraFast Embedded Design Methodology Guide UG1046 (v2.3) April 20, 2018 Revision History The following table shows the revision history for this document. Date Version Revision 04/20/2018 2.3 • Added a note in the Overview section of Chapter 5. • Replaced BFM terminology with VIP across the user guide. 07/27/2017 2.2 • Vivado IDE updates and minor editorial changes. 04/22/2015 2.1 • Added Embedded Design Methodology Checklist. • Added Accessing Documentation and Training. 03/26/2015 2.0 • Added SDSoC Environment. • Added Related Design Hubs. 10/20/2014 1.1 • Removed outdated information. •In System Level Considerations, added information to the following sections: ° Performance ° Clocking and Reset 10/08/2014 1.0 Initial Release of document. UltraFast Embedded Design Methodology Guide Send Feedback 2 UG1046 (v2.3) April 20, 2018 www.xilinx.com Table of Contents Chapter 1: Introduction Embedded Design Methodology Checklist. 9 Accessing Documentation and Training . 10 Chapter 2: System Level Considerations Performance. 13 Power Consumption . 18 Clocking and Reset. 36 Interrupts . 41 Embedded Device Security . 45 Profiling and Partitioning . 51 Chapter 3: Hardware Design Considerations Configuration and Boot Devices . 63 Memory Interfaces . 69 Peripherals . 76 Designing IP Blocks . 94 Hardware Performance Considerations . 102 Dataflow . 108 PL Clocking Methodology . 112 ACP and Cache Coherency. 116 PL High-Performance Port Access. 120 System Management Hardware Assistance. 124 Managing Hardware Reconfiguration . 127 GPs and Direct PL Access from APU . 133 Chapter 4: Software Design Considerations Processor Configuration . 137 OS and RTOS Choices . 142 Libraries and Middleware . 152 Boot Loaders . 156 Software Development Tools . 162 UltraFast Embedded Design Methodology GuideSend Feedback 3 UG1046 (v2.3) April 20, 2018 www.xilinx.com Chapter 5: Hardware Design Flow Overview .
  • Vmware Fusion 12 Vmware Fusion Pro 12 Using Vmware Fusion

    Vmware Fusion 12 Vmware Fusion Pro 12 Using Vmware Fusion

    Using VMware Fusion 8 SEP 2020 VMware Fusion 12 VMware Fusion Pro 12 Using VMware Fusion You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com © Copyright 2020 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 2 Contents Using VMware Fusion 9 1 Getting Started with Fusion 10 About VMware Fusion 10 About VMware Fusion Pro 11 System Requirements for Fusion 11 Install Fusion 12 Start Fusion 13 How-To Videos 13 Take Advantage of Fusion Online Resources 13 2 Understanding Fusion 15 Virtual Machines and What Fusion Can Do 15 What Is a Virtual Machine? 15 Fusion Capabilities 16 Supported Guest Operating Systems 16 Virtual Hardware Specifications 16 Navigating and Taking Action by Using the Fusion Interface 21 VMware Fusion Toolbar 21 Use the Fusion Toolbar to Access the Virtual-Machine Path 21 Default File Location of a Virtual Machine 22 Change the File Location of a Virtual Machine 22 Perform Actions on Your Virtual Machines from the Virtual Machine Library Window 23 Using the Home Pane to Create a Virtual Machine or Obtain One from Another Source 24 Using the Fusion Applications Menus 25 Using Different Views in the Fusion Interface 29 Resize the Virtual Machine Display to Fit 35 Using Multiple Displays 35 3 Configuring Fusion 37 Setting Fusion Preferences 37 Set General Preferences 37 Select a Keyboard and Mouse Profile 38 Set Key Mappings on the Keyboard and Mouse Preferences Pane 39 Set Mouse Shortcuts on the Keyboard and Mouse Preference Pane 40 Enable or Disable Mac Host Shortcuts on the Keyboard and Mouse Preference Pane 40 Enable Fusion Shortcuts on the Keyboard and Mouse Preference Pane 41 Set Fusion Display Resolution Preferences 41 VMware, Inc.
  • Improving the Reliability of Commodity Operating Systems

    Improving the Reliability of Commodity Operating Systems

    Improving the Reliability of Commodity Operating Systems MICHAEL M. SWIFT, BRIAN N. BERSHAD, and HENRY M. LEVY University of Washington Despite decades of research in extensible operating system technology, extensions such as device drivers remain a significant cause of system failures. In Windows XP, for example, drivers account for 85% of recently reported failures. This paper describes Nooks, a reliability subsystem that seeks to greatly enhance OS reliability by isolating the OS from driver failures. The Nooks approach is practical: rather than guaranteeing complete fault tolerance through a new (and incompatible) OS or driver architecture, our goal is to prevent the vast majority of driver-caused crashes with little or no change to existing driver and system code. Nooks isolates drivers within lightweight protection domains inside the kernel address space, where hardware and software prevent them from corrupting the kernel. Nooks also tracks a driver’s use of kernel resources to facilitate automatic clean-up during recovery. To prove the viability of our approach, we implemented Nooks in the Linux operating system and used it to fault-isolate several device drivers. Our results show that Nooks offers a substantial increase in the reliability of operating systems, catching and quickly recovering from many faults that would otherwise crash the system. Under a wide range and number of fault conditions, we show that Nooks recovers automatically from 99% of the faults that otherwise cause Linux to crash. While Nooks was designed for drivers, our techniques generalize to other kernel extensions. We demonstrate this by isolating a kernel-mode file system and an in-kernel Internet service.
  • The OKL4 Microvisor: Convergence Point of Microkernels and Hypervisors

    The OKL4 Microvisor: Convergence Point of Microkernels and Hypervisors

    The OKL4 Microvisor: Convergence Point of Microkernels and Hypervisors Gernot Heiser, Ben Leslie Open Kernel Labs and NICTA and UNSW Sydney, Australia ok-labs.com ©2010 Open Kernel Labs and NICTA. All rights reserved. Microkernels vs Hypervisors > Hypervisors = “microkernels done right?” [Hand et al, HotOS ‘05] • Talks about “liability inversion”, “IPC irrelevance” … > What’s the difference anyway? ok-labs.com ©2010 Open Kernel Labs and NICTA. All rights reserved. 2 What are Hypervisors? > Hypervisor = “virtual machine monitor” • Designed to multiplex multiple virtual machines on single physical machine VM1 VM2 Apps Apps AppsApps AppsApps OS OS Hypervisor > Invented in ‘60s to time-share with single-user OSes > Re-discovered in ‘00s to work around broken OS resource management ok-labs.com ©2010 Open Kernel Labs and NICTA. All rights reserved. 3 What are Microkernels? > Designed to minimise kernel code • Remove policy, services, retain mechanisms • Run OS services in user-mode • Software-engineering and dependability reasons • L4: ≈ 10 kLOC, Xen ≈ 100 kLOC, Linux: ≈ 10,000 kLOC ServersServers ServersServers Apps Servers Device AppsApps Drivers Microkernel > IPC performance critical (highly optimised) • Achieved by API simplicity, cache-friendly implementation > Invented 1970 [Brinch Hansen], popularised late ‘80s (Mach, Chorus) ok-labs.com ©2010 Open Kernel Labs and NICTA. All rights reserved. 4 What’s the Difference? > Both contain all code executing at highest privilege level • Although hypervisor may contain user-mode code as well > Both need to abstract hardware resources • Hypervisor: abstraction closely models hardware • Microkernel: abstraction designed to support wide range of systems > What must be abstracted? • Memory • CPU • I/O • Communication ok-labs.com ©2010 Open Kernel Labs and NICTA.
  • Performance Analysis of Selected Hypervisors (Virtual Machine Monitors - Vmms) Waldemar Graniszewski, Adam Arciszewski

    Performance Analysis of Selected Hypervisors (Virtual Machine Monitors - Vmms) Waldemar Graniszewski, Adam Arciszewski

    INTL JOURNAL OF ELECTRONICS AND TELECOMMUNICATIONS, 2016, VOL. 62, NO. 3, PP. 231–236 Manuscript received August 12, 2016; revised September, 2016. DOI: 10.1515/eletel-2016-0031 Performance analysis of selected hypervisors (Virtual Machine Monitors - VMMs) Waldemar Graniszewski, Adam Arciszewski Abstract—Virtualization of operating systems and network results for CPU, NIC, kernel compilation time and storage infrastructure plays an important role in current IT projects. benchmarks’ tests are presented in Section IV. Finally, in With the number of services running on different hardware Section V, we draw some conclusions. resources it is easy to provide availability, security and efficiency using virtualizers. All virtualization vendors claim that their hypervisor (virtual machine monitor - VMM) is better than their II. BACKGROUND AND RELATED WORK competitors. In this paper we evaluate performance of different In this section we present some general background for solutions: proprietary software products (Hyper-V, ESXi, OVM, VirtualBox), and open source (Xen). We are using standard virtualisation technology (in Subsection II-A) and a short benchmark tools to compare efficiency of main hardware com- review of related work (in Subsection II-B). ponents, i.e. CPU (nbench), NIC (netperf), storage (Filebench), memory (ramspeed). Results of each tests are presented. A. Background Keywords—virtualisation, virtualmachines, benchmark, per- As mentioned earlier, in Section I, cloud computing and formance, hypervisor, virtual machine monitor, vmm services provided by data centers require robust software for their operation. With data center server consolidation, the I. INTRODUCTION portability of each solution plays an important role. In the N recent years the most popular IT projects have been last decade both proprietary software like VMware ESXi, Mi- I based on cloud computing.
  • Carrier Grade Virtualization

    Carrier Grade Virtualization

    Carrier Grade Virtualization Leveraging virtualization in Carrier Grade Systems Abstract Network Equipment Providers (NEPs) have been building networking infrastructure equipment able to deliver “carrier grade” services, typically mission-critical services such as voice telephony. In decades past, NEPs have achieved high degrees of availability through purpose-built hardware and software implementations. Today they increasingly build on COTS (Commercial Off The Shelf) hardware and Open Source Software (OSS), freeing their engineering resources to focus on core telephony competencies. The move to COTS and OSS requires that these hardware and software components be available from an ecosystem of suppliers, and that they interoperate seamlessly. Bodies such as The Linux Foundation (LF), the Service Availability Forum (SA Forum) and PICMG have defined standards and specifications such as carrier grade OSes (CGLinux), Service Availability Forum APIs and AdvancedTCA hardware to target carrier grade applications. Recent advances have made virtualization appealing for carrier class equipment by permitting significant cost reduction through consolidation of workloads and of physical hardware. Virtualization also transparently lets NEPs and other OEMs (Original Equipment Manufacturers) leverage multi-core processors to run legacy software designed for uniprocessor hardware. However, virtualization needs to meet specific requirements to enable network equipment deploying this technology to meet industry expectations for carrier grade systems. This
  • Information Guide for Managing Vmware Esxi : Vmware, Inc

    Information Guide for Managing Vmware Esxi : Vmware, Inc

    INFORMATION GUIDE Managing VMware ESXi VMWARE INFORMATION GUIDE Table of Contents Introduction ............................................................................................................ 3 Deployment ........................................................................................................... 3 Large-Scale Standardized Deployment ............................................................. 4 Interactive and Scripted Management ................................................................. 5 VI Client .............................................................................................................. 5 Remote Command Line Interfaces .................................................................... 6 File Management ............................................................................................... 7 Remote Command Line Interface and ESX 3 ..................................................... 8 Third-Party Management Applications ................................................................. 8 Common Information Model ............................................................................. 8 VI API .................................................................................................................. 8 SNMP .................................................................................................................. 9 System Image Design ............................................................................................. 10 Patching and Upgrading
  • A Comparison of Virtual Lab Solutions for Online Cyber Security Education

    A Comparison of Virtual Lab Solutions for Online Cyber Security Education

    Communications of the IIMA Volume 12 Issue 4 Article 6 2012 A Comparison of Virtual Lab Solutions for Online Cyber Security Education Joon Son California State University, San Bernardino Chinedum Irrechukwu University of Maryland University College Patrick Fitzgibbons University of Maryland University College Follow this and additional works at: https://scholarworks.lib.csusb.edu/ciima Recommended Citation Son, Joon; Irrechukwu, Chinedum; and Fitzgibbons, Patrick (2012) "A Comparison of Virtual Lab Solutions for Online Cyber Security Education ," Communications of the IIMA: Vol. 12 : Iss. 4 , Article 6. Available at: https://scholarworks.lib.csusb.edu/ciima/vol12/iss4/6 This Article is brought to you for free and open access by CSUSB ScholarWorks. It has been accepted for inclusion in Communications of the IIMA by an authorized editor of CSUSB ScholarWorks. For more information, please contact [email protected]. Virtual Lab for Online Cyber Security Education Son, Irrechukwu & Fitzgibbons Virtual Lab for Online Cyber Security Education Joon Son California State University, San Bernardino [email protected] Chinedum Irrechukwu University of Maryland University College (UMUC) [email protected] Patrick Fitzgibbons University of Maryland University College (UMUC) [email protected] ABSTRACT In this paper the authors describe their experience of designing a virtual lab architecture capable of providing hundreds of students with a hands on learning experience in support of an online educational setting. The authors discuss alternative approaches of designing a virtual lab and address the criteria in selecting the optimal deployment method. The authors conclude that virtualization offers a significant instructional advantage in delivering a cost effective and flexible hands on learning experience.
  • Linux Virtualization Update

    Linux Virtualization Update

    Linux Virtualization Update Chris Wright <[email protected]> Japan Linux Symposium, November 2007 Intro Virtualization mini-summit Paravirtualization Full virtualization Hardware changes Libvirt Xen Virtualization Mini-summit June 25-27, 2007 ± Just before OLS in Ottawa. 18 attendees ● Xen, Vmware, KVM, lguest, UML, LinuxOnLinux ● x86, ia64, PPC and S390 Focused primarily on Linux as guest and areas of cooperation ● paravirt_ops and virtio Common interfaces ● Not the best group to design or discuss management interfaces ● Defer to libvirt, CIM, etc... ● CPUID 0x4000_00xx for hypervisor feature detection ● Can we get to common ABI for paravirt hybrid guest? Virtualization Mini-summit paravirt_ops ● Make use of existing abstractions wherever possible (clocksource, clockevents or irqchip) ● Could use a common lib/x86_emulate.c ● Open question: performance benefit of shadow vs. direct paging? Distro Issues ● Lack of feature parity between bare metal and Xen is difficult for distros ● Single binary kernel image ● Merge upstream Performance ● NUMA awareness lacking in Xen ± difficult for Altix ● Static NUMA representation doesn©t map well to dynamic virt environment ● Cooperative memory management ± guest memory hints Virtualization Mini-summit Hardware ● x86 and ia64 hardware virtualization roadmap ● ppc virtualization is gaining in embedded market, realtime requirments ● S390 ªhas an instruction for thatº Virtio ● Separate driver from transport ● Makes driver small, looks like a Linux driver and reusable ● Hypervisor specific
  • Sel4: Formal Verification of an Operating-System Kernel

    Sel4: Formal Verification of an Operating-System Kernel

    seL4: Formal Verification of an Operating-System Kernel Gerwin Klein1;2, June Andronick1;2, Kevin Elphinstone1;2, Gernot Heiser1;2;3 1 1 1;2 1;2 David Cock , Philip Derrin ∗, Dhammika Elkaduwe ,z Kai Engelhardt 1;2 1;4 1 1;2 1;2 Rafal Kolanski , Michael Norrish , Thomas Sewell , Harvey Tuch y, Simon Winwood 1 NICTA, 2 UNSW, 3 Open Kernel Labs, 4 ANU [email protected] ABSTRACT We report on the formal, machine-checked verification of the seL4 microkernel from an abstract specification down to its C implementation. We assume correctness of compiler, assembly code, hardware, and boot code. seL4 is a third-generation microkernel of L4 provenance, comprising 8,700 lines of C and 600 lines of assembler. Its performance is comparable to other high-performance L4 kernels. We prove that the implementation always strictly follows our high-level abstract specification of kernel behaviour. This encompasses traditional design and implementation safety properties such as that the kernel will never crash, and it will never perform an unsafe operation. It also implies much more: we can predict precisely how the kernel will behave in every possible situation. 1. INTRODUCTION Almost every paper on formal verification starts with the observation that software complexity is increasing, that this Figure 1: Call graph of the seL4 microkernel. Ver- leads to errors, and that this is a problem for mission and tices represent functions, and edges invocations. safety critical software. We agree, as do most. Here, we report on the full formal verification of a critical system from a high-level model down to very low-level C kernel, and every single bug can potentially cause arbitrary code.
  • Ubuntu Server Guide Basic Installation Preparing to Install

    Ubuntu Server Guide Basic Installation Preparing to Install

    Ubuntu Server Guide Welcome to the Ubuntu Server Guide! This site includes information on using Ubuntu Server for the latest LTS release, Ubuntu 20.04 LTS (Focal Fossa). For an offline version as well as versions for previous releases see below. Improving the Documentation If you find any errors or have suggestions for improvements to pages, please use the link at thebottomof each topic titled: “Help improve this document in the forum.” This link will take you to the Server Discourse forum for the specific page you are viewing. There you can share your comments or let us know aboutbugs with any page. PDFs and Previous Releases Below are links to the previous Ubuntu Server release server guides as well as an offline copy of the current version of this site: Ubuntu 20.04 LTS (Focal Fossa): PDF Ubuntu 18.04 LTS (Bionic Beaver): Web and PDF Ubuntu 16.04 LTS (Xenial Xerus): Web and PDF Support There are a couple of different ways that the Ubuntu Server edition is supported: commercial support and community support. The main commercial support (and development funding) is available from Canonical, Ltd. They supply reasonably- priced support contracts on a per desktop or per-server basis. For more information see the Ubuntu Advantage page. Community support is also provided by dedicated individuals and companies that wish to make Ubuntu the best distribution possible. Support is provided through multiple mailing lists, IRC channels, forums, blogs, wikis, etc. The large amount of information available can be overwhelming, but a good search engine query can usually provide an answer to your questions.
  • Operating System Support for Run-Time Security with a Trusted Execution Environment

    Operating System Support for Run-Time Security with a Trusted Execution Environment

    Operating System Support for Run-Time Security with a Trusted Execution Environment - Usage Control and Trusted Storage for Linux-based Systems - by Javier Gonz´alez Ph.D Thesis IT University of Copenhagen Advisor: Philippe Bonnet Submitted: January 31, 2015 Last Revision: May 30, 2015 ITU DS-nummer: D-2015-107 ISSN: 1602-3536 ISBN: 978-87-7949-302-5 1 Contents Preface8 1 Introduction 10 1.1 Context....................................... 10 1.2 Problem....................................... 12 1.3 Approach...................................... 14 1.4 Contribution.................................... 15 1.5 Thesis Structure.................................. 16 I State of the Art 18 2 Trusted Execution Environments 20 2.1 Smart Cards.................................... 21 2.1.1 Secure Element............................... 23 2.2 Trusted Platform Module (TPM)......................... 23 2.3 Intel Security Extensions.............................. 26 2.3.1 Intel TXT.................................. 26 2.3.2 Intel SGX.................................. 27 2.4 ARM TrustZone.................................. 29 2.5 Other Techniques.................................. 32 2.5.1 Hardware Replication........................... 32 2.5.2 Hardware Virtualization.......................... 33 2.5.3 Only Software............................... 33 2.6 Discussion...................................... 33 3 Run-Time Security 36 3.1 Access and Usage Control............................. 36 3.2 Data Protection................................... 39 3.3 Reference