IBM Research

Integrating TCG Technology in Linux

January 25, 2005 IBM Tokyo Research Laboratory Seiji Munetoh

2005 CELF Plenary Meeting © 2005 IBM Corporation IBM Research What are the fundamental TCG Components?

ƒ Hardware based Root of Trust • TPM (Trusted Platform Module) • Write protected Boot ROM ƒ Software Support • TSS (TCG Software Stack) • TPM Device Driver • Trusted Boot Support (Trust Measurement) ƒ Infrastructure • Credentials – PKI

2 2005 CELF Plenary Meeting © 2005 IBM Corporation IBM Research Hardware

ƒ TPM Protects • Identity (Private Keys) • Integrity (Platform Configurations) TPM CPU ROM ƒ TPM for Embedded Platform… • Discrete TPM Discrete TPM  TPM for PC Platform (LPC bus) TPM  Atmel AT97SC3201S supports I2C bus! CPU • CPU Embedded TPM ROM

 Intel PXA27x (Also supports Trusted ROM) Embedded TPM • Software TPM with Strong Separation  ARM11 TrustZone? Normal CPU Trusted Area

Software TPM

3 2005 CELF Plenary Meeting © 2005 IBM Corporation IBM Research

Software ƒ Specifications • You can download them from TCG site  TPM Main Specification v1.1b and v1.2  TCG Software Stack (TSS) Specification v1.1 ƒ Opensource Implementation from IBM • TPM Device Driver for LINUX (GPL)  http://sourceforge.net/projects/tpmdd/ • TSS (TCG Software Stack) for LINUX (CPL)  http://sourceforge.net/projects/trousers

4 2005 CELF Plenary Meeting © 2005 IBM Corporation IBM Research

TCG Components Overview

Remote Platform

Application Application TSP TCG Service Provider (TSP)

RPC

TCG Core Service (TCS) TCG Software Stack Spec. TDDL tcsd Measure

TPM Device Driver Operating System

Measure TCG Main Spec. Boot ROM TPM Root of Trust (PC Platform Specific Spec.)

5 2005 CELF Plenary Meeting © 2005 IBM Corporation IBM Research

Take a look at the technical detail of our demonstration

PC104 TPM Board

Arcom Viper (Industry Controller based on XScale and Linux)

6 2005 CELF Plenary Meeting © 2005 IBM Corporation IBM Research

Bill Of Materials

PC104 TPM Daughter Board TPM : Atmel AT97SC3291S I2C bus controller : Philips PCA9564 Battery backup (for RTC) TPM Java Middleware With Integrity Check Capability TCG Enabled Linux TPM Device Driver and TSS Flash2 LSM Modules: IMA and LIDS CPU Flash1

Arcom Viper CPU: Intel XScale (PXA255 400MHz) Boot Flash Memory: 32M Flash, 64MB SDRAM Work as CRTM(Core Root of Trust Platform: PC104 Measurement) TCG Enabled RedBoot

7 2005 CELF Plenary Meeting © 2005 IBM Corporation IBM Research Transitive Trust

ƒ Integrity Measurement Strategy • RedBoot measure itself and Kernel Image • Kernel measures Executables, Shared libraries and Loadable Kernel Modules • The OSGi bundle loader measures integrity of each bundle JAR file before loading it

Bundles

Applications Java (OSGi) Libraries

Linux Kernel Measure POR RedBoot

Extend(n,digest): Measure PCR[n] = SHA1(PCR[n] + digest) TPM

8 2005 CELF Plenary Meeting © 2005 IBM Corporation IBM Research Linux - Security Enhancement

ƒ LSM (Linux Security Module) • LISD (Linux Intrusion Detection System)  MAC Policy Enforcement Stacked! • IMA (Integrity Measurement Architecture)  Integrity Measurement

MAC Linux Kernel Hook Points TCG (Domain Separation) (Integrity Protection) LSM

IMA (Primary) TPM DD LIDS (2nd) TPM

AC Policy

9 2005 CELF Plenary Meeting © 2005 IBM Corporation IBM Research

Demonstration – Stored Measurement Log (SML)

ƒ Contains sequences of related measured values. Each sequence shares a common measurement digest.

Verified by PCR

SML

Verified by Integrity Database

10 2005 CELF Plenary Meeting © 2005 IBM Corporation IBM Research Attestation (Integrity Reporting) ƒ Root of Trust Reporting • To expose shielded-locations for storage of integrity measurements (PCRs). • To attest to the authenticity of stored value based on trusted platform identities (AIK).

PCR Values ?

Get the PCR Values QuoteQuote Signed by AIK in TPM !

11 2005 CELF Plenary Meeting © 2005 IBM Corporation IBM Research Seal/Unseal ƒ TPM_Seal: External data is concatenated with a value of integrity metric sequence and encrypted under a parent key. ƒ TPM_Unseal decrypts the blob using the parent key and exports the plaintext data if the current integrity metric sequence inside the TPM matches the value of integrity metric sequence inside the blob

Concatenated with PCR Values

12 2005 CELF Plenary Meeting © 2005 IBM Corporation IBM Research

Conclusions ƒ TCG develop and promote open, vendor-neutral industry standard specifications for trusted computing building blocks and software interfaces across multiple platforms ƒ Hardware protection for Keys used by various applications ƒ Hardware protection for Platform Integrity - this achieve an evaluation of assurance ƒ Lowest cost – standardized security solution ƒ Future Works • Integrity Management and Validation Vulnerability, Provisioning…. • Credential, Infrastructure

13 2005 CELF Plenary Meeting © 2005 IBM Corporation IBM Research Thank you!

Trusted RFID Gateway will be demonstrate at upcoming RSA Conference. See you at the IBM booth

14 2005 CELF Plenary Meeting © 2005 IBM Corporation IBM Research

Links

ƒ Trusted Computing Group (TCG) • https://www.trustedcomputinggroup.org/home ƒ Linux Intrusion Detection System (LIDS) • http://www.lids.org/ ƒ Integrity Measurement Architecture (IMA) • http://www.research.ibm.com/secure_systems_department/projects/tcglinux/ • http://www.research.ibm.com/compsci/project_spotlight/security/ ƒ TPM Device Driver for LINUX (GPL) • http://sourceforge.net/projects/tpmdd/ ƒ

15 2005 CELF Plenary Meeting © 2005 IBM Corporation