Next Generation Secure Computing Base
黃志源@SiS
Posted on 19-Dec-2015

Contents
Next Generation Secure Computing Base Overview
Hardware Fundamentals for NGSCB, Part 1: Core Hardware
Hardware Fundamentals for NGSCB, Part 2: Peripheral Hardware
Nexus Fundamentals
Next Generation Secure Computing Base Overview

Trustworthy Computing
Security: resilient to attack; protects confidentiality, integrity, availability, and data
Reliability: dependable; available when needed; performs at expected levels
Privacy: individuals control personal data; products and online services adhere to fair information principles
Business Integrity: help customers find appropriate solutions; address issues with products and services; open interaction with customers
NGSCB Vision and Goals
Vision: NGSCB advances the PC ecosystem to meet customers' requirements for security, privacy, and data protection
Product goal: NGSCB will broaden the utility of the PC by delivering security on par with closed-architecture systems while maintaining the flexibility of the Windows platform
Business goal: NGSCB will help to revitalize the PC ecosystem by enabling a new generation of hardware and software products
Customer Security Issues
Vulnerability introduced by enabling remote access
Illegal access and usage of sensitive information
Difficulty in knowing who a company is doing business with
Difficulty in doing patch management
Others: collaborating in a secure environment; protecting secrets, e.g., key pairs and certificates; virus and malicious code attacks
Why NGSCB?
Vulnerabilities today: attacks on core assets, attacks on networks, attacks via remote users/machines
NGSCB can address software attacks on applications and secrets
Damage from attacks can be compartmentalized and limited
How It Works: The PC (diagram)
How It Works: Before NGSCB (diagram)
How It Works: With NGSCB (diagram)
NGSCB Quadrants (diagram)
                 Standard-Mode ("std-mode"/LHS)             Nexus-Mode (RHS)
User             User Apps.                                 Agents, NCA Runtime Library,
                                                            Trusted User Engine (TUE), TSPs
Kernel           Main OS, HAL, USB Driver, NexusMgr.sys     Nexus, NAL
Hardware         Secure Input, Chipset, CPU, Secure Video, SSC
Four NGSCB Feature Groups (diagram: 1 strong process isolation, 2 root key for persistent secret protection, 3 secure path to and from the user, 4 attestation)
The first three are needed to protect against malicious code
Attestation breaks new ground in distributed computing: the identity of hardware, nexus, and applications can be proven
Addressing Customer Needs with NGSCB
Remote access: granularity of access at machine, nexus, and application level; application-to-application connection rather than VPN connection
Patch management: IT can specify that only a known configuration of nexus and application can execute or access corporate resources
Preventing illegal access of information: reinforce rights management by rooting the key pair in hardware; encryption of data based on secrets that never leave the hardware
Agent development: agent identity is rooted in secrets on the hardware; applications run in an isolated process space and are impermeable to software attack
Collaboration enablement: end users can collaborate and communicate securely; end users can establish content authenticity by digital signature
Four NGSCB Feature Groups: What Does This All Mean?
All NGSCB capabilities build off four key features:
Strong process isolation
Root key for persistent secret protection
Secure path to and from the user
Attestation (hardware (HW)/software (SW) authentication)
The first three are needed to protect against malicious code
Attestation breaks new ground in distributed computing: "things" (software, machines, services) can be securely identified
Four Key Features (1): Strong Process Isolation
Nexus Computing Agents, or NCAs, run in curtained memory
Not accessible by the standard Windows kernel
Not accessible by hardware DMA
Not accessible by other NCAs
Enforced by hardware and software: changes to CPU and chipset; the nexus arbitrates page tables
Nexus Manager (diagram): Nexus Manager Abstraction Layer (NMAL); Nexus Manager Core consisting of Dispatch Services, Shadow Service, Admin Service, Nexus Mgr IPC, Object Security Manager, Shared Resource Manager, HW Allocator (memory wholesaler), and Nexus Loader
Four Key Features (2): Secure Path To and From the User (diagram: secure input filter driver and secure video filter driver in the standard-mode kernel; secure input and secure video in hardware)
Secure input: encrypted session between USB device and nexus; changes to the standard USB driver stack; required for keyboard and mouse; an alternate solution is being developed for non-USB (laptops)
Secure output: secure channel between graphics adaptor and nexus; changes to the graphics adaptor; changes to the video driver
Four Key Features (3): Sealed Storage
Hardware protection of secrets
Security Support Component (SSC) chip on the motherboard
SSC holds a secure keyset
Each nexus generates a random keyset on first load
SSC provides hardware protection of the nexus keyset
NCAs use nexus facilities to generate and protect keys
Four Key Features (4): Attestation
Attestation: software/hardware authentication
When requested, the nexus can prepare a chain that authenticates:
the NCA by digest, signed by the nexus
the nexus by digest, signed by the SSC
the SSC by public key, signed by the OEM
Other forms of attestation are possible that provide less information, e.g., using a trusted third party
User sets policy to control which NCAs can use which forms of attestation
Hardware Summary (diagram: chipset, CPU, secure input, secure video, SSC)
Modified components: CPU; chipset; secure video; secure input (keyboard and mouse), in two versions, USB and laptop
New components: SSC
A Qualitative Step Forward
NGSCB extends the Windows platform
We provide the core, others will build the solutions; we really want to enable others to build new and exciting applications
NGSCB is appropriate anywhere you could possibly imagine needing privacy, security or data protection
We will ship some solutions "in the box", enough to provide immediate value
Scenario Categories
Secure remote access: corporate remote access; secure client access to middle-tier servers
Secure collaboration: chat and instant messaging; e-mail; rights management; digital signature
Secure Remote Access
Examples: to a client/server app, using a custom NCA client; to your enterprise desktop, using a secure remote desktop client
How it works:
Uses attestation for end-to-end authentication
Uses strong process isolation and the secure path to the user to be safe against attacks on the remote client
Uses an application private network (APN) for secure communications: an application-to-application encrypted session, more secure than a VPN because the protection extends into the application layer itself
Application Private Network (diagram: the full OSI stack, Application (Client NCA), Presentation, Session, Transport, Network, Datalink, Physical, facing the same stack on the server side ending in Application (Server))
Standard IP: vulnerable at every layer
VPN: network layer and below are protected, including data on the wire, but all software on the client has access to the server connection
NGSCB APN: extends protection to all layers, so that only the client and server applications can use the connection
Secure Collaboration
Examples: secure e-mail; secure text document creation and sharing; secure instant messaging; secure digital signature ("what you see is what you sign")
How it works:
Uses rights management based on hardware protection of secrets to protect and control access to data
Uses strong process isolation and the secure path to the user to be safe against spoofing and snooping attacks
Uses an APN for end-to-end messaging security
Secure Digital Signature (mockup; NOTE: for explanatory purposes only, this is not actual UI)
In the application (mockup: Microsoft Word, File Edit View Insert Help, "Sign Digitally..."), the user asks to sign the text "This is text that should be verified as correct and then signed."
When the user wants to sign, the text is rendered by the application into a standard XML-based format and passed to the digital signature agent
The agent shows the same text in its own "Secure Digital Signature" dialog for the user to verify (mockup shows Sign and Cancel buttons and a "USPS Signature:" label)
When the user clicks "Sign", the XML data is signed and the signed data is returned to the application
Hardware Fundamentals for NGSCB, Part 1: Core Hardware

Agenda
Threat models
What is NGSCB and why?
What does NGSCB do?
NGSCB features and details: strong process isolation, attestation, sealed storage
Call to action
Next Generation Secure Computing Base (NGSCB) Defined
New security technology for the Microsoft Windows platform
Unique hardware and software architecture
Protected computing environment inside the Windows PC: a "virtual vault" that will sit side by side with the regular Windows environment
New kinds of security and privacy protections for computers
NGSCB: Threat Models
Our threat model:
NO software-only attacks against nexus-space operations
NO break-once/break-everywhere (BOBE) attacks
"No software-only attacks" means no attacks based on micro-code, macro-code, adapter card scripts, etc.; any attacks launched from the Web or e-mail are "software only"
Protection only applies to the release of secrets: viruses could still delete encrypted files
NGSCB: Threat Models
"No BOBE attacks" means attacks don't scale:
Each Security Support Component (SSC) has unique keys
Data MUST use unique or partially unique, rather than global, keys
One person breaking one machine yields the secrets sent to that machine only: it does NOT allow that person to tell everybody else in the world how to break content, but it does allow the release of content bound to that machine
What and Why?
Modifications to allow PCs to be used in new ways: hardware changes and software changes
Allows users to interact with entities either inside or outside the machine: show them what code is running; make believable promises about code; prove that those promises are durable
Changes what can be believed about computation, not what can be done with it
What and Why?
This is the next big thing: windowing in the '80s, networking in the '90s, security in the '00s
Security and trust will advance the PC ecosystem
Customers are demanding higher security and privacy, from end users to enterprises; governments are mandating it as well
Opens new markets that rely on the trustworthiness of information technology
What Does NGSCB Do?
Creates a safe region called nexus-space inside a regular PC: think of an access-controlled, high-security vault in an open market
All the rest of the PC is still present
Applies the full power and speed of the PC to security functions: co-processors don't scale with the CPU, and adding main memory won't speed them up
The majority of the hardware is unchanged, e.g., PCI, serial, parallel, memory
What Does NGSCB Do?
NGSCB code on NGSCB hardware is designed to stop all software-only threats in nexus-space
Runs all the old code, with very obscure exceptions
Qualitatively different: a profound change in what can be believed, and hence, trusted
What Does NGSCB Do?
Enhances security: a "vault" to store important material, both locally and remotely attestable; realistic control over which code can touch which data, with control given to software by users
Enhances robustness: better user control of what can run in NGSCB and what it can do
Enhances privacy: users can know which code is doing what with private information; users can delegate privacy decisions in a usable way
How Does NGSCB Work?
New kind of process, called a Nexus Computing Agent, or NCA, or agent
Very much like a traditional process, but runs in a much more spartan environment
The key assertions may be applied to agents

Key Assertions
The agent is what it is attested to be
The agent is running in the attested environment, and THEREFORE:
The agent will be initiated correctly; agent behavior cannot be permuted by attacking initialization
The agent is isolated from other agents and from the Left Hand Side (LHS); not even debuggers or device drivers can alter the agent at runtime
The agent has someplace to keep a secret
On clients, agents will have a secure path to the user
NGSCB: Context (diagram: Standard-Mode (LHS) only; user mode holds user programs and DLLs, kernel mode holds the main OS, drivers, and HAL)
What exists in today's systems:
The main OS is rich, compatible with a vast array of stuff, and supports a vast array of hardware; it is large
Users can install drivers which get privileged access to memory; remote parties can never be sure the program has not been negatively impacted by the driver
NGSCB Quadrants (diagram, repeated; this version also shows NxSvc.exe)
NGSCB: Strong Process Isolation
Machine is locked into flat paged mode
Address Translation Control prohibits std-mode code from mapping a nexus-mode page
No CPU access to memory without a mapping
Requires CR3 loads to trap to the nexus
Requires alteration of maps; requires PTE writes to trap to the nexus or be filtered by hardware
Chipset/memory controller maintains a per-page list of pages to which DMA is prohibited, period
NGSCB: Attestation
Attestation is a crypto-signed digest of some code: proof that some bit vector is known by this digest
SSC and CPU compute the digest of the nexus at nexus boot
Nexus computes the digest of agents
Digests are gathered together to make an attestation vector that is passed back to a challenger
NGSCB: Attestation
Root of the attestation stack is the Security Support Component (SSC)
Proof is valid because the SSC provides a proof of a secret that only the SSC knows
This secret never leaves the SSC: the secret is not revealed and is not a privacy hazard
NGSCB: Attestation Example
Digest1 is for the SSC: establishes confidence in the validity of the NGSCB hardware
Digest2 is for the nexus: establishes confidence in the validity of the nexus; has meaning only if Digest1 is valid
Digest3 is for the agent: establishes confidence in the validity of the agent; has meaning only if Digest1 and Digest2 are valid
NGSCB: Attestation Caveat
Attestation is NOT a judgment of code quality or fitness
Hardware will run any nexus, and attest to the digest of any nexus
Our nexus will run any agent (in accordance with user policy) and attest to the digest of that agent
Attestation leaves judgment up to the challenger, who can make it with excellent confidence; it is not up to the hardware or the nexus
NGSCB: Attestation → Hardware
Attestation is implemented at the root by the SSC
The SSC must be tightly bound to the CPU and the chipset for booting of the nexus, attestation of the nexus, and the chain of attestation
NGSCB: Seal
Here's a good mental model:
Seal(secret) → cryptoblob(secret)
cryptoblob(secret) may be stored anywhere
The call is really
Seal(secret, DigestOfEnvironment, DigestOfCallingAgent, MigrationControls) → cryptoblob(secret)
Unseal(cryptoblob(somesecret)) → somesecret
BUT Unseal is really
Unseal(cryptoblob(somesecret), DigestOfEnvironment, DigestOfCallingAgent) → somesecret | nothing
If the digest of the environment or of the calling agent does not match those that did the seal, Unseal returns ** NOTHING **
NGSCB: Seal
What it means (if we ignore migration and indirection): Seal/Unseal say that if agent A running on environment B seals a secret, then only agent A running on environment B can unseal it; this gives agent A a way to hide a key
Seal is implemented by the nexus in cooperation with the SSC, under the same hardware build rules as for attestation
What's an "environment"? The matching attestation vector for nexus-mode only; booting some other OS that can call the SSC does NOT reveal the secrets
NGSCB: Seal
Migration and indirection: the caller gets to specify certain properties: what agents, what hardware, what nexus, and what users may unseal the secret
Agents shouldn't seal against the SSC; they should seal against the nexus, which seals against the SSC
Backup, restore, and migration are all possible using intermediate keys and certificates
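The Seal and Unseal calls as the three Seal slides describe them, plus the layering from the Sealed Storage slide earlier (each nexus generates a random keyset on first load, protected by the SSC; agents seal against the nexus, which seals against the SSC), as an added example that is not part of the presentation and not Microsoft's NGSCB code. Assumptions: the secret that never leaves the SSC is a random byte string held in a module variable; the sealing key is derived by HMAC-SHA256 from that root together with the environment digest, the calling agent's digest and the migration controls; and, because the standard library has no authenticated cipher, the blob is an HMAC-SHA256 keystream XOR plus an HMAC tag standing in for whatever the SSC would really use. All digests, images and secrets are constructed here.

```python
# Added example; HMAC-derived keys and an HMAC keystream stand in for the SSC's real
# primitives (assumption). ROOT_SECRET models the secret that never leaves the SSC.
import hashlib
import hmac
import os
import struct

ROOT_SECRET = os.urandom(32)
TAG_LEN, NONCE_LEN = 32, 16

def digest(data):
    return hashlib.sha256(data).digest()

def _kdf(root, *labels):
    """Chain HMACs so the key depends on the root and on every label, in order."""
    key = root
    for label in labels:
        key = hmac.new(key, label, hashlib.sha256).digest()
    return key

def _keystream(key, nonce, length):
    """HMAC in counter mode; a stand-in for a real stream cipher (assumption)."""
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(secret, env_digest, agent_digest, migration=b"", root=ROOT_SECRET):
    """Seal(secret, DigestOfEnvironment, DigestOfCallingAgent, MigrationControls) -> cryptoblob.
    The blob may be stored anywhere: it reveals the migration controls and nothing else."""
    key = _kdf(root, b"seal", env_digest, agent_digest, migration)
    nonce = os.urandom(NONCE_LEN)
    header = struct.pack(">H", len(migration)) + migration + nonce
    body = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag

def unseal(blob, env_digest, agent_digest, root=ROOT_SECRET):
    """Unseal(cryptoblob, DigestOfEnvironment, DigestOfCallingAgent) -> secret | None.
    The key is re-derived from the caller's *current* digests, so a different agent,
    a different nexus, or another OS that can talk to the SSC gets None, not a secret."""
    if len(blob) < 2:
        return None
    mlen = struct.unpack(">H", blob[:2])[0]
    header_len = 2 + mlen + NONCE_LEN
    if len(blob) < header_len + TAG_LEN:
        return None
    header, body, tag = blob[:header_len], blob[header_len:-TAG_LEN], blob[-TAG_LEN:]
    migration, nonce = header[2:2 + mlen], header[-NONCE_LEN:]
    key = _kdf(root, b"seal", env_digest, agent_digest, migration)
    if not hmac.compare_digest(hmac.new(key, header + body, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class Nexus:
    """A nexus generates a random keyset on first load and keeps it sealed by the SSC;
    agents seal against that keyset, so they never seal directly against the SSC."""

    def __init__(self, image, root=ROOT_SECRET):
        self.digest = digest(image)
        self.root = root
        self.sealed_keyset = seal(os.urandom(32), self.digest, self.digest, b"nexus-keyset", root)

    def _keyset(self):
        return unseal(self.sealed_keyset, self.digest, self.digest, self.root)

    def agent_seal(self, agent_image, secret, migration=b""):
        return seal(secret, self.digest, digest(agent_image), migration, root=self._keyset())

    def agent_unseal(self, agent_image, blob):
        return unseal(blob, self.digest, digest(agent_image), root=self._keyset())
```

The mismatch case on the slide ("Unseal returns NOTHING") falls out of the key derivation rather than from a comparison of stored digests: nothing in the blob says which agent or nexus it belongs to, and a caller with the wrong digests simply derives a key whose tag does not verify. The `Nexus` class shows why agents seal against the nexus: a second nexus with a different digest cannot open the first nexus's keyset, so every agent blob under it stays closed as well.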
Hardware Fundamentals For NGSCB, Part 2: Peripheral Hardware
NGSCB: Desktop Secure Input
Threat Model: NO software-only attacks against secured keystrokes; NO Break-Once/Break-Everywhere (BOBE) attacks.
Out of scope: people swapping the keyboard hardware; patching into the keyboard cable; sticking some device between the keyboard and the box. All require a physical attack.
Cannot send a physical attack via e-mail.
[Figure: Secure Input (desktop), built up over several slides. Quadrants: Standard-Mode ("std-mode"/LHS) and Nexus-Mode (RHS), each split into User and Kernel. Keystrokes leave the USB Host Controller encrypted (E = Encrypted), pass through the LHS USB stack, which is marked as the Hazard, and appear as Decrypted Text only on the nexus-mode side.]
[Figure: Mobile PC Secure Input. Same quadrants; the Key Board Controller (KBC) encrypts keystrokes (E = Encrypted) before they cross the Chipset South Bridge (LPC bus Controller) and the LHS, which is marked as the Hazard.]
Secure Input
Encryption for Human Interface Device (HID) will be done on the outboard side of a USB host:
1. Built into the USB root hub
2. Built into any USB hub
3. Inside the device of interest
4. In-line device (dongle) between the machine and the input device
Best solution is #1.
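The slides state the threat model (no software-only attack against secured keystrokes) and where the encryption sits, but not what the encrypted packet must carry for the LHS conduit to be harmless. The following added example (not code from the talk or from any NGSCB component) shows the shape in Python: an encryptor on the hub side and a decryptor in nexus-mode share a key, each 8-byte HID boot-keyboard report travels as sequence number + ciphertext + MAC, and the untrusted LHS stack can forward, alter or re-deliver packets but never learns the key. The shared key, the per-report SHA-256 pad and the 16-byte truncated HMAC are assumptions for the example; the slides say the key-establishment method is still being evaluated.

```python
import hashlib
import hmac
import struct

REPORT_LEN = 8  # USB HID boot-protocol keyboard report: modifiers, reserved, 6 keycodes


class HubEncryptor:
    """Runs on the outboard side of the USB host (e.g. in the root hub).
    Holds the shared key and a monotonically increasing sequence number."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def encrypt(self, report: bytes) -> bytes:
        assert len(report) == REPORT_LEN
        self.seq += 1
        seq = struct.pack(">Q", self.seq)
        # One-time pad per report, derived from key and sequence number (assumed construction).
        pad = hashlib.sha256(self.key + b"pad" + seq).digest()[:REPORT_LEN]
        ct = bytes(a ^ b for a, b in zip(report, pad))
        tag = hmac.new(self.key, seq + ct, hashlib.sha256).digest()[:16]
        return seq + ct + tag  # 8 + 8 + 16 bytes: everything the LHS ever sees


class NexusDecryptor:
    """Runs in nexus-mode. Rejects anything the LHS conduit altered or re-delivered."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def decrypt(self, packet: bytes):
        if len(packet) != 32:
            return None
        seq, ct, tag = packet[:8], packet[8:16], packet[16:]
        expected = hmac.new(self.key, seq + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return None  # modified in transit
        n = struct.unpack(">Q", seq)[0]
        if n <= self.last_seq:
            return None  # an old packet delivered again
        self.last_seq = n
        pad = hashlib.sha256(self.key + b"pad" + seq).digest()[:REPORT_LEN]
        return bytes(a ^ b for a, b in zip(ct, pad))


def lhs_conduit(packet: bytes, behaviour: str = "forward") -> bytes:
    """The untrusted LHS USB stack (the Hazard in the diagrams). It may forward
    honestly or corrupt a byte; in no case does it hold the key."""
    if behaviour == "corrupt":
        return packet[:8] + bytes([packet[8] ^ 0x01]) + packet[9:]
    return packet


def demo():
    """Returns (honest result, corrupted result, re-delivered result, plaintext visible?)."""
    key = hashlib.sha256(b"constructed shared secret").digest()  # assumed out-of-band setup
    hub, nexus = HubEncryptor(key), NexusDecryptor(key)
    report = bytes([0x02, 0x00, 0x04, 0, 0, 0, 0, 0])  # Left Shift + 'a'
    first = hub.encrypt(report)
    ok = nexus.decrypt(lhs_conduit(first))
    corrupted = nexus.decrypt(lhs_conduit(hub.encrypt(report), "corrupt"))
    redelivered = nexus.decrypt(lhs_conduit(first))  # same packet handed over twice
    visible = first[8:16] == report  # does the conduit see the keystroke?
    return ok, corrupted, redelivered, visible


if __name__ == "__main__":
    print(demo())
```

The sequence number does double duty: it keeps the pad fresh and lets the decryptor reject re-delivered packets, which matters because a keystroke repeated by a faulty or hostile LHS driver is as harmful as one it invented. Nothing here depends on the LHS behaving, which is the "RHS must NOT rely on the LHS for security" rule stated later in the talk.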
Secure Input Work In Progress
For desktops: evaluating several different ways of establishing the shared secret; security versus OEM and IT deployment tradeoffs.
For laptops: evaluating different ways to partition Secure Input Path firmware/microcode in the Embedded Controller; legacy versus security certification issues.
Alternatives being evaluated; more information in calls-to-action.
Secure Video
Threat model for video: NO software-only attacks against secure windows and the information displayed in them; NO Break-Once/Break-Everywhere (BOBE) attacks.
This is not the ONLY hazard relevant to all stakeholders; it is what we can secure.
Security for external video interfaces is a matter for hardware standards. NGSCB could support link protections but won't require it.
[Figure: Secure Video. Quadrants as before (Standard-Mode "std-mode"/LHS and Nexus-Mode/RHS, each with User and Kernel); USB Host Controller; two graphics paths, Graphics Adaptor (nexus-mode) and Graphics Adaptor (std-mode); the std-mode path is marked as the Hazard.]
Secure Video
Secure Video assures: secure windows cannot be obscured; secure windows cannot be captured by unauthorized software; secure windows cannot be altered by unauthorized software.
Graphics adaptor may communicate with the display in various formats.
We are working on accessibility.
Secure Video
The Challenge: how does the video data get from nexus-mode to the graphics processor? Two general ways:
Closed path – video MUST be an integrated device. Depends on a special hardware path from the nexus to the video device. Works when the video device is in close cooperation with the memory controller.
Encrypted path – data is encrypted in nexus-mode and decrypted by the graphics adaptor. Can reuse the LHS driver stack.
[Figure: Closed Path T-Vid. Same quadrants; a Trusted Video Abstractor in nexus-mode feeds the Graphics Adaptor (nexus-mode) over the closed hardware path, bypassing the std-mode Graphics Adaptor path marked as the Hazard.]
[Figure: Crypto Path T-Vid. The Trusted Video Abstractor encrypts the frame data (E = Encrypted), which crosses the std-mode kernel (Hazard) to the Graphics Adaptor, where it is decrypted.]
NGSCB: Ecosystem
Works today on x86 flat 32-bit architectures from multiple sources.
Could work on any CPU with user/kernel modes and page-granular virtual memory mapping.
With effort, could be adapted to other CPU models.
NGSCB: Ecosystem
Building an NGSCB capable machine requires: NGSCB CPU, NGSCB Chipset, SSC, Secure Input, Secure Video, all working in conjunction.
Include tamper resistant/detecting hardware to pursue specific opportunities.
NGSCB: Changing The Nexus
The digest of the nexus is the basis for trust in the system, so a change to the nexus is non-trivial.
Hardware changes which require nexus changes will face delays in market support. We are working closely with core-logic vendors to minimize risk.
For RHS input and output it's important to get things "right".
This means that there will be a small number of practical *INTERFACES* for trusted-input and trusted-output. This is about INTERFACES, not gates, technologies, fabs, speeds, or costs; INTERFACES. Microsoft is working to define these INTERFACES with leading providers of video and USB hardware.
LHS interfaces and software can change in the normal ways.
Nexus Fundamentals
Device Drivers
NGSCB doesn't change the device driver model.
NGSCB needs very minimal access to real hardware.
Secure reuse of Left Hand Side (LHS) driver stacks wherever possible: the Right Hand Side (RHS) runs an encrypted channel through an unprotected LHS conduit.
Every line of privileged code is a potential security risk: no third-party code, no kernel-mode plug-ins.
Partitioned System
RHS = Security. In the presence of adversarial LHS code the system must not leak secrets → the RHS must NOT rely on the LHS for security.
LHS = Richness and Compatibility. In the absence of LHS cooperation NGSCB doesn't run → the RHS MUST rely on the LHS for stability and services.
What Runs On The LHS
Applications and drivers still run. Viruses too. Windows as you know it today. Any software, with minor exceptions.
The new hardware (HW) memory controller won't allow certain "bad" behaviors, e.g., code which copies all of memory from one location to the next, or puts the CPU into real mode.
What NGSCB Needs From The LHS
Device driver work for Trusted Input / Video.
Memory Management additions to allow the nexus to participate in memory pressure and paging decisions.
User mode debugger additions to allow debugging of agents (explained later).
Window Manager coordination. Nexus Manager device driver (nexusmgr.sys). NGSCB management software and services.
Close-Up Of The Lower RHS
[Figure: block diagram of the lower RHS. Labelled blocks: Nexus.exe, Syscall Dispatcher, Porch, Kernel debug, Nexus Core, HandleMgr, SSC Abstractor, ATC Module, (Nexus Callable Interfaces), Nexus Abstraction Layer (NAL), Nx* Functions, Int Handler, Sync Objects, Memory Manager, Process Loader, Process Manager, Thread Manager, IO Manager, NGSCB Calls/Traps, Crypto, Runtime Library, Native SRM.]
I Think, Therefore I Am: the Descartes Problem
Challenge for attestation must always come from outside the machine: local (the user with a superkey) or remote (some server).
No nexus can directly determine if it is running in the secured environment.
No agent can directly determine if it is running in the secured environment.
Must use Remote Attestation or Sealed Storage to cache credentials or secrets to prove the system is sound.
Nexus Derivative Works
The user can run any nexus, or write his own and run it, on the hardware.
That nexus can only report the attestation provided by the Security Support Component (SSC). The SSC won't lie. The nexus cannot pretend to be another nexus.
Other systems will need to decide if they trust the new derived nexus.
Just need to prove to others your derivative is legitimate.
Agent Derivative Works
The user can run any agent, or write his own and run it, on the nexus.
That agent can report the attestation provided by the nexus. The nexus won't lie. The agent cannot pretend to be another agent.
Other systems will need to decide if they trust the new derived agent.
Just need to prove to others your derivative is legitimate.
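The Descartes Problem and the two Derivative Works slides describe attestation by its properties: the challenge comes from outside, the SSC reports the nexus digest the hardware measured, the nexus reports the agent digest it measured, neither can pretend to be something else, and the other side decides what to trust. The following added example (not code from the talk or from Microsoft) models that chain in Python. Its one structural assumption is that quotes are HMACs under a key shared by the SSC and the verifier, standing in for the SSC's real signing key and certificate so the example stays in the standard library; the images and digests are constructed.

```python
import hashlib
import hmac
import os


def digest(image: bytes) -> bytes:
    """Code digest, as the hardware (for a nexus) or the nexus (for an agent) computes it."""
    return hashlib.sha256(image).digest()


class SSC:
    """Toy Security Support Component: records the digest of the nexus the
    hardware booted and quotes it on request. Quote key shared with the
    verifier is an assumption standing in for the SSC's signature key."""

    def __init__(self, quote_key: bytes):
        self._key = quote_key
        self.nexus_digest = None

    def boot_nexus(self, nexus_image: bytes) -> None:
        self.nexus_digest = digest(nexus_image)  # measured, never claimed by software

    def quote(self, nonce: bytes, agent_digest: bytes) -> dict:
        msg = nonce + self.nexus_digest + agent_digest
        return {"nonce": nonce, "nexus": self.nexus_digest, "agent": agent_digest,
                "mac": hmac.new(self._key, msg, hashlib.sha256).digest()}


class Nexus:
    """Whatever nexus was booted. It measures the agents it loads and can only
    pass on the attestation the SSC produces for it."""

    def __init__(self, ssc: SSC):
        self.ssc = ssc
        self.agents = {}

    def load_agent(self, name: str, image: bytes) -> None:
        self.agents[name] = digest(image)

    def attest(self, name: str, nonce: bytes) -> dict:
        return self.ssc.quote(nonce, self.agents[name])


class Verifier:
    """Lives outside the machine (a remote server, or the local user with a
    superkey) and decides which nexus and agent digests it trusts."""

    def __init__(self, quote_key: bytes, trusted_nexuses, trusted_agents):
        self._key = quote_key
        self.trusted_nexuses = set(trusted_nexuses)
        self.trusted_agents = set(trusted_agents)
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, q: dict) -> str:
        if q["nonce"] not in self.outstanding:
            return "stale"  # not a fresh challenge of ours
        self.outstanding.discard(q["nonce"])
        msg = q["nonce"] + q["nexus"] + q["agent"]
        if not hmac.compare_digest(q["mac"], hmac.new(self._key, msg, hashlib.sha256).digest()):
            return "forged"  # altered by software that does not hold the SSC key
        if q["nexus"] not in self.trusted_nexuses:
            return "unknown nexus"
        if q["agent"] not in self.trusted_agents:
            return "unknown agent"
        return "trusted"


def demo() -> dict:
    # Constructed images: an "official" nexus and agent, plus user-built derivatives.
    nexus_img, agent_img = b"official nexus image", b"official agent image"
    derived_nexus, derived_agent = nexus_img + b" + my patch", agent_img + b" + my patch"
    key = os.urandom(32)
    verifier = Verifier(key, [digest(nexus_img)], [digest(agent_img)])
    r = {}

    ssc = SSC(key)
    ssc.boot_nexus(nexus_img)
    nexus = Nexus(ssc)
    nexus.load_agent("a", agent_img)
    nexus.load_agent("d", derived_agent)
    q = nexus.attest("a", verifier.challenge())
    r["official"] = verifier.verify(q)
    r["replayed"] = verifier.verify(q)  # same quote presented twice
    r["derived_agent"] = verifier.verify(nexus.attest("d", verifier.challenge()))

    ssc2 = SSC(key)
    ssc2.boot_nexus(derived_nexus)  # the user runs a nexus of their own
    nexus2 = Nexus(ssc2)
    nexus2.load_agent("a", agent_img)
    r["derived_nexus"] = verifier.verify(nexus2.attest("a", verifier.challenge()))
    pretend = dict(nexus2.attest("a", verifier.challenge()), nexus=digest(nexus_img))
    r["pretend"] = verifier.verify(pretend)  # the nexus cannot pretend to be another nexus
    verifier.trusted_nexuses.add(digest(derived_nexus))  # the other side decides to trust it
    r["derived_nexus_accepted"] = verifier.verify(nexus2.attest("a", verifier.challenge()))
    return r


if __name__ == "__main__":
    print(demo())
```

The derived nexus is never blocked from running; it simply produces a different digest, and the verifier's last step shows the "other systems decide" point: once the verifier adds that digest to its trusted set, the same machine attests successfully.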
Policy Controlled By The Owner Of The Machine
NGSCB enforces policy but does not set the policy.
The hardware will load any nexus, but only one at a time. Each nexus gets the same services. The hardware keeps nexus secrets separate. Nothing about this architecture prevents any nexus from running; however, the owner can control which nexuses are allowed to run.
Proposed software (nexus) policies: the Microsoft nexus will run any agent. The platform owner can set policy that limits this. User gets to pick some other delegated evaluator (e.g., my union) if they choose.
Policy Notes
Policy is a way for users and machine owners to make general, abstract statements about what software runs:
"Run any agent I click"
"Run only agents whose source I've read"
"Run agents that a third party I trust, trusts"
The point of policy is to enable the users to control what runs on their machines.
Next Generation Secure Computing Base Defined
Microsoft's Next-Generation Secure Computing Base (NGSCB) is a new security technology for the Microsoft Windows platform. Uses a unique hardware and software design. Gives people new kinds of security and privacy protections in an interconnected world.
NGSCB Quadrants
[Figure: the four quadrants. Standard-Mode ("std-mode"/LHS), User: User Apps.; Kernel: Main OS, USB Driver, NexusMgr.sys, HAL. Nexus-Mode (RHS), User: Agents, NCA Runtime Library, Trusted User Engine (TUE), TSPs; Kernel: Nexus, NAL. Hardware row: Secure Input, Chipset, CPU, SSC, Secure Video.]
"Booting" The Nexus
Nexus is like an OS kernel, so it must boot sometime.
Can boot long after the main OS. Can shut down long before the main OS (and restart later).
NGSCB Nexus Manager
[Figure: Nexus Manager components in the LHS kernel: Nexus Manager Abstraction Layer (NMAL); Nexus Manager Core with Dispatch Services, Shadow Service, Admin Service, Nexus Mgr IPC, Object Security Manager, Shared Resource Manager, HW Allocator (memory wholesaler) and Nexus Loader; Secure Input Filter Driver and Secure Video Filter Driver. The Nexus sits in Nexus-Mode (RHS); Secure Input and Secure Video are in the Hardware row.]
"Booting" The Nexus
NexusMgr is a kernel mode LHS component. It reads and maps the nexus code, allocates some pages from the main OS, passes that list of pages to the nexus via some platform-specific code/hardware, and digests the nexus (with hardware help).
Now the nexus starts, initializes Address Translation Control (ATC), and returns control to the LHS.
Address Translation
[Figure: virtual addresses go through Address Translation to physical pages; Normal Pages are mapped, the Protected Page is not.]
Address Translation Control
This is curtained memory (or strong process isolation).
Can't tamper with a page unless you have a mapping to it.
On current PCs, any kernel mode code can modify Virtual Address (VA) → Physical Address (PA) mapping structures, and there's untrusted code in kernel mode.
NGSCB hardware calls the nexus before: page map changes (process swap); edits to mapping structures; turning off paging.
Address Translation Control
When the page map changes, the nexus walks the tree of pages it maps, makes sure no protected pages are mapped, and checks that there are no read/write mappings to the page map.
Now the map will remain safe, so hardware and software can manage a list of known safe page maps.
Address Translation Control
When a mapping structure changes, the nexus walks the tree of pages getting mapped, makes sure no protected pages are getting mapped, and ensures there are no read/write mappings to the page map.
ATC will almost always allow the mapping to change. Legacy code will still work unless it attempts to access nexus space pages.
Address Translation Control
ATC protects: agent and nexus data; agent and nexus code; all page mapping structures (LHS/RHS).
Also protected from DMA (thanks to special hardware).
Correct ATC implementation is vital to NGSCB security.
Memory Management (MM)
Simplicity and robustness preferred over maximizing performance.
Allocate/free whole pages. No shared memory between agents. No paging-to-disk in this version.
If the nexus were to page to disk, it would encrypt and sign the pages, then ask the main OS to flush them.
Memory Management (MM)
Nexus keeps some free pages that ATC is protecting.
Nexus can request extra pages from the kernel via NexusMgr (seize).
Nexus MM asks ATC if new pages are safe to use - "any left side mappings?"
Nexus can give surplus pages back to the kernel if the kernel needs them.
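The ATC slides and the two MM slides above describe one procedure from two sides: on a page-map switch or a mapping edit the nexus walks the map and refuses anything that maps a protected page or maps the page-map pages read/write; when NexusMgr offers pages to seize, the nexus asks the same walker "any left side mappings?" before protecting them. The following added example (not code from the talk or from the nexus) implements both in Python over a simplified two-level page map. The flag bits, the page-frame numbers and the single LHS page map are constructed; the hardware callbacks are modelled as methods the "hardware" calls before a change takes effect. DMA protection, which the slides attribute to separate hardware, is not modelled.

```python
PRESENT, WRITE = 0x1, 0x2  # simplified page-table entry flags (assumption)


def walk(tables, root):
    """Yield (level, table_pfn, index, target_pfn, flags) for every present entry
    of the two-level map rooted at page `root`. `tables` maps the pfn of a
    page-table page to its list of (target_pfn, flags) entries."""
    for i, (tpfn, flags) in enumerate(tables[root]):
        if not flags & PRESENT:
            continue
        yield 1, root, i, tpfn, flags  # directory entry -> page-table page
        for j, (dpfn, dflags) in enumerate(tables.get(tpfn, [])):
            if dflags & PRESENT:
                yield 2, tpfn, j, dpfn, dflags  # table entry -> data page


class ATC:
    """Address Translation Control as run by the nexus."""

    def __init__(self, protected_pfns):
        self.protected = set(protected_pfns)  # nexus and agent code/data pages
        self.safe_roots = set()               # list of known safe page maps

    def check(self, tables, root):
        map_pages = {root} | {pfn for lvl, _, _, pfn, _ in walk(tables, root) if lvl == 1}
        for lvl, tpfn, idx, target, flags in walk(tables, root):
            if target in self.protected:
                return False, f"table {tpfn:#x}[{idx}] maps protected page {target:#x}"
            if lvl == 2 and target in map_pages and flags & WRITE:
                return False, f"table {tpfn:#x}[{idx}] maps page-map page {target:#x} read/write"
        self.safe_roots.add(root)
        return True, "ok"

    def on_page_map_switch(self, tables, root):
        """Hardware calls the nexus before loading a new page map (process swap)."""
        if root in self.safe_roots:
            return True, "known safe"
        return self.check(tables, root)

    def on_mapping_edit(self, tables, root, table_pfn, idx, new_entry):
        """Hardware calls the nexus before an edit to a mapping structure takes effect."""
        old = tables[table_pfn][idx]
        tables[table_pfn][idx] = new_entry
        self.safe_roots.discard(root)
        ok, why = self.check(tables, root)
        if not ok:
            tables[table_pfn][idx] = old  # refuse the edit; legacy code keeps its old map
            self.check(tables, root)
        return ok, why


def lhs_mappings_to(tables, lhs_roots, pfn):
    """Answer ATC's question "any left side mappings?" for one page."""
    return [(root, tpfn, idx) for root in lhs_roots
            for _, tpfn, idx, target, _ in walk(tables, root) if target == pfn]


class NexusMM:
    """Whole-page allocator that grows and shrinks via NexusMgr."""

    def __init__(self, atc, tables, lhs_roots):
        self.atc, self.tables, self.lhs_roots = atc, tables, lhs_roots
        self.free = []

    def seize(self, offered):
        """Pages NexusMgr hands over; keep only those the LHS has no mapping to."""
        taken = []
        for pfn in offered:
            if lhs_mappings_to(self.tables, self.lhs_roots, pfn):
                continue
            self.atc.protected.add(pfn)
            self.free.append(pfn)
            taken.append(pfn)
        return taken

    def release(self, count):
        """Give surplus pages back to the kernel; they stop being protected."""
        given, self.free = self.free[:count], self.free[count:]
        self.atc.protected.difference_update(given)
        return given


def demo():
    # Constructed LHS page map: directory 0x100 -> table 0x200 -> data pages 0x300, 0x301.
    tables = {
        0x100: [(0x200, PRESENT | WRITE), (0, 0)],
        0x200: [(0x300, PRESENT | WRITE), (0x301, PRESENT | WRITE),
                (0x100, PRESENT), (0, 0)],  # a read-only view of the directory is allowed
    }
    atc = ATC(protected_pfns=[0x800, 0x801])  # constructed nexus pages
    r = {"initial": atc.on_page_map_switch(tables, 0x100)[0]}
    r["map_protected"] = atc.on_mapping_edit(tables, 0x100, 0x200, 3, (0x800, PRESENT | WRITE))[0]
    r["rw_page_map"] = atc.on_mapping_edit(tables, 0x100, 0x200, 3, (0x200, PRESENT | WRITE))[0]
    r["legacy_edit"] = atc.on_mapping_edit(tables, 0x100, 0x200, 3, (0x302, PRESENT | WRITE))[0]
    mm = NexusMM(atc, tables, lhs_roots=[0x100])
    r["seized"] = mm.seize([0x301, 0x900])  # 0x301 is still mapped by the LHS
    r["map_seized"] = atc.on_mapping_edit(tables, 0x100, 0x200, 1, (0x900, PRESENT | WRITE))[0]
    r["released"] = mm.release(1)
    r["map_released"] = atc.on_mapping_edit(tables, 0x100, 0x200, 1, (0x900, PRESENT | WRITE))[0]
    return r


if __name__ == "__main__":
    print(demo())
```

Three of the four edits in the demo are the ordinary kind ATC "almost always" allows; only the ones that reach a nexus page or make a page-map page writable are refused, and the refusal leaves the old map in place so the LHS keeps running. The seize path shows why the question is "any left side mappings?" rather than "is it free?": a page the kernel still maps could be written through that mapping after the nexus started using it.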
Nexus Abstraction Layer (NAL)
Multiple CPU vendors. Different Security Support Components (SSC). Much nexus code is architecture independent.
Interrupts
Interrupts enabled on the RHS. Most drivers are still on the LHS.
So…what if an interrupt for the NIC, SCSI card, etc. happens on the right?
Nexus asks Porch to transition to the LHS.
NexusMgr "replays" the interrupt.
Nexus Also Protects
Model specific registers (MSRs): some MSRs are used to implement NGSCB, but most will be accessible by left side code.
I/O ports: combined with ATC, this means PCI config space is protected. Things like the DMA exclusion list are in chipset registers, so we must protect them.
The NAL helps decide what to protect.