Trusted Computing System

The overall goal of the Trusted Computing (TC) approach of the Trusted Computing Group (TCG) is the realisation of a so-called Trusted Computing System (TCS). A TCS basically consists of a Trusted Computing Platform (TCP) and a Trusted Operating System (TOS) with trustworthy services and applications. Figure 3.2 illustrates the schematic design of a TCS.

Figure 3.2.: Schematic design of a Trusted Computing System [55]

3.7.1. Trusted Computing Platform

The Trusted Computing Platform (TCP) as defined by the Trusted Computing Group (TCG) consists of the Trusted Platform Module (TPM) and the Core Root of Trust for Measurement (CRTM) Code. The TCP should be able to record the state of the integrity of software and hardware components during the actual boot process of a platform.

3. Background to Trustworthy Computing

3.7.1.1. Trusted Platform Module

The Trusted Platform Module (TPM) is a cryptographic hardware chip which is tied to the platform of a computer system and whose basic structure and functionality has been specified by the Trusted Computing Group. A detailed description about the individual components of the chip, as well as an account on the functionality of this hardware-based security implant can be found in Appendix E.

The TPM offers basic cryptographic engines in hardware and therefore the functionality of the TPM module often is compared to the operating mode of a high-end smartcard. However, there are some major differences between these two hardware-based security modules. First of all a smartcard is used to authenticate a specific user, whereas the Trusted Platform Module is tied to a client platform and therefore can be used to authenticate a specific computing platform. Furthermore the TPM offers special protected capabilities, such as a secured memory region and the possibility for a secure generation of cryptographic keys inside of the chip. Special Roots of Trust are used for the creation of a key hierarchy, ensuring that each newly created key is bound to the TPM first, before it leaves the chip in an encrypted form.

The most interesting feature of the TPM is the Platform Configuration Register (PCR). A special memory region inside of the TPM stores the hash values of special data blocks during the boot process. These values represent the actual state of the system and can be used for attestation purposes and for the sealing of data not only to the platform, but also to a specific configuration state of that platform. Additionally these values can be used as a guarantee for a secure bootstrap of the system since they are creating a Chain of Trust over the components involved in the boot process.

3.7.1.2. Core Root of Trust for Measurement

Besides the TPM a TCP requires another component, which is named the Core Root of Trust for Measurement (CRTM), generally implemented as a BIOS extension, hence it is within the firmware part of the system. The CRTM contains the first instructions executed when powering

3. Background to Trustworthy Computing

up the system and generates check sums over the components involved in the boot process. With the creation of these check sums the TCP initiates a Chain of Trust starting at the BIOS Power On Self Test (POST) and ending at the Master Boot Record (MBR). This is also called the Static Chain of Trust, and assures that each and any executed component in this operating stage can be clearly identified. The CRTM Code comprises an implementation of the Root of Trust for Measurement (RTM). Refer to Appendix E for more information about the ’Roots of Trust’.

3.7.2. Trusted Operating System

A trusted platform is an essential part of a trustworthy computing system. Another important component is a Trusted Operating System (TOS). Compared to the TCP, which has been clearly specified by the TCG, there are no clear definitions or specifications for the creation of a TOS. In general a TOS can be figured as a combination of a trustworthy kernel, services and applications. A TOS should meet a list of demands stated below:

• Integrity Measurement and Protection

The Static Chain of Trust for Measurement ends at the Master Boot Record. The first task of a TOS needs to continue in this chain during a boot process of the operating system by adding integrity measurement routines to the boot manager and operating system loader. In order to be able to represent the actual state of the system, and not the state the system had during boot process, the integrity measurements should be sustained even during the runtime of the operating system. However, commonly used operating systems are far too complex which makes complete integrity measurements of all security critical data quite infeasible. The Chain of Trust could be extended to a Tree of Trust.

• (Remote) Integrity Validation

A TOS must furthermore offer the possibility to evaluate the current state of the platform in order to verify the trustworthiness. If the integrity validation takes place on the same system it is mandatory that the verifying component is also part of the trust chain.

3. Background to Trustworthy Computing

However, if the system has been compromised the verifying component could also have been compromised. As a result the integrity validation should be performed by a remote system.

• Trusted Software Stack

In order to communicate with the TPM and to provide an interface to the TPM for trusted computing aware applications, a TOS must provide a Trusted Software Stack (TSS). The basic structure of the TSS has been specified by the TCG. It consists of multiple abstraction layers, as illustrated in figure 3.3. Nowadays, implementation of a Trusted Software Stack exists for different operating systems. For more detailed information on the TSS please refer to [11].

Figure 3.3.: Trusted Software Stack [12]

• Protected Execution

An important requirement for a trustworthy operating system is the ability to execute arbitrary software applications in a protected execution environment. It must be guaran-

3. Background to Trustworthy Computing

teed that the storage region of an application is shielded from access and modification by another application. Especially the Trusted Computing Base (TCB) of the system and additional security critical components must be secured from untrustworthy processes. However, the structure of commonly used operating systems offers some challenges for the implementation of the ’Protected Execution’ goal. As already stated, these operating systems are largely based on monolithic kernel structures and all active processes in the kernel can share the same memory region. This forms a drawback, regarding security because it provides the possibility to manipulate security critical data structures of the operating system kernel.

For the realization of the ’Protected Execution’ goal different approaches exist. The most feasible approach, in the author’s opinion, is to use virtualization techniques in combination with special processor security enhancements. All approaches are based on the same basic idea, i.e. to partition the system into small parts with variable security requirements.

• Trusted GUI, Input and Output

The goal of a Trusted GUI is the creation of a trusted channel between the user/administra- tor and the operating system. The rational behind this goal is that the user/administrator normally cannot distinguish between GUI elements of the operating system and poten- tially maliciously-behaving applications. Regarding Trusted Computing this implies a significant security risk. If the user cannot trust the displayed information then it is not possible to inform the user about the current state of the system. In the case of system compromise the reporting component could also be compromised.

Beyond the difficulty of a trustworthy output of information, the problem of secure data input and output also has to be addressed. Again the implementation of Trusted Channels and Trusted Paths between the peripheral devices and the application could solve this problem. However, this implies both software and hardware changes.

3. Background to Trustworthy Computing