New hacking-proof processor
Robert Stratton
bob at stratton.net
Thu Apr 16 18:32:42 CDT 2009
It remains to be seen how things that require the "trusted fab" will
scale commercially... but... if you haven't looked at the newest version
of the Trusted Platform Module technology, it's a good time to take a
new look.
The previously unwieldy Static Root of Trust for Measurement is now
augmented by the Dynamic Root of Trust for Measurement, and a new CPU
instruction, SKINIT or SENTER (depending on whether you're talking
about AMD or Intel). The Nehalem processors (like the Core i7) will
let you dynamically invoke a fenced-off processing environment which
will allow you to do things like perform attestation on arbitrary
blocks of code in an environment with restricted DMA and register use,
then hop back-and-forth into your normal dirty OS, or store your keys
in a place that the rest of the machine can't touch.
There's some hit but unlike the original SRTM functionality, you don't
necessarily have to do boot-time attestation on every single piece of
code from your bootstrap up through the whole OS.
There's a lot one can do with that.
--Bob
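As an added illustration of the SRTM-versus-DRTM point above (example code, not part of Bob's post): a small model of TPM 1.2 PCR extension showing why a measured launch only needs the launched environment's measurements, whereas a static chain must match from the bootstrap onward. The component names are constructed stand-ins for real code images.

```python
import hashlib

PCR_SIZE = 20  # TPM 1.2 PCRs hold a SHA-1 digest

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || SHA-1(measured blob))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()

def srtm_final_pcr(boot_chain):
    """Static root: the PCR is zero at platform reset and every boot stage
    extends it, so any change anywhere in the chain alters the result."""
    pcr = b"\x00" * PCR_SIZE
    for blob in boot_chain:
        pcr = pcr_extend(pcr, blob)
    return pcr

def drtm_final_pcr(launch_chain):
    """Dynamic root: after TPM init PCR17 holds all 0xFF; a dynamic launch
    (SENTER/SKINIT) resets it to zero and measures only what it launches,
    so nothing that ran before the launch is part of the value."""
    pcr = b"\x00" * PCR_SIZE  # value right after the launch-time reset
    for blob in launch_chain:
        pcr = pcr_extend(pcr, blob)
    return pcr

def attest(pcr, golden):
    """A verifier compares the quoted PCR with a known-good value."""
    return pcr == golden

# Constructed stand-ins for code images; a real platform hashes the binaries.
BOOT_CHAIN = [b"bios", b"option-rom", b"bootloader", b"kernel"]
LAUNCH_CHAIN = [b"sinit-acm", b"mle-hypervisor"]

def scenario():
    golden_srtm = srtm_final_pcr(BOOT_CHAIN)
    golden_drtm = drtm_final_pcr(LAUNCH_CHAIN)
    # An unrelated change early in the static chain (an option ROM update)
    # breaks SRTM attestation but leaves the DRTM measurement untouched.
    changed_boot = [b"bios", b"option-rom-v2", b"bootloader", b"kernel"]
    # A change to the launched environment itself is still caught by DRTM.
    tampered_launch = [b"sinit-acm", b"mle-hypervisor-tampered"]
    return {
        "srtm_after_optionrom_change": attest(srtm_final_pcr(changed_boot), golden_srtm),
        "drtm_after_optionrom_change": attest(drtm_final_pcr(LAUNCH_CHAIN), golden_drtm),
        "drtm_after_mle_tamper": attest(drtm_final_pcr(tampered_launch), golden_drtm),
    }
```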