Windows adds TXT-supported MLE to boot security

Interesting to hear that Microsoft has added TXT support alongside MLE. Sorry, no more info on it than above tweet….

From Wikipedia: Numerous server platforms include Intel TXT, and TXT functionality is leveraged by software vendors including HyTrust, PrivateCore, Citrix, Cloud Raxak, and VMware. Open-source projects also utilize the TXT functionality; for example, tboot provides a TXT-based integrity system for the Linux kernel and Xen hypervisor.



Intel TXE 3.0 security update??

Quoting an article from hexus.net:

MSI adds latest Intel TXE 3.0 security update

In order to avoid severe security vulnerabilities for the platforms, MSI motherboards now support the latest Intel Trusted Execution Engine (TXE) 3.0 for safer system protection. According to recent Intel comprehensive security review, security vulnerabilities are identified and could potentially allow attackers to gain unauthorized access to platforms features, secrets and 3rdparty secrets protected by Intel TXE. Therefore, Intel has validated and released Intel TXE 3.0 updates to address the encountered security situations. Currently all MSI 100,200 and 300 series motherboards are supporting the newest Intel TXE 3.0 by updating to the latest BIOS and installing the latest software updates. MSI always places strong emphasis on security and anti-hack issues to makes sure all MSI motherboard users are operating under the most secure circumstances. MSI will continue to provide additional updates if necessary to ensure maximum platform security protection for users.[…]


[ Update: my last paragraph was wrong, removed. see Comment by reader. :-). ]



Linux.com has a nice article on Xen, Linux, TPM, and TXT. It also mentions the OpenXT toolkit.


OpenXT is an open-source development toolkit for hardware-assisted security research and appliance integration. Released as Open-Source Software (OSS) in June 2014, OpenXT stands on the shoulders of Xen Project and OpenEmbedded. It is derived from XenClient XT, which was first released in May 2011. It includes hardened Xen VMs that can be configured as a user-facing virtualization appliance, for client devices with Linux and/or Windows guests. It has been used to develop managed software appliances to isolate demanding graphics workloads, untrusted workloads and multiple networks on a single laptop or desktop. OpenXT is optimized for x86 devices with Intel VT-d, TXT (Trusted Execution Technology) and a TPM. OpenXT is being developed to meet the varied needs of the security and virtualization communities, as a toolkit for the configurable disaggregation of operating systems and user workflows. Client appliances developed on OpenXT can contain a mixture of open-source and proprietary software, supporting a range of business models.[…]





The EFI TBOOT project is currently under development! EFI TBOOT is mostly a proof of concept at this point. It is not currently functional. It can be built and installed as an EFI boot loader. It only works in conjunction with Xen at the moment. The current development work is being done on Fedora 25 x64. The status as of March 14, 2017 is:
 – EFI TBOOT will boot, but it needs a few key strokes to get going (this is for debugging purposes).
 – EFI TBOOT will relocate itself to EFI runtime memory and setup a shared runtime variable with Xen.
 – EFI related configuration setup is done as well as standard TBOOT pre-launch configuration.
 – Xen is launched and has code to call EFI TBOOT back after EBS.
 – EFI TBOOT then does the SENTER successfully in the callback.
 – The post launch entry point is reached but the switch back to long mode is not working.
EFI TBOOT needs a number of platform support files used with TXT (called Authenticated Code Modules or ACMs). For convenience the packages can be gotten from the OpenXT mirror:



VZ on Secure Boot, Intel TXT, Linux, and UEFI

Earlier today, Matthew Garret posted a problem on Twitter about Intel Linux and Intel TXT mode:


Later that day, Vincent Zimmer of Intel is apparently helping to get that Intel project working with UEFI:

A few weeks ago, a similar thing happened with Intel SGX. Intel is lucky to have Vincent Zimmer, who is very engaged with Linux security/development community, in helping to fix Intel projects to properly support UEFI. Many large companies do not have this kind of public individual involvement.


MJG on Secure Boot, Intel TXT, Linux, and security

A short security lesson from Matthew (click on Twitter link for follow-up post):

[BTW, sorry WordPress doesn’t seem to render Twitter’s HTML table when scrolling through the site If you ever see multiple blank lines in the post it is probably a Twitter URL that WordPress didn’t render, refresh to fix. You have to refresh on new pages, often, or view the post on a separate page (which generates a refresh). I post messages while online and finding news, but don’t spend a huge amount of extra time formatting the posting, simple ASCII text plus a few URLs. The interactive WordPress HTML UI to add a hyperlink triples the time to post each message, and WordPress won’t accept HTML <A> links. WordPress renders some URLs differently, like showing the image of a JPEG/PNG/etc, and showing the Youtube video link and hiding the rest of a web page which contains a Youtube URL — like Kickstart funding pages.]


Intel KGT

Wow, I wasn’t aware of Intel’s Kernel-Guard Technology (KGT) for Linux, until today. 😦

As found on the Twitter feed of Alex Bazhaniuk (@ABazhaniuk):

Intel Kernel-Guard Technology (Intel KGT) is a policy specification and enforcement framework for ensuring runtime integrity of kernel and platform assets.  The Intel® KGT framework allows policy writers to specify:
 * Which OS/platform resources to monitor
 * Actions to take when the monitored resource is accessed
 * A policy

A policy can be specified at build-time (embedded in the code), boot-time (such as through grub module), or at runtime (via configfs and script), and is enforced by an outside-OS component.  The Intel KGT framework, along with an appropriate policy, can be used to achieve immutability and runtime integrity of critical resources such as kernel code pages, kernel pagetable mappings, kernel interrupt descriptor table (IDT), control registers (CRs), MSRs, and MMIO regions. The Intel KGT is based on xmon, which is a thin VT-x component. Xmon runs in vmx-root (ring -1), de-privileges the OS, and uses VTx controls to trap access to specified resources and enforce policy specified actions. Xmon is not limited to using VT-x and, in the future, is expected to incorporate other CPU and platform features in addition to VT-x to enforce policy.    

Their Overview page gives a good introduction.

It looks like the last release was August 7th, with Intel TXT/tboot support:

More Information: