Uncategorized

TCG on network hardware security

“Firewalls and gateway routers are already important components of any organization’s network security strategy. But network architects can often overlook the fact that the networking equipment itself can be attacked. Ensuring these devices are resistant to attacks is just as important as conventional security mechanisms that protect PCs and servers.”

Establishing Network Equipment Security
http://www.trustedcomputinggroup.org/wp-content/uploads/Establishing-Network-Equipment-Security.pdf

TCG Guidance for Securing Network Equipment Preview Synopsis
http://www.trustedcomputinggroup.org/wp-content/uploads/NetEq-Synopsis_1_0r3.pdf

More info:
http://www.trustedcomputinggroup.org/establishing-network-equipment-security/

Standard
Uncategorized

new ACPI spec on TCG D-RTM

I just noticed there’s a new file on the list of ACPI specs, a 1.0 doc from TCG on D-RTM from mid-June:

TCG D-RTM Architecture
Document Version 1.0.0
June 17, 2013

This specification describes the architecture and implementation examples for a Dynamic Root of Trust for Measurement (D-RTM) used for measured platform initialization without a hardware platform restart. This specification extends the TCG PC Client specification (See (1)). The term “dynamic” is used because the measured platform initialization may occur while the hardware platform is running. In contrast, the Static Root of Trust for Measurement (S-RTM) requires a platform shutdown or restart.

http://www.trustedcomputinggroup.org/wp-content/uploads/TCG_D-RTM_Architecture_v1-0_Published_06172013.pdf
http://uefi.org/acpi

 

I wish there was an ACPI-announce list, or even a Twitter feed, to keep track of new ACPI specs…

Standard
Uncategorized

BSSSD: Trusted Computing for FreeBSD and OpenBSD

Excerpting the recent TCG announcement:

BSSSD: Trusted Computing now available for FreeBSD and OpenBSD: All pieces to utilize Trusted Computing and build Trusted Computing applications on FreeBSD and OpenBSD have been made available by the BSSSD-project.

Software components:
 * TPM device driver for the FreeBSD-kernel
 * TPM device driver for the OpenBSD-kernel
 * TCG Software Stack TrouSerS
 * TrustedGRUB boot-loader
 * TPM-Tools
 * OpenSSL-TPMengine
 * OpenCryptoKi
 * TPM-Emulator
 * TPM-Testsuite

Kernel drivers were developed for the following TPMs:
 * Atmel 97SC3203
 * Broadcom BCM0102
 * Infineon IFX SLB 9635 TT 1.2
 * Intel INTC0102
 * Sinosun SNS SSX35
 * STM ST19WP18
 * Winbond WEC WPCT200
 * TPMemulator

http://bsssd.sourceforge.net/components.html
http://bsssd.sourceforge.net/download.html

BSSSD: Trusted Computing Now Available for FreeBSD and OpenBSD

Standard
Uncategorized

TCG updated multiple specs

The Trusted Computing Group (TCG) has released revisions to multiple specifications:
I wish I knew why WordPress inserts the additional whitespace in these posts…. 😦

PC Client Specific Platform Firmware Profile Specification, Family 2.0, Level 00 Revision 00.21 and Errata
The PC Client Platform Specific Profile for TPM 2.0 systems defines the requirements for platform firmware to initialize and interact with a TPM 2.0 device in a PC Client platform.  This specification should be used in conjunction with the TCG UEFI Protocol Specification Family 2.0, the TCG Physical Presence Interface Specification, and the TCG ACPI Specification to design and implement a PC Client TPM 2.0-enabled platform.  This specification replaces the requirements defined in the PC Client Implementation Specification for Conventional BIOS and the PC Client UEFI Platform Specification for systems with TPM 2.0 devices.

PC Client Specific Platform Firmware Profile Specification

PC Client Work Group EFI Protocol Specification, Family 2.0, Level 00, Revision 00.13
The purpose of this document is to define a standard interface to the TPM on an UEFI platform. It defines data structures and APIs that allow an OS to interact with UEFI firmware to query information important in an early OS boot stage. Such information include: is a TPM present, which PCR banks are active, change active PCR banks, obtain the TCG boot log, extend hashes to PCRs, and append events to the TCG boot log.The latest revision of this specification is written with platforms with TPM 2.0 devices in mind, but nothing in this specification prevents the use with platforms with TPM 1.2 devices.

TCG EFI Protocol Specification

TCG Storage Opal Test Cases Specification, Version 2.00 Errata Version 1.00, Revision 1.00
The Opal Test Cases Specification contains a set of tests that are intended to verify the correct behavior of a storage device implementing the Opal SSC Specification. These test cases are intended to be used as a basis for the compliance component of the projected Storage certification program, which would seek to ensure a high level of interoperability of storage devices from multiple vendors.

TCG Storage Opal Test Cases

Multiple Stakeholder Model , Revision 3.40
The Multiple Stakeholder Model (MSM) is an informative reference document that describes use cases, recommended capabilities, and various implementation alternatives to allow multiple stakeholders to coexist safely on a mobile platform.  This document includes guidance on how to leverage TCG specifications to realize each alternative.  In particular, this document emphasizes the role of the Trusted Platform Module (TPM), the Mobile Common Profile, and the Mobile Reference Architecture specifications to support these capabilities for multiple stakeholders.  The goal of the MSM is to provide trusted services, for example, TPM and Trusted Network Communications (TNC), in a secure and efficient manner to all interested stakeholders (both local and remote) for a given mobile device. This guidance is applicable to all mobile devices (smartphones, feature phones, basic phones, etc.) and may be useful for other computing devices.  The target audience for this document includes designers, manufacturers, system integrators, application developers, and implementers of Trusted Computing technologies in mobile platforms.

Multiple Stakeholder Model

TPM Library Specification

TCG TPM 2.0 Mobile Common Profile

TPM 2.0 Mobile Reference Architecture Specification

TNC IF-M Segmentation Specification Version 1.0, Revision 5
The Trusted Network Communications (TNC) Work Group defines an open solution architecture that enables network operators to evaluate and enforce policies regarding endpoint integrity when granting access to a network infrastructure. As TCG’s Trusted Network Communications (TNC)-enabled technology is deployed in real-world environments, we’re learning that deplorer’s have the need to collect robust posture information to support endpoint compliance, security automation, and continuous monitoring. IF-M is the communication layer of the TNC architecture used to connect the endpoint components that collect information about the endpoint, and the corresponding components on a policy server that receive that information and act on it. IF-M is designed to be flexible to support communication of virtually any type of information about the endpoint that the enterprise might wish to know.

TCG Updates IF-M Segmentation to Enable Efficient Information Exchange

TNC IF-M Segmentation Specification

Trusted Network Communications

Standard
Uncategorized

UEFI boot support for locked SEDs updated

Eric Dong of Intel has updated UEFI’s TCG OVAL support, used with SEDs, how the UEFI-based system will work with the locked SEDs, when the user has no valid password:

[Patch] SecurityPkg OpalPasswordDxe: Enhance input password process.

Enhance the input password process, when device in unlock status and user press ESC, shutdown the device. If user reach the max try number, shutdown the device.

+  L”Confirm: Not unlock device and continue boot?.”,
+  L”Press ENTER to confirm, Press Esc to input password”,
+  L”Warning: system in unkown status, must shutdown!”,
+  L”Press ENTER to shutdown.”,

– L”Opal password retry count is expired. Keep lock and continue boot.”,
+ L”Opal password retry count exceeds the limit. Must shutdown!”,
  L”Press ENTER to continue”,

For more information, see the patch on the edk2-devel list:
https://lists.01.org/mailman/listinfo/edk2-devel

Standard
Uncategorized

new Intel patch adding TCG OPAL unlock to Linux NVMe

Rafael Antognolli of Intel posted a patch to the Linux-(NVMe,Block,Kernel) mailing lists, adding TCG OPAL unlock support to NVMe:

Add Opal unlock support to NVMe. This patch series implement a small set of the Opal protocol for self encrypting devices. It’s implemented only what is needed for saving a password and unlocking a given “locking range”. The password is saved on the driver and replayed back to the device on resume from suspend to RAM. It is specifically supporting the single user mode. It is not planned to implement the full Opal protocol (at least not for now).

Add optane OPAL unlocking code. This code is used to unlock a device during resume from “suspend to RAM”. It allows the userspace to set a key for a locking range. This key is stored in the module memory, and will be replayed later (using the OPAL protocol, through the NVMe driver) to unlock the locking range. The nvme_opal_unlock() will search through the list of saved devices + locking_range + namespaces + keys and check if it is a match for this namespace. For every match, it adds an “unlocking job” to a list, and after this, these jobs are “consumed” by running the respective OPAL “unlock range” commands (from the OPAL spec):
  * STARTSESSION
  * SET(locking range, readwrite)
  * ENDSESSION

NVMe: Add ioctls to save and unlock an Opal locking range. Two ioctls are added to the NVMe namespace: NVME_IOCTL_SAVE_OPAL_KEY and NVME_IOCTL_UNLOCK_OPAL. These ioctls map directly to the respective nvme_opal_register() and nvme_opal_unlock() functions. Additionally, nvme_opal_unlock() is called upon nvme_revalidate_disk, so it will try to unlock a locking range (if a password for it is saved) during PM resume.

For more information, see the post on the list archives:
http://lists.infradead.org/mailman/listinfo/linux-nvme

Standard
Uncategorized

UEFI support for TCG OVAL passwords

Eric Dong of Intel has submitted an 8-part patch to enable TCG OPAL password support in UEFI:

Enable Opal password solution: These patches used to enable opal password solution in BIOS. Opal feature defined in TCG storage Opal spec. This opal solution is a sample driver shows how to use opal feature in bios. It enables user to config opal feature in the setup page and popup dialog to let user unlock device in boot phase. It auto unlock opal device in S3 resume phase.

  MdePkg: Add definition for TCG Storage Core and Opal specs.
  SecurityPkg: TcgStorageCoreLib: Add TCG storage core library.
  SecurityPkg: TcgStorageOpalLib: Add TCG storage opal library.
  SecurityPkg: OpalPasswordSupportLib: Add Opal password support
    library.
  SecurityPkg: Add library header file definition to package.
  SecurityPkg: OpalPasswordDxe: Add Opal password dxe driver.
  SecurityPkg: OpalPasswordSmm: Add Opal password Smm driver.
  SecurityPkg: Enable Opal password solution build in Security package
    build.

 39 files changed, 21524 insertions(+)

For more information:
https://lists.01.org/mailman/listinfo/edk2-devel

Standard