What is the difference between Intel TXT and TPM? What more Intel TXT has to offer as compared to TPM? Basically, I wanted to know how TXT works? Any easy to follow literature for beginners will be highly appreciated!
Asked
Active
Viewed 1.5k times
6
-
What exactly do you want to know? – Scolytus Oct 23 '13 at 11:42
-
I wanted to know how TXT works? Any easy to follow literature for beginners will be highly appreciated! – Geek Oct 23 '13 at 12:04
-
Then first of all you should rephrase your question ;-) – Scolytus Oct 23 '13 at 12:29
-
Consider it as rephrased! – Geek Oct 23 '13 at 12:43
2 Answers
11
Scolytus is right but let me explain a bit more.
As he said, a TPM is a dependency of TXT but not the other way around. The TPM is where TXT will store the measurements - hash of components - of the platform. If TXT is not supported by a platform but a TPM is still present you still have all those features:
- Integrity measurement – securely measure the platform's components (hashes stored within the TPM)
- Authenticated boot – a process by which a platform's state (the sum of its components) is reliably measured and stored. SRTM - Static Root of Trust for Measurements
- Sealed Storage - encrypt data based on the current state of the platform or in other words, what has been measured (the PCR hash values stored in the TPM) - seal operation
- Attestation - securely report to other parties the state of the platform, e.g., quote operation aka Remote Attestation.
As such you could use trustedgrub (SRTM - Static Root of Trust for Measurements) but not tboot which implements a DRTM (Dynamic Root of Trust for Measurements) aka TXT.
About "how TXT works" see this question.
-
Is my understanding correct that SRTM measures up-till PCR7 (before the OS is loaded) and DRTM measures OS and the application being launched over OS? Basically PCR0-PCR7 will be identical in SRTM and DRTM? – Geek Oct 26 '13 at 23:28
-
1
-
-
He's talking about my answer. Since "how txt works" has already been answered, I added a link to it. SRTM can measure up to PCR15 (but it depends on implementation - tpm aware OS, bootloader, etc). DRTM, does not measure the boot sequence so yes, PCRs are unchanged. – northox Oct 27 '13 at 16:28
-
@Scolytus I'm not entirely sure the word 'implement' is correct as someone could understand that tboot is like TXT while it simply 'uses' DRTM (to provide secure boot). DRTM/LAte Launch implementations are Intel's TXT and AMD's SVM. What do you think? – northox Oct 28 '13 at 12:27
-
@northox Hmmm... I'm not a native, so help me. Intel TXT itself is not an implementation of a DRTM. It needs software around it. It **needs** the *OS* and the *MLE* part, as described in the Software Development guide. Without an MLE you'll never have a DRTM. TBoot implements the OS and the MLE parts of the architecture. So I thought *require* is the wrong wording, since TBoot is vital in such a setup. One could also mention that there are other implementations as well. – Scolytus Oct 28 '13 at 12:41
-
2In that sense, I agree. My comment was about the Root of Trust which is either provided by the CRTM: bios boot block (SRTM) or the SMX instructions + ACM module, etc (DRTM). I believe that's a confusing part for newcomers. – northox Oct 28 '13 at 21:43
-
Thanks that was helpful :) @Scolytus Could you look at this one http://stackoverflow.com/questions/19705588/which-pcr-can-be-extended-by-our-own-code Your help will be highly appreciated! – Geek Oct 31 '13 at 17:49
2
It's like asking "What's the difference between a car and an engine?"
The TPM is a vital part of Intel TXT. Without it Intel TXT does not work.
Scolytus
- 16,338
- 6
- 46
- 69