Trusted Computing for the Java(tm) Platform  
General
News
General Info
Mailing Lists
Downloads
SF Project Page
Links
jTSS
About
Documentation
Javadoc TSP
Javadoc full
jTpm Tools
About
Documentation
acTvSM platform
Documentation
jTSS Wrapper
About
Documentation
PrivacyCA
About
Documentation
Compartment
TCcert Tool
About
Documentation
Javadoc
XKMS lib
About
Documentation
Javadoc
TCPVM
About
Documentation
 
 

 
 

Java is a trademark of Sun Microsystems, Inc. See here for more information.

v0.3
Andreas Niederl <andreas.niederl@iaik.tugraz.at>
Martin Pirker <martin.pirker@iaik.tugraz.at>
Ronald Toegl <ronald.toegl@iaik.tugraz.at>
Michael Gebetsroither
Michael Gissing

1. Introduction

The IAIK acTvSM Platform is a prototype integration of Intel® Trusted Execution Technology (Intel TXT) into an off-the-shelf Debian Linux operating system. The Linux boot process is modified so that the acTvSM platform offers TPM-based guarantees for base system integrity. Further, on top of the base system, virtualized applications can be executed. A set of tools and operational procedures allow flexible configuration management and updates.

Development of this package was supported by the Austrian FIT-IT Trust in IT Systems programme, project acTvSM.

1.1. Trusted Platforms

The TCG concept of Trusted Computing extends the PC architecture with a unique trusted component called the Trusted Platform Module (TPM). It provides several cryptographic functions in hardware to support security related functions of the platform. Trusted Execution Technology (Intel TXT) by Intel extends the basic TCG Trusted Computing model to provide even more advanced services such as hardware virtualization, isolation of memory and hardwired, secure system states.

The IAIK acTvSM Platform is an experimental prototype which integrates the dynamic switch to trusted/measured hardware state into a standard boot process of an off-the-shelf Debian Linux system. Partitions on disc are encrypted by default. The cryptographic key needed to access the data on them can only be obtained in an administrator defined trusted system configuration. A management tool provides the required functions to allow the administrator to update the system from one defined boot state to a new one. Further, application images can be imported and started in hardware-isolated virtualized partitions, running on top of the small (unsealed) Linux base system.

1.2. Development Status

Development of the IAIK acTvSM Platform is ongoing and not all features are fully implemented. This is EXPERIMENTAL prototype software targeted at research and educational environments. You may lose data or hardware due to using this experimental platform. Use of this platform prototype is entirely at your own risk! For debugging purposes this platform still contains code for external instrumentation!

However, you can report success or problems to our support mailing list. This will help us, other users and ultimately you to improve this platform.

1.3. License

The IAIK acTvSM Platform extends and improves several standard components of an off-the-shelf Debian Linux system. The respective open-source licenses of these components apply, please consult the individual packages for detailed information, as you would do in your usual Linux distribution.

Original contributions of IAIK are marked
Copyright © 2010 IAIK, Graz University of Technology

Stand-alone IAIK contributions are made available for free under the acTvSM Research License V1.0 for research and educational use. For any commercial use, a Stiftung SIC licence should be purchased. A general open-source license may be granted in future releases or on request. Please contact jce-sales@iaik.at for further information.

2. Installation, Usage and Configuration

This chapter is the usage guide of the IAIK acTvSM Platform. It describes the installation process and use of the installed platform.

2.1. Hardware Requirements

The TXT concept requires three components to cooperate, CPU, chipset and the Trusted Platform Module. Compatible components are identified as follows:

  • A TXT compatible CPU requires the VMX (Virtual Mode Extension) and SMX (Secure Mode Extension) flags. These can be checked for with the output of
    cat /proc/cpuinfo | grep flags.

  • Chipsets providing TXT support at the time of writing are (see also SINIT-guide.txt provided by Intel at Tboot@SF):

    • Intel® GM45, GS45, and PM45 Express Chipset (Cantiga)

    • Intel® Q45 and Q43 Express Chipsets (Eaglelake)

    • Intel® Core™ i5-600 Desktop Processor Series,
      i7-600 & i5-500 Mobile Processor Series (Arrandale & Clarkdale)

  • A TPM v1.2 supported by the Linux kernel tpm_tis driver. However, depending on your TPM vendor and BIOS implementation proper autodetection and support of a TPM may still fail in the kernel driver. Check your system for a /dev/tpm0 device and your kernel boot messages (dmesg | grep -i tpm) if auto detection was successful.

All three components must be present and supported by the BIOS. Systems marketed as "Intel VPro" compatible meet this requirement. The TPM should be reset to factory defaults (suggested), and must be enabled and activated. Virtualization support (VT, VT-d) and TXT must be enabled in BIOS. Intel AMT support should also be enabled.

2.1.1. Reference Platform

Two reference hardware platforms are used for development and testing of the IAIK acTvSM Platform:

The HP dc7900 system with 4GB of RAM is a Q45 based platform with an Infineon TPM 1.2 chip.
Similar chipset series 4 based platforms are expected to work as well, but have not been tested.

The HP Elitebook 8440p with 4GB RAM features the QM57 Express chipset and also an Infineon TPM 1.2.
The HP dc8100 system is a Q57 based platform with an Infineon TPM 1.2 chip.
Similar chipset series 5 based platforms are expected to work as well, but have not been tested.

Chipset series 6 or 7 based platforms are not supported in this release (please donate hardware…)

2.2. Words of Caution

2.2.1. Backup your Data!

The IAIK acTvSM Platform assumes to operate a TXT-capable computer exclusively, without any other operating systems beside it. Thus, the installation procedure will erase and overwrite all existing data on the storage disk specified!

2.2.2. BIOS INCOMPATIBILITY

There are several reported cases of bugs in the BIOS support for TXT, which may permanently damage your hardware! Some bricked devices require a mainboard replacement after an attempted late launch with TBoot.

Before you experiment with the IAIK acTvSM Platform:

  • Please, always upgrade the BIOS of your platform to the newest version.

  • Search your platform name on the TBoot-ML archive or your favourite search engine first to find reports on known TXT bugs of certain hardware and/or BIOS revisions.

  • Search the knowledge support base of your hardware vendor for known problems with TXT or tboot.

  • It is advisable to upgrade Infineon TPMs 1.2 with Firmware 3.16 to version 3.17.

2.3. Installation

Installation is initiated by booting from the provided installer.iso image from CD.

The administrator has to enter the following data during installation

  • the target storage device to install to (the harddisk device)

  • the root account password for the system

  • the TPM ownership password (SRK password is TSS_WELL_KNOWN_SECRET)

The target media will be completely wiped(!), partitioned, encrypted and a IAIK acTvSM Platform deployed. The cryptographic key to access the system partition is sealed with the TPM and released only if the boot process has not been tampered with since installation or last authorized update.

The installer precomputes the state the system will be in after boot. The first reboot after the platform installation procedure is already using the TXT boot mechanisms. When the administrator logs in for the first time, the system is already in a defined, trusted state.

2.3.1. Installation steps:

  • boot installer CD image

The installer image is based on GRML Linux, just choose the default boot option.
(Note: Due to a framebuffer driver bug a HP 8440p requires an additional "blacklist=nouveau" boot parameter with actvsm release 0.2)

  • install actvsm platform

Examine optional commands - defaults should suffice.
Provide installation target.
The full installation takes a few minutes, depending on install media speed and harddisk size.

(Note: Due to a framebuffer driver bug a HP 8440p requires an additional "--kernel_params nomodeset" installation parameter with actvsm release 0.3)

# actvsm-installer -h
# actvsm-installer /dev/sda

  • reboot

2.4. TVAM

The Trusted Virtual Application Manager (TVAM) utility provides the commands needed to operate the platform.

# tvam
TVAM - Trusted Virtual Application Manager
    import        - import an application
    remove        - remove an application
    remove_state  - remove a system state
    seal          - seal basesystem to a new state
    show          - show informations about installed applications
    start         - start applications
    stop          - stop a running application
    tmp_create    - create a crypted temporary storage
    tmp_remove    - remove a crypted temporary storage
    version       - show version information

Your build of TVAM may already provide more commands than shown here.
Each command provides basic help output when invoked with -h or --help option. The TVAM man page provides some further details.
The following sections provide example calls of TVAM usage.

2.5. Base System Update

By design, all modifications to the running base system image are lost upon reboot. There is no persistant read/write storage in the base system. Any changes will be lost after the next reboot. If core components (for instance the kernel) are modified (maliciously or not), the next boot will prevent the execution and halt.

However, there is a well-defined update process. First, the administrator configures the platform for its intended use, along with importing security updates etc. After that the administrator can define this new platform state as the new trustworthy one. By invoking the seal task of the Trusted Virtual Application Manager within the current running platform the cryptographic keys for the base system as well as the keys for the virtual applications are re-sealed to the new trusted state.

Example:

  • Change the basesystem by installation of a new package, htop here in our example. Other changes could be settings in configuration files, creation of folders and user accounts. 

# apt-get install htop

  • seal modified base system to new state 

# tvam seal -h
# tvam seal -o actvsm

This creates a new entry in the GRUB boot menu, the new base system (state). This newly created state is now integrity protected as was the old one.

  • reboot

2.6. Applications Management

  • create some temporary disk storage for your images (takes some time)

Use this command to create some storage within the LVM managed disk space. This can be used to store large files on the system (like a CD ISO image) without the need to hold it in TMPFS (in memory).

The created storage is encrypted with a random key which isn’t stored, so every stored data on this volume is useless after the volume was unmapped. (e.g. on a reboot)

The command returns the path of the mountpoint.

# cd `tvam tmp_create -v 0 5000`

This space can be deleted with following command

# tvam tmp_remove PATH_GIVEN_BY_tmp_create

  • Download an ISO image of your virtual application

For example we provide an .iso image of a GRML distribution with integrated jTSS support - a placeholder for any trusted application. Store it on the tempory space created before.

  • Create a config file for your application

See the section about "Application Configuration File" for how to write a configuration file.

  • Install the application

Import the application. For the provided demo image run

# tvam import -i grml grml-jtss.iso grml.cfg

The imported application will be stored in a protected logical volume of its own.

  • If you want to, start application(s) with 

# tvam start

To connect to the started applications a VNC client can be used. TVAM will asign the VNC-server port numbers in ascending order, starting at 5900. So for the third started application the port will be 5902. The server is only reachable by the local host, so to connect remotely, a SSH tunnel can be used.

# ssh -o ControlPath=none -L 127.0.0.1:{VNC_SERVER_PORT}:127.0.0.1:{VNC_SERVER_PORT} root@{HOST}
# vinagre 127.0.0.1:{VNC_SERVER_PORT}

To get access to the TPM within the provided demo image and other Linux systems, the kernel driver tpm_atmel has to be loaded inside the running virtual machine.

# modprobe tpm_atmel
# jtt.sh pcr_read

2.6.1. Application Configuration File

The config file is a simple, bash-like text-file. On an acTvSM system the example file is available in /usr/share/tvam/example.config.
Content of example.config:

#
# This is an example configuration file for a TVAM managed application
#

# Here you can enter a description of the application (currently not used)
DESCRIPTION="some stuff"

# Type of the image. Currently "HDD" and "CD-ROM" are supported.
# If not specified "HDD" will be used as default.
IMAGE_TYPE="CD-ROM"

# Uncomment to enable usage of TPM in the application
# USE_TPM="1"

# Uncomment to look for a second disk image. This image will be available
# either as a CD-ROM or as a HDD, dependend on SECONDARY_TYPE. Either way
# the device will be available as the slave on primary IDE
# USE_SECONDARY="1"

# Type of the secondary image. "HDD" and "CD-ROM" are supported.
# If not specified "HDD" will be used as default.
# SECONDARY_TYPE="HDD"

# Amount of virtual RAM which shall be assigned to the virtual machine.
# Define in units of MegaBytes. If not specified 256 MB will be used as
# default.
# MEMORY="512"

##########################################################################
# Network

# Method how the application is attached to the network
# Possibilities are: NONE, NAT, BRIDGE
# If not specified "NAT" will be used
# NETWORK_TYPE="NAT"

# MAC address XX:XX:XX:XX:XX:XX
# if no mac address is specified a random one is used
# MAC_ADDRESS=""

3. Technical Notes

This section provides technical details of the acTvSM platform.

3.1. Base System

The base system is essentially a minimal Debian GNU/Linux system adjusted for common administration tasks and running multiple virtual machines. It is contained within a read-only filesystem which is sealed to a trusted state, which can only be accessed by performing a proper Trusted Boot, as defined by the administrator. In order to keeping modifications of the base system permanently, i.e. applying security updates, the administrator has to define a new trustworthy state, resulting in a separate read-only filesystem containing the changed system.

3.2. Trusted Virtualized Application Manager (TVAM)

The Trusted Virtualized Application Manager (TVAM) manages all virtualized applications running on the platform. In addition, it is responsible for defining trustworthy states of the platform and sealing base system and applications to these states.

All configuration files are available in /etc/tvam

3.3. Software

Virtualized applications images are run by the Kernel-based Virtual Machine (KVM). It has been modified to allow passing a hardware TPM device into a virtual machine. TPM access is facilitated by the IAIK jTSS stack along with the IAIK jTpmTools (jTT) which are also available from the Trusted Computing for Java(tm) Platform project (TrustedJava@SF). Management of the virtualized applications as well as state management is done by the Trusted Virtualized Application Manager (TVAM) which has been developed for this purpose.

3.4. Network Setup

TVAM supports three different types of how to connect a virtual application to the network. Which one is used depends on the application’s configuration. (See section Application Configuration File)

NAT

Uses QEMU’s user mode network stack. See QEMU: Using the user mode network stack.

Bridge

The virtual application gets connected to a network bridge device together with host’s eth0 device.

None

No network device is available within the virtual application.

Additional informations can also be found in the QEMU User Documentation.

3.5. TPM Passthrough

TVAM can passthrough the host’s TPM to one of the virtual applications. To use the TPM in an application a configuration option in the application’s configuration file has to be set. (See section Application Configuration File)

The KVM/QEMU included in this release emulates an Atmel TPM interface. When using a Linux based virtual application the tpm_atmel kernel module must be used to access the TPM. Auto detection of the TPM may fail, in this case the module has to be loaded manually.

Windows based virtual applications are not supported by TPM passthrough in this release since the Windows TPM driver only supports the TPM TIS interface. A KVM/QEMU supporting an emulated TPM TIS interface is planned for a future release.

3.6. Soft Secure Mode

When Soft Secure Mode is specified in tvam.cfg (see section Platform Configuration) the behaviour of the platform is changed in the following ways:

No PCR extend on application launch

When TVAM starts to launch virtual applications, a random value is extended to PCR 15 to measure the state transition. In Soft Secure Mode this step is skipped.

SSH daemon is not killed on application launch

When no administrative SSH connection is established during an amount of time (specified by the LOGIN_WINDOW configuration option), TVAM kills the SSH daemon and launches the virtual applications. Killing of sshd is skipped in Soft Secure Mode.

3.7. Requirements and Recommendations for Virtual Applications

respond to ACPI power button events

A virtual application should shut down on an ACPI power button event. If an application does not shut down on request, the KVM process just gets killed.
Hint: If a Debian GNU/Linux based virtual application is used install the acpid package.

3.8. Platform Configuration

There are two configuration files affecting the behaviour of an acTvSM platform. These are the files common.cfg and tvam.cfg in the /etc/tvam directory. The config files are simple, bash-like text-files.

common.cfg

This file is mainly used during installation of acTvSM platform and should not be touched on a running platform.

tvam.cfg

This file can and shall be customized to the needs of the current system. 

# acTvSM platform TVAM configuration file

# The command name of IAIK jTpmTools.
JTT_CMD="jtt"

# Specify the TVAM log file. If commented out, log messages are
# not written to a log file.
LOG_FILE="/var/log/tvam.log"

# LOG_LEVEL specifies how detailed the messages are written to
# LOG_FILE. We suggest a value of 2.
#
# known values:
# ERROR = 0 (only errors are reported)
# WARN  = 1
# INFO  = 2 (suggested)
# DEBUG = 3 (nearly everything is reported)
#
LOG_LEVEL="3"

# Defines the overall amount of memory which can be assigned to
# applications. Define in units of MegaBytes.
MAX_APP_MEM="2048"

# Defines the security level of the platform.
# Known values are "NORMAL" and "SOFT". See the documentation
# for details.
# We suggest to use "NORMAL".
# When not specified, "NORMAL" will be used.
SECURITY="NORMAL"

# Defines the time window in which an SSH connection is available.
# After this window SSH gets disabled and the virtual applications
# are started. Define in units of seconds.
# When not specified, "90" will be used.
LOGIN_WINDOW="90"

# Specify the port on which your sshd is listening.
# When not specified, port 22 will be used.
SSH_PORT="22"

3.9. Components

IAIK acTvSM Platform is based upon several distributions and components provided by third parties. As an overview, the following components are used or were modified in the acTvSM platform:

For convenience we also provide a number of unmodified, backported 3rd party packages for download. Their individual license terms apply.

3.10. Known Limitations, Issues and Bugs

  • This README documentation is incomplete

    See next release…

  • Application management is incomplete

    See next release…

  • …..

4. Support

This software is provided "as is". However, a mailing list trustedjava-support@lists.sourceforge.net is maintained at TrustedJava@SF to assist users and to allow users to help each other. You are invited to join the discussion, but kindly take a look at the mailing list archive before posting a question.

We are looking forward for you experience reports!

5. References

The acTvSM architecture, design and implementation is documented in a series of publications. They provide additional information not available in this short README.

Pirker, M.; Toegl, R.:
"Towards a Virtual Trusted Platform",
in: Journal of universal computer science 16 (2010) 4, p.531-542, (link).

Pirker, M.; Toegl, R.; Gissing, M.:
"Dynamic Enforcement of Platform Integrity"
in: Proc. 3rd International Conference on Trust and Trustworthy Computing (TRUST 2010), LNCS 6101, Springer-Verlag 2010.

Toegl, R.; Pirker, M.; Gissing, M.:
"acTvSM: A Dynamic Virtualization Platform for Enforcement of Application Integrity"
in: Proc. The 2nd International Conference on Trusted Systems (INTRUST 2010), LNCS 6802, Springer-Verlag 2011.

Gissing, M.; Toegl, R.; Pirker M.:
"Management of Integrity-Enforced Virtual Applications"
in: Secure and Trust Computing, Data Management, and Applications, STA 2011 Workshop Proceedings: STAVE 2011

6. Trademarks

Java™ and all Java™ based marks are a trademark or registered trademark of Sun Microsystems, Inc.

Intel, Pentium, TXT, Intel Core, VPro are trademarks or registered trademarks of Intel Corporation.

All other trademarks and copyrights are property of their respective owners.

7. Revision History

date version comment

2011/09/15

0.3

bugfixes, based on Debian Squeeze instead of Lenny, unlimited resealing, support for series 5 desktops chipset

2010/10/07

0.2

more of everything, support of Core i5/i7 platforms

2010/06/09

0.1

first "rough cut" public release