Description
The increasing shift from on-premise hosting to shared public clouds
presents a challenge to traditional trust schemes. The user has to
trust the vendor to provide a secure platform, which the user cannot
verify. Trusted platforms are one approach to solving this problem, by
giving the user the ability to authenticate the platform. This thesis
gives an overview of the current state-of-the-art platform security
on commercial x86 hardware. We take a special look at the Intel-developed
Trusted Execution Technology (TXT) and its capability for
providing a highly secure device. In contrast to other technologies
such as Secure Boot or TCG measured boot, it provides a way to launch
a Dynamic Root of Trust for Measurement (DRTM). This process can be launched
at any point in the boot process and can remove portions of the firmware
and bootloaders from the trusted computing base. Current TXT deployments
rely on GRUB2 and tboot, which provide a potential entry point
for an attacker. Three different approaches to removing GRUB2
are presented. We also evaluate the potential shortcomings of Intel
TXT and the x86 platform in general for providing a highly secure
platform.