http://sparrow.ece.cmu.edu/group/flicker.html


Flicker: Minimal TCB Code Execution

Flicker is a technique leveraging new features of CPUs from AMD and Intel, including support for dynamic root of trust, to execute application-specific code with an extremely small TCB, while maintaining compatibility with a legacy operating system.

Minimal TCB Code Execution

We propose an architecture that allows a Piece of Application Logic (PAL) to execute in complete isolation from other software while trusting only a tiny software base that is orders of magnitude smaller than even minimalist virtual machine monitors. Our technique also enables more meaningful attestation than previous proposals, since only measurements of the security-sensitive portions of an application need to be included. We achieve these guarantees by leveraging hardware support provided by commodity processors from AMD and Intel that are shipping today.

Prerequisites

To use Flicker, a PC platform supporting _skinit_ is needed. The platform requires a processor supporting the _skinit_ instruction, a v1.2 TPM, and a chipset which provides memory protection for the Flicker code. The _skinit_ instruction is available with newer AMD64 processors.

Intel TXT support is in the works.

Frequently Asked Questions (FAQ)

  • Q: When will Flicker for Intel systems be available?
    After Jon finishes his dissertation.
  • Q: Which Intel systems will support Flicker?
    The same ones that support Intel's Trusted Boot project (i.e., systems for which Intel has released SINIT AC Modules). Our early prototype runs on systems that include the Intel Q35 chipset (e.g., the Dell Optiplex 755, Lenovo M57p, and HP dc7800). Newer systems (e.g., those with GM45, PM45, and GS45 chipsets) supporting Intel vPro should also have the necessary hardware support, but the Linux TPM device driver is not yet updated.
  • Q: Will Flicker run on my machine?
    If it meets the Prerequisites above, Flicker _should_ run. However, I have only tested it on the machines that I have. The kmod included with this version has only been tested with Linux kernel 2.6.24.
  • Q: I don't have a Flicker-capable machine. Can I still develop a Flicker module?
    Yes, AMD's SimNow supports the _skinit_ instruction. However, there will be no TPM support included. In fact, we have encountered machines in the wild that will execute _skinit_ but do not include a TPM. These can be useful for developing application-specific functionality without requiring a reboot during a debug cycle.
  • Q: I want to buy a machine to run Flicker. What should I buy?
    The machine we use the most is an HP dc5750.
  • Q: Is Flicker bug-free?
    Certainly not in this version. However, its extremely small size suggests that a bug-free implementation may be attainable by buggy human beings. :) Known problems include excessive I/O permissions to ring 3 PAL code and excessive memory access by PAL segment descriptors due to the need to access the TPM from ring 3 without system calls.
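
The Prerequisites and the FAQ entry on machines that execute _skinit_ but have no TPM can be turned into a quick host triage. The script below is an added example, not part of the Flicker release; it assumes a Linux kernel that lists "skinit" in the /proc/cpuinfo flags line and registers the TPM under /sys/class/tpm, and its function names and verdict strings are made up for illustration.

```shell
#!/bin/sh
# Added example (not Flicker code): triage a Linux host against the page's prerequisites.
# Assumptions: the kernel lists "skinit" in the /proc/cpuinfo flags line and
# registers the TPM at /sys/class/tpm/tpm0; tpm_version_major exists only on
# newer kernels. Chipset memory protection is NOT checked here.

# has_skinit FILE: succeeds if a flags line lists "skinit" as a whole word.
has_skinit() {
    awk -F: '/^flags/ { n = split($2, f, " ")
                        for (i = 1; i <= n; i++) if (f[i] == "skinit") found = 1 }
             END { exit (found ? 0 : 1) }' "$1"
}

# tpm_version DIR: prints 1.2, 2.0, unknown (TPM present, version not exposed) or none.
tpm_version() {
    [ -d "$1/tpm0" ] || { echo none; return 0; }
    [ -r "$1/tpm0/tpm_version_major" ] || { echo unknown; return 0; }
    case "$(cat "$1/tpm0/tpm_version_major")" in
        1) echo 1.2 ;;
        2) echo 2.0 ;;
        *) echo unknown ;;
    esac
}

# classify CPUINFO TPMDIR: prints one verdict word.
classify() {
    if ! has_skinit "$1"; then echo unsupported; return 0; fi
    case "$(tpm_version "$2")" in
        1.2)  echo flicker-candidate ;;  # skinit + v1.2 TPM, as the page requires
        none) echo dev-only ;;           # skinit without a TPM: PAL debugging only
        *)    echo check-tpm ;;          # TPM present but not confirmed as v1.2
    esac
}

# Report on the live host when the usual paths are readable.
if [ -r /proc/cpuinfo ]; then
    echo "this host: $(classify /proc/cpuinfo /sys/class/tpm)"
fi
```

A "flicker-candidate" verdict only covers the CPU and TPM; the chipset requirement still has to be confirmed from the platform documentation.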

Revision History

  • 2008.04.15. Initial public release of Version 0.1. Contains Flicker kernel module, barebones PAL with 250-line TCB, and "Hello, world" PAL with debug code. Please send email to Jonathan McCune to request the code.
