Volume 2 System Programming (794096), страница 103
Текст из файла (страница 103)
The CPUID instruction should be used to detect nested paging support on aparticular processor (see the AMD CPUID Specification, order# 24581, for the details of processorfeature identification and support).410Secure Virtual Machine24593—Rev. 3.13—July 200715.25AMD64 TechnologySecuritySVM provides additional hardware support that is designed to facilitate the construction of trustedsoftware systems.
While the security features described in this section are orthogonal to SVM’svirtualization support (and are not required for processor virtualization), the two form building blocksfor trusted systems.SKINIT Instruction. The SKINIT instruction and associated system support (the Trusted PlatformModule or TPM) are designed to allow for verifiable startup of trusted software (such as a VMM),based on secure hash comparison.Security Exception. A security exception (#SX) is used to signal certain security-critical events.15.26Secure Startup with SKINITThe SKINIT instruction is one of the keys to creating a “root of trust” starting with an initiallyuntrusted operating mode.
SKINIT reinitializes the processor to establish a secure executionenvironment for a software component called the secure loader (SL) and starts execution of the SL in away that cannot be tampered with. SKINIT also copies the secure loader executable image to anexternal device, such as a Trusted Platform Module (TPM) for verification using unique bustransactions that preclude SKINIT operation from being emulated by software in a way that the TPMcould not readily detect.
(Detailed operation is described in Section 15.26.4.)15.26.1 Secure LoaderA secure loader (SL) typically initializes SVM hardware mechanisms and related data structures, andinitiates execution of a trusted piece of software such as a VMM or VMM (referred to as a SecurityKernel, or SK, in this document), after first having validated the identity of that software.One of the main features of SKINIT allows SVM protections to be reliably enabled after the system isalready up and running in a non-trusted mode — there is no requirement to change the typical x86platform boot process.Exact details of the handoff from the SL to an SK are dependent on characteristics of the SL, SK andthe initial untrusted operating environment. However, there are specific requirements for the SL image,as described in Section 15.26.2.15.26.2 Secure Loader ImageThe secure loader (SL) image contains all code and initialized data sections of a secure loader.
Thiscode and initial data are used to initialize and start a security kernel in a completely safe manner,including setting up DEV protection for memory allocated for use by SL and SK. The SL image isloaded into a region of memory called the secure loader block (SLB) and can be no larger than64Kbyte (see “Secure Loader Block” on page 412). The SL image is defined to start at byte offset 0 inthe SLB.Secure Virtual Machine411AMD64 Technology24593—Rev.
3.13—July 2007The first word (16 bits) of the SL image must specify the SL entry point as an unsigned offset into theSL image. The second word must contain the length of the image in bytes; the maximum lengthallowed is 65535 bytes. These two values are used by the SKINIT instruction. The layout of the rest ofthe image is determined by software conventions. The image typically includes a digital signature forvalidation purposes. The digital signature hash must include the entry point and length fields.
SKINITtransfers the SL image to the TPM for validation prior to starting SL execution (see “SKINITOperation” on page 414 for further details of this transfer). The SL image for which the hash iscomputed must be ready to execute without prior manipulation.15.26.3 Secure Loader BlockThe secure loader block is a 64Kbyte range of physical memory which may be located at any 64Kbytealigned address below 4Gbyte. The SL image must have been loaded into the SLB starting at offset 0before executing SKINIT. The physical address of the SLB is provided as an input operand (in theEAX register) to SKINIT, which sets up special protection for the SLB against device accesses (i.e.,the DEV need not be activated yet).The SL must be written to execute initially in flat 32-bit protected mode with paging disabled.
A baseaddress can be derived from the value in EAX to access data areas within the SL image usingbase+displacement addressing, to make the SL code position-independent.Memory between the end of the SL image and the end of the SLB may be used immediately upon entryby the SL as secure scratch space, such as for an initial stack, before DEV protections are set up for therest of memory. The amount of space required for this will limit the maximum size of the SL image,and will depend on SL implementation.
SKINIT sets the ESP register to the appropriate top-of-stackvalue (EAX + 10000h).Figure 15-13 on page 413 illustrates the layout of the SLB, showing where EAX and ESP point afterSKINIT execution. Labels in italics indicate suggested uses; other labels reflect required items.412Secure Virtual Machine24593—Rev. 3.13—July 2007AMD64 TechnologyPost SKINIT ESPSL StackSL RuntimeData Area64 KBSL CodeandStatic DataSL Image(Hash Area)SL Entry PointSL HeaderLength31Figure 15-13.XT EAKINIStsPoEP Offset16 150SLB Example Layout15.26.4 Trusted Platform ModuleThe trusted platform module, or TPM, is an essential part of full trusted system initialization. Thisdevice is attached to an LPC link off the system I/O hub.
It recognizes special SKINIT transactions,receives the SL image sent by SKINIT and verifies the signature. Based on the outcome, the devicedecides whether or not to cooperate with the SL or subsequent SK. The TPM typically contains sealedstorage containing cryptographic keys and other high-security information that may be specific to theplatform.Secure Virtual Machine413AMD64 Technology24593—Rev.
3.13—July 200715.26.5 System Interface, Memory Controller and I/O Hub LogicSKINIT uses special support logic in the processor’s system interface unit, the internal controller andthe I/O hub to which the TPM is attached. SKINIT uses special transactions that are unique to SKINIT,along with this support logic, designed to securely transmit the SL Image to the TPM for validation.The use of this special protocol should allow the TPM to reliably detect true execution, as opposed toemulation, of a trusted Secure Loader, which in turn provides a reliable means for verifying thesubsequent loading and startup of a trusted Security Kernel.15.26.6 SKINIT OperationThe SKINIT instruction is intended to be used primarily in normal mode prior to the VMM takingcontrol.SKINIT takes the physical base address of the SLB as its only input operand in EAX, and performs thefollowing steps:1. Reinitialize processor state in the same manner as for the INIT signal, then enter flat 32-bitprotected mode with paging off.
The CS selector is set to 8h and CS is read only. The SS selectoris set to 10h and SS is read/write and expand-up. The CS and SS bases are cleared to 0 and limitsare set to 4G. DS, ES, FS and GS are left as 16-bit real mode segments and the SL must reloadthese with protected mode selectors having appropriate GDT entries before using them. Initializeddata in the SLB may be referenced using the SS segment override prefix until DS is reloaded. Thegeneral purpose registers are cleared except for EAX, which points to the start of the secureloader, EDX, which contains model, family and stepping information, and ESP, which containsthe initial stack pointer for the secure loader.
Cache contents remain intact, as do the x87 and SSEcontrol registers. Most MSRs also retain their values, except those which might compromiseSVM protections. The EFER MSR, however, is cleared. The DPD, R_INIT and DIS_A20M flagsin the VM_CR register are unconditionally set to 1.2. Form the SLB base address by clearing bits 15–0 of EAX (EAX is updated), and enable theSL_DEV protection mechanism (see “Secure Initialization Support” on page 403) to protect the64-Kbyte region of physical memory starting at the SLB base address from any device access.3. In multiprocessor operation, perform an interprocessor handshake as described in Section 15.26.8on page 415.4. Read the SL image from memory and transmit it to the TPM in a manner that cannot be emulatedby software.5.
![](https://s.studizba.com/z.php?f=/templates/si/i/noavatar.png&w=100&h=100&t=1"){kind=avatar}
