What is the difference between Intel TXT and TPM? What more Intel TXT has to offer as compared to TPM? Basically, I wanted to know how TXT works? Any easy to follow literature for beginners will be highly appreciated!
What is the difference between Intel TXT and TPM?
Asked Answered
What exactly do you want to know? –
Hickok
I wanted to know how TXT works? Any easy to follow literature for beginners will be highly appreciated! –
Jacquejacquelin
Then first of all you should rephrase your question ;-) –
Hickok
Consider it as rephrased! –
Jacquejacquelin
Scolytus is right but let me explain a bit more.
As he said, a TPM is a dependency of TXT but not the other way around. The TPM is where TXT will store the measurements - hash of components - of the platform. If TXT is not supported by a platform but a TPM is still present you still have all these features:
- Integrity measurement – securely measure the platform's components (hashes stored within the TPM)
- Authenticated boot – a process by which a platform's state (the sum of its components) is reliably measured and stored. SRTM - Static Root of Trust for Measurements
- Sealed Storage - encrypt data based on the current state of the platform or in other words, what has been measured (the PCR hash values stored in the TPM) - seal operation
- Attestation - securely report to other parties the state of the platform, e.g., quote operation aka Remote Attestation.
As such you could use trustedgrub (SRTM - Static Root of Trust for Measurements) but not tboot which implements a DRTM (Dynamic Root of Trust for Measurements) aka TXT.
About "how TXT works" see this question.
Is my understanding correct that SRTM measures up-till PCR7 (before the OS is loaded) and DRTM measures OS and the application being launched over OS? Basically PCR0-PCR7 will be identical in SRTM and DRTM? –
Jacquejacquelin
Well, that's not how TXT works, but if Geek is happy... ;-) –
Hickok
@Hickok your comment is about the answer or my comment? :) –
Jacquejacquelin
He's talking about my answer. Since "how txt works" has already been answered, I added a link to it. SRTM can measure up to PCR15 (but it depends on implementation - tpm aware OS, bootloader, etc). DRTM, does not measure the boot sequence so yes, PCRs are unchanged. –
Outplay
@Hickok I'm not entirely sure the word 'implement' is correct as someone could understand that tboot is like TXT while it simply 'uses' DRTM (to provide secure boot). DRTM/LAte Launch implementations are Intel's TXT and AMD's SVM. What do you think? –
Outplay
@Outplay Hmmm... I'm not a native, so help me. Intel TXT itself is not an implementation of a DRTM. It needs software around it. It needs the OS and the MLE part, as described in the Software Development guide. Without an MLE you'll never have a DRTM. TBoot implements the OS and the MLE parts of the architecture. So I thought require is the wrong wording, since TBoot is vital in such a setup. One could also mention that there are other implementations as well. –
Hickok
In that sense, I agree. My comment was about the Root of Trust which is either provided by the CRTM: bios boot block (SRTM) or the SMX instructions + ACM module, etc (DRTM). I believe that's a confusing part for newcomers. –
Outplay
Thanks that was helpful :) @Hickok Could you look at this one #19706088 Your help will be highly appreciated! –
Jacquejacquelin
@Outplay "If TXT is not supported by a platform but a TPM is still present you still have all those features:" I thought TXT was essential to support TPM. Did you mean to say "you still have all these (below) features"?? The term "those" would imply the features pertaining to TXT. –
Manatee
You need a TPM for TXT but can use a TPM without TXT. I fixed it with “these”. Thanks. –
Outplay
It's like asking "What's the difference between a car and an engine?"
The TPM is a vital part of Intel TXT. Without it Intel TXT does not work.
© 2022 - 2024 — McMap. All rights reserved.