Trusted Mobile Keyboard Controller Architecture

Size: px

Start display at page:

Download "Trusted Mobile Keyboard Controller Architecture"

Aldous Short
5 years ago
Views:

1 Trusted Mobile Keyboard Controller Architecture Sundeep Bajikar Security Architect Mobile Platforms Group Intel Corporation September 17,

2 Safer Computing Track Fall IDF Tuesday Wednesday Thursday LT Overview SCMS-16 TCG & TPM v1.2 SCMS-17 LT Architecture SCMS-18 Tech Showcase Every Day Birds of a Feather Lunches Tuesday & Wednesday Privacy Method for Assuring Trust SCMS-19 Opt-In Strategy SCMS-156 Trusted Mobile KB Controller MOB-147 / SCMS-24 Software for LT SCMS-20 Fundamentals for NGSCB SCMS-21 Migrating Apps to NGSCB SCMS-22 2 TPM Recovery SCMS-25 TCG Credentials SCMS-157 TPM Mfg & Testing SCMS-180 = Overview = Medium Technical = Highly Technical

3 TMKBC in Mobile LT Platform Architecture New instructions: - Isolate Open and Protected partitions - Control S/W access to protected memory Protected path between graphics and Protected Partition Trusted Graphics USB CPU MCH ICH RAM Protected Memory Pages (1 of n) Memory protection: Blocks DMA device access to protected memory pages Fixed token: Stores/protects credentials Crypto engine HW RNG Monotonic counters Protected path between external keyboard & mouse and Protected Partition LPC TMKBC TPM Trusted Mobile KBC: Trusted channel to integrated mobile keyboard & pointing devices LT LT architecture details details provided in in the the Safer Safer Computing Track Track 3

4 Agenda! Mobile trusted input requirements! Trusted Mobile Keyboard Controller (TMKBC) architecture! TMKBC implementation examples! Design Considerations 4

5 Mobile Trusted Input Requirements! Protect end-user input from malicious S/W Snooping, modification, false insertion! Provide non-repudiation for transactions! Protect input from standard devices Notebook integrated key matrix Notebook pointing devices External USB keyboard and pointing devices! Protection from physical hardware attack is outside the scope LT LT requires trusted input from user 5

6 TMKBC Key Functions CPU! Protects input from: Notebook s integrated key matrix Integrated Pointing Devices (IPD)! Architecture specifies Behavioral requirements Trusted Channel TMKBC architecture specification available from Intel Intel Display External Keyboard Chipset IPD Protected Partition TMKBC Trusted Channel Key Matrix Scan Memory LPC Special Cycles TPM 6 Legend : New Standard

7 TMKBC Behavioral Architecture! Trusted Channel multiplexed on LPC! Protected and Standard functions are separated! Entry & exit of New Mode controlled by bit in New Register space TMKBC adds trusted input handling 7 60/64h 62/66h Other Functions External PS/2 Ports Legend : LPC PS/2 IPD IPD New Trusted Channel Switch LPC Special Cycles New Registers USB HID formatting Key Matrix Scan Key Matrix Standard Fn

8 TMKBC Trusted Channel! New registers are mapped to LT protected region! New LPC special cycles similar to standard I/O Read and I/O Write Only protected system software running in protected partition on main CPU can initiate these cycles! TMKBC New Registers accessible only via new LPC special cycles! Enable bit for New Mode mapped to New Register 8

9 TMKBC Trusted Channel: Register Overview! Status registers! Data registers! Capabilities registers! Control registers! ID registers 9

10 TMKBC Trusted Channel: Logical Devices LPC! TMKBC supports up to 15 logical devices! Expected devices: Keyboard, Mouse Touch pad, Hot Keys GPIO based events e.g. Lid Switch! USB-like Report Descriptor used to describe each logical device 60/64h Other Functions PS/2 Ports 62/66h GPIO (Lid) Trusted Channel Switch Hot Keys New Registers USB HID formatting PS/2 IPD Key Matrix Scan IPD Key Matrix 10 Legend : New Standard

11 TMKBC Trusted Channel Data and Event Reporting! Data and status registers mapped to New Register space! Each logical device reports data using standard 8-byte USB HID packets Status register indicates logical device! Data to/from TMKBC goes via FIFO FIFO must accommodate full USB HID packet Reduces overhead on CPU! Events reported using existing edgetriggered interrupts 11

12 TMKBC Trusted Channel Entering New Mode! Protected Software reads Report Descriptors and Capabilities Registers! Protected Software performs several verification checks! Protected Software enables New Mode Causes TMKBC to enter New Mode of operation! Legacy ports are still available for legacy functions E.g. GPIO, power management, etc. 12

13 TMKBC Implementations! TMKBC specification does not require any specific internal architecture! At least three viable implementations Single microcontroller Single microcontroller with Trusted Mode Dual microcontroller! Several TMKBC vendors have products under development TMKBC implementation is is flexible 13

14 Single Microcontroller! Add Trusted Channel and New Registers! Challenges: Entire code base needs certification Any code update needs re-certification 60/64h Microcontroller Core External PS/2 Ports 62/66h PS/2 IPD Trusted Channel New Registers RAM ROM Key Matrix Scan High cost cost of of certification 14

15 Single Microcontroller with Trust Mode! Microcontroller has trusted operating mode Regions of ROM and RAM only accessed by trusted code! Split firmware Trusted code only does key matrix scan and IPD handling 60/64h Microcontroller Core External PS/2 Ports 62/66h PS/2 IPD Trusted Channel New Registers RAM ROM Key Matrix Scan Only trusted firmware certified 15

16 Dual Microcontroller 60/64h 62/66h Trusted Channel New Registers Microcontroller Core RAM ROM Microcontroller Core RAM ROM External PS/2 Ports GPIO PM PS/2 IPD Key Matrix Scan Communication link Only one one Microcontroller involved with with Trusted Input 16

17 TMKBC Design Considerations Boundary Cases! TMKBC resets and reverts to standard mode on a platform reset or power failure TMKBC must not preserve any secrets, such as prior keystrokes or IPD data! Protected environment taken down before sleep state entry TMKBC switched back to standard mode by Protected Software 17

18 TMKBC Design Considerations - Hot Keys! TMKBC can internally report Hot Keys from New side to Standard side! OS-Visible Hot Keys can be reported through Trusted Channel! Requirements Hot Keys are reported ONLY if Fn key is pressed Fn key cannot be remapped using translation table 18 CPU SMI 60/64h 62/66h Other Functions Proprietary Hot Key TMKBC Protected Software OS Hot Key Trusted Channel Protected Functions Fn

19 TMKBC Design Considerations Error Handling! TMKBC reports keystroke or IPD errors as part of the standard USB HID packets This is already defined in the USB specification! Self-Test and other errors reported through Extended Status Register! For system lockup, TMKBC remains in New Mode until it receives a system hardware reset 19

20 TMKBC Design Considerations Other! External keyboards and mice are supported via USB Internal PS/2 devices are supported! Protected code on TMKBC can be field updated Use Signed and/or encrypted update mechanism Firmware update mechanisms are beyond the scope of the TMKBC spec Implement TMKBC architecture based on on design considerations identified 20

21 Status! TMKBC Specification V0.8 available under NDA and license TMKBC V0.8 Specification reviews completed Contact your local Intel representative to get access to the specification! TMKBC V0.9 Specification planned for end of Q4 2003! TMKBC V1.0 Specification planned for end of Q2 2004! TMKBC products in development 21

22 Summary! LT requires trusted input from user! TMKBC architecture specification available from Intel! TMKBC specification allows for various implementations & vendor optimizations! Implement TMKBC architecture based on design considerations identified 22

23 Next Steps! OEMs: Prepare plan for LT platform design Work with KBC vendors to set design goals and understand architecture issues! KBC Vendors: Design TMKBC based on the guidelines & specifications available from Intel! ISVs: Evaluate product offerings in the LT timeframe to understand how they can benefit from LT features! OSVs: Provide support for TMKBC based on the hardware specification provided by Intel 23

24 Thank you for attending. Please fill out the Session Evaluation Form. 24

25 Acronyms! LT = LaGrande Technology! KBC = Keyboard Controller! TMKBC = Trusted Mobile KBC! IPD = Internal Pointing Device! LPC = Low Pin Count bus! USB = Universal Serial Bus! HID = Human Input Device! TPM = Trusted Platform Module! OS = Operating System! I/O = Input / Output! FIFO = First In First Out buffer 25

Intel s s Security Vision for Xen

Intel s s Security Vision for Xen Carlos Rozas Intel Corporation Xen Summit April 7-8, 7 2005 INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. EXCEPT AS PROVIDED IN INTEL'S TERMS