As provider for infrastructure services or "PaaS", such as VPN or Cloud-Storage, it is a necessity to trust your server vendor's firmware, especially if your company has limited resources in firmware engineering and trusted computing. For use cases like this, Intel™ came up with "Trusted Execution Technology"(TXT). It makes sure, that only untampered code will be executed. The specification describes the configuration of firmware, chipset, handling of Intel CPU registers, utilization of a "Trusted Platform Module" (TPM) and the way these components interact with each other. As you can see in the following figure, the CPU and the chipset need certain capabilities for Intel TXT.

From Intel TXT Enabling Guide, P.8

In the process of setting up servers with Intel TXT, server vendors have to take care of the correct configuration. This includes measurements of the firmware. Simply put, a measurement is a hash of a certain part of firmware or software and will be stored inside the TPM. When the TPM ist locked, the manipulation of the measurement is impossible. Before any code is executed, Intel TXT hashes the code and compares it against the stored value. If the hash values match, the code will be executed.

But....

you want to make sure your system is actually configured correctly or you want to implement open source firmware with Intel TXT support and check it therefore. For Intel TXT utilizes several parts of a server/desktop system, checking the configuration isn't trivial.

In cooperation with a customer we developed the TXT-Suite. Its purpose is to verify the configuration of a server or desktop system, if it is satisfying the specification. It supports setting up (provisioning) a system.

TL:DR

TXT-Suite checks the system against the requirements of Intel TXT.

The tests include:

  • Availability of a TPM, its needed capabilities.
  • Configuration of the TPM in regards to correct NVRAM configuration.
  • CPU and chipset capability and register configuration.
  • The system's firmware on existence of certain authenticated code which is supplied by the hardware manufacturer of CPU, chipset and mainboard and signed trustworthy by Intel.

If you want to start contributing to TXT-Suite, you always can start doing so via Github.

If you want to know more about our firmware and security work please feel free to contact us at cybersecurity@9elements.com