BATTLE OF SKM AND IUM
1MHMIxh
1MHMIxh
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
PLATFORM REQUIREMENTS<br />
• The Boot Loader needs to trust that the platform it is running on is not running arbitrary firmware<br />
• This code could modify the bootstrap of the Hypervisor and affect all of VSM’s guarantees<br />
• Secure Boot provides this guarantee<br />
• Also used to safely store protected, persistent variables that cannot be modified (to store policy/settings)<br />
• The Hypervisor needs to trust that hardware is not performing DMA access to VTL 1 pages<br />
• Flashing a vulnerable device’s firmware, or loading a vulnerable/custom driver could allow a VTL 0<br />
administrator access to VTL 1 memory<br />
• IOMMU / VT-d provides this guarantee<br />
• The Hypervisor needs to have a secure place to store and seal machine secrets and keys<br />
• Otherwise, persistent data such as the Machine Key could be stolen/replayed<br />
• TPM provides this guarantee<br />
• VBS can be configured to require these platform features, or to work around their lack thereof<br />
• VSM will work regardless, and can be enabled on its own