BATTLE OF SKM AND IUM
1MHMIxh
1MHMIxh
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>SKM</strong> LAUNCH<br />
• To initialize VTL 1, and provide <strong>IUM</strong> capabilities, the Secure Kernel must be loaded<br />
• This will be configured by the various VBS configuration options that the Administrator / Group Policy enables<br />
• But can also be manually configured by using the “vsmlaunchtype” BCD variable<br />
• Loading the Secure Kernel is done by the OslVsmSetup routine inside of the boot loader (WINLOAD.EFI)<br />
• This will create the VSM Loader Block, which contains all the key data structures for the Secure Kernel to<br />
initialize<br />
• Boot loader will provide an initial set of boot stack pages, shared system buffers, map the API set schema, map<br />
code integrity data, pass policy information, and more<br />
• Boot loader is also responsible for generating, provisioning, measuring and sealing the IDK (Identification Key)<br />
and the LKEY (Local Key) which are used to provide strong cryptographic guarantees by Credential Guard and<br />
vTPM<br />
• Boot loader will then load the Secure Kernel itself (SECUREKERNEL.EXE), as well as its dependencies<br />
• Namely SKCI.DLL and CNG.SYS