Feature changed by: Thomas Schmidt (digitaltomm)
Feature #310787, revision 4
Title: Intel(R) Trusted Execution Technology (Intel(R) TXT) Support
- openSUSE-11.4: Unconfirmed
+ openSUSE-11.4: New
Requested by: Joseph Cihula (jcihula)
Partner organization: openSUSE.org
Intel(R) Trusted Execution Technology (Intel(R) TXT) provides a
hardware dynamic root of trust for measurement (D-RTM). Intel TXT can
be used to reduce the trusted computing base (TCB) of system SW such as
an OS kernel or hypervisor/VMM. TXT provides platform configuration
protection such as memory aliasing checks, register locking, etc. It
also provides reset protection via a hardware memory lock and memory
scrubbing. In multi-processor systems, Intel TXT strengthens the RAS
capability through CPU-rooted measurement of the BIOS and hardware-
enforced protections of RAS events. Finally, TXT provides for a
platform owner-controlled launch control policy.
Intel TXT support consists of two parts: kernel/VMM enabling and the
Kernel support involves building the Linux kernel (>= 2.6.35) with the
CONFIG_INTEL_TXT flag set. This will also enable it for KVM. The
default Xen build already supports TXT.
Linux/Xen support actually assumes that TXT is "managed" through the
Trusted Boot (tboot) module and thus, the tboot package is also needed
for complete support. Tboot is an open source, pre-kernel/VMM module
that uses Intel TXT to perform a measured and verified launch of an OS
1) Disk encryption
2) Hardened local key storage/operations
3) Remote attestation
Business case (Partner benefit):
: Enabling Intel TXT in the kernel/VMM will increase the
trust and value of the above usage models. And the same value
proposition that TXT has for Fedora also applies to openSuSE:
TXT also compliments the OpenTC work
- being done by/with SuSE.
+ compliments the OpenTC work being done by/with SuSE.
#1: Joseph Cihula (jcihula) (2010-11-04 05:20:56)
A tboot package already exists (and builds) in OBS:
+ #3: Thomas Schmidt (digitaltomm) (2010-12-20 14:01:33)
+ Can we set this to 'done' then?