This collection of background material for Platform Security Summit 2018 was edited by Rich Persaud, with contributions from many others. It is intended to provide historical timeline context and does not imply endorsement of linked materials.

Table of Contents

  1. Policy, Law, Incentives and Ecosystems
  2. Firmware Resiliency and Device Attestation
  3. Hyper-V Hardening with Hardware
  4. OpenXT, Xen and OpenEmbedded
  5. Functional Safety: Automotive
  6. Events

1. Policy, Law, Incentives and Ecosystems

Summary: Open-source evolves from outsider to strategic instrument in 20 years.

2. Firmware Resiliency and Device Attestation

Summary: security co-processors can use secure boot protocols to verify peripheral device firmware; for example, Microsoft's Cerberus powers on before the main CPU. Unauthorized peripherals cannot access platform resources, and unauthorized IoT devices cannot use some cloud services. Deployed in Microsoft Azure. Standardization efforts are underway via NIST, TCG and OCP.

3. Microsoft Windows Hyper-V: Hardening With Hardware

Summary: the new Windows 10 hardware baseline for security includes an IOMMU and TPM 2.0, both of which are used by OpenXT. Windows 10 DRTM (dynamic root of trust for measurement, via System Guard) is expected. Will some OS/store/app/cloud features require runtime attestation? Will endpoints continue to function without bare-metal access, e.g. Hyper-V as a nested hypervisor on Linux KVM, Xen or VMware? In a 2018 Microsoft re-org, the Windows and Azure platform teams were combined. Microsoft (Azure) has a board seat on the Linux Foundation.

“… has/will have hardware rooted boot attestations for TXT DRTM, SMM protections, and boot integrity. We want to make this an API that anyone can use to verify the integrity of key security properties on Windows from boot all the way to runtime. This can be used by relying parties for zero trust/conditional access implementations.”
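As an added illustration of the flow sketched in sections 2 and 3 (a security co-processor measuring peripheral firmware before release from reset, and a relying party checking boot integrity before granting access), the following Python models a measured-boot event log with a TPM-style extend register and a policy check. It is example code written for this page, not Cerberus, Windows System Guard or any OCP/TCG specification, and the device names, firmware blobs and "golden" digests are constructed placeholders; a real deployment would sign the register with a device-bound key and publish digests from a vendor manifest.

```python
import hashlib
import hmac

def fw_digest(blob: bytes) -> str:
    """SHA-256 of a firmware image, hex-encoded."""
    return hashlib.sha256(blob).hexdigest()

# Constructed sample data: the firmware images a platform owner has approved.
# These are placeholder bytes, not real vendor images or hashes.
GOOD_IMAGES = {
    "bmc": b"BMC firmware v1.2 (constructed)",
    "nic": b"NIC firmware v3.0 (constructed)",
    "ssd": b"SSD firmware v7.1 (constructed)",
}
# A NIC image that differs from the approved one (constructed).
BAD_IMAGES = dict(GOOD_IMAGES, nic=b"NIC firmware v3.0 (constructed) + unapproved change")

# Allow-list of approved digests per peripheral, and the order the co-processor
# releases peripherals from reset. Both are policy the relying party holds.
GOLDEN_FIRMWARE = {name: fw_digest(blob) for name, blob in GOOD_IMAGES.items()}
BOOT_ORDER = ["bmc", "nic", "ssd"]

def extend(register: bytes, digest_hex: str) -> bytes:
    """TPM-style extend: new_register = H(old_register || measurement).
    Order matters, so the register commits to the whole sequence."""
    return hashlib.sha256(register + bytes.fromhex(digest_hex)).digest()

def measure_boot(images):
    """Co-processor side: measure each peripheral's firmware before it is
    released from reset, append to the event log and extend the register.
    Returns (event_log, register)."""
    register = bytes(32)
    log = []
    for name in BOOT_ORDER:
        digest = fw_digest(images[name])
        log.append((name, digest))
        register = extend(register, digest)
    return log, register

def expected_register() -> bytes:
    """Register value a fully compliant boot should produce."""
    register = bytes(32)
    for name in BOOT_ORDER:
        register = extend(register, GOLDEN_FIRMWARE[name])
    return register

def verify_attestation(log, reported_register: bytes):
    """Relying-party side (e.g. a cloud service deciding whether a device
    may connect). Returns (accepted, reason).
    1. Replay the log and check it reproduces the reported register, which
       ties the human-readable log to the value the co-processor committed to.
    2. Check the boot order covers exactly the expected peripherals.
    3. Compare each logged digest against the allow-list."""
    replay = bytes(32)
    for _, digest in log:
        replay = extend(replay, digest)
    if not hmac.compare_digest(replay, reported_register):
        return False, "event log does not reproduce reported register"
    if [name for name, _ in log] != BOOT_ORDER:
        return False, "unexpected boot order or missing peripheral"
    for name, digest in log:
        if digest != GOLDEN_FIRMWARE[name]:
            return False, f"{name} firmware digest not in allow-list"
    return True, "all peripheral firmware matches policy"

def scenario(images, altered_log: bool = False):
    """Run a boot with the given images and verify it. With altered_log=True
    the log entries are rewritten to the approved digests after the fact,
    while the register (held by the co-processor) is left untouched."""
    log, register = measure_boot(images)
    if altered_log:
        log = [(name, GOLDEN_FIRMWARE[name]) for name, _ in log]
    return verify_attestation(log, register)

if __name__ == "__main__":
    print("approved firmware:", scenario(GOOD_IMAGES))
    print("modified NIC firmware:", scenario(BAD_IMAGES))
    print("modified NIC, rewritten log:", scenario(BAD_IMAGES, altered_log=True))
```

The two failure cases show why the register and the log are both needed: the log tells the relying party which peripheral deviated, while the register (in practice signed by the co-processor's attestation key) is what stops a rewritten log from passing as clean.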

4. OpenXT, Xen and OpenEmbedded

Summary: OpenEmbedded (OE) provides a cross-compile environment to create custom Linux-based systems for ARM and x86 devices. The OE ecosystem accommodates competing vendors and use cases via layers. OE’s meta-virtualization layer supports Xen, Linux KVM and containers.

Xen Project is a versatile, general-purpose, Open Source hypervisor that continues improving in response to use in public clouds, enterprise servers, middleboxes, desktops, vehicles and embedded devices. Xen is available in OE meta-virtualization.

OpenXT uses OE and Xen in a platform for hardware-assisted isolation of untrusted Linux and Windows workloads. If Windows System Guard adds IOMMU, TPM and TXT to hardware baselines, more OEMs will validate hardware security features used by Qubes and OpenXT since 2010.

5. Functional Safety: Automotive

Summary: $80B USD of autonomous driving R&D pursues trillions in projected revenues. Powered by mapping, sensors, connectivity, AI/ML, energy storage density and low-power SoCs, the autonomy economy extends security concerns to safety and long-term maintenance.

VMMs reduce size, weight and power via consolidation, but must guarantee spatial and temporal isolation for safety-critical workloads. Nested hypervisors and inter-partition messaging can enable app compatibility without losing bare-metal safety. Time-sensitive networking HW/VMM/OS features enable multi-node certification.

OpenEmbedded and Xen are used on Renesas, NXP and Xilinx Arm boards, while Toyota uses AGL/OE. Gap analysis for Xen is underway and may result in a Kconfig subset of Xen that is optimized for security and safety certification. This subset may overlap with OpenXT requirements.

“…some people argue that L1 is actually safer than L2 or L3 - with L1 you do know explicitly that it’s you that’s driving the car ALL THE TIME, but sometimes the car will stamp on the brakes when you weren’t looking and save a life. This is why so much work is going into how the vehicle might communicate with the user - how does it say ‘this is an L5 journey and you can sleep’, or ‘I’ll drive myself for the next hour, and alert you 5 minutes before it’s time for you to take over’?”

“security will be more about safety than privacy. Certification will no longer mean testing a car once before selling it for 10 years … Phones and laptops do not kill a lot of people, at least directly; cars and medical devices do… As we build more complex artifacts, which last longer and are more safety critical, the long-term maintenance cost may become the limiting factor…On the technical side, at present it is hard to patch even five-year-old software. The toolchain usually will not compile on a modern platform … Could we develop on virtual platforms that would support multiple versions?”

  • Apr 2018: Automotive Grade Linux (AGL) virtualization whitepaper draft

“Xen can partition or pool plural resources while optionally virtualizing —securely sharing— singular hardware resources like coprocessors. Xen provides stable interfaces as applications and platforms evolve. For environments with real-time constraints, it can be configured as a partitioning hypervisor, eliminating scheduler overhead, reducing interrupt latency and delegating I/O and memory isolation to hardware with an IOMMU. Xen also provides static CPU assignment and multiple real-time schedulers (including an ARINC 653 scheduler) to further isolate resources and provide real-time guarantees.”

“Although hardware-based security is not a silver bullet, it does provide a “chain of trust” rooted in silicon that makes the device and extended network more trustworthy and secure.”

6. Events