Anti-Evil Maid with UEFI and Xen

Brendan Kerrigan
Assured Information Security

According to the UEFI specification, measurements of boot components and applications are required if the system has a TPM present. These measurements are referred to as Static Root-of-Trust Measurements (SRTMs). The SRTMs only extend to the firmware and the EFI applications it launches. However, modern operating systems have many moving components that are critical to the security and integrity of the system as a whole. In the case of Linux, for example, hijacking the initramfs or even just being able to manipulate the boot parameters can prove disastrous.

The problem is also present for systems such as Xen, which is the cornerstone of both QubesOS and OpenXT. While Xen can be included in the SRTM measurements, if it is booted directly by the UEFI firmware (i.e., without GRUB), none of its critical components, such as the XSM policy, dom0 kernel or the command-line arguments, would be measured.

We have extended the shim EFI loader and Xen to allow measurements to be made of these critical components during boot. Using these measurements, it is possible to implement Anti-Evil Maid solutions without the use of Intel TXT, enabling a practical solution for non-Intel hardware. That said, the solution is compatible with TXT, allowing for deployments where the end of the SRTM chain is the start of the DRTM, thus eliminating the traditional “gap” present in DRTM solutions.
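The measurement gap and its fix can be modelled with the TPM extend operation. This is an added example, not code from the talk or from shim/Xen; the SHA-256 bank, the single PCR, the measurement order and all blob contents are assumptions constructed for illustration.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank (assumption; the page names no bank or PCR index)

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM extend operation: new PCR = SHA256(old PCR || SHA256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def replay(blobs) -> bytes:
    """Replay an ordered list of measured blobs into a PCR that starts at zero."""
    pcr = bytes(PCR_SIZE)
    for blob in blobs:
        pcr = extend(pcr, blob)
    return pcr

# Constructed stand-ins for the real boot components.
XEN_EFI = b"xen.efi image (constructed)"
XSM_POLICY = b"XSM policy blob (constructed)"
DOM0_KERNEL = b"dom0 kernel image (constructed)"
GOOD_CMDLINE = b"dom0_mem=4G flask=enforcing"
EVIL_CMDLINE = b"dom0_mem=4G flask=disabled"

def firmware_only_pcr(cmdline: bytes) -> bytes:
    """Firmware measures only the EFI application it launches; cmdline is ignored."""
    return replay([XEN_EFI])

def extended_pcr(cmdline: bytes) -> bytes:
    """Chain that also measures policy, dom0 kernel and command line (order assumed)."""
    return replay([XEN_EFI, XSM_POLICY, DOM0_KERNEL, cmdline])

def would_unseal(sealed_to: bytes, current: bytes) -> bool:
    """Model of a PCR-bound seal: the secret is released only on an exact match."""
    return hmac.compare_digest(sealed_to, current)

if __name__ == "__main__":
    for name, chain in (("firmware-only", firmware_only_pcr), ("extended", extended_pcr)):
        sealed_to = chain(GOOD_CMDLINE)      # value recorded at provisioning time
        after_tamper = chain(EVIL_CMDLINE)   # value after the command line is changed
        print(f"{name:14} PCR {after_tamper.hex()[:16]}... "
              f"secret released after tampering: {would_unseal(sealed_to, after_tamper)}")
```

With the firmware-only chain the altered command line leaves the PCR unchanged, so a PCR-bound secret is still released; with the extended chain the PCR differs and the release fails.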
