Eugene Myers
U.S. National Security Agency

We describe our work to demonstrate an enhanced SMI transfer monitor (STM) that provides protected execution services on the x86 platform. An STM is a hypervisor that executes in x86 system management mode (SMM) and functions as a peer to the hypervisor or operating system. The STM constrains the SMI handler by hosting it in a virtual machine (VM); otherwise the SMI handler has unconstrained access to the platform, which could undermine the assurance provided by a dynamic root of trust for measurement (DRTM) such as Intel Trusted Execution Technology (TXT).

Our STM enhancements create a protected execution capability by extending the STM to support additional VMs, called protected execution VMs (PE/VMs). These enhancements use only the existing capabilities of the x86 processor and thus require no additional hardware. We modified an existing hypervisor integrity measurement engine to run in a PE/VM. The related discussion explains how the module can be loaded from a guest virtual machine and how page tables are used to restrict the memory that the measurement engine is allowed to access.
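The following C program is an added illustration, not code from the paper or from the STM, of the confinement mechanism the abstract refers to: the STM builds a second-level page table for the PE/VM (modelled here on Intel EPT entries, where bits 0..2 are read/write/execute) that maps only the measurement engine's own code and data plus a read-only view of the region it is to measure, leaving everything else unmapped. The addresses, page counts and the identity mapping are constructed assumptions chosen for the example; a real STM would map host physical pages of its choosing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Access rights in an EPT-style entry: bit 0 read, bit 1 write, bit 2 execute. */
#define PERM_R 0x1u
#define PERM_W 0x2u
#define PERM_X 0x4u

#define ENTRIES    512                    /* 9-bit index per level, 4-level table */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ull << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))

typedef struct table { uint64_t e[ENTRIES]; } table_t;

/* Each table occupies one page; intermediate entries hold the (page-aligned)
 * address of the next table, so we store the child's host address in bits 12+. */
static table_t *table_alloc(void) {
    table_t *t = aligned_alloc(PAGE_SIZE, sizeof *t);
    if (t) memset(t, 0, sizeof *t);
    return t;
}

/* Index into the table at `level`: 3 = PML4 (bits 47:39) ... 0 = PT (bits 20:12). */
static unsigned idx(uint64_t gpa, int level) {
    return (unsigned)((gpa >> (PAGE_SHIFT + 9 * level)) & (ENTRIES - 1));
}

/* Map one 4 KiB guest-physical page to a host-physical page with `perms`. */
int ept_map(table_t *root, uint64_t gpa, uint64_t hpa, unsigned perms) {
    table_t *t = root;
    for (int level = 3; level > 0; level--) {
        uint64_t *e = &t->e[idx(gpa, level)];
        if ((*e & 7) == 0) {                       /* not present: allocate next level */
            table_t *child = table_alloc();
            if (!child) return -1;
            /* Intermediate entries grant all rights; the leaf does the restricting. */
            *e = (uint64_t)(uintptr_t)child | PERM_R | PERM_W | PERM_X;
        }
        t = (table_t *)(uintptr_t)(*e & PAGE_MASK);
    }
    t->e[idx(gpa, 0)] = (hpa & PAGE_MASK) | (perms & 7);
    return 0;
}

/* Walk the table as the CPU would. Returns 0 and the host address on success;
 * -1 where hardware would raise an EPT violation (unmapped or missing right). */
int ept_translate(const table_t *root, uint64_t gpa, unsigned access, uint64_t *hpa) {
    const table_t *t = root;
    for (int level = 3; level >= 0; level--) {
        uint64_t e = t->e[idx(gpa, level)];
        if ((e & access) != access) return -1;     /* rights are checked at every level */
        if (level == 0) { *hpa = (e & PAGE_MASK) | (gpa & ~PAGE_MASK); return 0; }
        t = (const table_t *)(uintptr_t)(e & PAGE_MASK);
    }
    return -1;
}

/* Constructed PE/VM layout (assumption for this example, not the paper's): */
#define PE_CODE_GPA  0x00100000ull   /* measurement engine text: 2 pages, R+X   */
#define PE_DATA_GPA  0x00102000ull   /* its data and stack:      2 pages, R+W   */
#define TARGET_GPA   0x40000000ull   /* hypervisor region to be measured, R only */
#define TARGET_PAGES 4

/* Build the PE/VM's page table once; identity-mapped for readability. */
const table_t *pe_vm_ept(void) {
    static table_t *root;
    if (root) return root;
    root = table_alloc();
    if (!root) return NULL;
    for (uint64_t i = 0; i < 2; i++)
        ept_map(root, PE_CODE_GPA + i * PAGE_SIZE, PE_CODE_GPA + i * PAGE_SIZE, PERM_R | PERM_X);
    for (uint64_t i = 0; i < 2; i++)
        ept_map(root, PE_DATA_GPA + i * PAGE_SIZE, PE_DATA_GPA + i * PAGE_SIZE, PERM_R | PERM_W);
    for (uint64_t i = 0; i < TARGET_PAGES; i++)
        ept_map(root, TARGET_GPA + i * PAGE_SIZE, TARGET_GPA + i * PAGE_SIZE, PERM_R);
    return root;
}

/* 1 if the PE/VM may perform `access` at `gpa`, 0 if the STM would see a violation. */
int pe_vm_allows(const table_t *root, uint64_t gpa, unsigned access) {
    uint64_t hpa;
    return ept_translate(root, gpa, access, &hpa) == 0;
}

int main(void) {
    const table_t *r = pe_vm_ept();
    printf("read target:   %d\n", pe_vm_allows(r, TARGET_GPA + 0x10, PERM_R));   /* 1 */
    printf("write target:  %d\n", pe_vm_allows(r, TARGET_GPA + 0x10, PERM_W));   /* 0 */
    printf("exec data:     %d\n", pe_vm_allows(r, PE_DATA_GPA, PERM_X));         /* 0 */
    printf("read unmapped: %d\n", pe_vm_allows(r, 0x0, PERM_R));                 /* 0 */
    return 0;
}
```

The point of checking rights at every level is that an entry the STM never filled in is all zeros, so an access to unmapped guest-physical memory fails the same way as a write to a read-only page: the measurement engine can read the region it measures but cannot modify it or reach anything else, which is what lets the STM vouch for the engine without trusting it.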

Boot Integrity · Xen
