For the last several years, hypervisors have played a key role in platform
security by reducing the possible attack surface. At the same time, the hype
surrounding computing and Internet of Things Gateways has led to an increase in
network appliance devices. Our target was to create a less-insecure virtual
network appliance using TrenchBoot, Trusted Platform Module 2.0 and AMD SKINIT
Dynamic Root of Trust for Measurement to establish a Xen hypervisor with a
meta-virtualized pfSense firewall. We are going to present it with an update
of the status of support of TrenchBoot for AMD processors.
This appliance is supported by are supported by apu2, a reliable low-SWaP x86
device from Swiss OEM PC Engines. It can be used as a Single Office / Home
Office firewall or an industrial edge device and has mostly open-source
hardware, coreboot firmware, mPCIe extensibility and an extended support
lifecycle for the embedded Central Processing Unit and motherboard.
In this talk, we will show how to create a system, which enables a significant
portion of computations to the edge devices while maintaining security. Using
a simple, well-known platform, we will conduct a secure boot using the Static
Root of Trust for Measurement with coreboot, move to the Dynamic Root of Trust
for Measurement by SKINIT in TrenchBoot and use all of this to provide a
complete chain of trust for the Xen hypervisor, a virtual firewall appliance
isolated by an inputβoutput memory management unit (IOMMU) from the physical
network interface controller (NIC) devices. We will present benchmark data
on virtualization overhead, explain how this complexity can still be practical
and outline the value of this stack. In the second part of presentation we will
discuss current status of Intel TXT development in the GRUB and Linux kernel.