[nextpage title=”Introduction”]
LaGrande Technology (LT) is a new security technology that will be available on Intel’s next generation CPUs (Merom, Conroe and Woodcrest) to be released in 2006. In this tutorial we will explain its main features and how they work.
Nowadays all users are vulnerable to several threats that compromise security. We are not talking only about viruses and spyware, but also about someone stealing your password or even your identity.
Figure 1 summarizes why this happens.
Figure 1: Vulnerabilities of the PC.
The problem, as you can see in Figure 1, is that any software can have access to:
- Video memory: any software can create “fake” screens or “see” what the user is seeing.
- Input devices: any software can “see” or change what the user is typing.
- Memory: any software can see what is inside RAM, so malicious software can capture or change data held in the system’s RAM.
- DMA: Software can access protected memory using the DMA controller.
LaGrande Technology addresses these issues by creating a hardware-based protective layer for each of these weak points in your computer.
[nextpage title=”LaGrande Overview”]
LaGrande Technology provides the following features:
- Protected Execution: Software can be run in an isolated mode where no other software can have access to its code and data. This technique is also known as Domain Separation.
- Sealed Storage: Data is stored encrypted and can only be decrypted by the same environment that stored it.
- Protected Input: Protects input devices (mouse and keyboard) from being sniffed or having their data changed by malicious software. LaGrande Technology does this by encrypting the commands sent through keyboard and mouse, so only software that has the correct encryption key can have access to these commands.
- Protected Graphics: Creates a secure path between applications running under protected execution and the video memory located on the video card, so no other software can see or change what is being written on the display.
- Attestation: A hardware-based attestation that the LaGrande Technology protected environment is in place. This is provided by a module called TPM (Trusted Platform Module). Among other things, the TPM provides a Random Number Generator (RNG) and also stores the encryption keys used by LaGrande Technology.
- Protected Launch: Controls the launch of the operating system in a protected execution environment.
Figure 2: A PC with LaGrande Technology.
Figure 3: How LaGrande Technology solves PC vulnerabilities.
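Sealed Storage, as described in the list above, ties stored data to the environment that stored it. The following is an added example, not Intel's or any TPM vendor's code: a simplified Python model in which a sealing key is derived from a chip-held secret plus a running hash of the components that were launched. `ToyTPM`, `boot` and the component names are assumptions made for illustration, and the HMAC-SHA-256 keystream is a stand-in for a real cipher.

```python
import hashlib
import hmac
import os


class ToyTPM:
    """Simplified model (assumption): a measurement register plus a secret that never leaves the chip."""

    def __init__(self):
        self._root = os.urandom(32)  # storage secret, stays inside the "chip"
        self.pcr = bytes(32)         # measurement register, all zero at reset

    def extend(self, component: bytes) -> None:
        # The register can only be extended, never set: new = H(old || H(component)).
        digest = hashlib.sha256(component).digest()
        self.pcr = hashlib.sha256(self.pcr + digest).digest()

    def _keys(self, nonce: bytes, length: int):
        # Keys depend on the chip secret AND the current measurements.
        k = hmac.new(self._root, self.pcr + nonce, hashlib.sha256).digest()
        blocks = (length + 31) // 32
        stream = b"".join(hmac.new(k, b"enc" + i.to_bytes(4, "big"), hashlib.sha256).digest()
                          for i in range(blocks))
        return stream[:length], hmac.new(k, b"mac", hashlib.sha256).digest()

    def seal(self, data: bytes) -> bytes:
        nonce = os.urandom(16)
        stream, mac_key = self._keys(nonce, len(data))
        ct = bytes(a ^ b for a, b in zip(data, stream))
        return nonce + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest() + ct

    def unseal(self, blob: bytes) -> bytes:
        nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
        stream, mac_key = self._keys(nonce, len(ct))
        expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("environment differs from the one that sealed the data")
        return bytes(a ^ b for a, b in zip(ct, stream))


def boot(tpm: ToyTPM, components) -> None:
    """Reset the register, then measure each launched component in order."""
    tpm.pcr = bytes(32)
    for component in components:
        tpm.extend(component)


if __name__ == "__main__":
    tpm, trusted = ToyTPM(), [b"domain-manager", b"protected-os"]  # constructed names
    boot(tpm, trusted)
    blob = tpm.seal(b"disk key")
    boot(tpm, trusted)
    print(tpm.unseal(blob))
```

Booting the same model with a different or reordered component list leaves a different register value, so `unseal` raises instead of returning the data.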
Let’s now talk a little bit more about some of these features.
[nextpage title=”Protected Execution”]
As we explained, Protected Execution allows software to be run under a protected environment, where no other software can have access to the resources being used by the software, especially RAM memory – i.e., to the data being manipulated and generated by the software. Resources also include devices and processes being executed (i.e., the software itself).
Figure 4: Protected execution overview.
As you can see in Figure 5, protected execution is controlled by a new layer called Domain Manager. In order to run, this layer needs a LaGrande Technology-enabled CPU, an LT-enabled chipset and a TPM (Trusted Platform Module).
Figure 5: Protected execution architecture.
It is interesting to note that you can run both protected and unprotected software at the same time on an LT-enabled PC.
[nextpage title=”Protected Input”]
This feature creates a trusted channel between input devices such as mouse and keyboard and the PC. Since data transferred between input devices and the PC using this feature is encrypted, you will need a new mouse and keyboard with encryption capability in order to use it. With the mouse and keyboard you currently have, this feature won’t work.
Figure 6: What is a trusted channel.
Figure 7: Protected input overview.
[nextpage title=”Protected Graphics”]
This feature creates a trusted channel between software and the video card, so no other software can read or change data that is being sent to the display by the protected software. In order to work, however, you need a video card that has this feature. As far as we know, the video cards available on the market today cannot be used to create this protected environment, since they lack LaGrande Technology.
On the other hand, since LaGrande Technology needs a new generation of chipsets, it looks like Intel will launch chipsets with integrated graphics supporting this feature.
Figure 8: Protected graphics overview.
[nextpage title=”Conclusions”]
It is too early to know if LaGrande Technology will be successful or not. It is a great idea, but it has so many prerequisites that we doubt average users will use it. To summarize, to have a 100% LaGrande-enabled PC you will need to have:
- LT-enabled CPU;
- LT-enabled chipset;
- LT-enabled input devices (new mouse and new keyboard);
- LT-enabled video card (new video card or LT-enabled integrated graphics provided by new generation of Intel chipsets);
- TPM device on motherboard (“fixed token”, i.e., Random Number Generator and non-volatile memory to store encryption keys);
- LT Domain Manager software;
- LT-enabled operating system.
And the big thing is: none of these is available today.
So, we will have to wait until next-generation Intel CPUs (Merom, Conroe and Woodcrest) are launched to see what happens on the market.
Keep in mind that it is not clear if Intel will keep the codename LaGrande or will use a different commercial name for this technology.