Introduction
LaGrande Technology (LT) is a new security technology that will be available on Intel’s next generation CPUs (Merom, Conroe and Woodcrest) to be released in 2006. In this tutorial we will explain its main features and how they work.
Nowadays all users are vulnerable to several treats that compromise security. We are not talking only about virus and spyware, but also about someone stealing your password or even your identity.
On Figure 1 you can find a summary why this happens.
click to enlarge
Figure 1: Vulnerabilities of the PC.
The problem, as you can see on Figure 1, is that any software can have access to:
- Video memory: any software can create “fake” screens or “see” what the user is seeing.
- Input devices: any software can “see” or change what the user is typing.
- Memory: Any software can see what is inside RAM memory, so malicious software can capture or change data inside the system’s RAM memory.
- DMA: Software can access protected memory using the DMA controller.
So what LaGrande Technology does is basically address these issues, by creating a hardware-based protective layer for each one of these weak points present on your computer.
LaGrande Overview
LaGrande Technology provide the following features:
- Protected Execution: Software can be run in an isolated mode were no other software can have access to its code and data. This technique is also known as Domain Separation.
- Sealed Storage: Data is stored encrypted and can only be decrypted by the same environment that stored it.
- Protected Input: Protects input devices (mouse and keyboard) from being sniffed or have their data changed by malicious software. LaGrande Technology does this by encrypting the commands sent thru keyboard and mouse, so only software that has the correct encryption key can have access to these commands.
- Protected Graphics: Creates a secure path between applications running under protected execution to the video memory located on the video card, so no other software can see or change what is being written on the display.
- Attestation: A hardware-base attestation that LaGrande Technology protected environment is in place. This is provided by a module called TPM (Trusted Platform Module). Among other things, TPM provides a Random Number Generator (RNG) and also stores the encryption keys used by LaGrande Technology.
- Protected Launch: Controls the launch of the operating system in a protected execution environment.
click to enlarge
Figure 2: A PC with LaGrande Technology.
click to enlarge
Figure 3: How LaGrande Technology solves PC vulnerabilities.
Let’s now talk a little bit more about some of these features.
Protected Execution
As we explained, Protected Execution allows software to be run under a protected environment, where no other software can have access to the resources being used by the software, especially RAM memory – i.e. to the data being manipulated and generated by the software. Resources also include devices and processes being executed (i.e., the software itself).
click to enlarge
Figure 4: Protected execution overview.
As you can see on Figure 5, the protected execution is controlled by a new layer called Domain Manager. In order to run, this layer needs a LaGrande Technology-enabled CPU, an LT-enable chipset and a TPM (Trusted Platform Module).
click to enlarge
Figure 5: Protected execution architecture.
It is interesting to note that you can run both protected and unprotected software at the same time on an LT-enabled PC.
Protected Input
This feature creates a trusted channel between input devices such as mouse and keyboard and the PC. Since data transferred between input devices and the PC using this feature is encrypted, you will need new mouse and keyboard with encryption capability in order to use this feature. If the current mouse and keyboard you have this feature won’t work.
click to enlarge
Figure 6: What is a trusted channel.
click to enlarge
Figure 7: Protected input overview.
Protected Graphics
This feature creates a trusted channel between software and the video card. So, no other software can read or change data that is being sent to the display by the protected software. In order to work, however, you need to have a video card that has this feature, i.e. as far as we know the current video cards available on the market today cannot be used to create this protected environment, since they lack LaGrande Technology.
On the other hand, since LaGrande Technology needs a new generation of chipsets, it looks like Intel will launch chipsets with integrated graphics supporting this feature.
click to enlarge
Figure 8: Protected graphics overview.
Conclusions
It is too early to know if LaGrande Technology will be successful or not. It is a great idea, but it has so many prerequisites that we doubt if average users will use it. To summarize, to have a 100% LaGrande-enabled PC you will need to have:
- LT-enabled CPU;
- LT-enabled chipset;
- LT-enabled input devices (new mouse and new keyboard);
- LT-enabled video card (new video card or LT-enabled integrated graphics provided by new generation of Intel chipsets);
- TPM device on motherboard (“fixed token”, i.e. Random Number Generator and non-volatile memory to store encryption keys);
- LT Domain Manager software;
- LT-enabled operating system.
And the big thing is: none of these is available today.
So, we will have to wait until next-generation Intel CPUs (Merom, Conroe and Woodcrest) are launched to see what happens on the market.
Keep in mind that it is not clear if Intel will keep the codename LaGrande or will use a different commercial name for this technology.
Originally at http://www.hardwaresecrets.com/article/264
© 2004-9, Hardware Secrets, LLC. All Rights Reserved.
Total or partial reproduction of the contents of this site, as well as that of the texts available for downloading, be this in the electronic media, in print, or any other form of distribution, is expressly forbidden. Those who do not comply with these copyright laws will be indicted and punished according to the International Copyrights Law.
We do not take responsibility for material damage of any kind caused by the use of information contained in Hardware Secrets.