Over the last several years, computer security has become a major concern for all users and manufacturers around the world. Sophisticated software has been written to penetrate corporate, government and military networks and servers in order to access proprietary and sensitive information, and to perform malicious and criminal attacks that compromise the integrity of, and deny legitimate access to, that information. Both internal and external attacks on data security are becoming more and more frequent, with the damage often being irreversible, and, in general, the traditional methods of protection such as firewalls and anti-virus/anti-malware software are no longer adequate. A “holistic” approach to security that ranges from user education and operational policies to containment after a breach is required to address the rapidly evolving computer security environment. For embedded computing, a “holistic” approach requires that security features at the hardware and firmware level are also present. In addition, for some defense and government agency customers, the required security features go beyond what is found in many embedded computing engines currently on the market. For these applications, additional measures have been, and are being, developed to ensure that computers with sensitive information do not fall into the hands of the enemy.
As a result of these increased computer security threats, General Micro Systems has taken the lead in implementing improved security features - from the architectural level down to the hardware level. All GMS systems are designed from the ground up to provide for the most advanced security features possible. GMS’ systems include security functions that protect against threats such as software attacks at system initialization, threats against the integrity of the system BIOS and related firmware, escalation of privilege attacks against the operating system, rootkits, physical tampering and unauthorized configuration changes, and compromise of data and mass storage devices. In addition, GMS provides architectural variants of the typical embedded computer system that provide for government approved compartmentalization of I/O resources for operation of virtual machines in computing environments with multiple security domains, and with multiple processing sub-systems in total isolation.
TPM (Trusted Platform Module) and TXT (Trusted Execution Technology)
TXT is a computer hardware technology built into the processor and associated chipset that provides key elements for establishing a verifiable description of the system per the methodologies prescribed by the Trusted Computing Group (TCG). Key elements of TXT include extensions to the instruction set specifically for security operations, Authenticated Code Modules (ACM), and features for supporting Launch Control Policies (LCP).
In summary, TXT and TPM together can be used to establish the "root of trust" and the "chain of trust" by providing hardware-based encrypted identifiers for all software components involved in system initialization, and hardware-based mechanisms for blocking the execution of software components that do not match approved versions. In addition, hardware mechanisms are provided for protecting residual secret data from memory snooping and reset attacks, and features are included to support local and remote attestation of the trustworthiness of the system. Of course, use of TXT and TPM implies system software (BIOS) and operating system involvement, and, indeed, support at both levels is required for the realization of a trusted computing system.
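The chain of trust described above, as an added illustration (not GMS firmware or TPM vendor code): each boot component is hashed and extended into a PCR in order, the final PCR is compared against the set of approved values (the launch control policy), and a verifier checks a nonce-bound quote over that PCR. The component images and the attestation key are constructed sample values, and the HMAC quote is a stand-in for the TPM's signed quote.

```python
"""Model of a TPM/TXT measured launch: measure each boot component into a PCR,
gate the launch on a policy of approved PCR values, and verify an attestation
quote. Component images and the key below are constructed sample data."""
import hashlib
import hmac

PCR_SIZE = 32  # one PCR in the SHA-256 bank, all zeros at reset

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: PCR_new = SHA-256(PCR_old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()

def measure_chain(components):
    """Extend every boot component, in order, into a fresh PCR.
    Returns the final PCR value and the per-component event log."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log

def launch_allowed(pcr: bytes, policy: set) -> bool:
    """Launch control policy: continue only if the measured PCR is approved."""
    return pcr in policy

def quote(pcr: bytes, nonce: bytes, key: bytes) -> bytes:
    """Simplified attestation quote over the PCR and the verifier's nonce
    (a real TPM signs with an attestation key; HMAC stands in here)."""
    return hmac.new(key, pcr + nonce, hashlib.sha256).digest()

def verify_quote(sig: bytes, pcr: bytes, nonce: bytes, key: bytes, policy: set) -> bool:
    """Remote attestation: the quote must be fresh (nonce) and the PCR approved."""
    return hmac.compare_digest(sig, quote(pcr, nonce, key)) and launch_allowed(pcr, policy)

# Constructed boot chains: the approved images, and the same chain with a modified BIOS.
GOOD_CHAIN = [("ACM", b"acm-v1"), ("BIOS", b"bios-v3"), ("MLE", b"vmm-v7")]
BAD_CHAIN = [("ACM", b"acm-v1"), ("BIOS", b"bios-v3-modified"), ("MLE", b"vmm-v7")]
APPROVED_PCR, _ = measure_chain(GOOD_CHAIN)
POLICY = {APPROVED_PCR}
AK = b"constructed-attestation-key"  # placeholder, not a real key

if __name__ == "__main__":
    for chain in (GOOD_CHAIN, BAD_CHAIN):
        pcr, log = measure_chain(chain)
        print([name for name, _ in log], "launch allowed:", launch_allowed(pcr, POLICY))
```

Because extend is order-sensitive, the same components measured in a different order also produce a PCR outside the policy, which is what lets the policy pin the whole initialization sequence rather than individual files.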
Other important features of the GMS system BIOS include:
- Storage of system parameters and configuration settings in the BIOS flash instead of the standard battery-backed CMOS. This results in systems that can operate fully without a battery.
- Hardware write protect (WP) for the BIOS flash. This feature, which includes a write protect signal at the system interconnect, can be used to eliminate inadvertent and unauthorized changes to the system BIOS and system configuration settings.
GMS welcomes requests for custom BIOS features, which in most cases are provided free of charge to OEM customers.
Software Based Full-Disk and File-System Encryption
Hardware Full-Disk Encryption
Self-Encrypting Drive (SED)
Secure Erase (SE)
GMS also offers, as an option, mass storage with specialized secure erase methods for defense and government agency customers. These methods include DoD 5220.22-M, NSA 9-12, NSA 130-2, as well as Army, Air Force and Navy secure erase specifications. Secure erase for these methods is also triggered by ATA commands and, optionally, by a hardware mechanism. Once triggered, the secure erase cannot be stopped. If power is disconnected from the drive before the secure erase is complete, the secure erase resumes when power is re-applied. Some of the secure erase methods are destructive, such that the drive is not reusable after the erase is complete.
Write Protect (WP)
Tamper Proof (TAMP)
To prevent tampering such as this from being successful, some GMS products include a tamper sensor. This sensor, when activated, sends a signal to the internal and removable drives, as well as the Platform Controller Hub (PCH), which can be used to initiate various responses, such as halting operation, turning off power, disabling subsequent initialization, triggering secure erase of the drives, and triggering erasure of the system BIOS.
Secure Virtual Machine (SVM)
General Micro Systems' Secure Virtual Machine architecture uses none of the system's centralized I/O resources for virtual machine I/O, while providing dedicated (unshared) connections from the system's root complex to the discrete hardware elements designated for each virtual machine's I/O. This approach addresses security risks by allowing the native I/O device drivers to be resident in the protected virtual machine partitions rather than being emulated by the VMM, and by eliminating any hardware or software coupling between the I/O functions of the virtual machine instances. Thus, the I/O functions of one virtual machine cannot be monitored or interfered with by software running on another virtual machine or by software running on the VMM itself. An added benefit of this architecture is the inherent fault tolerance of dedicated I/O resources: damage or malfunction of the hardware elements designated for one virtual machine does not affect the operation of any of the other virtual machines. For example, a typical embedded computer system has multi-port USB hubs connected to an EHCI USB host controller as part of its central resources. The assignment of these ports by the VMM may span, or even be shared by, more than one virtual machine. A failure or error on one of the ports may affect the hub or the host controller in such a way that communications on the other ports are degraded or compromised. In the GMS Secure Virtual Machine architecture, USB ports assigned to a given virtual machine are provided by host controllers that are dedicated to that specific virtual machine. While damage, malfunction or error at that host controller will affect the operation of the associated virtual machine, there should be no effect on any of the other virtual machines in the system.
Another important aspect of the GMS Secure Virtual Machine architecture is its inherent support for trusted computing. In addition to the Trusted Platform Module (TPM) and the TXT capabilities provided by the processor and chipset, VT-x and VT-d are integral elements of a trusted computing system that hosts virtual machine partitions. VT-d is used both during system initialization and by the VMM during normal operation. During initialization, VT-d provides protected memory regions (PMR) from which the "launch environment" itself, as well as elements of the VMM, may operate. VT-d is used in the creation and management of the trusted partitions for the virtual machine instantiations, protecting the virtual machine partitions and the VMM from each other, and during normal operation the VMM may use VT-d to define protected regions for use by integrity monitoring functions.
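One way to verify the dedicated-I/O property described in the two paragraphs above on a VT-d system, as an added example that is not GMS software: on Linux the IOMMU exposes its isolation domains under /sys/kernel/iommu_groups/<group>/devices/<bdf>, and devices in one group cannot be isolated from each other by the IOMMU, so a VM's host controller should sit in a group that contains no device owned by another VM or by the VMM/host. The group table, PCI addresses and VM names below are constructed sample data in that layout.

```python
"""Check that each VM's assigned PCI devices live in IOMMU groups shared with
no other VM and no host/VMM device (constructed sample data, not a live read of
/sys/kernel/iommu_groups)."""
from collections import defaultdict

def parse_iommu_groups(lines):
    """Parse '<group> <bdf>' lines (one per /sys/kernel/iommu_groups/<group>/devices
    entry) into {bdf: group}."""
    bdf_to_group = {}
    for line in lines:
        group, bdf = line.split()
        bdf_to_group[bdf] = int(group)
    return bdf_to_group

def check_isolation(assignments, bdf_to_group):
    """assignments: {vm_name: [bdf, ...]} as configured in the VMM.
    Devices not assigned to any VM are treated as owned by the host/VMM.
    Returns sorted (group, [owners]) pairs for every group with more than one
    owner, i.e. every place where two security domains share an IOMMU group."""
    assigned = {bdf for devs in assignments.values() for bdf in devs}
    owners = defaultdict(set)
    for vm, devs in assignments.items():
        for bdf in devs:
            owners[bdf_to_group[bdf]].add(vm)
    for bdf, group in bdf_to_group.items():
        if bdf not in assigned:
            owners[group].add("host")
    return sorted((g, sorted(o)) for g, o in owners.items() if len(o) > 1)

# Constructed sample: a chipset USB controller whose functions share group 5,
# two discrete USB host controllers and a NIC each in their own group.
SAMPLE_GROUPS = [
    "5 0000:00:14.0",   # chipset xHCI controller (central resource)
    "5 0000:00:14.2",   # second function of the same chipset device
    "12 0000:03:00.0",  # discrete USB host controller dedicated to vmA
    "13 0000:04:00.0",  # discrete USB host controller dedicated to vmB
    "14 0000:05:00.0",  # discrete NIC dedicated to vmB
]
DEDICATED = {"vmA": ["0000:03:00.0"], "vmB": ["0000:04:00.0", "0000:05:00.0"]}
SHARED = {"vmA": ["0000:00:14.0"], "vmB": ["0000:00:14.2"]}  # chipset ports split across VMs

if __name__ == "__main__":
    groups = parse_iommu_groups(SAMPLE_GROUPS)
    print("dedicated controllers:", check_isolation(DEDICATED, groups))  # []
    print("shared chipset controller:", check_isolation(SHARED, groups))
```

An empty result means every VM's I/O path is isolated at the IOMMU; a non-empty result names the group where a fault or compromise in one domain's device could reach another, which is exactly the coupling the dedicated-controller design removes.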
Multi Domain Platform (MDP)