Trusted boot tools or modules (MDZ, SDZ) are software or hardware-software tools that allow the operating system to be started exclusively from trusted storage media (for example, hard drives). Such devices can also monitor the integrity of software (system files and operating system directories) and of technical parameters (comparing the computer's configuration at startup with the one defined by the administrator during initialization), and can act as identification and authentication tools (using passwords and tokens).

Trusted boot tools address problems such as:

Bypassing the operating system on the hard drive. If an attacker does not know the credentials of legitimate employees but has physical access to a user's computer or server, he can boot an operating system from a pre-prepared flash drive and thereby gain access to the information stored on the hard drive. One feature of trusted boot tools that counters this is a watchdog mechanism. Since booting an operating system from external media requires entering the computer's BIOS (basic input/output system) and manually selecting a boot device, it takes a noticeable amount of time. If the computer is set to restart whenever the operating system takes longer to load than usual, the attacker will not have time to change the BIOS settings and boot from his own device.

Stealing user credentials. Even if an attacker finds out an employee's login and password, he will be stopped by the lack of a personal identifier. When a trusted boot module is installed on the computer, the user must present a personal identifier or token in order to boot the operating system. Without it, the boot will not proceed.

Compliance with regulatory requirements. Government information systems and systems that process personal data are required to undergo certification for compliance with requirements, which include mandatory protection of the information system by means of protection against unauthorized access. Where a higher level of protection is required for the data stored in the system, the security measures require the use of hardware trusted boot tools.

Trusted boot tools can be:

  • Hardware-software trusted boot modules at the expansion board level. Such devices are installed inside the computer case and connect to the motherboard via a PCI connector.
  • Software. These are divided into BIOS-level trusted boot tools and boot-record-level tools. The former are built into the BIOS, which allows them to perform their functions before the operating system loads. The latter replace the boot record on the hard drive and operate before control reaches the operating system.

The Maxim-M1 trusted boot module is intended for computer equipment that processes secret and confidential information (including the “top secret” and KA1 levels).

Support for multi-user groups with equal or differing levels of authority, and for administration schemes with both centralized and decentralized control, makes Maxim-M1 a universal solution for use in secure systems.

Main functions

  • Controls access at the initial start of the PC, before control passes to the OS; identifies and authenticates the user using a two-factor method;
  • Keeps non-erasable logs of user authentication and integrity control; the data is preserved in non-volatile memory;
  • Checks the validity period of user data (keys, service information) in real time;
  • Controls the hardware and software of the protected system (RAM, hard disks, the file system and file-system logs, the Windows registry);
  • Protects against password guessing.

Advantages of APM "Maxim-1"

Suitable for installation on the information security administrator's workstation in information systems that handle trade secrets, personal data, and state secrets.

Can be used on a diskless workstation for working with secret and confidential information on a remote server.

The module is compatible with the major client Windows versions (2000/XP/Vista/7) and server versions (2003/2008), as well as with systems based on Linux kernels 2.6.x and 3.x.x and with Astra Linux OS.

Requirements and restrictions when using APMDZ "MAXIM-M1"

For installation and proper operation of the module, the hardware and software must meet requirements for architecture, supply voltage, board configuration, BIOS version, installed updates, and power connectors. While the module is in operation, restrictions apply to the hardware and software in the system. A complete list of requirements is given in the APMDZ documentation.

Personnel requirements

The user of the trusted boot module (the administrator) must be able to work in the principal operating systems, and must have experience configuring PCs and peripheral equipment and administering automated systems on local computers, servers, workstations, and thin clients.

Concept Basics

  • Control of the device from which the BIOS starts loading the OS (usually the computer's hard drive, but it can also be a removable media reader, a network boot, etc.);
  • Monitoring the integrity and authenticity of the device's boot sector and of the system files of the OS being started;
  • Encryption/decryption of the boot sector and OS system files, or encryption of all data on the device (optional);
  • Authentication, encryption, and storage of secret data such as keys, checksums, and hashes are performed in hardware.

Authentication

User authentication can be performed in different ways and at different stages of the computer's boot.

To confirm the identity of the person starting the computer, various factors may be required:

  • Secret user login and password;
  • Floppy disk, CD, flash card with secret authentication information;
  • Hardware dongle connected to a computer via USB, serial or parallel ports;
  • A hardware key or biometric data, read into the computer using a separate hardware module.

Authentication can be multi-factor. It can also be multi-user, with access rights to the computer divided among users: for example, one user may only be able to boot the operating system from the hard drive, while another can change the CMOS configuration and select the boot device.

Authentication can occur:

  • During BIOS firmware execution;
  • Before loading the master boot record (MBR) or operating system boot sector;
  • During execution of a boot sector program.

Performing authentication at different stages of boot has its benefits.

Trusted Boot Steps

At different stages of a computer's boot process, trusted boot can be performed by different means, and therefore has different functionality.

  • Executing BIOS firmware. At this stage the following can be implemented: checking the integrity of the BIOS firmware, checking the integrity and authenticity of CMOS settings, authentication (protecting against starting the computer at all, or only against changing the CMOS configuration or the boot device selection), and control of boot device selection. This boot step must be implemented entirely in the BIOS firmware by the motherboard manufacturer;
  • Transferring control to the boot device. At this point the BIOS, instead of continuing to boot, may transfer control to the hardware trusted boot module. The hardware module can perform authentication, boot device selection, decryption, and verification of the integrity and validity of boot sectors and operating system files. Decryption of the operating system's boot sector can be performed only at this stage. The BIOS firmware must support transferring control to the hardware module, or the hardware module must emulate a separate boot device in the form of a hard drive, removable media, or network boot device;
  • Executing the operating system's boot sector. At this stage, integrity and validity checks of the boot loader and operating system files, and authentication, can also be performed. However, the executable code of the boot sector is limited in functionality: it is restricted in code size and placement, and it runs before the operating system drivers start.

Hardware Usage

Hardware trusted boot modules have significant advantages over purely software tools. However, trusted boot cannot be implemented purely in hardware. The main advantages of hardware are:

  • A high degree of protection for secret information about passwords, keys, and checksums of system files. As long as such a module operates normally, there is no way to retrieve this information (however, some attacks on existing modules disrupt their operation);
  • Encryption algorithms implemented in hardware can be kept secret;
  • Inability to start the computer without opening its case;
  • If the boot sector is encrypted, it is impossible to start the user's operating system, even after removing the hardware module;
  • In the case of full data encryption, it is impossible to obtain any data after removing the hardware module.

Examples of existing hardware

Intel Trusted Execution Technology

Trusted Execution Technology from Intel.

It is not so much a trusted boot tool as hardware-level protection of the resources of individual applications as a whole.

TXT is a completely new concept of computer security at the hardware level, including support for virtual machines.

TXT consists of sequential protected information-processing stages and is based on an enhanced TPM module. The system is built on the secure execution of program code. Each application running in protected mode has exclusive access to computer resources, and no other application can interfere with its isolated environment. Resources for operation in protected mode are physically allocated by the processor and the chipset. Secure data storage means encrypting data using the same TPM; any data encrypted by a TPM can be recovered from the media only by the same module that performed the encryption.

Intel has also developed a secure data input system. Malware has no way to track the data flow at the computer's input, and a keylogger receives only a meaningless set of characters, since all input procedures (including data transfers via USB and even mouse clicks) are encrypted. An application's protected mode allows graphic data to be transferred to the video card's frame buffer only in encrypted form, so malicious code cannot take a screenshot and send it to an attacker.

Hardware trusted boot module "Accord-AMDZ"

It is a hardware controller designed for installation in an ISA (modification 4.5) or PCI (modification 5.0) slot. Accord-AMDZ modules provide trusted boot of operating systems (OS) of any type that use the file systems FAT12, FAT16, FAT32, NTFS, HPFS, UFS, UFS2, EXT2FS, EXT3FS, EXT4FS, QNX 4 filesystem, and VMFS version 3.

The entire software part of the modules (including administration tools), the event log, and the list of users are located in the controller's non-volatile memory. Thus, user identification/authentication, integrity monitoring of the hardware and software environment, administration, and auditing are performed by the controller itself before the OS loads.

Main features:

  • identification and authentication of the user using a TM identifier and password up to 12 characters long;
  • blocking PC loading from external media;
  • limiting user work time;
  • monitoring the integrity of files, hardware, and the registry;
  • recording user logins in the log book;
  • administration of the security system (user registration, monitoring the integrity of the PC software and hardware).

Additional features:

  • control and blocking of physical lines;
  • RS-232 interface for using plastic cards as an identifier;
  • hardware random number sensor for cryptographic applications;
  • additional non-volatile audit device.

Trusted boot module "Krypton-lock/PCI"

Designed to differentiate and control user access to the hardware resources of stand-alone workstations, and of workstations and local servers in a computer network. It allows monitoring the integrity of the software environment in operating systems that use the FAT12, FAT16, FAT32, and NTFS file systems.

Features:

  • identification and authentication of users at BIOS startup using Touch Memory identifiers;
  • delimitation of computer resources and forced loading of the operating system (OS) from the selected device in accordance with individual settings for each user;
  • blocking the computer on an unauthorized access attempt, and maintaining an electronic event log in its own non-volatile memory;
  • calculation of reference checksums of objects and checking of current checksum values, with export/import of the list of checked objects to a floppy disk;
  • possibility of integration into other security systems (alarm, fire protection, etc.).

ViPNet SafeBoot is a certified, high-tech trusted boot software module (TBM) installed in the UEFI BIOS of various manufacturers. It is designed to protect PCs, mobile devices, and servers (including virtualization servers) from various unauthorized access threats at the boot stage and from attacks on the BIOS.

Protection of computers and servers must be in effect from the moment they are turned on. The period from power-on to the start of the operating system is key to trust in the system as a whole. Risks exist at the very earliest stages of boot:

  • Transferring control to an untrusted bootloader;
  • Loading of malicious code in UEFI;
  • Interception of data and disabling of basic security mechanisms.

All of this can lead to bypassing every security measure installed in the operating system and to theft of information. Embedding the ViPNet SafeBoot trusted boot module protects the computer from these threats and makes the system trusted.

Purpose:

ViPNet SafeBoot is designed to identify and authenticate users, differentiate access by role, and organize trusted boot of the operating system. ViPNet SafeBoot raises the security level of devices and computers by:

  • Authorization at the BIOS level, before loading the main components of the operating system;
  • Monitoring the integrity of the BIOS, protected operating system components and hardware;
  • Blocking the loading of a non-standard copy of the operating system.

Use cases

The ViPNet SafeBoot product can be used both together with other ViPNet products and on its own. The main problems it solves:
  • Compliance with the requirements of FSTEC orders*:
    • No. 17 on the protection of government information systems (GIS);
    • No. 21 on the protection of personal data information systems (ISPDn);
    • No. 31 on the protection of automated process control systems (APCS);
  • Protection against unauthorized access at the earliest stages of booting computers or devices with UEFI BIOS.

Advantages

  • Software MDZ with the ability to be installed in UEFI BIOS from various manufacturers.
  • Non-removability, unlike hardware versions of MDZ.
  • Simplified methods for setting up MDZ using administration templates.
  • Full control of UEFI integrity by checking the integrity of all its modules.
  • Russian product.

Certification in FSTEC of Russia

ViPNet SafeBoot complies with the requirements of the governing documents for class 2 trusted boot tools at the basic input/output system level, which allows the product to be used to build:
  • ISPDn up to UZ1 inclusive;
  • GIS up to security class 1 inclusive;
  • Process control system up to 1st security class inclusive.

What's new in ViPNet SafeBoot 1.4

  1. Sleep mode, a key feature aimed at convenient OEM delivery of SafeBoot in workstations and servers by hardware platform manufacturers. A detailed description is in the attached document.
  2. A licensing system: the product is now licensed by serial number.
  3. Support for authorization using Western certificates, which makes the product more convenient to work with. Some customers use authorization with a token and a certificate issued by a Microsoft CA, including via LDAP. For this reason we decided to support this authentication method.
  4. Support for JaCarta-2 GOST - expanding the list of supported key media for authentication.

InfoTecs reserves the right to make changes to the supplied products (specifications, appearance, completeness) that do not impair its consumer properties.

Strict two-factor authentication. User authentication using a token with an X.509 certificate (two-factor), a password, or a combination of both. Supported identifiers:

  • JaCarta PKI
  • Rutoken EDS
  • Rutoken EDS 2.0
  • Rutoken Lite
  • Guardant ID

Role-based access

  • User.
  • Administrator.
  • Auditor.

Integrity control. For the platform to be trusted, there must be a guarantee that all important modules loaded at system startup are unchanged. That is why ViPNet SafeBoot checks the integrity of:

  • all key UEFI BIOS modules;
  • boot sectors of hard disks;
  • ACPI and SMBIOS tables, memory maps;
  • files on disks with FAT32, NTFS, EXT2, EXT3, and EXT4 file systems (regardless of which operating system is installed);
  • the Windows registry;
  • PCI/PCIe configuration space resources;
  • CMOS (contents of non-volatile memory);
  • transaction completeness for NTFS, EXT3, and EXT4.

For user convenience, control lists for Windows OS can now be built automatically.
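As an added illustration of the integrity-control model described above and in the Krypton-lock features (reference checksums computed for a control list of objects, then re-checked before the OS is allowed to boot), here is a small Python script. It is not code from ViPNet SafeBoot, Accord-AMDZ or any other product on this page; the file names and the disk image it checks are constructed for the example.

```python
import hashlib
import os
import tempfile

BOOT_SECTOR_SIZE = 512  # the boot sector is the first 512 bytes of a disk


def sha256_file(path, length=None):
    """Hash a whole file, or only its first `length` bytes (for boot sectors)."""
    with open(path, "rb") as f:
        data = f.read() if length is None else f.read(length)
    return hashlib.sha256(data).hexdigest()


def build_control_list(files, disk_images=()):
    """Enrollment: compute reference values for system files and boot sectors."""
    ref = {("file", p): sha256_file(p) for p in files}
    for img in disk_images:
        ref[("bootsector", img)] = sha256_file(img, BOOT_SECTOR_SIZE)
    return ref


def check_integrity(reference):
    """Pre-boot check: re-hash every controlled object against the reference.
    Returns (boot_allowed, verdicts); boot is allowed only if every verdict is ok."""
    verdicts = {}
    for (kind, path), expected in reference.items():
        if not os.path.exists(path):
            verdicts[(kind, path)] = "missing"
            continue
        length = BOOT_SECTOR_SIZE if kind == "bootsector" else None
        verdicts[(kind, path)] = "ok" if sha256_file(path, length) == expected else "modified"
    return all(v == "ok" for v in verdicts.values()), verdicts


def demo():
    """Constructed scenario: enroll two files and a disk image, then tamper with
    the config file and the boot sector and re-check. Returns the verdicts."""
    d = tempfile.mkdtemp()
    kernel, cfg, disk = (os.path.join(d, n) for n in ("vmlinuz", "grub.cfg", "disk.img"))
    with open(kernel, "wb") as f:
        f.write(b"constructed kernel image")
    with open(cfg, "wb") as f:
        f.write(b"set default=0\n")
    with open(disk, "wb") as f:  # 510 bytes of code area, 0x55AA signature, then data
        f.write(b"\x00" * 510 + b"\x55\xaa" + b"partition data")
    reference = build_control_list([kernel, cfg], [disk])
    ok_before, _ = check_integrity(reference)
    with open(cfg, "ab") as f:         # the boot configuration is changed
        f.write(b"set default=1\n")
    with open(disk, "r+b") as f:       # the start of the boot sector is overwritten
        f.write(b"\xeb\x3c")
    ok_after, verdicts = check_integrity(reference)
    return {"before": ok_before, "after": ok_after,
            "kernel": verdicts[("file", kernel)], "cfg": verdicts[("file", cfg)],
            "bootsector": verdicts[("bootsector", disk)]}
```

A real module would keep the reference list and the verdict log in its own non-volatile memory, as the page describes, rather than on the disk being checked.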

Security event log. For convenience, several logging modes with different levels of detail are provided.