Brussels / 1 & 2 February 2020


Improving the Security of Edge Computing Services

Update on the status of support for AMD and Intel processors

For the last several years, hypervisors have played a key role in platform security by reducing the possible attack surface. At the same time, the hype surrounding edge computing and Internet of Things gateways has led to an increase in network appliance devices. Our target was to create a less-insecure virtual network appliance using TrenchBoot, Trusted Platform Module 2.0 and the AMD SKINIT Dynamic Root of Trust for Measurement to establish a Xen hypervisor with a meta-virtualized pfSense firewall. We are going to present it together with an update on the status of TrenchBoot support for AMD processors.

This appliance runs on the apu2, a reliable low-SWaP x86 device from the Swiss OEM PC Engines. It can be used as a Single Office / Home Office firewall or an industrial edge device and has mostly open-source hardware, coreboot firmware, mPCIe extensibility and an extended support lifecycle for the embedded Central Processing Unit and motherboard.

In this talk, we will show how to create a system that moves a significant portion of the computation to the edge devices while maintaining security. Using a simple, well-known platform, we will perform a secure boot using the Static Root of Trust for Measurement with coreboot, move to the Dynamic Root of Trust for Measurement established by SKINIT in TrenchBoot, and use all of this to provide a complete chain of trust for the Xen hypervisor and a virtual firewall appliance isolated by an input–output memory management unit (IOMMU) from the physical network interface controller (NIC) devices. We will present benchmark data on virtualization overhead, explain how this complexity can still be practical and outline the value of this stack.

In the second part of the presentation we will discuss the current status of Intel TXT development in GRUB and the Linux kernel.


Daniel Kiper
Piotr Król