I've been fortunate enough over the past few years to work directly with customers wanting more security in their datacenters. There have been guides published, video demos, and many trade shows and events have information about specific items regarding security at the hardware level. Using Intel Trusted Execution Technology (Intel TXT) on a per-platform basis gives you the 'root level trust' that is essential in establishing a solid and secure baseline for securing your workloads. To build higher-level use-cases on top of it, you need to be able to scale across multiple systems by using scripting and automation. Fortunately, many OEMs and ISVs are implementing tools that allow for scale deployment. If you have set up the BIOS on a server platform, implementing Intel TXT on a per-server basis is simple enough. However, scaling the technology across your datacenter has its challenges depending on the OEM vendor and the tools that are available for scale automation.
In order to build higher-level use-cases, many of our customers have wanted simpler implementation methods for the multitude of systems that reside in their datacenters, so they can implement security use-cases such as Trusted Compute Pools, which is showcased in a very simple diagram below. Notice the 3-step process. Step #1 is the root of trust on the hardware itself: this is where Intel TXT, along with the Trusted Platform Module (TPM), measures the platform and records cryptographic hashes in the Platform Configuration Registers (PCRs). This is done in accordance with the Trusted Computing Group (TCG) specifications.
If the Intel TXT platform (#1) meets the policies and measurements (#2) of the use-case, then the OS and apps (#3) are allowed to launch on the secured platform. #3 is the ISV focus space, which resides above the hardware and operating system. The software vendors in the #3 space are primarily focused on the end-state of secure provisioning of the hypervisor and establishing a 'whitelist' of supported hardware. What is not currently supported by the ISVs in this environment is the setup and configuration of the hardware to get you to that 'trusted host' model. This is where the OEMs come into play for step #1.
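To make Steps #1 and #2 concrete, here is an added Python sketch (not code from Intel or from the activation guides) of how a measured boot chain is folded into a PCR and then checked against a whitelist of known-good values before a host is admitted to a trusted pool. It assumes SHA-1 PCRs as on TPM 1.2 platforms, zero-initialised PCRs, and uses PCR indices 17 and 18, which Intel TXT reserves for its dynamic launch measurements; the component blobs are constructed stand-ins for real firmware and tboot images.

```python
import hashlib

PCR_SIZE = 20  # SHA-1 PCR bank, as on TPM 1.2 (assumption for this sketch)


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TCG PCR extend: PCR_new = SHA-1(PCR_old || SHA-1(measurement)).

    A PCR can only be extended, never written, so the final value depends on
    every component measured and on the order in which they were measured.
    """
    digest = hashlib.sha1(measurement).digest()
    return hashlib.sha1(pcr + digest).digest()


def measure_boot_chain(components) -> bytes:
    """Step #1: simulate the TXT/TPM measured launch by extending each
    component of the chain into one PCR, starting from a zeroed register."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


def host_is_trusted(reported: dict, whitelist: dict) -> bool:
    """Step #2: every PCR in the policy must be present and match the
    known-good value; a missing or differing PCR means the host is untrusted."""
    return all(reported.get(idx) == good for idx, good in whitelist.items())


# Constructed sample chains (hypothetical component names, not real images).
GOOD_BIOS_CHAIN = [b"SINIT ACM v1", b"BIOS 2.3.1"]        # what lands in PCR 17
GOOD_TBOOT_CHAIN = [b"tboot 1.8", b"hypervisor kernel"]   # what lands in PCR 18

# The whitelist is built once from a known-good platform (the 'trusted host'
# model the ISVs maintain) and then applied to every host at launch.
WHITELIST = {
    17: measure_boot_chain(GOOD_BIOS_CHAIN),
    18: measure_boot_chain(GOOD_TBOOT_CHAIN),
}


def attest(bios_chain, tboot_chain) -> bool:
    """Measure what a host actually booted and decide whether Step #3
    (launching the OS and apps on the trusted platform) may proceed."""
    reported = {17: measure_boot_chain(bios_chain), 18: measure_boot_chain(tboot_chain)}
    return host_is_trusted(reported, WHITELIST)


if __name__ == "__main__":
    print("known-good host trusted:", attest(GOOD_BIOS_CHAIN, GOOD_TBOOT_CHAIN))
    print("downgraded BIOS trusted:", attest([b"SINIT ACM v1", b"BIOS 2.3.0"], GOOD_TBOOT_CHAIN))
```

Because extend is order-sensitive, a host that measured the same components in a different order also fails the check, which is why the whitelist must be generated from a correctly configured reference platform.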
The attached documents are One-Stop Intel TXT Activation Guides that will help you implement Intel TXT on your Intel Xeon Processor based platform. This will help you establish Step #1 and test Step #2. Screenshots are provided to help you visualize the process to enable each of those platforms on a standalone basis. A scripting framework is provided that can be utilized to automate the deployment of the technology in your datacenter on those particular platforms. Once your platforms are set up and have Intel TXT functioning, you will be ready to start deploying your hypervisor of choice that supports Trusted Boot (tboot) and implement your security use-case model from that point forward.
Current documentation published and attached to this blog is for the following OEMs: DELL, IBM, Supermicro, Intel PCSD, HP and Cisco. A few notes: HP and Cisco have not fully implemented Intel TXT as part of their scale deployment strategy but the baseline configuration can still be performed on a per-server basis. Check with your OEM representative on the Intel TXT readiness of their platforms and software support models to help implement Intel TXT in scale. If you have different OEM systems and can provide more documentation and/or scripting for that particular solution, please join in the discussion to assist others to become more familiar with your scenario.
Intel Server Intel® TXT One-Stop Activation Guide
For a full list of Intel TXT supported platforms, please reference the server platforms support matrix.