
Re: None

Friday, 08/24/2018 5:52:10 AM


Post# of 1894
Extending Trust to Embedded Mobile Systems

http://www.embedded-computing.com/hardware/extending-trust-to-embedded-mobile-systems

Wave Systems Corp. (fka WAVXQ)

Genz2

Post #245331

With more than 95% market share in smart phone processors, Arm, now a part of Japan's SoftBank Group, has provided compelling reasons for mobile system designers to choose its architecture. The first Windows 10 laptops and convertibles with Arm-based processors started shipping in 2018 with several leading suppliers planning to add to the product offerings. Among the claims for these devices are longer battery life and faster built-in LTE connectivity. Of course, with this connectivity comes the need for increased security and trust to prevent software attacks and/or unauthorized updates.

The Trusted Computing Group’s Trusted Platform Module (TPM) specification has been providing the basis for trust in computing and server applications for almost two decades. The latest version, TPM 2.0, also known as ISO/IEC 11889, allows for discrete, integrated, firmware, software and even virtual implementations to extend its use in mobile and embedded applications. Used to measure the code that will be executed (known as measured boot), a TPM can also authenticate and secure platforms using passwords, certificates, digital signatures, and/or encryption keys. In general, the process of securing a platform with TPM 2.0 starts with the platform system BIOS and its support of any underlying firmware.

As a replacement or enhancement for the BIOS, the Unified Extensible Firmware Interface (UEFI) spec developed by the UEFI Forum defines a new model for the interface between a computer’s operating system (OS) and platform firmware. UEFI firmware performs the equivalent of the BIOS by initializing the platform and loading the OS. Incorporating TPM 2.0, UEFI firmware with the TCG2 protocol supports a more secure system, a faster boot time and improved performance with UEFI Secure Boot helping to defend against malware attacks before the OS loads. The processor architecture agnostic approach of UEFI firmware supports x86, x64, and Arm designs.

With the recently announced support of American Megatrends (AMI) for TPM on Arm-based systems running the company’s Aptio V UEFI Firmware, Arm implementations of UEFI received a timely boost. By extending its previous TPM support for x86 platforms, AMI gives system designers the alternative to easily use UEFI firmware in their Arm-based systems with the ability to better secure their systems and the information stored within them.

The added TPM support for Arm-based systems includes features specific to Arm, such as TPM driver support within Arm TrustZone technology and Linux OS support. The Arm TrustZone TPM can be accessed by the BIOS and OS via the Command Response Buffer interface using Secure Monitor Calls (SMC). TPM SMC communication libraries within Arm TrustZone are developed by AMI. Other generic features supported by TPM include cryptographic algorithms and measurement of SecureBoot variables.

The Chain of Trust is maintained via the TPM. The TPM is initialized at Arm Boot Stage 1, which begins the chain of trust. Between each stage, a measurement of the next stage is performed. When the Aptio V bootloader is given control, the AMI TCG2 module measures the OS Bootloader.

Using UEFI as a secondary bootloader avoids the need for embedded-system designers to learn different security schemes for every silicon platform or microcontroller. TPM-enabled UEFI-based firmware solutions, such as the TCG2 module for Aptio V UEFI BIOS firmware from AMI, help establish a common standards-based way to implement secure and measured boot in next-generation Arm and other platforms.
================================================================
American Megatrends and Wave to Extend UEFI Support in Windows 8 for BIOS Malware Detection

https://www.wavesys.com/buzz/pr/american-megatrends-and-wave-extend-uefi-support-windows-8-bios-malware-detection

Norcross, GA and Lee, MA - February 24, 2012 - American Megatrends Inc. (AMI), a leader in BIOS and computing innovations, and Wave Systems Corp. (NASDAQ:WAVX www.wave.com) are collaborating on the development of Windows 8-compatible solutions to assure that platforms remain free of Advanced Persistent Threats (APTs)—sophisticated cyber-attacks that access and steal information from compromised computers. APTs involve malicious code that circumvents common safeguards such as anti-virus software and seeks entry before the operating system loads.

Central to Windows 8 is the use of Aptio, AMI’s solution for UEFI (Unified Extensible Firmware Interface), which represents an overhaul of the computer boot environment, while still bearing similarities to the legacy BIOS (Basic Input Output System) it replaces. The UEFI specification introduces advanced firmware features defining boot and runtime protocols for communications between services and device drivers, and offers a standard interface to the operating system. Providing standardized access to boot data optionally stored on either NAND flash or on a hard drive, Aptio provides more space for boot-time diagnostics and running utilities. The result is dramatically faster boot-up times and better performance.

Windows 8 takes advantage of UEFI secure boot architecture to enhance the operating system’s security capabilities. Secure boot allows only signed software to run on the device, adds cryptographic checks to each stage of the boot process and asserts the integrity of all the software images that are executed to prevent unauthorized, modified software from running. Wave solutions report on the execution of the secure boot and verify that anti-malware software has been launched before any third-party boot drivers to prevent malware from bypassing inspection.

Building a “chain of trust” requires the collaboration of multiple partners. AMI provides the first step in the trust chain by assuring that the BIOS components are registered and signed prior to the delivery of the platform. As the computer boots, each component reports its status to the Trusted Platform Module (TPM), which securely records the status measurements. This provides a critical first step that sets the stage for a more trustworthy computing environment.

Wave constitutes the next link in the trust chain with solutions designed to assure that the integrity of the secure boot is reported and attested to the enterprise network or Cloud service. Wave Endpoint Monitor, currently deployed in beta testing, uses the TPM to report on the success of the secure boot and leverages the chip to prove that the process has executed correctly. Endpoint Monitor can then prove to a Cloud service or to an enterprise application that the PC has booted in a known, good state. If a platform is compromised, IT can determine which machine is infected, and take steps to prevent it from accessing sensitive systems to ensure that critical systems and data remain safe.

“Securing the computer from power on is critical to the defense of intellectual property and the corporate infrastructure,” remarked S. Shankar, President and CEO of American Megatrends. “AMI is pleased to provide Microsoft with the foundation of security for Windows 8, and to work with Wave to extend security capabilities that wouldn’t have been possible in a legacy environment.”

Steven Sprague, Wave’s CEO, commented, “AMI and PC manufacturers offer great assurance that the UEFI components are trusted when delivered to the customer. Wave provides IT with a greater level of knowledge and trust in the boot process and assurances that only known devices are on the network. Knowing the identity of the machine and assuring the health of its BIOS represent significant strides forward in combating advanced persistent threats.”

AMI has spent the last year supporting the launch of Windows 8 by ensuring that AMI’s Aptio UEFI firmware is in full compliance with the latest UEFI specification, UEFI 2.3.1. New features include pre-OS security, speed and secure boot. AMI is also working with PC OEMs, developers and partners such as Wave by providing UEFI development PCs for testing within a Windows 8 ecosystem. AMI has worked in partnership with Microsoft to develop this system in order to facilitate the rapid development of Windows 8 throughout the entire developer community. These new UEFI development PCs are powered by the latest version of Aptio® UEFI BIOS, version 4.6.5.1. Aptio 4.6.51 not only offers full support for Windows 8, but also adds support for the latest UEFI specifications, UEFI 2.3.1 and PI 1.2. This makes the latest features of the UEFI specification, such as Secure Boot, UEFI boot mode, fully localizable user interface and more, available to manufacturers in a production-ready UEFI BIOS. Notably, this development system will be the first PC on the market with full UEFI 2.3.1 support, allowing for a complete Windows 8 experience.

In preparation for Windows 8 availability, Wave is using some of the capabilities of the TPM to enable an enterprise infrastructure to support the features in Windows 8 that take advantage of UEFI capabilities. Enterprises stand to benefit from a tool that can detect rootkits, assure the core capabilities of a platform and establish very strong device identity—capabilities that have been missing for the last 20 years and that are critical to establishing a more trustworthy computing environment.
=================================================================
It would be a great extension from computer to mobile with AMI/Wave. As much as I am disappointed with how SKS's leadership turned out, he would have been able to see through the UEFI/TPM with Wave's software from computer to mobile which would seem to be highly lucrative to Wave/ESW. There are probably other ex-Wave employees who would know how to finish the transition above. imo.
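
The chain of trust the quoted articles describe (each boot stage measured into the TPM before it runs, then the result reported to a verifier), as an added Python sketch that is not part of the original post or of AMI's or Wave's code. Stage names and image bytes are constructed; a real verifier would also check the TPM's signature over the reported PCR value, which is omitted here.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank; PCRs start at all zeroes after reset


def measure(image: bytes) -> bytes:
    """Digest of a boot stage's image, taken before control is handed to it."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: the PCR can only be folded forward, never set directly."""
    return hashlib.sha256(pcr + digest).digest()


def boot(stages):
    """Measured boot: returns the final PCR and the event log of (name, digest)."""
    pcr, log = bytes(PCR_SIZE), []
    for name, image in stages:
        digest = measure(image)
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def verify(reported_pcr: bytes, log, reference: dict) -> str:
    """Verifier side: replay the log, bind it to the PCR, then judge each digest."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = extend(pcr, digest)
    if pcr != reported_pcr:
        return "log does not match PCR"
    bad = [name for name, digest in log if reference.get(name) != digest]
    return "unexpected: " + ", ".join(bad) if bad else "known good"


# Constructed sample stages, loosely following the boot order in the article.
GOOD = [("boot-stage-2", b"bl2 v1"), ("aptio-v-uefi", b"uefi v1"),
        ("os-bootloader", b"loader v1")]
REFERENCE = {name: measure(image) for name, image in GOOD}
TAMPERED = GOOD[:2] + [("os-bootloader", b"loader v1 + implant")]

if __name__ == "__main__":
    good_pcr, good_log = boot(GOOD)
    bad_pcr, bad_log = boot(TAMPERED)
    print(verify(good_pcr, good_log, REFERENCE))  # clean boot
    print(verify(bad_pcr, bad_log, REFERENCE))    # modified stage is named
    print(verify(bad_pcr, good_log, REFERENCE))   # substituted log is rejected
```

The third call shows why the log alone is not trusted: presenting a clean-looking log does not help a modified platform, because the replayed value no longer equals what the TPM recorded.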