Intel 'LaGrande' Chipset Ships, First Test of New vPro Trusted Platform
One of the most ambitious new features ever to be built into an x86 motherboard is now publicly available: a hypervisor-based computer that runs both the operating system and its underlying BIOS under the control of a virtual machine monitor.
Underneath these physical and virtual layers is Intel's latest and boldest implementation of the Trusted Computing platform - the highly anticipated, and in some circles dreaded, LaGrande platform, now called Trusted Execution Technology (TXT). It is quite literally a computer that provides the entire universe for another computer, replacing the BIOS with a radically advanced underlying system capable of detecting incursion at the deepest levels.
A careful read of Intel's newly revised documentation (PDF available here) shows what the company has been concentrating on since LaGrande's initial unveiling in March 2006: a completely virtualized computing environment called the Measured Launch Environment (MLE), where every component of what an operating system typically considers as "the PC" is rendered in software. What Windows or Linux - or, perhaps at some future date, Mac OS - perceives as the computer, is actually code that's executed here.
It's the "measured" part that characterizes the road Intel has traveled to get here. The whole point of the underlying TXT platform is to monitor the MLE to detect any sign of corruption, from outside or inside. In order that TXT can trust itself to make that judgment -- to ensure the base platform is also free from corruption -- it establishes a root of trust, which is an inviolable region of code that is closed to the network above.
That code is used to authenticate and validate the integrity of the TXT. With the TXT's validation being maintained, it can continue to use cryptographic hash routines supplied by the root of trust to ensure that system services running in the MLE are not compromised. These services don't even have to know the TXT exists.
It seems logical enough...and if that were the original message Intel sent to customers when it first thought of the idea, we might actually be here sooner than we are. But back even before it was dubbed LaGrande - when Intel and Microsoft were working on it together, and it was called Palladium - word spread that its Trusted platform could conceivably be leveraged by services for validating and ensuring the presence of digital rights management schemes. By 2005, security experts such as the respected cryptography expert Bruce Schneier sounded the alarm.
"It's very much a baby/bathwater thing going on," Schneier told me in October 2005. "In their zeal to stamp out piracy, the media companies might actually stamp out computing. They don't want you to have computers; they want you to have Internet entertainment platforms. To the extent that you have a fully programmable computer, that's a danger, because you could do things that are unauthorized by whoever wants to start giving out authorization...It's not like a television, where you do what we tell you to do."
Fear grew among Intel's customer base of a future where underlying system services were constantly verifying every process the user undertakes, making certain it has nothing to do with piracy, unauthorized copying, unpermitted use of services, use of unlicensed software, or anything else that some agency at some future date may see fit to un-authorize.
But ever since then, Intel's engineers have stated that, although it's technically feasible for Trusted Platform code to be leveraged by DRM schemes, that is not what its vPro technology is designed to do. Nevertheless, Intel did make a decision last year not to sell vPro as a consumer technology, at least not at first, partly due to the negative publicity surrounding it. This is why vPro is billed as a business technology. Notice also notice, that Microsoft is no longer a direct participant in this project.
TXT makes its vPro premiere in Intel's Q35 Express chipset, which appears on Intel's DQ35JO and DQ35MP micro-ATX motherboards.
Today, Intel spoke of a new feature called "system defense filters," which is not something outlined in the new TXT specifications, at least not by that name. As this morning's press release describes them, "These filters can identify greater numbers and varieties of threats in the network traffic flow."
This seems to indicate Intel's intention to run the TXT layer as a true networked computer unto itself, with Internet access and perhaps networked system monitoring capabilities. What this means is nothing less than the official entry of the world's leading PC hardware manufacturer into the system security business.
While Intel characterized today's announcement as a formal unveiling, which typically precedes either a product's release from factories or its premiere on store shelves, BetaNews discovered at least one Fry's Electronics customer who seems to have purchased a DQ35JO several days early, for a curiously low bargain price of $130.
Perhaps this store put it on the shelf not really knowing what it was. Our check of Amazon.com this afternoon shows four DQ35JO boards available at over ten times that price.
The fellow asked fellow members of CompatDB.org whether it was worth his time to build a server out of this thing, or should he take it back to Fry's and get his money back. Hopefully he's reading this now: You might want to hang on to it.