Next Generation Secure Computing Base NGSCB

New Hardware Components For NGSCB

        The following minimum set of hardware components is required to support the NGSCB architecture and features:

•  An NGSCB-enabled CPU
•  An NGSCB-enabled chipset

• A dedicated SSC that is physically bound to the NGSCB system motherboard

• Secure input devices, including a keyboard and mouse

Abstract

            The next-generation secure computing base (NGSCB) is an industry-wide initiative that combines computer hardware platform enhancements with trustworthy-computing capabilities and services. NGSCB requires changes to the operating system and hardware. Some scenarios will also require enabling via network infrastructure. While existing programs will continue to work on a computer running NGSCB, they must be rewritten to take advantage of the new security provided by NGSCB. 

 Introduction

          Today's personal computing environment is built on flexible, extensible, and feature-rich platforms that enable consumers to take advantage of a wide variety of devices, applications, and services. Unfortunately, the evolution of shared networks and the Internet has made computers more susceptible to attacks at the hardware, software, and operating system levels. 

Authenticated Operation

               One of the key features of NGSCB is authenticated operation. Trusted applications running in the protected operating environment are identified and authenticated by their code identity, which is computed by the nexus. That code identity is the digest of the application's manifest. The user can define policies that restrict access to sealed secrets based on the application's code identity.

Secure Video Hardware

               Secure video hardware and software work together to ensure that secure windows cannot be obscured, captured by unauthorized software, or altered by unauthorized software. The focus of secure video is protecting the path used to transfer video data from the nexus to the graphics adaptor. A secure graphics adaptor can be integrated in the chipset with a special closed path between it and the nexus. For example, as part of this solution, the graphics adaptor could offer a set of registers at a fixed address, accessible only when the system is running in nexus mode. 

Conclusions

              NGSCB provides a protected run environment for programs, which isolates them from other programs. Each program is protected from software attack, even from the operating system. Unlike conventional authentication models, NGSCB is rooted in software authentication and provides software isolation, secure storage, attestation, and secure I/O operations.