A “launch control” or launch control policy (LCP) is part of a comprehensive endpoint protection solution. Traditional anti-virus scans employ a “black listing” technique that aims to identify known “bad” software. Attack signatures guide the scan engine as it searches platform resources. Compromised resources are flagged for remediation. “White listing” involves creating a list of known “good” software that is supplied to a scan engine that flags resources not on the list for remediation. Black and white listing can work together to account for all resources on a system. A launch control integrates the white list scan engine into a system launch procedure to prevent malware from gaining an opportunity to execute on the system. For example, the whitelist may contain reference measurements of code and data (e.g., hash) used to boot or launch an execution environment (e.g., dynamically launched environment). Thus, launch controls can be used to ensure a “trusted boot” occurs.
Trusted boot usage may impact every stage of the boot flow and may be based on trusted hardware, also known as “roots-of-trust”. Trusted Execution Technology (TXT) is an example of a launch control and a root-of-trust technology that can be used to implement a trusted boot usage for virtual environments. Hardware roots-of-trust help a trusted boot eliminate or lessen the possibility of malware posing as legitimate hardware to the layers above. TXT implements a dynamic root of trust for measurement (RTM) that employs launch control policy to ensure only a trusted environment is launched. Put another way, TXT may be the starting point in a sequence of integrity checks performed for the different execution environments in a platform. Thus, TXT may offer a secure starting point in microcode. For example, launch controls such as the TXT launch control ensure that the virtual machine manager (VMM) Launcher is trustworthy.
A VMM may include a host program that allows a computer to support multiple execution environments. For example, a VMM may provide the means, through emulation, to divide a single physical machine (e.g., a server), allowing multiple operating systems to run securely on the same CPU and increasing CPU utilization. A VMM can manage VMs. A VM may include a software implementation of a machine (i.e., a computer) that executes instructions like a physical machine.
Again regarding the TXT launch control, such launch controls do not ensure that subsequently launched VMM infrastructure (e.g., virtual machines (VMs), nested VMMs, nested VMs, and operating system (OS) environments) is also trustworthy. Thus, the launch control can indeed be used to launch a single VMM. However, once the VMM is running, TXT model-specific registers (MSRs) are set such that TXT is not invoked while a VMM using VMX-root is active. Consequently, when a nested VMM is launched, TXT may not be available (e.g., the GETSEC(SENTER) command fails) and the nested VMM may not be securely launched. VMs and nested VMMs are then loaded without application of launch control policy, thereby creating a potential opportunity for a security breach.
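The following is an added illustration, not code from the patent text or from any TXT implementation. It models the whitelist-based launch control policy described in the first paragraph (a reference measurement per launch stage, SHA-256 used here as the measurement function) and the coverage gap described above: the launch control is consulted for the VMM launcher and the root VMM, but once the root VMM is active the control is treated as unavailable, so nested VMMs and VMs are loaded without policy. The component images, stage names, and the `control_stages` rule are constructed assumptions for the example; the report it returns shows a defender which stages were launched unmeasured.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample "images" standing in for the code/data of each launch stage.
COMPONENTS = {
    "vmm_launcher": b"vmm launcher image v1",
    "vmm": b"root vmm image v1",
    "nested_vmm": b"nested vmm image v1",
    "guest_vm": b"guest vm image v1",
}


def measure(data: bytes) -> str:
    """Reference measurement of a component: SHA-256 over its bytes (assumption)."""
    return hashlib.sha256(data).hexdigest()


# Launch control policy (whitelist): stage -> set of allowed measurements.
POLICY = {stage: {measure(img)} for stage, img in COMPONENTS.items()}


@dataclass
class LaunchRecord:
    stage: str
    measured: bool   # was the launch control applied to this stage?
    allowed: bool    # did the measurement match the whitelist? (False if unmeasured)


def check_launch(stage: str, image: bytes, policy: dict) -> bool:
    """Whitelist check: True only if the image's measurement is allowed for this stage."""
    return measure(image) in policy.get(stage, set())


def simulate_launch_chain(images, policy, control_stages=("vmm_launcher", "vmm")):
    """Walk the launch chain in order and apply the launch control where it is available.

    Models the behaviour described in the text: the control (TXT-like) is invoked for the
    launcher and the root VMM; after the root VMM is running it is no longer available, so
    later stages (nested VMM, VMs) load without policy. A failed check stops the chain.
    """
    records = []
    control_available = True
    for stage, image in images:
        if control_available and stage in control_stages:
            ok = check_launch(stage, image, policy)
            records.append(LaunchRecord(stage, measured=True, allowed=ok))
            if not ok:
                break  # launch control refuses to start an untrusted component
        else:
            # Launched with no measurement at all: this is the gap the text describes.
            records.append(LaunchRecord(stage, measured=False, allowed=False))
        if stage == "vmm":
            control_available = False  # control not invoked while the VMX-root VMM is active
    return records


def unverified_stages(records):
    """Stages that were launched without any launch control policy applied."""
    return [r.stage for r in records if not r.measured]


if __name__ == "__main__":
    chain = list(COMPONENTS.items())
    for rec in simulate_launch_chain(chain, POLICY):
        print(rec)
    print("unverified:", unverified_stages(simulate_launch_chain(chain, POLICY)))
```

Running the chain with an unmodified image set yields the nested VMM and guest VM as unverified stages; replacing the root VMM image causes the control to refuse the launch, whereas replacing the nested VMM image is never detected, which is exactly the exposure the paragraph above describes.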