SAN MATEO, Calif. Microsoft Corp. and a handful of partners are providing the first technical details of a long-term strategy to make the PC more secure. The so-called Palladium architecture is ambitious, but just how and when it will be rolled out is still unclear. First specifications of the architecture are not expected until early or mid-2003.
Palladium, as it is currently conceived, will plug many, but not all, of the well-known security holes in the PC architecture. The effort will depend in part on a low-cost encryption chip that stores secure keys as the basis for a secure processing mode initially aimed at preventing virus attacks and protecting e-commerce.
The technique will require generally minor modifications across the PC food chain, including CPUs, chip sets, graphics chips, interconnects, the operating system, peripherals and applications. While the final systems cost to an OEM for Palladium is targeted at less than $10, the breadth of the changes needed raises huge compatibility issues.
The effort faces political controversy on two fronts. Privacy advocates fear a loss of control in the digital world. But Palladium backers say their architecture will be an opt-in system that users will be able to control and that will keep their keys private.
And antitrust concerns have already come to the fore, particularly in the current climate of corporate scandals and Microsoft's ongoing antitrust case. Microsoft pledges to publish the source code to a kind of secure kernel, called the Trusted Operating Root, that will be the basis for Palladium and to keep its overall development process for the project open to public input. To date, however, details have been kept under strict nondisclosure agreements.
At the technical level, Palladium has already raised the hackles of some members of the Trusted Computing Platform Alliance (TCPA), an ad hoc group of 170 companies ironically, including Microsoft that have been working since October 1999 to specify a more secure PC. TCPA members say the Palladium announcement may stifle demand from PC makers for the first-generation chips, called trusted platform modules (TPMs), which were based on a TCPA 1.1 spec and will need to be modified to work with Palladium.
"That Microsoft chose not to speak up when TCPA version 1.1 would not meet their needs is annoying," said Kerry Maletsky, director of Atmel's ASSP Division, which makes TPM chips. "They effectively announced Palladium at the same time that the TPM chips started coming out," which proved a disincentive to building TCPA systems, Maletsky asserted.
Atmel, Infineon, National Semiconductor and STMicroelectronics make TPM chips, although Atmel is believed to be the only company shipping them for a design win, in an IBM notebook (see April 29, page 1).
One source, who asked not to be identified, said chip makers believe they will have to make a fairly modest redesign of the current TPM chips to conform to Palladium once they get technical details from Microsoft. Completion of an upcoming TCPA 2.1 spec should help merge the TCPA and Palladium efforts, the source said.
"There's just enough difference [between the TCPA and Palladium approaches] that the semiconductor makers are all pissed, but everybody is resigned to do it," the source said.
Atmel's Maletsky said TPMs could still be used in PCs before the arrival of Palladium and later in a non-Windows environment for handhelds, point-of-sale systems, set-top boxes and other embedded systems.
"We are not trying to dismantle TCPA, but there are differences in our two approaches," said Mario Juarez, group product manager for Microsoft's content security unit, which is developing Palladium in cooperation with Intel Corp. and Advanced Micro Devices.
Juarez said TCPA members' disgruntlement might be disingenuous. "People have known what we have been doing with Palladium for a long time," he said.
Microsoft held its first design review for Palladium under NDA with about 37 companies at its Redmond, Wash., campus in April, about the time IBM announced it would be the first to use the TPM chips.
"Palladium is about enabling a new processing mode in the system while preserving the legacy computing modes," said Geoffrey Strongin, an AMD platform security architect and one of the core Palladium developers.
Exactly how the secure process works is still unclear, but discussions with Microsoft, AMD and others suggest the following pattern.
Users must first decide to activate the Palladium feature in a new PC. Once the feature is activated, a secure process might start anytime an application or transaction requests the secure mode. Secure processes could be run in parallel with traditional Windows tasks.
A small piece of code which Microsoft calls the Trusted Operating Root (TOR) and Strongin and others call a secure kernel or, more colloquially a "nub" triggers the start of a secure process. The south bridge chip is involved in initiating the process via a handshake that Strongin described as part of the "secret sauce" of Palladium.
That handshake could essentially be the manner in which the nub presents a kind of signature to a separate security processor, essentially an upgraded version of the TPM chip. The TPM chip performs a hashing algorithm probably a high-end RSA algorithm on the signature and its private keys, stores the result and returns it to the nub. If someone tampers with the nub, a future hashing operation will change the result, leaving the nub with keys that do not match and shutting down the security rights of that process.
The CPU includes about half a dozen new registers and as many new instructions to support the secure-processing mode, although Intel and AMD are expected to have diverging implementations. A novel data structure associated with the nub and presented to the CPU initiates the process. Secure processes can be built up and torn down as often as a user wants.
The unique ID created by the nub and the TPM help provide encryption and decryption capabilities for secure RAM or hard-disk storage and secure I/O in the system. A "dongle" or small hardware add-on will secure inputs from USB keyboards and mice in version 1 of Palladium. Graphics chips would be expected to handle encrypted data and/or conditional-access interfaces, closing the door to attacks on data in a graphics frame buffer.
Under Palladium, any bus master device seeking direct access to memory must go through a piece of logic called a device exclusion vector on the memory controller. The logic would check access permission based on stored values in an encrypted lookup table in system RAM. That plugs the hole left open by direct-memory-access devices on the PC.
Some developers have considered removing support for notoriously insecure floppy drives and PS/2 keyboards and mice from Palladium systems, although that would not be a requirement.
Currently Palladium is focused only on securing I/O inside the box, but eventually Microsoft hopes to rally makers of displays using the DVI interface to develop models that can handle encrypted data.
"The collaboration with digital display vendors hasn't been completed yet," said a second source familiar with the effort.
"There is not a significant area penalty" for the CPU, graphics or chip set changes, said Strongin of AMD.
Palladium got its start in Microsoft in 1997 with developer Peter Biddle, who was working on ideas for providing content protection for movies on a PC. Biddle gathered developers from Microsoft Research and its NT group; the team spent more than a year crafting a "blue-sky architecture to meet the studios' challenge in the pre-Hollings era," said Microsoft's Juarez, referring to the copyright protection bill now in Congress.
The group filed a number of patents on its efforts, including a patent for a digital-rights management operating system. But the direction of its work changed as the debates over copyright protection escalated; and, as Juarez said, "by 1999 we realized this had a lot of potential beyond putting movies on a PC."
Microsoft engaged Intel and AMD, which had been working on similar issues. Juarez's group was launched in October to build Palladium. The timing put the move in the shadow of Sept. 11 and the mandate from Washington for greater cyber-security, but "the wheels were in motion [to form the group] last summer," Juarez said.
AMD had its own security initiative, which involved changes to the CPU and operating system, and approached Microsoft in late 1999 to find that company engaged in similar work. "We met in the middle," Strongin said.
(Intel would not discuss its work on Palladium, but president Paul Otellini said in April that Intel was working with Microsoft to put security in CPUs and chip sets.)
Some speculate the first Palladium products will arrive with Longhorn, the next major version of Windows, slated for a 2004 release. Microsoft argues it could take longer.
"It will be in a future version of Windows, but we aren't saying when. We don't even know what Longhorn is yet or exactly what it will take for us to do this," said Juarez.
"We're talking about some pretty daunting technology tasks here, especially for Microsoft. The compatibility issues are huge," said the first unidentified source.
At the April NDA meeting, one Microsoft executive said the echnology would roll out gradually to targeted business users. Chip makers fired back that the capability should be taken quickly to mainstream PCs, a position some analysts still hold.
But Microsoft is sticking to its guns on a go-slow approach initially aimed at business verticals and government users. "Our ambitions are big, but our expectations are modest," said Juarez. "There will need to be a lot of maturing and things to build out" before Palladium is ready for consumers.
"It's hard to predict what people will use this for. Its utility depends on the inventiveness of application developers," Strongin said. "This has relevance to a number of application spaces, including virus checking and tools that guard against a system attack. There is also a whole range of e-commerce applications. And digital-rights management is one that could benefit from having a trusted base to stand on."
"There are all kinds of things you could do with this," said Martin Reynolds, a senior Dataquest analyst who has been briefed on Palladium. He cited improved ability to battle viruses, better digital-rights management for copyrighted content and novel capabilities such as creating e-mails that delete themselves after a fixed time.
Palladium has its limits. For instance, it does not support a secure boot mechanism in its current form, and hackers could craft a phony trusted system given enough time and money.
"We made a judgment call that this will bring a strong foundation at an affordable level," said Strongin. "If you go a lot further down this road, eventually you get to where you need Marines."
Security analyst Bruce Schneier of Counterpane Internet Security Inc. (Cupertino, Calif.) said the Palladium technology seems sound but is suspicious of Microsoft's motives.
"The approach isn't bad, but who is it providing security for the user Microsoft or Disney? The technology is being put in place, but the politics will come later," Schneier said.
Microsoft's potential use of proprietary technology rather than publicly available specs raises further antitrust issues, he added.
Dataquest's Reynolds said Palladium will either be an instant hit or a big flop: "I don't think you'll see it until 2005. But by 2008, it will be on every PC or on none of them," he said.