#1 (permalink)
Guest

BitLocker: BootMgr kernel check before handoff?

When using TPM, is there an integrity check performed on the kernel itself before that final handoff from the BootMgr to the Vista kernel?

I know this may not be what BitLocker was designed for, but this seems like a way to thwart kernel rootkits.

Pre-boot integrity is performed by TPM via BitLocker, and after boot by the kernel. It's the handoff from BitLocker to the kernel that seems like a gap...

Thanks!
#2 (permalink)
Guest

Re: BitLocker: BootMgr kernel check before handoff?

Maybe with the new virtualization features of the CPUs, it might be a good idea for ntdetect to be a hypervisor. This would prevent a hypervisor virus from running all the operating systems under it so no possible antivirus program could detect them.

"tavis" <tavis@discussions.microsoft.com> wrote in message news:9C5B4E3D-F73B-4DEB-A7DD-F6C04B55056D@microsoft.com...
> When using TPM, is there an integrity check performed on the kernel itself before that final handoff from the BootMgr to the Vista kernel?
>
> I know this may not be what BitLocker was designed for, but this seems like a way to thwart kernel rootkits.
>
> Pre-boot integrity is performed by TPM via BitLocker, and after boot by the kernel. It's the handoff from BitLocker to the kernel that seems like a gap...
>
> Thanks!
#3 (permalink)
Guest

Re: BitLocker: BootMgr kernel check before handoff?

To Tavis:

BIOS performs integrity checks on itself (CRTM) and on "Initial Program Load" (to load MBR). This chain follows through to BOOTMGR.

BOOTMGR (common to multiple OSes) then uses a table to validate other boot components (e.g. winload.exe). I will get a paper out on this before RTM, but essentially there is a table of valid boot components and settings that is MAC'd.

WINLOAD.EXE (specific to the booting OS) then uses code-integrity to validate OS components; the remainder of the trust chain utilizes code-integrity.

Using a TPM chain of trust past BOOTMGR becomes very fragile due to code load/execution branches; however, the integrity chain is maintained through other mechanisms that are more applicable to the load/execution branches.

To David:

I will only note that there is a good reason why BitLocker came from the group previously known as NGSCB (it's now called System Integrity). This was an early design goal, but the virtualization and firmware interaction poses some issues. Another version...

(BTW, ntldr/ntdetect has been replaced by the BOOTMGR/WINLOAD.EXE architecture).

--
Jamie Hunter [MS]

"David J. Craig" <Dave@yoshimuni.com> wrote in message news:uYHFtcKpGHA.2292@TK2MSFTNGP05.phx.gbl...
> Maybe with the new virtualization features of the CPUs, it might be a good idea for ntdetect to be a hypervisor. This would prevent a hypervisor virus from running all the operating systems under it so no possible antivirus program could detect them.
>
> "tavis" <tavis@discussions.microsoft.com> wrote in message news:9C5B4E3D-F73B-4DEB-A7DD-F6C04B55056D@microsoft.com...
>> When using TPM, is there an integrity check performed on the kernel itself before that final handoff from the BootMgr to the Vista kernel?
>>
>> I know this may not be what BitLocker was designed for, but this seems like a way to thwart kernel rootkits.
>>
>> Pre-boot integrity is performed by TPM via BitLocker, and after boot by the kernel. It's the handoff from BitLocker to the kernel that seems like a gap...
>>
>> Thanks!
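The chain Jamie describes in #3 (TPM measurements covering CRTM, IPL and BOOTMGR; then a MAC'd table of valid boot components that BOOTMGR checks before loading winload.exe; then code integrity from WINLOAD onward) can be sketched as a small model. This is an added example written for this thread, not Microsoft's code and not the real Vista data formats: the component byte strings, the sealing key, the choice of SHA-256 and HMAC-SHA256, and every function name are assumptions made for illustration. It shows why the table catches a modified winload.exe even though winload is not itself in the PCR chain, and why a modified table is rejected without the key.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the boot components named in the thread. They are
# not real boot code; they exist only so the measurement steps have bytes to hash.
BOOT_COMPONENTS = {
    "crtm":    b"constructed: core root of trust for measurement",
    "ipl_mbr": b"constructed: initial program load / master boot record",
    "bootmgr": b"constructed: BOOTMGR image",
    "winload": b"constructed: winload.exe image",
}

# Hypothetical sealing key. On real hardware the TPM releases such a secret only
# when the PCRs hold the expected values; here it is a fixed constant.
SEAL_KEY = b"hypothetical-key-released-by-tpm-when-pcrs-match"

ZERO_PCR = bytes(32)


def component_hash(data):
    """Hex SHA-256 of a component image (the 'valid component' entry in the table)."""
    return hashlib.sha256(data).hexdigest()


def pcr_extend(pcr, data):
    """TPM-style extend: PCR_new = H(PCR_old || H(data)). One-way and order-sensitive."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def measure_pre_boot(components, upto="bootmgr"):
    """Simulate the measured part of the chain: CRTM -> IPL/MBR -> BOOTMGR, nothing later."""
    pcr = ZERO_PCR
    for name, data in components.items():
        pcr = pcr_extend(pcr, data)
        if name == upto:
            break
    return pcr


def build_manifest(components, names, key):
    """Table of expected hashes for the post-BOOTMGR components, plus a MAC over it."""
    table = {name: component_hash(components[name]) for name in names}
    encoded = json.dumps(table, sort_keys=True).encode()
    tag = hmac.new(key, encoded, hashlib.sha256).digest()
    return table, tag


def manifest_is_authentic(table, tag, key):
    """Recompute the MAC over the canonical encoding and compare in constant time."""
    encoded = json.dumps(table, sort_keys=True).encode()
    expected = hmac.new(key, encoded, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def bootmgr_handoff(components, table, tag, key, expected_pcr):
    """Decide whether BOOTMGR may hand off to winload. Returns (ok, reason)."""
    # 1. Pre-boot state must match what the key was sealed to.
    if not hmac.compare_digest(measure_pre_boot(components), expected_pcr):
        return False, "pre-boot measurements differ; sealed key would not be released"
    # 2. The component table itself must be authentic.
    if not manifest_is_authentic(table, tag, key):
        return False, "component table MAC invalid"
    # 3. Each component to be loaded must match its table entry.
    for name in table:
        actual = component_hash(components[name])
        if not hmac.compare_digest(table[name], actual):
            return False, f"{name} does not match the validated table"
    return True, "handoff permitted"


if __name__ == "__main__":
    good_pcr = measure_pre_boot(BOOT_COMPONENTS)
    table, tag = build_manifest(BOOT_COMPONENTS, ["winload"], SEAL_KEY)
    print(bootmgr_handoff(BOOT_COMPONENTS, table, tag, SEAL_KEY, good_pcr))
    patched = dict(BOOT_COMPONENTS, winload=b"constructed: patched winload")
    print(bootmgr_handoff(patched, table, tag, SEAL_KEY, good_pcr))
```

The three checks map onto the thread: the PCR comparison is the TPM part of the chain and stops at BOOTMGR; the MAC'd table is what lets BOOTMGR vouch for winload.exe without extending the fragile measurement chain past it; what happens after winload (code integrity over the kernel and drivers) is outside this model.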