Skip to content



AFRL developed SecureView in 2010 for government agencies that wanted a single workstation/laptop system that supported multiple need-to-know groups and classification levels. The underlying OpenXT is very similar in architecture to Qubes], with more "enterprise features", such as remote revocation of access, provisioning, etc. They also support Windows guests, in addition to the normal Linux ones.

The systems can be configured with separate network cards per classification level, or use separate VMs as network encryptors between the guest and network VM. This way the guest VM doesn't have access to the keys and a compromised network device also doesn't have access. This allows "High over Low" to "tunnel classified traffic over NIPRNET infrastructure".

SecureView supports only a small number of laptops and desktops, which allows them to ensure that the firmware has been audited and that they can maintain a chain of trust from power on to TPM key unsealing. They use tboot TXT for late launch verification of the firmware as well.

There is a project underway at NSA to replace the Linux dom0 kernel with a much smaller dedicated kernel that has hard-coded resource allocations to setup the other guest domains using Xen's API. This would remove Linux entirely from their TCB. The Qubes world is considering similar things, including the Mirage OS project to replace parts with safer languages like OCaml.

There are some clever features, such as "GlowView", which changes the keyboard backlight to reflect the security domain that currently has focus.

SMM integrity monitoring

The NSA has developed a virtualized SMM Transfer Monitor (STM) called STM/PE that allows them to run enclave-like code in System Management Mode, where it is somewhat protected from attackers who can escalate to ring0. They promised to release this code, although it isn't on the NSA github page yet.

They have published a paper about LKIM, the Linux Kernel Integrity Measurer that monitors the Linux kernel from SMM, and they have mentioned that there have a Xen specific integrity monitor.

2018 Security

Last update: November 8, 2020