Here is a functional block diagram of the Palladium software, based on a recent presentation by Microsoft. My notes were a bit sketchy as I rushed to copy down this slide, so there may be some slight errors. But this is basically what was shown. (Use a monospace font to see it properly.) Normal Mode Trusted Mode +-----------------------------------------------------------------+ | +-------+ | +-------+ | | Nubsys | App |---o | o---| Agent | | USER | exe | PdLib | | | PdLib | | | o +-------+ | +-------+ | | | | o | | | | | | |--------|----------------------------+-----------|---------------| | \-----------------\ | | | | | | | | | +---------+ +--------+ | +------------------+ | | | Main OS | | NubMgr |--o | o--| Secure Executive | | KERNEL | ++----+----+----+ | sys | | | Nexus | | | | HAL | Drivers | +--------+ | +------------------+ | | +-----+---------+ | | | | | +-----------------------------------------------------------------+ The idea is that initially only the left half exists. To launch Palladium the user runs the Nubsys.exe program. This goes into kernel mode and loads the NubMgr.sys module, which initiates trusted mode and launches the secure executive or "nexus". (This is what is also sometimes called the Nub or the TOR.) When a Palladium-aware app is launched in user mode, it is linked with a PdLib and requests to the Nexus to load the corresponding Trusted Agent. The Agent runs trusted in user mode, and has its own PdLib which lets it make system calls into the Nexus. The Trusted Agent and the application then communicate back and forth across the trusted/normal mode boundary.