Bauer, Ren | 23 Sep 23:30 2012

tboot with 32-bit non-PAE kernel

Hey,

I'm trying to do some work with flicker, and it's my understanding that this software requires tboot and a
32-bit non-PAE kernel, but I haven't been able to find any help on setting up tboot with a kernel that
matches these requirements. (Additionally, I'd like to be able to use GRUB2 as I don't have any experience
with GRUB)

If anyone could point me to a kernel that fits these requirements and that could be set up relatively easily
with tboot, I'd appreciate it.

Currently I have the following set up:

Lenovo W520
Fedora 17 32-bit
Custom-built 32-bit kernel based on vmlinuz-3.5.4 with TXT options enabled and PAE disabled (I think) @ /boot/vmlinuz-3.5.4-txt
tboot 1.7.1 @ /boot/tboot.gz
2nd_gen_i5_i7-SINIT_51 module @ /SINIT_51.bin

The following GRUB2 menu entry:

menuentry 'Fedora 17 32-bit with tboot' {
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_msdos
        insmod ext2
        set root='(hd0,msdos4)'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos4 --hint-efi=hd0,msdos4 --hint-baremetal=ahci0,msdos4 --hint='hd0,msd
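An added example, not from the post above and not tboot's own code: a POSIX shell script that checks a kernel build for the properties the post asks for (32-bit, PAE off, Intel TXT on) and prints a GRUB2 menuentry in the multiboot layout tboot expects, with tboot.gz as the multiboot kernel, the Linux kernel with its command line as the first module, the initramfs as the second, and the SINIT ACM as a further module that tboot locates itself. The tboot, kernel and SINIT paths are the ones from the post; the initramfs path, the `root=` command line and the location of the build config are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or from tboot): check a kernel build for
# the properties the post asks for and emit a GRUB2 entry that boots tboot.
# Paths that do not appear in the post (initramfs, config, root=) are assumptions.

# Return 0 if CFG describes a 32-bit, non-PAE kernel with Intel TXT support.
# Prints "ok" or the first failing requirement on stdout.
kernel_config_ok() {
    cfg="$1"
    if ! grep -q '^CONFIG_X86_32=y' "$cfg"; then
        echo "not a 32-bit build (CONFIG_X86_32 missing)"; return 1
    fi
    # A 32-bit config has either CONFIG_X86_PAE=y or "# CONFIG_X86_PAE is not set".
    if grep -q '^CONFIG_X86_PAE=y' "$cfg"; then
        echo "PAE is enabled (CONFIG_X86_PAE=y)"; return 1
    fi
    if ! grep -q '^CONFIG_INTEL_TXT=y' "$cfg"; then
        echo "TXT support missing (CONFIG_INTEL_TXT=y)"; return 1
    fi
    echo "ok"
    return 0
}

# Print a GRUB2 menuentry. tboot.gz is the multiboot kernel; the Linux kernel
# (with its command line) must be the first module and the initramfs the
# second; tboot finds the SINIT ACM by scanning the remaining modules.
tboot_menuentry() {
    title="$1" root="$2" tboot="$3" kernel="$4" initrd="$5" sinit="$6" cmdline="$7"
    cat <<EOF
menuentry '$title' {
        insmod multiboot
        insmod gzio
        insmod part_msdos
        insmod ext2
        set root='$root'
        multiboot $tboot logging=serial,vga,memory
        module $kernel $cmdline
        module $initrd
        module $sinit
}
EOF
}

main() {
    # Assumed: the build's .config was copied to /boot next to the kernel image.
    kernel_config_ok /boot/config-3.5.4-txt || exit 1
    # Append the entry to the custom GRUB2 fragment, then regenerate grub.cfg with
    #   grub2-mkconfig -o /boot/grub2/grub.cfg
    tboot_menuentry 'Fedora 17 32-bit with tboot' '(hd0,msdos4)' \
        /boot/tboot.gz /boot/vmlinuz-3.5.4-txt /boot/initramfs-3.5.4-txt.img \
        /SINIT_51.bin 'root=/dev/sda4 ro' >> /etc/grub.d/40_custom
}

# Run main only when executed under this name, so the functions can be sourced.
case "$0" in */tboot-grub.sh|tboot-grub.sh) main ;; esac
```

The entry deliberately drops `load_video`/`gfxpayload` from the post's stanza: tboot needs nothing from them, and fewer commands before `multiboot` means fewer things to debug when the launch fails.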

Jonathan McCune | 31 Aug 15:45 2012

Re: JTAG and TXT?

Hi Joanna,

On Fri, Aug 31, 2012 at 5:47 AM, Joanna Rutkowska <joanna@invisiblethingslab.com> wrote:
> So, am I asking a wrong question? ;)

I can try to give an answer to a related question...

> On 08/09/12 20:19, Joanna Rutkowska wrote:
>> I'm curious whether activation of the JTAG interface affects PCR values,
>> be that those measured as part of SRTM, or those as part of
>> SENTER/SINIT?

I got started with dynamic root of trust on AMD hardware.  Let me
relate some details for AMD, and then I will talk about Intel.  I had
access to one of AMD's Hardware Debug Tools (HDT) at the time.  To the
best of my knowledge, this device connects directly to some CPU pins
(via a motherboard header that breaks them out).

From AMD manual 24596 ("System Programming"), Rev 3.20, December 2011:
Section 15.27.6: "Debug Considerations: SKINIT automatically disables
various implementation-specific hardware debug features. A debug
version of the SL can reenable those features by clearing the
VM_CR.DPD flag immediately upon entry."

I empirically determined that, indeed, the HDT is useless in the
interval between executing SKINIT and having an instruction in the
launched code to clear VM_CR.DPD.

On Intel, we did not have any direct debugger device support from

gang.wei | 31 Aug 08:05 2012

[PATCH V2] MAINTAINERS: fix TXT maintainer list and source repo path

From: Gang Wei <gang.wei <at> intel.com>

Signed-off-by: Gang Wei <gang.wei <at> intel.com>
---
 MAINTAINERS |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index fdc0119..987ad0f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
 <at>  <at>  -3666,11 +3666,12  <at>  <at>  F:	Documentation/networking/README.ipw2200
 F:	drivers/net/wireless/ipw2x00/
 
 INTEL(R) TRUSTED EXECUTION TECHNOLOGY (TXT)
-M:	Joseph Cihula <joseph.cihula <at> intel.com>
+M:	Richard L Maliszewski <richard.l.maliszewski <at> intel.com>
+M:	Gang Wei <gang.wei <at> intel.com>
 M:	Shane Wang <shane.wang <at> intel.com>
 L:	tboot-devel <at> lists.sourceforge.net
 W:	http://tboot.sourceforge.net
-T:	Mercurial http://www.bughost.org/repos.hg/tboot.hg
+T:	hg http://tboot.hg.sourceforge.net:8000/hgroot/tboot/tboot
 S:	Supported
 F:	Documentation/intel_txt.txt
 F:	include/linux/tboot.h
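Review bot: the `index fdc0119..987ad0f` line is byte-for-byte the one from the first posting of this patch below, yet the `+T:` line differs (`hg` here, `Mercurial` there), so the post-image blob id cannot be correct for both versions; regenerate V2 with `git format-patch` from the committed tree instead of editing the mail, and put a one-line V1 -> V2 note under the `---` separator saying that only the `T:` keyword changed. The `-M: Joseph Cihula` removal also carries no Acked-by from him and the message gives no reason for the maintainer hand-over; a sentence on that would help whoever applies this.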
--

-- 
1.7.7.6


gang.wei | 30 Aug 07:19 2012

[PATCH] MAINTAINERS: fix TXT maintainer list and source repo path

From: Gang Wei <gang.wei <at> intel.com>

Signed-off-by: Gang Wei <gang.wei <at> intel.com>
---
 MAINTAINERS |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index fdc0119..987ad0f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
 <at>  <at>  -3666,11 +3666,12  <at>  <at>  F:	Documentation/networking/README.ipw2200
 F:	drivers/net/wireless/ipw2x00/
 
 INTEL(R) TRUSTED EXECUTION TECHNOLOGY (TXT)
-M:	Joseph Cihula <joseph.cihula <at> intel.com>
+M:	Richard L Maliszewski <richard.l.maliszewski <at> intel.com>
+M:	Gang Wei <gang.wei <at> intel.com>
 M:	Shane Wang <shane.wang <at> intel.com>
 L:	tboot-devel <at> lists.sourceforge.net
 W:	http://tboot.sourceforge.net
-T:	Mercurial http://www.bughost.org/repos.hg/tboot.hg
+T:	Mercurial http://tboot.hg.sourceforge.net:8000/hgroot/tboot/tboot
 S:	Supported
 F:	Documentation/intel_txt.txt
 F:	include/linux/tboot.h
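Review bot: the `+T:` line keeps the `Mercurial` keyword carried over from the `-T:` line it replaces; the SCM type in a `T:` entry should be the tool name, which is what the V2 posting of this patch above switches to, so use `T:	hg http://tboot.hg.sourceforge.net:8000/hgroot/tboot/tboot`. The commit message is a bare subject: state why Joseph Cihula is dropped and two maintainers are added, and get an Acked-by from the outgoing maintainer if possible.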
--

-- 
1.7.7.6


Min Li | 15 Aug 17:27 2012

Intel TXT Launch Environment

Hello,
I plan to launch tboot on a server. However, I found IA32 Feature Control MSR=5,
which means the BIOS disables SMX and locks this MSR.

So I am wondering about the tboot launch environment specification, like motherboard
vendor and type.

I would really appreciate your help.

Min

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
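An added example, not from the thread and not tboot's own code: a shell decoder for the register the post quotes, IA32_FEATURE_CONTROL (MSR 0x3A), using the bit layout from the Intel SDM: bit 0 lock, bit 1 VMX inside SMX, bit 2 VMX outside SMX, bits 14:8 SENTER local function enables, bit 15 SENTER global enable. It also decodes the AMD VM_CR MSR (0xC0010114) from the JTAG thread above, whose bit 0 is the DPD flag that SKINIT sets and a debug SL clears. The live read through `rdmsr` from msr-tools (which needs the `msr` kernel module) is the assumed path; the values in the usage below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from tboot): decode the two MSRs the
# threads mention. Values may be given as 0x5 or, as rdmsr prints them, as 5.

# Parse a hex string with or without a 0x prefix into a decimal number.
to_int() { v=${1#0x}; v=${v#0X}; echo $(( 0x$v )); }

# Print the IA32_FEATURE_CONTROL fields. Return 0 when GETSEC[SENTER] is
# allowed (global enable plus all seven local enables), 1 otherwise. A set
# lock bit means the firmware froze the value until the next reset.
decode_feature_control() {
    v=$(to_int "$1")
    lock=$(( v & 1 ))
    vmx_in_smx=$(( (v >> 1) & 1 ))
    vmx_out_smx=$(( (v >> 2) & 1 ))
    senter_local=$(( (v >> 8) & 127 ))
    senter_global=$(( (v >> 15) & 1 ))
    printf 'IA32_FEATURE_CONTROL = 0x%x\n' "$v"
    printf '  lock bit            : %d\n' "$lock"
    printf '  VMX inside SMX      : %d\n' "$vmx_in_smx"
    printf '  VMX outside SMX     : %d\n' "$vmx_out_smx"
    printf '  SENTER local enables: 0x%02x (need 0x7f)\n' "$senter_local"
    printf '  SENTER global enable: %d\n' "$senter_global"
    if [ "$vmx_in_smx" -eq 0 ]; then
        echo "  note: VMX inside SMX is off; a VMX hypervisor cannot run after a measured launch"
    fi
    if [ "$senter_global" -eq 1 ] && [ "$senter_local" -eq 127 ]; then
        echo "  verdict: SENTER enabled, tboot can launch"
        return 0
    fi
    if [ "$lock" -eq 1 ]; then
        echo "  verdict: SENTER disabled and locked by firmware; enable TXT in BIOS setup"
    else
        echo "  verdict: SENTER disabled, MSR not yet locked"
    fi
    return 1
}

# Print the AMD VM_CR fields (APM vol. 2). DPD is what SKINIT sets to shut
# off hardware debug features; a debug SL clears it on entry.
decode_vm_cr() {
    v=$(to_int "$1")
    printf 'VM_CR = 0x%x\n' "$v"
    printf '  DPD (debug port disable): %d\n' "$(( v & 1 ))"
    printf '  R_INIT                  : %d\n' "$(( (v >> 1) & 1 ))"
    printf '  DIS_A20M                : %d\n' "$(( (v >> 2) & 1 ))"
    printf '  LOCK                    : %d\n' "$(( (v >> 3) & 1 ))"
    printf '  SVMDIS                  : %d\n' "$(( (v >> 4) & 1 ))"
}

# Print just the DPD bit (0 or 1) of a VM_CR value.
vm_cr_dpd() { v=$(to_int "$1"); echo $(( v & 1 )); }

main() {
    # Live read (assumed tooling): rdmsr prints hex without a 0x prefix.
    if [ $# -eq 0 ]; then set -- "$(rdmsr -p 0 0x3a)"; fi
    decode_feature_control "$1"
}
case "$0" in */msr-decode.sh|msr-decode.sh) main "$@" ;; esac
```

For the post's value, `decode_feature_control 5` reports lock=1, VMX outside SMX=1 and everything SENTER-related clear, which is exactly "SMX disabled and locked": since bit 0 is set the OS cannot change it, so the fix is the BIOS TXT/TPM setting on the next boot, not a `wrmsr`.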
Joanna Rutkowska | 9 Aug 20:19 2012

JTAG and TXT?

Hello,

I'm curious whether activation of the JTAG interface affects PCR values,
be that those measured as part of SRTM, or those as part of
SENTER/SINIT? Or perhaps SENTER/SINIT aborts if JTAG is enabled (which
would actually be pretty reasonable)?

Unfortunately I couldn't find any reference to JTAG in any of the TXT
documents I looked at, nor in Grawrock's book...?

Thanks,
joanna.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Joanna Rutkowska | 9 Aug 20:10 2012

Reading embedded EK's certs from a TPM?

Hello,

I would like to be able to (generically) read an embedded Endorsement
Key certificate from a TPM's NV memory.

Apparently some TPM vendors do embed such certificates (in addition
to the actual EK key) on the TPM, see e.g. this datasheet:

http://www.st.com/internet/com/TECHNICAL_RESOURCES/TECHNICAL_LITERATURE/DATA_BRIEF/DM00037936.pdf

... where we can read:

"Provisioned with Endorsement key and Endorsement Key certificate"

"NV storage allocated space: 4 Kbytes (1.2 Kbytes used by EK certificate)"

Additionally the actual CA and intermediate certificates are published:

http://www.st.com/internet/mcu/product/252378.jsp

and Infineon seems to be doing the same:

http://www.infineon.com/cms/en/product/chip-card-and-security-ics/embedded-security/trusted-computing/trusted-platform-module-tpm1.2-pc/channel.html?channel=ff80808112ab681d0112ab6921ae011f

Unfortunately, neither the datasheet nor any other document I was able to
find tells how one could retrieve such a certificate out of the TPM's NV
memory. And ideally this would work for all the TPMs from all sorts of
vendors...

Of course, without being able to authenticate the EK key, all the Remote
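An added example, not from the post and not from any TPM vendor: a shell script that pulls the EK certificate out of a TPM 1.2 NV dump. It assumes the TCG PC Client layout for the EK certificate index (NV index 0x1000F000, TPM_NV_INDEX_EKCert): a 2-byte tag 0x1001 (TCG_PCCLIENT_STORED_CERT), a one-byte certType (0x00 = full certificate), a 2-byte big-endian size, then tag 0x1002 (TCG_PCCLIENT_FULL_CERT) followed by the DER-encoded X.509 certificate. The certificate length is taken from the DER SEQUENCE header rather than trusted from the TCG size field, and `tpm_nvread` (tpm-tools) plus `openssl` are the assumed tools. Whether a given vendor's chip uses this wrapper, and whether the index is readable without owner authorization, varies by part, so the script reports a layout mismatch instead of guessing; the sample dump in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the post): extract the DER certificate from a
# TPM 1.2 EK-certificate NV index dump laid out as TCG_PCCLIENT_STORED_CERT.
# Assumed layout (TCG PC Client spec): 10 01 | certType | size (2 bytes, BE) | 10 02 | DER
# The wrapper is 7 bytes, so the DER SEQUENCE starts at offset 7.

# Print the length of the DER object at 0-based OFFSET of FILE, counting the
# tag and length bytes; status 1 if it is not a SEQUENCE with a short or
# 1/2-byte long-form length (the only forms a certificate uses).
der_length_at() {
    file="$1" off="$2"
    set -- $(od -An -tu1 -v -j "$off" -N 4 "$file")
    [ $# -ge 2 ] || return 1
    [ "$1" -eq 48 ] || return 1                     # 0x30 = SEQUENCE
    if [ "$2" -lt 128 ]; then echo $(( 2 + $2 ))
    elif [ "$2" -eq 129 ]; then [ $# -ge 3 ] || return 1; echo $(( 3 + $3 ))
    elif [ "$2" -eq 130 ]; then [ $# -ge 4 ] || return 1; echo $(( 4 + $3 * 256 + $4 ))
    else return 1
    fi
}

# Return 0 if FILE starts with the assumed TCG stored-cert wrapper.
tcg_header_ok() {
    set -- $(od -An -tu1 -v -N 7 "$1")
    [ $# -eq 7 ] || return 1
    [ "$1" -eq 16 ] && [ "$2" -eq 1 ] || return 1   # tag 0x1001
    [ "$3" -eq 0 ] || return 1                      # certType 0 = full certificate
    [ "$6" -eq 16 ] && [ "$7" -eq 2 ] || return 1   # tag 0x1002
    return 0
}

# Print the big-endian size field from bytes 3-4 of the wrapper.
tcg_cert_size() {
    set -- $(od -An -tu1 -v -j 3 -N 2 "$1")
    echo $(( $1 * 256 + $2 ))
}

# Write the DER certificate in NVDUMP to OUT and print its length.
ek_extract() {
    nvdump="$1" out="$2"
    tcg_header_ok "$nvdump" || { echo "unexpected NV layout (no TCG stored-cert header)" >&2; return 1; }
    len=$(der_length_at "$nvdump" 7) || { echo "no DER SEQUENCE at offset 7" >&2; return 1; }
    # Assumption: the size field covers the 0x1002 tag plus the certificate.
    # Only warn on a mismatch; the DER header is what decides the length.
    tcg=$(tcg_cert_size "$nvdump")
    [ "$tcg" -eq $(( len + 2 )) ] || echo "warning: TCG size $tcg != DER length $len + 2" >&2
    dd if="$nvdump" of="$out" bs=1 skip=7 count="$len" 2>/dev/null
    echo "$len"
}

main() {
    # Assumed tooling: dump the index with tpm-tools, unwrap, inspect with openssl.
    tpm_nvread -i 0x1000f000 -f ek.nv >/dev/null
    ek_extract ek.nv ek.der >/dev/null
    openssl x509 -inform DER -in ek.der -noout -subject -issuer -dates
}
case "$0" in */ek-cert.sh|ek-cert.sh) main ;; esac
```

Once `ek.der` is out, `openssl verify` against the vendor's published CA and intermediate certificates (the ST and Infineon links in the post) is what closes the loop the post is after: only then does a quote's AIK, certified by this EK, actually tie back to a known TPM manufacturer.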

Jason Chow | 26 Jul 16:21 2012

Re: TBOOT supports KVM by including kvm kernel module in the trust chain ?



2012/7/26 Jason Chow <jasonchow.pku@gmail.com>
Hi Justin,

Thank you for your suggestion. So building KVM into the kernel as a whole, rather than as a later-loaded module, is the solution for tboot with KVM. Am I correct?

Regards,
Jason

2012/7/26 Justin King-Lacroix <justin.king-lacroix@cs.ox.ac.uk>
Hi Jason,

Tboot measures the kernel and the initrd/initramfs, so you should just need to make sure the KVM modules are in it (and installed at boot, before the root filesystem is mounted, of course).

Regards,
Justin


On 26/07/2012 2:44 PM, Jason Chow wrote:
Hi,

As we all know, tboot can work with a bare Linux kernel. However, does tboot support KVM as well as Xen? Since KVM is treated as a kernel module, it will not be measured during the process of trusted boot (to my knowledge, only the kernel is measured rather than kernel modules). How can tboot provide a clean hypervisor environment as it does for Xen? Is there any additional support in tboot to keep the KVM module in a well-known state?

Thanks and regards,
Jason


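An added example, not from the thread and not tboot's own code, following Justin's point that what tboot measures is the kernel plus the initramfs: a shell script that rebuilds the initramfs with the KVM modules included (dracut, as on Fedora, is the assumed tool), checks the `lsinitrd` listing for them, and compares snapshots of the TXT dynamic PCRs 17-19 that tboot extends, so a change to the measured initramfs shows up as a changed PCR after the next launch. The sysfs file `/sys/class/misc/tpm0/device/pcrs` and its `PCR-NN: xx xx ...` line format are what TPM 1.2 drivers of that era expose; the listings and PCR snapshots in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from tboot): put the KVM modules into
# the initramfs that tboot measures, verify they are there, and diff the DRTM
# PCRs between launches so the change in the measured image is visible.
# Assumed tools: dracut/lsinitrd (Fedora); TPM 1.2 sysfs PCR file.

PCRS=/sys/class/misc/tpm0/device/pcrs   # one "PCR-NN: xx xx ..." line per PCR

# Rebuild the initramfs for KVER with the KVM modules added unconditionally,
# so they are present before the root filesystem is mounted.
rebuild_initramfs() {
    kver="$1"
    dracut --force --add-drivers "kvm kvm_intel" "/boot/initramfs-$kver.img" "$kver"
}

# Read an lsinitrd-style file listing on stdin; return 0 only if kvm.ko and a
# vendor module (kvm_intel.ko or kvm_amd.ko) are both present. Compressed
# module names such as kvm.ko.xz match too.
listing_has_kvm() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -q '/kvm\.ko' || return 1
    printf '%s\n' "$listing" | grep -Eq '/kvm_(intel|amd)\.ko' || return 1
    return 0
}

# Print PCR N from a pcrs file (FILE, default the live sysfs one) as lowercase
# hex without spaces; status 1 if that PCR line is absent.
pcr_value() {
    n="$1" file="${2:-$PCRS}"
    line=$(grep "^PCR-$n: " "$file") || return 1
    printf '%s\n' "${line#PCR-$n: }" | tr -d ' ' | tr 'A-F' 'a-f'
}

# Compare PCRs 17-19 between two snapshots and name the ones that differ.
# Return 0 if any changed, 1 if all three are identical.
drtm_pcrs_changed() {
    before="$1" after="$2" changed=1
    for n in 17 18 19; do
        if [ "$(pcr_value "$n" "$before")" != "$(pcr_value "$n" "$after")" ]; then
            echo "PCR-$n changed"; changed=0
        fi
    done
    return $changed
}

main() {
    kver=$(uname -r)
    cp "$PCRS" /root/pcrs.before        # values from the current tboot launch
    rebuild_initramfs "$kver"
    lsinitrd "/boot/initramfs-$kver.img" | listing_has_kvm \
        || { echo "kvm modules missing from initramfs" >&2; exit 1; }
    echo "reboot through tboot, then run:"
    echo "  cp $PCRS /root/pcrs.after && drtm_pcrs_changed /root/pcrs.before /root/pcrs.after"
}
case "$0" in */kvm-initramfs.sh|kvm-initramfs.sh) main ;; esac
```

The PCR diff is the part worth keeping: it is the only evidence that the module really is inside the measured image rather than pulled from the (unmeasured) root filesystem later, which is the gap Jason's original question is about.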
Jason Chow | 26 Jul 13:44 2012

TBOOT supports KVM by including kvm kernel module in the trust chain ?

Hi,

As we all know, tboot can work with a bare Linux kernel. However, does tboot support KVM as well as Xen? Since KVM is treated as a kernel module, it will not be measured during the process of trusted boot (to my knowledge, only the kernel is measured rather than kernel modules). How can tboot provide a clean hypervisor environment as it does for Xen? Is there any additional support in tboot to keep the KVM module in a well-known state?

Thanks and regards,
Jason
Jonathan McCune | 23 Jul 21:52 2012

Release announcement: XMHF (including TrustVisor)

We are pleased to announce the open-source release of the eXtensible,
Modular Hypervisor Framework (XMHF): http://xmhf.org

tl;dr: git clone git://git.code.sf.net/p/xmhf/xmhf

XMHF is a modular hypervisor platform for recent multicore x86
hardware with support for launching via dynamic root of trust and
nested (2-dimensional) paging. It is NOT a full virtual machine
monitor.

XMHF takes a developer-centric approach to hypervisor design and
implementation, and strives to be a comprehensible and flexible
platform for performing hypervisor research and development. XMHF
encapsulates common hypervisor core functionality in a framework that
allows others to build custom hypervisor-based solutions (called
"hypapps"). It currently supports only a single "rich" guest OS.  We
have tested recent 32-bit Ubuntu, and Windows Server 2003 and Windows
XP.

Our flagship hypapp is an implementation of the TrustVisor APIs.  Also
included is a LockDown hypapp that implements a red/green system, the
Trusted Execution Environment SDK for developing small, stand-alone
application components to execute in isolation, and a credential
manager application that leverages TrustVisor and the tee-sdk.

Documentation is maintained in the git repository using markdown,
which is automatically rendered here (scroll down):
https://sourceforge.net/p/xmhf/xmhf/  Academic publications describing
the design and architecture of these components are linked from the
documentation page.  All of the source code that we contribute is
covered under a BSD-style license.  The build process for some of the
example PALs that run on TrustVisor statically links against the
GPL-licensed 'newlib' implementation of the standard C library.  See
the COPYING.md file in the root directory of the git repository for
more information on source code licensing.

Our preferred method for getting support is to use the Discussion
(forums) on the XMHF SourceForge page:
https://sourceforge.net/p/xmhf/discussion/ The Tickets system houses
many known issues.

Please accept our apologies if you receive more than one copy of this
announcement.

Kind Regards,
The XMHF Development Team
--Jon McCune
--Jim Newsome
--Amit Vasudevan

Matthew Podhorniak | 14 Jun 14:35 2012

Intel TXT

Hello!

I am looking into using tboot on a laptop I have, in a testing environment. When reading about tboot I see it utilizes something called Intel TXT; is this something only available on machines that have a TPM manufactured by Intel?

Thank you!

Matthew

