Wei, Gang | 29 Sep 05:16 2012
Picon

tboot 1.7.2 released

Source package tboot-1.7.2.tar.gz can be downloaded from sourceforge.net. And 
since 1.7.1 the upstream repository was moved from bughost.org to sf.net at
http://tboot.hg.sourceforge.net:8000/hgroot/tboot/tboot.
(Note, the check-in notification was fixed, and tboot-changelog mailing list 
can be timely updated now.)

Major changes since 1.7.1 (20120929):

    Add Makefile for docs to install man pages.
    Add man pages for tools
    Add grub-mkconfig helper scripts for tboot case in GRUB2
    Fix for deb build in ubuntu
    Fix S3 issue brought by c/s 308
    Fix a S4 hang issue and a potential shutdown reset issue
    Fix build with new zlib 1.2.7.
    Initialize event log when S3
    Update README to change upstream repo url from bughost.org to sf.net.

Please help testing it, and enjoy it.

Jimmy
Attachment (smime.p7s): application/pkcs7-signature, 11 KiB
------------------------------------------------------------------------------
How fast is your code?
3 out of 4 devs don\\\'t know how their code performs in production.
Find out how slow your code is with AppDynamics Lite.
http://ad.doubleclick.net/clk;262219672;13503038;z?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
(Continue reading)

Kent Yoder | 26 Sep 20:44 2012
Picon

PCR event log after TXT launch

Hi,

  Is there a standard way of grabbing the event log after a TXT
launch?  I see it looks like it lives in the os_mle_data_t struct on
the txt heap, but there doesn't seem to be a way to print it from
txt-stat. Is the code missing or can I dump it some other way?

Thanks,
Kent

--

-- 
IBM LTC Security

------------------------------------------------------------------------------
How fast is your code?
3 out of 4 devs don\\\'t know how their code performs in production.
Find out how slow your code is with AppDynamics Lite.
http://ad.doubleclick.net/clk;262219672;13503038;z?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
Bauer, Ren | 23 Sep 23:30 2012
Picon

tboot with 32-bit non-PAE kernel

Hey,

I'm trying to do some work with flicker, and it's my understanding that this software requires tboot and a
32-bit non-PAE kernel, but I haven't been able to find any help on setting up tboot with a kernel that
matches these requirements. (Additionally, I'd like to be able to use GRUB2 as I don't have any experience
with GRUB)

If anyone could point me to a kernel that fits these requirements and that could be set up relatively easily
with tboot, I'd appreciate it.

Currently I have the following set up:

Lenovo W520
Fedora 17 32-bit
Custom built 32 bit kernel based on vmlinuz-3.5.4 with TXT options enabled and PAE disabled (I think)  <at> /boot/vmlinuz-3.5.4-txt
tboot 1.7.1  <at> /boot/tboot.gz
2nd_gen_i5_i7-SINIT_51 module  <at> /SINIT_51.bin

The following GRUB2 menu entry:

menuentry 'Fedora 17 32-bit with tboot'{
	load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_msdos
        insmod ext2
        set root='(hd0,msdos4)'
	if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos4 --hint-efi=hd0,msdos4
--hint-baremetal=ahci0,msdos4 --hint='hd0,msd
(Continue reading)

Jonathan McCune | 31 Aug 15:45 2012
Picon

Re: JTAG and TXT?

Hi Joanna,

On Fri, Aug 31, 2012 at 5:47 AM, Joanna Rutkowska
<joanna <at> invisiblethingslab.com> wrote:
> So, am I asking a wrong question? ;)

I can try to give an answer to a related question...

> On 08/09/12 20:19, Joanna Rutkowska wrote:
>> I'm curious whether activation of the JTAG interface affects PCR values,
>> be that those measured as part of SRTM, or those as part of
>> SENTER/SINIT?

I got started with dynamic root of trust on AMD hardware.  Let me
relate some details for AMD, and then I will talk about Intel.  I had
access to one of AMD's Hardware Debug Tools (HDT) at the time.  To the
best of my knowledge, this device connects directly to some CPU pins
(via a motherboard header that breaks them out).

>From AMD manual 24596 ("System Programming"), Rev 3.20, December 2011:
Section 15.27.6: "Debug Considerations: SKINIT automatically disables
various implementation-specific hardware debug features. A debug
version of the SL can reenable those features by clearing the
VM_CR.DPD flag immediately upon entry."

I empirically determined that, indeed, the HDT is useless in the
interval between executing SKINIT and having an instruction in the
launched code to clear VM_CR.DPD.

On Intel, we did not have any direct debugger device support from
(Continue reading)

gang.wei | 31 Aug 08:05 2012
Picon

[PATCH V2] MAINTAINERS: fix TXT maintainer list and source repo path

From: Gang Wei <gang.wei <at> intel.com>

Signed-off-by: Gang Wei <gang.wei <at> intel.com>
---
 MAINTAINERS |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index fdc0119..987ad0f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
 <at>  <at>  -3666,11 +3666,12  <at>  <at>  F:	Documentation/networking/README.ipw2200
 F:	drivers/net/wireless/ipw2x00/
 
 INTEL(R) TRUSTED EXECUTION TECHNOLOGY (TXT)
-M:	Joseph Cihula <joseph.cihula <at> intel.com>
+M:	Richard L Maliszewski <richard.l.maliszewski <at> intel.com>
+M:	Gang Wei <gang.wei <at> intel.com>
 M:	Shane Wang <shane.wang <at> intel.com>
 L:	tboot-devel <at> lists.sourceforge.net
 W:	http://tboot.sourceforge.net
-T:	Mercurial http://www.bughost.org/repos.hg/tboot.hg
+T:	hg http://tboot.hg.sourceforge.net:8000/hgroot/tboot/tboot
 S:	Supported
 F:	Documentation/intel_txt.txt
 F:	include/linux/tboot.h
--

-- 
1.7.7.6

------------------------------------------------------------------------------
(Continue reading)

gang.wei | 30 Aug 07:19 2012
Picon

[PATCH] MAINTAINERS: fix TXT maintainer list and source repo path

From: Gang Wei <gang.wei <at> intel.com>

Signed-off-by: Gang Wei <gang.wei <at> intel.com>
---
 MAINTAINERS |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index fdc0119..987ad0f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
 <at>  <at>  -3666,11 +3666,12  <at>  <at>  F:	Documentation/networking/README.ipw2200
 F:	drivers/net/wireless/ipw2x00/
 
 INTEL(R) TRUSTED EXECUTION TECHNOLOGY (TXT)
-M:	Joseph Cihula <joseph.cihula <at> intel.com>
+M:	Richard L Maliszewski <richard.l.maliszewski <at> intel.com>
+M:	Gang Wei <gang.wei <at> intel.com>
 M:	Shane Wang <shane.wang <at> intel.com>
 L:	tboot-devel <at> lists.sourceforge.net
 W:	http://tboot.sourceforge.net
-T:	Mercurial http://www.bughost.org/repos.hg/tboot.hg
+T:	Mercurial http://tboot.hg.sourceforge.net:8000/hgroot/tboot/tboot
 S:	Supported
 F:	Documentation/intel_txt.txt
 F:	include/linux/tboot.h
--

-- 
1.7.7.6

(Continue reading)

Min Li | 15 Aug 17:27 2012
Picon

Intel TXT Launch Environment

Hello,
I plan to launch tboot on server. However I found IA32 Feature Control MSR=5, 
that means BIOS disables SMX and Locks this MSR.

So I am wondering the tboot launch environment specification like motherboard 
vendor and type. 

I will really appreciate for your help

Min

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Joanna Rutkowska | 9 Aug 20:19 2012

JTAG and TXT?

Hello,

I'm curious whether activation of the JTAG interface affects PCR values,
be that those measured as part of SRTM, or those as part of
SENTER/SINIT? Or perhaps SENTER/SINIT aborts if JTAG is enabled (which
would be actually pretty reasonable)?

Unfortunately I couldn't find any reference to JTAG in any of the TXT
documents I looked at, nor in the Grawrock's book...?

Thanks,
joanna.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Joanna Rutkowska | 9 Aug 20:10 2012

Reading embedded EK's certs from a TPM?

Hello,

I would like to be able to (generically) read an embedded Endorsement
Keys certificate from a TPM's NV memory.

Apparently some TPM vendors do embedded such certificates (in addition
to the actual EK key) on the TPM, see e.g. this datasheet:

http://www.st.com/internet/com/TECHNICAL_RESOURCES/TECHNICAL_LITERATURE/DATA_BRIEF/DM00037936.pdf

... where we can read:

"Provisioned with Endorsement key and Endorsement Key certificate"

"NV storage allocated space: 4 Kbytes (1.2 Kbytes used by EK certificate)"

Additionally the actual CA and intermediate certificates are published:

http://www.st.com/internet/mcu/product/252378.jsp

and the Infineon seems to be doing the same:

http://www.infineon.com/cms/en/product/chip-card-and-security-ics/embedded-security/trusted-computing/trusted-platform-module-tpm1.2-pc/channel.html?channel=ff80808112ab681d0112ab6921ae011f

Unfortunately, the datasheet, nor any other document I was able to find,
tells how one could retrieve such a certificate out of the TPM's NV
memory. And ideally that this worked for all the TPMs from all sorts of
vendors...

Of course, without being able to authenticate the EK key, all the Remote
(Continue reading)

Jason Chow | 26 Jul 16:21 2012
Picon

Re: TBOOT supports KVM by including kvm kernel module in the trust chain ?



2012/7/26 Jason Chow <jasonchow.pku <at> gmail.com>
Hi Justin,
 
Thank you for your suggestion. So make the KVM inline in the kernel as a whole rather than a later loaded module is the solution for tboot with kvm. Am I correct ?
 
Regards,
Jason

2012/7/26 Justin King-Lacroix <justin.king-lacroix <at> cs.ox.ac.uk>
Hi Jason,

Tboot measures the kernel and the initrd/initramfs, so you should just need to make sure the KVM modules are in it (and installed at boot, before the root filesystem is mounted, of course).

Regards,
Justin



On 26/07/2012 2:44 PM, Jason Chow wrote:
Hi,
 
   As we all know, tboot can work with bare linux kernel. Howerver, does tboot support KVM as well as Xen ? Since kvm is treated as a kernel module, which will not be measured during the process of trusted boot (In my knowledge, only kernel will be measureed rather than kernel modules.). How can tboot provide a clean hypervisor environment as well as Xen does ? Is there any additional support in tboot to keep KVM module in a well-known status.
 
 
Thanks and regards,
Jason


------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________ tboot-devel mailing list tboot-devel <at> lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Jason Chow | 26 Jul 13:44 2012
Picon

TBOOT supports KVM by including kvm kernel module in the trust chain ?

Hi,
 
   As we all know, tboot can work with bare linux kernel. Howerver, does tboot support KVM as well as Xen ? Since kvm is treated as a kernel module, which will not be measured during the process of trusted boot (In my knowledge, only kernel will be measureed rather than kernel modules.). How can tboot provide a clean hypervisor environment as well as Xen does ? Is there any additional support in tboot to keep KVM module in a well-known status.
 
 
Thanks and regards,
Jason
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel

Gmane