Jay Schwichtenberg | 4 Mar 19:52 2013
Picon

tboot setup with Ubuntu Server 12.10 and 20_linux_tboot

Hello,

Don't know if this is a Ubuntu thing or tboot but need to start tracking it down somewhere.

I'm trying to get tboot working with Ubuntu Server 12.10 on a dual Xeon Intel server and have not been having
any success. I've read the documents lcptools2 and policy_v2 and those make sense and I can generate a
list.data file. But there is no grub.conf or menu.lst file to work with.

With Ubuntu 12.10 Server they now use a file called boot.cfg that was generated by grub-mkconfig from
scripts in /etc/grub.d. One of these scripts is 20_linux_tboot which generates the tboot section in the
boot.cfg file. I can see that with the procedures in the documents that you'd still need to generate
something that has the private and public keys and also setup the NV indexes. But a lot of the other
information seems to be generated by the 20_linux_tboot script.

Is there any information on how to setup tboot using this 20_linux_boot boot script and the way they're
using grub?

I don't have a serial cable for this thing yet (takes a RJ45 to serial cable) so I don't have a tboot log. Should
have that done by the end of the day.

Thanks in advance.
Jay S.

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
Charles.Fisher | 26 Feb 22:39 2013

Haswell SINIT ACM

Hi,

 

Does anyone have an idea of when the SINIT modules for the new Haswell processors will be release?

 

Thanks

 

Charles

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
LE DISEZ Erwan | 15 Feb 11:45 2013

Boot a not relocatable Linux kernel with Tboot

Hello,

I'am trying to boot a Linux kernel (v 2.3.32) compiled as not 
relocatable. The kernel works fine and can be loaded directly from GRUB2 
for example.

When booting using GRUB2+TBOOT I use the following 'simple' 
configuration :
   menuentry "LINUX via TBOOT" {
           set root=(hd0,1)
           multiboot /tboot.gz /tboot.gz logging=vga,memory,serial
           module /lnx /lnx
           module /2nd_gen_i5_i7_SINIT_51.BIN
   }

When loading TBOOT, the last traces just before jumping to Linux are :
   TBOOT: Error: ELF magic number is not matched.
   TBOOT: assuming kernel is Linux format
   TBOOT: kernel type is Linux
   TBOOT: Initrd from 0x7fc39000 to 0x7ffffeb0
   TBOOT: kernel is not relocatable
   TBOOT: load protected-mode part
   TBOOT: Kernel (protected mode) from 0x100000 to 0x4c3ab0
   TBOOT: load real-mode part
   TBOOT: Kernel (real mode) from 0x90000 to 0x93400
   TBOOT: Entry point initialized = 0xf1dbf443

For a not relocated kernel all seems good no ?
   Protected base is 0x100000 (it is a bzImage)
   Read mode base is 0x90000

The jump occurs to  hdr->code32_start =  <at> 0xf1dbf443.

Just after the system reset.

So I have a few questions :
- Have you already tested with a not relocatable Linux kernel ?
- It is normal to jump to 0xf1dbf443, why not the real mode part ?

Thanks !
Best regards

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
Sahil Rihan | 31 Jan 19:56 2013

Re: PCR 17 computation (SinitMleData.Version 8)

I'm using the value from SinitMleData.SinitHash directly. I'm assuming that this is the value of PCR 17 after the first extend based on the following: 

"If the SINIT To MLE Data Table (section C.4) version is 7 or greater, the hash of the SINIT ACM is performed using SHA-256, otherwise it uses 
SHA-1. If a SHA-256 hash was used, the SinitMleData.SinitHash field will contain the value of PCR 17 after the initial extend operation (see below for more details)."

Also, just to be clarify, the SHA-256 is only used for hashing SINIT, the rest of the hashes are performed using SHA-1. Is that correct?


On Thu, Jan 31, 2013 at 10:49 AM, Jonathan McCune <jonmccune <at> gmail.com> wrote:
In MLE dev guide sec 1.9.1: "If the SINIT To MLE Data Table (section
C.4) version is 7 or greater, the hash of the SINIT ACM is performed
using SHA-256, otherwise it uses SHA-1."

Are you using SHA-2 where appropriate?

-Jon


On Thu, Jan 31, 2013 at 10:41 AM, Sahil Rihan <sahil <at> privatecore.com> wrote:
> Hi Jimmy,
>
> Thanks for your quick response. I double checked the data lengths and they
> seem to be correct. I'm copying the Python code I'm using below.
>
> I was able to use a slightly modified version of the function below to
> validate the PCR 17 computed by Jonathan McCune's Perl script
> (http://sourceforge.net/mailarchive/message.php?msg_id=23257129), so I'm
> reasonably confident the basic code (unhexlify, update, etc.) is correct.
>
> Thanks,
> Sahil
>
>
> def computePcr17():
> #    all_zeroes_ascii = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00"
>
>     bios_acm_id_ascii = "80 00 00 00 20 12 05 09 00 00 1d 00 ff ff ff ff ff
> ff ff ff"
> #    edx_senter_flags_ascii = "00 00 00 00"
>     mseg_valid_ascii = "00 00 00 00 00 00 00 00"
>
>     sinit_hash_ascii = "7e e6 40 51 b4 2b 49 18 4f fe 41 6d 60 09 46 3e e2
> 84 3d 04"
>     mle_hash_ascii = "d0 29 d7 7e 2f 4f 32 4b a2 d4 23 53 db 06 79 b5 13 d8
> 33 34"
>     stm_hash_ascii = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00"
>     lcp_policy_hash_ascii = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00"
>
>     lcp_policy_control_ascii = "00 00 00 00"
>     os_sinit_capabilities_ascii = "00 00 00 00"
>     scrtm_status_ascii = "00 00 00 01"
>
> #    all_zeroes_hex = binascii.unhexlify(all_zeroes_ascii.replace(' ', ''))
>     sinit_hash_hex = binascii.unhexlify(sinit_hash_ascii.replace(' ', ''))
> #    edx_senter_flags_hex =
> binascii.unhexlify(edx_senter_flags_ascii.replace(' ', ''))
>
>     bios_acm_id_hex = binascii.unhexlify(bios_acm_id_ascii.replace(' ', ''))
>     mseg_valid_hex = binascii.unhexlify(mseg_valid_ascii.replace(' ', ''))
>     stm_hash_hex = binascii.unhexlify(stm_hash_ascii.replace(' ', ''))
>     lcp_policy_control_hex =
> binascii.unhexlify(lcp_policy_control_ascii.replace(' ', ''))
>     lcp_policy_hash_hex = binascii.unhexlify(lcp_policy_hash_ascii.replace('
> ', ''))
>     os_sinit_capabilities_hex =
> binascii.unhexlify(os_sinit_capabilities_ascii.replace(' ', ''))
>     scrtm_status_hex = binascii.unhexlify(scrtm_status_ascii.replace(' ',
> ''))
>
>     sha1_pcr17_second = hashlib.sha1()
>     sha1_pcr17_second.update(bios_acm_id_hex)
>     sha1_pcr17_second.update(mseg_valid_hex)
>     sha1_pcr17_second.update(stm_hash_hex)
>     sha1_pcr17_second.update(lcp_policy_control_hex)
>     sha1_pcr17_second.update(lcp_policy_hash_hex)
>     sha1_pcr17_second.update(os_sinit_capabilities_hex)
>     sha1_pcr17_second.update(scrtm_status_hex)
>
>     pcr17 = hashlib.sha1()
>     pcr17.update(sinit_hash_hex)
>     pcr17.update(sha1_pcr17_second.digest())
>
>     print "sha1_pcr17_second: " + sha1_pcr17_second.hexdigest()
>     print "final pcr17: " + pcr17.hexdigest()
>
>
> This is the output from tboot that I'm using to initialize the variables in
> the function:
>
> TBOOT: sinit_mle_data ( <at> 0xcf7311b8, 0x224):
> TBOOT:  version: 8
> TBOOT:  bios_acm_id:  80 00 00 00 20 12 05 09 00 00 1d 00 ff ff ff ff ff ff
> ff ff
> TBOOT:  edx_senter_flags: 0x00000000
> TBOOT:  mseg_valid: 0x0
> TBOOT:  sinit_hash: 7e e6 40 51 b4 2b 49 18 4f fe 41 6d 60 09 46 3e e2 84 3d
> 04
> TBOOT:  mle_hash: d0 29 d7 7e 2f 4f 32 4b a2 d4 23 53 db 06 79 b5 13 d8 33
> 34
> TBOOT:  stm_hash: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00
> TBOOT:  lcp_policy_hash: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00
> TBOOT:  lcp_policy_control: 0x00000000
> TBOOT:  rlp_wakeup_addr: 0xcf701220
> TBOOT:  num_mdrs: 7
> TBOOT:  mdrs_off: 0x9c
> TBOOT:  num_vtd_dmars: 224
> TBOOT:  vtd_dmars_off: 0x144
> TBOOT:  sinit_mdrs:
> TBOOT:  0000000000000000 - 00000000000a0000 (GOOD)
> TBOOT:  0000000000100000 - 0000000001000000 (GOOD)
> TBOOT:  0000000001000000 - 00000000cf800000 (GOOD)
> TBOOT:  0000000100000000 - 0000000430000000 (GOOD)
> TBOOT:  0000000000000000 - 0000000000000000 (GOOD)
> TBOOT:  00000000cf800000 - 00000000d0000000 (SMRAM NON-OVERLAY)
> TBOOT:  00000000e0000000 - 00000000e4000000 (PCIE EXTENDED CONFIG)
> TBOOT:  proc_scrtm_status: 0x00000001
>
>
> I expect that it should match the value of PCR 17 after SENTER (and before
> it is extended by tboot):
>
> TBOOT: PCRs before extending:
> TBOOT:   PCR 17: a9 6f c9 dd 99 f7 5d 07 18 eb e5 3d 38 c7 eb 8f 14 9e 76 95
> TBOOT:   PCR 18: a4 1b b3 ef 12 f6 d6 65 58 60 b9 05 4d 72 6f f0 ca 78 21 54
> TBOOT:   PCR 19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>
>
> On Wed, Jan 30, 2013 at 5:54 PM, Wei, Gang <gang.wei <at> intel.com> wrote:
>>
>> Sahil Rihan wrote on 2013-01-31:
>> > Hi list,
>> >
>> > Like a few before me, I'm trying to calculate in software the value of
>> PCR17
>> > after SENTER. I'm taking the value of the first extend as a given (from
>> > SinitMleData.SinitHash) and am trying to reconstruct the value at the
>> > end
>> of
>> > the second extend.
>> >
>> > I took Jonathan McCune's Perl script as a starting point and was able to
>> > reproduce his result (which I'm assuming is for SinitMleData.Version 6,
>> given
>> > his computation of the first PCR17 extend in his Perl script) using a
>> Python
>> > script I wrote. I then modified my script to use the value from
>> > SinitMleData.SinitHash directly, since my understanding is that it
>> contains the
>> > value of PCR17 after the first extend for SinitMleData.Version 8).
>> >
>> > So my computation is now identical to the one in the MLE Developer's
>> Guide.
>> >
>> > SHA-1 ( SinitMleData.SinitHash  | SHA-1 ( SinitMleData.BiosAcm.ID |
>> > SinitMleData.MsegValid | SinitMleData.StmHash |
>> > SinitMleData.PolicyControl | SinitMleData.LcpPolicyHash |
>> > (OsSinitData.Capabilities, 0) | SinitMleData.ProcessorSCRTMStatus) )
>> >
>> > Unfortunately, I'm not able to get to the value for PCR 17 that tboot
>> dumps,
>> > before it performs its own extend to PCR17.
>> >
>> > If anyone has successfully computed PCR 17 or has thoughts on what I
>> > might
>> be
>> > doing wrong, I'd appreciate your input.
>>
>> Please make sure the data length you used for PCR17 value calculation is
>> right:
>>
>> SinitMleData.MsegValid     8bytes
>> SinitMleData.PolicyControl   4bytes
>> (OsSinitData.Capabilities, 0)  4bytes
>> SinitMleData.ProcessorSCRTMStatus 4bytes
>>
>> And (OsSinitData.Capabilities,0) means:
>>
>> if SinitMleData.PolicyControl.bit2 is 1, use value of
>> OsSinitData.Capabilities
>> if SinitMleData.PolicyControl.bit2 is 0, use a 4-byte 0s.
>>
>> Wish those will help.
>>
>> Jimmy
>
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_jan
> _______________________________________________
> tboot-devel mailing list
> tboot-devel <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tboot-devel
>

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Sahil Rihan | 31 Jan 01:31 2013

PCR 17 computation (SinitMleData.Version 8)

Hi list,

Like a few before me, I'm trying to calculate in software the value of PCR17 after SENTER. I'm taking the value of the first extend as a given (from SinitMleData.SinitHash) and am trying to reconstruct the value at the end of the second extend.

I took Jonathan McCune's Perl script as a starting point and was able to reproduce his result (which I'm assuming is for SinitMleData.Version 6, given his computation of the first PCR17 extend in his Perl script) using a Python script I wrote. I then modified my script to use the value from SinitMleData.SinitHash directly, since my understanding is that it contains the value of PCR17 after the first extend for SinitMleData.Version 8).

So my computation is now identical to the one in the MLE Developer's Guide.

SHA-1 ( SinitMleData.SinitHash  | SHA-1 ( SinitMleData.BiosAcm.ID
SinitMleData.MsegValid | SinitMleData.StmHash | SinitMleData.PolicyControl | 
SinitMleData.LcpPolicyHash | (OsSinitData.Capabilities, 0) | 
SinitMleData.ProcessorSCRTMStatus) )

Unfortunately, I'm not able to get to the value for PCR 17 that tboot dumps, before it performs its own extend to PCR17.

If anyone has successfully computed PCR 17 or has thoughts on what I might be doing wrong, I'd appreciate your input.

Thanks,
Sahil
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Wei, Gang | 28 Dec 08:04 2012
Picon

tboot 1.7.3 released

Source package tboot-1.7.3.tar.gz can be downloaded from sourceforge.net.
And since 1.7.3 the upstream repository was moved to:
http://hg.code.sf.net/p/tboot/code .

Major changes since 1.7.2 (20120929):

	Update README with updated code repository url.
	Fix grub2 scripts to be compatible with more distros.
	Update README for RACM launch support
	Add a new option "call_racm=true|false" for revocation acm(RACM)
launch
	Fix potential buffer overrun & memory leak in crtpconf.c
	Fix a potential buffer overrun in lcptools/lock.c
	Print cmdline in multi-lines
	Optional print TXT.ERRORCODE under level error or info
	Fix side effects of tboot log level macros in tools
	Update readme for the new detail log level
	Classify all logs into different log levels
	Add detail log level and the macros defined for log level
	Fix acmod_error_t type to correctly align all bits in 4bytes

Please help testing it, and enjoy it.

Jimmy
Attachment (smime.p7s): application/pkcs7-signature, 11 KiB
------------------------------------------------------------------------------
Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
much more. Get web development skills now with LearnDevNow -
350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
SALE $99.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122812
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Wei, Gang | 27 Dec 10:40 2012
Picon

OpenAttestation project v1.6 released

The major target of this release is to improve code quality based on v1.5,
some important fixes will be back ported into v1.5 branch.

https://github.com/OpenAttestation/OpenAttestation.git

Key Changes in v1.6:
	Enhanced Reference CLI Curl scripts for API access
	Auto testing scripts covered more than 100 test cases for both APIs
& Reference CLI Curl scripts

Fixed issues:
* API related:
 - The HOST API should be
https://${server}:8443/AttestationService/resources/hosts instead of
https://${server}:8443/AttestationService/resources/host. 
 - Enhancement for "MLE_SEARCH" API
 - "POLLHOST" API exception handling
 - Adding MLE successful when "attestation type" is null, it is wrong
 - In source code, MLE "version" string's length limit is not match with
database
 - When attestation type contains special characters, add MLE successful
 - Delete MLE successful which connected to host
 - PCR value should not be null
 - The result of pollhost is unknown due to configuration in "/etc/hosts"
 - The run time of pollhost one machine is more than pollhost 1000 machines,
is unreasonably
* DB related:
 - OpenAttestation hibernate db communication failure
 - The field did not check the capital or lower character (Won't Fix)
 - Cannot add CONSTRAINT into DB on SLES
* Build & installation:
 - The download_jar_packages.sh should be enhanced for proxy check and
invalid jar package check
 - There is NO PrivacyCA.cer or TrustStore.jks, installed oat-appraiser with
Partner Repository.
 - Uncleaned endorsement certificate and password data in
OATprovisioner.properties of ClientInstallForLinux.zip
 - Tomcat service must be stopped after uninstallation
 - Need to modify spec for jdk version to compatibility with different OS
platform
* Auto Test Scripts:
 - Use auto script to add PCR data failed

Enjoy it!

Jimmy
Attachment (smime.p7s): application/pkcs7-signature, 11 KiB
------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122712
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Wei, Gang | 25 Dec 07:06 2012
Picon

tboot project upgraded from classic sourceforge platform to the new Allura platform

As requested by SourceForge Community Manager, tboot just finished upgrade
from classic sourceforge platform to the new platform.

As the result of this upgrade, one major change is that the source code
repository URL got changed to:
	http://hg.code.sf.net/p/tboot/code

Please do a fresh checkout using the new repository location.

Jimmy
Attachment (smime.p7s): application/pkcs7-signature, 11 KiB
------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Charles.Fisher | 12 Dec 00:23 2012

Buffer overrun and memory leak problems.

All,

 

While doing a routine update of a security review of the tboot code, I found a couple of minor problems – two potential (but very unlikely) buffer overrun problems, and one minor memory leak – although the program is going to terminate almost immediately, so the memory comes back anyway.

 

At any rate, here is a patch to correct the problem.

 

Signed Off by: Charles Fisher charles.fisher <at> gdc4s.com

 

diff -up tboot-1.7.2/lcptools/crtpconf.c.orig tboot-1.7.2/lcptools/crtpconf.c

--- tboot-1.7.2/lcptools/crtpconf.c.orig  2012-12-11 13:16:12.239464000 -0700

+++ tboot-1.7.2/lcptools/crtpconf.c 2012-12-11 16:00:23.097982000 -0700

<at> <at> -109,14 +109,12 <at> <at> main(int argc, char *argv[])

     uint16_t i = 0;

     uint32_t index[MAX_INDEX] = {0};

     uint32_t idx_num = 0;

-    unsigned char *pcr_num[MAX_INDEX] = {NULL};

     FILE *p_file = NULL;

     unsigned char* srtm_data = NULL;

     uint32_t data_len = 0;

     TPM_LOCALITY_SELECTION local_sel;

     lcp_result_t ret_value = LCP_E_COMD_INTERNAL_ERR;

-    uint32_t temp = 0;

     /*

      * No parameter input will print out the help message.

<at> <at> -151,28 +149,13 <at> <at> main(int argc, char *argv[])

         ret_value = LCP_E_INVALID_PARAMETER;

         goto _error_end;

     }

-

-    for (i = 0; i < MAX_INDEX; i++) {

-        pcr_num[i] = (unsigned char *)malloc(10);

-        if ( pcr_num[i] == NULL ) {

-            ret_value = LCP_E_OUTOFMEMORY;

-            goto _error_end;

-        }

-    }

-    if ( str_split((char *)pcr_val, (char **)&pcr_num, &idx_num) < 0 ) {

-        ret_value = LCP_E_INVALID_PARAMETER;

-        goto _error_end;

-    }

+    idx_num = MAX_INDEX;

+    str_split((char *)pcr_val, index, &idx_num);

     for ( i = 0; i < idx_num; i++ ) {

-      if ( strtonum((char *)pcr_num[i], &temp) < 0 ) {

-            ret_value = LCP_E_INVALID_PARAMETER;

-            goto _error_end;

-        }

-        if ( temp > 23 ) {

+        if ( index[i] > 23 ) {

             ret_value = LCP_E_INVALID_PARAMETER;

             goto _error_end;

-        }

-        index[i] = temp;

+     }

     }

     local_sel = (TPM_LOCALITY_SELECTION)locality;

<at> <at> -200,8 +183,7 <at> <at> main(int argc, char *argv[])

             fclose(p_file);

         } else

             print_hexmsg("the PConf data is:\n", data_len, srtm_data);

-        if(srtm_data)

-            free(srtm_data);

+     free(srtm_data);

     } else

         goto _error_end;

<at> <at> -210,10 +192,10 <at> <at> _error_end:

     /*

      * Error when execute.

      */

-    for (i = 0; i < MAX_INDEX; i++)

-        free(pcr_num[i]);

-    free(srtm_data);

+    if (srtm_data)

+     free(srtm_data);

     log_error("\nCommand CrtPConf failed:\n");

     print_error(ret_value);

     return ret_value;

-}

+    }

+   

diff -up tboot-1.7.2/lcptools/lcputils.c.orig tboot-1.7.2/lcptools/lcputils.c

--- tboot-1.7.2/lcptools/lcputils.c.orig  2012-12-11 13:16:30.352217000 -0700

+++ tboot-1.7.2/lcptools/lcputils.c 2012-12-11 15:44:03.076312000 -0700

<at> <at> -217,42 +217,22 <at> <at> print_hexmsg(const char *header_msg, int

}

 /* split the input string in the format: num1,num2,...,numN

- * into the array = {num1, num2, ... , numN}

+ * into the numeric array = {num1, num2, ... , numN}

*/

-int

-str_split(const char *str_in, char **str_out, unsigned int *number)

+void

+str_split(char *str_in, uint32_t ints[], unsigned int *nr_ints)

{

-    char * temp;

-    int num = 0;

-    const char *sep = ",";

-    size_t str_length = 0;

-    char *string = (char *)malloc(strlen(str_in) + 1);

-

-    if ( string == NULL )

-        return -1;

-    if ( str_in == NULL || str_out == NULL || number == NULL ) {

-        free(string);

-        return -1;

-    }

-    strcpy(string, str_in);

-    temp =strtok(string, sep);

-    if ( temp != NULL && str_out[num] )

-        strcpy(str_out[num], temp);//strtok(string, sep));

-    while (str_out[num] != NULL) {

-        str_length += strlen(str_out[num]);

-        num++;

-        temp = strtok(NULL, sep);

-        if ( temp != NULL )

-            strcpy(str_out[num], temp);

-        else

-            str_out[num] = NULL;

+    unsigned int nr = 0;

+

+    while ( true ) {

+        char *str = strsep(&str_in, ",");

+        if ( str == NULL || nr == *nr_ints )

+            break;

+        ints[nr++] = strtoul(str, NULL, 0);

     }

-    free(string);

-    *number = num;

-    str_length += num - 1;

-    if ( str_length != strlen(str_in) )

-        return -1;

-    return 0;

+    if ( nr == *nr_ints )

+        log_error("Error: too many items in list\n");

+    *nr_ints = nr;

}

 uint16_t

diff -up tboot-1.7.2/lcptools/lcputils.h.orig tboot-1.7.2/lcptools/lcputils.h

--- tboot-1.7.2/lcptools/lcputils.h.orig  2012-12-11 15:20:08.106747000 -0700

+++ tboot-1.7.2/lcptools/lcputils.h 2012-12-11 15:42:34.009610000 -0700

<at> <at> -134,6 +134,6 <at> <at> calc_sizeofselect(uint32_t num_indices,

void print_locality(unsigned char loc);

void print_permissions(UINT32 perms, const char *prefix);

-int str_split(const char *str_in, char **str_out, unsigned int *number);

+void str_split(char *str_in, uint32_t ints[], unsigned int *number);

 #endif

diff -up tboot-1.7.2/lcptools/lock.c.orig tboot-1.7.2/lcptools/lock.c

--- tboot-1.7.2/lcptools/lock.c.orig      2012-12-11 14:57:02.784235000 -0700

+++ tboot-1.7.2/lcptools/lock.c     2012-12-11 15:15:43.532763000 -0700

<at> <at> -91,7 +91,8 <at> <at> parse_cmdline(int argc, const char * arg

int

main (int argc, char *argv[])

{

-    char confirm_lock[1024] = {0};

+    char confirm_lock[4] = {0};

+    char c;

     in_nv_definespace_t in_defspace;

     lcp_result_t ret_value = LCP_E_COMD_INTERNAL_ERR;

<at> <at> -119,12 +120,12 <at> <at> main (int argc, char *argv[])

          */

         do {

             log_info("Really want to lock TPM NV? (Y/N) ");

-            dummy = scanf("%s", confirm_lock);

+            dummy = scanf("%3s", confirm_lock);

             if ( dummy <= 0 )

                 return LCP_E_COMD_INTERNAL_ERR;

-        } while (strcmp(confirm_lock, "N") && strcmp(confirm_lock, "n") &&

-           strcmp(confirm_lock, "Y") && strcmp(confirm_lock, "y"));

-        if ( !strcmp(confirm_lock, "N") || !strcmp(confirm_lock, "n") ) {

+         c = confirm_lock[0] | ' ';

+        } while ( (c != 'n') && (c != 'y') );

+        if ( c == 'n') {

             ret_value = LCP_SUCCESS;

             return ret_value;

         }

 

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Patrick Winchester | 2 Dec 12:02 2012

TBoot setup on Ubuntu 12.10

Hi list,

I am trying to get tboot to run my Ubuntu 12.10 environment on a Dell Latitude 6520 laptop (no Xen / Hypervisor involved).
Sadly, I am a little stuck.

I took the following steps to install tboot:

apt-get install tboot

tpm_takeownership -z

Download SINIT from intel.com and place *.BIN in /boot

update-grub

Now, when I try to boot into tboot from the grub menu, I get two sets of results after seeing the message
Loading SINIT <binname>:
2nd_gen_i5_i7-SINIT_51 - the machine just hangs, no more activity or progress
3nd_gen_i5_i7-SINIT_51 (or any other) - the machine restart immediately

I have enabled all necessary options in BIOS and I am trying to EFI boot from a GPT disk (in case this is relevant).

Can someone point me to some resources on how to set this up properly or provide some insight into what is
going wrong?
Any help is appreciated.

Cheers,
 -- Patrick

------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
DESIGN Expert tips on starting your parallel project right.
http://goparallel.sourceforge.net/
Charles.Fisher | 22 Oct 19:23 2012

USB interrupts and scrubbing e820 memory

Patch [2/2]

 

Signed-off-by: Charles Fisher <Charles.Fisher <at> gdc4s.com

 

There are a couple of problems that occur with tboot. The first is on some Dell

laptops, it is necessary to disable the legacy usb interrupts. This patch

provides a mechanism to enable a developer to do so.

 

The second problem is that in certain circumstances, data owners consider the

contents of memory to be sensitive. In these cases, they require that the e820

map be scrubbed. The other portion of this patch provides a capability to do

that scrub.

 

Both options are invoked via the command line, and both default to the current

behavior - i.e. don't disable the usb interrupts, and don't scrub the memory.

 

+bool get_scrub_e820(void)

+{

+    const char *clean_map = get_option_val(g_tboot_cmdline_options,

+                                           g_tboot_param_values, "scrub_e820");

+    if ( clean_map == NULL || ( strcmp(clean_map, "true") != 0 ))

+        return false;

+    return true;

+}

+   

 bool get_tboot_prefer_da(void)

{

     const char *value = get_option_val(g_tboot_cmdline_options,

diff -up tboot-1.7.2/tboot/common/e820.c.orig tboot-1.7.2/tboot/common/e820.c

--- tboot-1.7.2/tboot/common/e820.c.orig  2012-10-09 14:27:01.578660000 -0700

+++ tboot-1.7.2/tboot/common/e820.c 2012-10-09 14:28:48.030072000 -0700

<at> <at> -36,10 +36,14 <at> <at>

#include <config.h>

#include <types.h>

#include <stdbool.h>

+#include <compiler.h>

+#include <string.h>

#include <printk.h>

+#include <processor.h>

#include <cmdline.h>

#include <multiboot.h>

#include <stdarg.h>

+#include <paging.h>

#include <misc.h>

#include <pci_cfgreg.h>

#include <e820.h>

<at> <at> -553,6 +557,118 <at> <at> bool e820_reserve_ram(uint64_t base, uin

     return true;

}

 

+/* Define the virtual address page used to scrub memory     */

+/* tboot data is in page 0 of virtual and physical memory   */

+/* tboot code is on page 4 of virtual an physical memory    */

+/* These are the only pages that can't be used.             */

+/* Define a page that provides a little distance from these */

+/* ALL usable memory is erased by calling memset with       */

+/* the same virtual address. The virtual address is mapped  */

+/* to the proper physical address prior calling memset      */

+/* Page 8 is used for this version                          */

+/* This page is virtual address space 0x01000000            */

+/* With this address, the address space being erased is     */

+/* always in the range 0x01000000 - 0x011FFFFF              */

+#define SCRUB_VIRUTAL_ADDRESS 0x01000000

+#define SCRUB_BLOCK_SIZE (1 << TB_L1_PAGETABLE_SHIFT)

+#define SCRUB_BLOCK_OFFSET (SCRUB_BLOCK_SIZE - 1)

+

+/*

+ * e820_scrub_usable

+ *

+ * Scrub all e820 memory marked as usable.

+ *

+ */

+void e820_scrub_usable(void)

+{

+    printk("scrubbing memory\n");

+

+    /* Enable paging */

+    enable_paging();

+

+    /* Iterate the e820 map */

+    for ( unsigned int i = 0; i < g_nr_map; i++ ) {

+        /* Get the block start and length */

+        memory_map_t *entry = &g_copy_e820_map[i];

+        uint64_t block_start = e820_base_64(entry);

+        uint64_t block_length = e820_length_64(entry);

+

+        /* Is block a usable block? */

+        if(entry->type == E820_RAM) {

+            /* Erase the block */

+            printk("%016Lx - %016Lx\n",

+               (unsigned long long)block_start,

+               (unsigned long long)(block_start + block_length));

+

+            /* Loop over block by physical 'page' */

+            while(block_length > 0) {

+                /*

+                 *

+                 * Map the physical address at block_start to

+                 * virtual address SCRUB_VIRUTAL_ADDRESS

+                 * Since the physical address is specified as a page

+                 * the block does not need to start on a page boundary.

+                 *

+                 */

+                map_pages_to_tboot(

+                    SCRUB_VIRUTAL_ADDRESS,

+                    block_start>>TB_L1_PAGETABLE_SHIFT,

+                    1);

+

+                /*

+                 *

+                 * If block_start is not on a page boundary,

+                 * erase the block from the offset to the end of page.

+                 *

+                 */

+                uint32_t scrub_block_offset = block_start & SCRUB_BLOCK_OFFSET;

+

+                /*

+                 *

+                 * The starting virtual address is the

+                 * SCRUB_VIRUTAL_ADDRESS plus any offset

+                 *

+                 */

+                uint32_t scrub_block_virtual_address =

+                    SCRUB_VIRUTAL_ADDRESS + scrub_block_offset;

+

+                /*

+                 *

+                 * Determine the block size.

+                 * The block size is from the start address to the

+                 * end of the page or block.

+                 *

+                 */

+                uint32_t scrub_block_length =

+                    SCRUB_BLOCK_SIZE - scrub_block_offset;

+                if(scrub_block_length > block_length)

+                    scrub_block_length = block_length;

+

+                /*

+                 *

+                 * The page is mapped.

+                 * The starting virual address and length have been computed.

+                 * Ready to erase.

+                 *

+                 */

+                memset(

+                    (void*)scrub_block_virtual_address,

+                    0,

+                    scrub_block_length);

+

+                /* Advance to the next page */

+                block_length -= scrub_block_length;

+                block_start  += scrub_block_length;

+

+            }

+        }

+    }

+

+    disable_paging();

+    wbinvd();

+    printk("complete\n");

+}

+

void print_e820_map(void)

{

     print_map(g_copy_e820_map, g_nr_map);

diff -up tboot-1.7.2/tboot/common/tboot.c.orig tboot-1.7.2/tboot/common/tboot.c

--- tboot-1.7.2/tboot/common/tboot.c.orig 2012-10-09 14:26:33.211480000 -0700

+++ tboot-1.7.2/tboot/common/tboot.c      2012-10-09 14:28:59.726554000 -0700

<at> <at> -207,6 +207,14 <at> <at> static void post_launch(void)

         if ( !e820_protect_region(base, size, E820_RESERVED) )

             apply_policy(TB_ERR_FATAL);

     }

+

+    /* protect the e820 map */

+    base = TBOOT_E820_COPY_ADDR;

+    size = TBOOT_E820_COPY_SIZE;

+    printk("reserving tboot e820 memory map (%Lx - %Lx) in e820 table\n", base,

+       (base + size - 1));

+    if ( !e820_protect_region(base, size, E820_RESERVED) )

+        apply_policy(TB_ERR_FATAL);

 

     /* replace map in mbi with copy */

     replace_e820_map(g_mbi);

<at> <at> -346,6 +354,10 <at> <at> void begin_launch(multiboot_info_t *mbi)

     /* make the CPU ready for measured launch */

     if ( !prepare_cpu() )

         apply_policy(TB_ERR_FATAL);

+

+    /* disable legacy USB #SMIs */

+    if (get_tboot_no_usb())

+        disable_smis();

 

     /* do s3 launch directly, if is a s3 resume */

     if ( s3_flag ) {

<at> <at> -525,8 +537,9 <at> <at> void shutdown(void)

             tpm_save_state(2);

 

         /* scrub any secrets by clearing their memory, then flush cache */

-        /* we don't have any secrets to scrub, however */

-        ;

+        /* scrub memory if requested on the command line */

+        if (get_scrub_e820())

+            e820_scrub_usable();

 

         /* in mwait "mode", APs will be in MONITOR/MWAIT and can be left there */

         if ( !use_mwait() ) {

[diff -up tboot-1.7.2/tboot/include/cmdline.h.orig tboot-1.7.2/tboot/include/cmdline.h

--- tboot-1.7.2/tboot/include/cmdline.h.orig    2012-10-09 14:25:28.155780000 -0700

+++ tboot-1.7.2/tboot/include/cmdline.h   2012-10-09 14:28:59.728551000 -0700

<at> <at> -47,6 +47,8 <at> <at> extern bool get_tboot_serial(void);

extern void get_tboot_baud(void);

extern void get_tboot_fmt(void);

extern void get_tboot_vga_delay(void);

+extern bool get_tboot_no_usb(void);

+extern bool get_scrub_e820(void);

extern bool get_tboot_mwait(void);

extern bool get_tboot_prefer_da(void);

extern void get_tboot_min_ram(void);

diff -up tboot-1.7.2/tboot/include/e820.h.orig tboot-1.7.2/tboot/include/e820.h

--- tboot-1.7.2/tboot/include/e820.h.orig 2012-10-09 14:26:00.123106000 -0700

+++ tboot-1.7.2/tboot/include/e820.h      2012-10-09 14:28:48.055068000 -0700

<at> <at> -70,6 +70,7 <at> <at> typedef struct __packed {

 

extern bool copy_e820_map(const multiboot_info_t *mbi);

extern bool e820_protect_region(uint64_t addr, uint64_t size, uint32_t type);

+extern void e820_scrub_usable(void);

extern bool e820_reserve_ram(uint64_t base, uint64_t length);

extern void print_e820_map(void);

extern void replace_e820_map(multiboot_info_t *mbi);

 

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel

Gmane