TXT and Tboot Implementation 2009-2010
HP Mobile Platforms (Montevina, Calpella)

Table of Contents
  Introduction
  System Requirements
  BIOS TXT Settings
  Fedora Installation
  XEN 3.4.3 Installation
  TBOOT Installation
  TPM Tools 1.3.5 Installation
  LCP: Define Platform Owner Policy
  Appendix A: Sample Tboot serial output
  For more information

Introduction

HP has implemented the Trusted eXecution Technology (TXT), part of Intel's Safer Computing Initiative, on certain models of 2009/2010 commercial notebooks. The purpose of this document is to provide a step-by-step guideline to set up a TXT-enabled environment. The document will cover the following areas:
  - BIOS settings related to TXT
  - Intel's Trusted Execution Technology
  - Trusted Boot, and
  - Launch Control Policies

Trusted eXecution Technology (http://www.intel.com/technology/security/) is a hardware-based mechanism that helps to protect against software-based attacks and protects the confidentiality and integrity of data stored or created on the client PC by means of measured launch and protected execution. In other words, TXT provides only launch-time protection, i.e. it ensures that the code we load is really what we intended to load (secure and not compromised by any virus attacks). See http://download.intel.com/technology/security/downloads/315168.pdf. The technology mainly depends on a set of hardware extensions to Intel processors and chipsets that boost the platform with security capabilities. The Trusted Platform Module is another important hardware component: the TPM is used to store and compare hash values of the launched environment, which provides much greater security than storing them in software or on the hard disk.

Trusted Boot (Tboot) is an open-source, pre-kernel/VMM module that uses Intel(R) Trusted Execution Technology (Intel(R) TXT) to perform a measured and verified launch of an OS kernel/VMM (http://sourceforge.net/projects/tboot, http://www.bughost.org/repos.hg/tboot.hg).

Launch Control Policy (LCP) is a verification mechanism used to verify the Intel TXT verified launch process. Based on the criteria/choice defined in the Platform Default (PD) policy set by the Platform Supplier (PS) or the Platform Owner (PO) policy set by the owner, the LCP determines whether the current platform configuration or environment meets the requirements and can be launched.

System Requirements
  - Trusted Platform Module (TPM) 1.2, TXT and Virtualization Technology (VT) supported chipset (vPro platforms)
  - TPM Locked, Enabled and Activated; VT Enabled; TXT Enabled (discussed in the next section)

BIOS TXT Settings

Enter BIOS Setup by pressing F10 during POST and execute the following steps:
1. Go to Security > Setup BIOS Administrator Password to enter the BIOS administrator password.
2. Go to Security > TPM Embedded Security > Embedded Security Device State > Enabled.
3. Go to System Configuration > Device Configurations > Virtualization Technology > Enabled.
4. Go to System Configuration > Device Configurations > SATA Native Mode > IDE (optional).
   Note: If you expect to use the RAID option at some point in the future, then it is advisable to use the AHCI/RAID option instead of IDE. Switching from IDE to AHCI/RAID will result in a Kernel Panic message and make it impossible to boot to Fedora unless you switch the SATA option back to IDE.
5. Save settings and exit (F10) and reboot.

Enter BIOS Setup by pressing F10 during POST and execute the following steps:
1. Go to System Configuration > Device Configurations > TXT Technology > Enabled.
2. Save settings and exit (F10) and reboot.

Fedora Installation

1. Download the image of Fedora 7/8 64-bit and burn it on DVD.
2. Start the Fedora installation. If you see any Kernel Panic message, or if the installation hangs, try adding acpi=off as a kernel argument (hit Tab at the grub loader).
3. At the Disk Partitioning Setup screen, select "Create custom layout" from the drop-down menu and press Next.
4. Delete any existing partitions.
5. Next add 3 partitions as follows and press Next:
   1st: mount point /boot, file type ext3, size 400
   2nd: file type swap, size 2048
   3rd: mount point /, file type ext3, size fill to max
6. Don't install a boot loader password or select "Configure advanced boot loader options". Press Next.
7. At the next screen select the time zone, and after that choose a password of your choice (the default username is root).
8. Install all software packages: (1) Office and Productivity, (2) Software Development, (3) Web Server. Don't install Additional Fedora Software. Press Next.
9. After installation is complete the system will ask for a reboot for the changes to take effect.
10. After the first reboot select the following settings: Firewall: Disabled; Security Enhanced Linux (SELinux): Disabled. The system will prompt for a restart after the settings are made.
   Note: When you boot into Fedora, if you get an error at the login screen stating that the X server has failed to start, try to configure the X server and set the color depth to Thousands of colors instead of Millions of colors. For any other situation where the display is not visible (black screen) you may have to edit the xorg.conf file and set DefaultDepth to 16 under the Screen section.

XEN 3.4.3 Installation

1. Boot to Fedora. Install the Ethernet drivers if you haven't already done so; the latest drivers are available at http://sourceforge.net/projects/e1000/files/e1000e%20stable/
2. Open a terminal.
3. If required, set the proxy options as: export http_proxy=<proxy address>:<port number>
4. yum install mercurial (installs the latest version of mercurial from the internet if you haven't already installed it).
5. Install wget if not already installed and download the Xen 3.4.3 version into the root directory:
   a. yum install wget
   b. wget http://bits.xensource.com/oss-xen/release/3.4.3/xen-3.4.3.tar.gz
   c. wget http://bits.xensource.com/oss-xen/release/3.4.0/linux-2.6.18-xen-3.4.0.tar.gz (download this in the same root location)
6. Check if the following packages are installed ("yum list <packagename>" will display "installed", else it would say "fedora"; if not, then install using "yum install <packagename>"):
   yum list gcc make binutils zlib python ncurses openssl bridge-utils iproute udev dev86 unifdef imake sd n4k utils iasl
7. tar xvf linux-2.6.18-xen-3.4.0.tar.gz
8. cd linux-2.6.18-xen-3.4.0
9. make mrproper
10. make menuconfig
11. In the Linux Kernel Configuration window select the following options:
   a. General Setup > Local Version: -xen (without the quotes)
   b. Processor type and features > Enable Xen compatible kernel (implies built-in)
   c. Device Drivers > SCSI device support > SCSI low-level drivers: select M on all excluded options (M implies Module)
   d. XEN > Privileged Guest (domain 0)
   e. XEN > unselect/exclude all frontend drivers
12. After setting these options keep pressing ESC until prompted to save the kernel configuration. Choose Yes to save the settings.
13. make (this takes 2-30 minutes)
14. make modules_install
15. make install
16. cd ~
17. tar xzvf xen-3.4.3.tar.gz
18. cd xen-3.4.3
19. make install-xen
20. make install-tools
21. Edit the menu file /boot/grub/menu.lst and add the following grub entry:
       title Fedora Xen 3.4.3 (2.6.18.8-xen)
           root (hd0,0)
           kernel /xen-3.4.3.gz iommu=required
           module /vmlinuz-2.6.18.8-xen ro root=LABEL=/ rhgb
           module /initrd-2.6.18.8-xen.img
22. Make sure to check that the root location and root=LABEL match the first grub entry and point to the root partition.
23. Reboot the system. Enable TPM, VT-d and TXT in the BIOS if not already done.
24. The next time you boot into the system you can select the option at the boot menu to boot into Fedora Xen 3.4.3 (2.6.18.8-xen).

TBOOT Installation

1. Depending upon the platform, copy the appropriate latest sinit.bin file into the /boot directory. The file can be located at http://sourceforge.net/projects/tboot/files/
2. Open the terminal.
3. cd ~
4. If required, set the proxy options as: export http_proxy=<proxy address>:<port number>
5. yum install mercurial (if not installed already)
6. wget http://downloads.sourceforge.net/project/trousers/trousers/0.3.5/trousers-0.3.5.tar.gz
7. tar xzvf trousers-0.3.5.tar.gz
8. cd trousers-0.3.5
9. sh bootstrap.sh
10. ./configure
11. make
12. make install
13. hg clone -r 9c733d6c3f40 http://www.bughost.org/repos.hg/tboot.hg (this downloads the tboot package of the revision mentioned)
14. cd tboot.hg/tboot
15. Edit Config.mk, un-comment (remove the #) the line "CFLAGS += -DMEM_LOGGING" and save it. This will write all of the serial messages to a memory buffer, which is helpful for notebooks that lack a serial output port.
16. cd ..
17. make install
18. Edit menu.lst to add an additional grub entry:
       title Fedora Tboot 2.6.18.8-xen
           root (hd0,0)
           kernel /tboot.gz logging=serial,vga,memory
           module /xen-3.4.3.gz iommu=required
           module /vmlinuz-2.6.18.8-xen ro root=LABEL=/ rhgb
           module /initrd-2.6.18.8-xen.img
           module /sinit.bin
19. Make sure to check that the root location and root=LABEL match the first grub entry and point to the root partition.
20. Reboot the system. Enable TPM, VT-d and TXT in the BIOS if not already done.
21. The next time you boot into the system you can select the option at the boot menu to boot into Fedora Tboot 2.6.18.8-xen.
   Note: If the unit hangs after you boot into Tboot at the boot menu, check if you have any USB devices plugged into your unit. Also disable USB Legacy Support in your BIOS settings under F10 > System Configuration > Device Configurations > USB Legacy Support and try to boot into Tboot again.

TPM Tools 1.3.5 Installation

1. Open the terminal.
2. cd ~
3. If required, set the proxy options as: export http_proxy=<proxy address>:<port number>
4. Install wget if not already installed: yum install wget
5. wget http://internap.dl.sourceforge.net/sourceforge/trousers/tpm-tools-1.3.5.tar.gz
6. Make sure you have automake, autoconf, libtool, gettext, gettext-devel and trousers installed.
7. tar xzvf tpm-tools-1.3.5.tar.gz
8. cd tpm-tools-1.3.5
9. sh bootstrap.sh
10. ./configure
11. make
12. make install

LCP: Define Platform Owner Policy

Take TPM Ownership
1. Open the terminal.
2. sudo -s
3. ldconfig /usr/local/lib (in case of FC8 you may have to try /sbin/ldconfig /usr/local/lib)
4. modprobe tpm_tis (in case of FC8 you may have to try /sbin/modprobe tpm_tis)
5. tcsd (in case of FC8 you may have to try /usr/sbin/tcsd)
6. tpm_takeownership -z (create the owner password; in case of FC8 you may have to try /usr/local/sbin/tpm_takeownership -z)

Define TPM NV indices for policies
7. For 2009 Montevina platforms only:
       tpmnv_defindex -i owner -p <ownerauth password>   (creates the owner index)
   For 2010 Calpella platforms only:
       tpmnv_defindex -i owner -s 0x36 -p <ownerauth password>   (creates the owner index)
8. tpmnv_defindex -i 0x20000001 -s 512 -pv 0x02 -p <ownerauth password>
   This creates index 0x20000001 for verified launch policies. This index is hardcoded in the tboot source code, so you can't use any other index to write the verified launch policies. If this command gives errors related to available space in TPM NV, try 256 instead of 512.

Create and Write LCP policies to TPM NV (implemented by SINIT)
9. mkdir -p /tmp/temp
10. cd /tmp/temp
11. lcp_mlehash -c "logging=serial,vga,memory" /boot/tboot.gz > tboot_hash
12. For 2009 Montevina platforms only:
       lcp_crtpol -t hashonly -m tboot_hash -o lcp.pol
       lcp_writepol -i owner -f lcp.pol -p <ownerauth password>
   For 2010 Calpella platforms only:
       lcp_crtpolelt --create --type mle --ctrl 0x00 --out mle.elt tboot_hash
       lcp_crtpollist --create --out list_unsig.lst mle.elt
       lcp_crtpol2 --create --type list --pol owner_list.pol --data owner_list.data list_unsig.lst
       cp owner_list.data /boot
       lcp_writepol -i owner -f owner_list.pol -p <ownerauth password>

Create and Write Verified Launch policies to TPM NV (implemented by Tboot)
13. tb_polgen --create --type nonfatal tcb.pol
14. tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "iommu=required" --image /boot/xen.gz tcb.pol (all in a single line)
   Make sure that the command line parameters given via --cmdline MUST match the parameters as specified in /boot/grub/menu.lst, EXCLUDING the name of the file.
15. tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "ro root=LABEL=/ rhgb" --image /boot/vmlinuz-2.6.18.8-xen tcb.pol (all in a single line)
16. tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image /boot/initrd-2.6.18.8-xen.img tcb.pol (all in a single line)
17. lcp_writepol -i 0x20000001 -f tcb.pol -p <ownerauth password>
   Note: Please refer to the Intel Trusted Execution Technology Launch Control Policy Linux Tools User Manual for the proper usage of other related commands.

Appendix A: Sample Tboot serial output captured on a 2010 Calpella platform

The actual output may vary depending on the system configuration.

For more information
  HP Technology Center: http://www.hp.com/go/techcenter
  Intel's Trusted eXecution Technology Home Page: http://www.intel.com/technology/security/
  Trusted Boot Home Page: http://sourceforge.net/projects/tboot
  Trusted Boot Source: http://www.bughost.org/repos.hg/tboot.hg

© 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Itanium is a trademark or registered trademark of Intel Corporation or its subsidiaries in the United States and other countries. April 2009
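The verified launch policy steps (tb_polgen --add for modules 0, 1 and 2, then lcp_writepol to index 0x20000001) fail silently at boot if a --cmdline string differs from the grub entry by even one character, or if the module numbers do not follow grub order. The following Python script is an added example, not part of the HP guide or the tboot tools: it derives the tb_polgen and lcp_writepol command lines directly from the tboot grub entry so the cmdlines cannot drift. It assumes grub paths are relative to the separate /boot partition the guide creates, and that the sinit.bin module gets no policy entry (the guide's policy covers only xen, vmlinuz and initrd).

```python
"""Derive tboot verified-launch policy commands from a grub menu.lst entry."""
import shlex

# Constructed sample: the tboot entry the guide adds to /boot/grub/menu.lst.
SAMPLE_ENTRY = """\
title Fedora Tboot 2.6.18.8-xen
    root (hd0,0)
    kernel /tboot.gz logging=serial,vga,memory
    module /xen-3.4.3.gz iommu=required
    module /vmlinuz-2.6.18.8-xen ro root=LABEL=/ rhgb
    module /initrd-2.6.18.8-xen.img
    module /sinit.bin
"""

# Assumption: grub paths are relative to the partition that holds /boot.
BOOT_DIR = "/boot"


def parse_modules(entry_text):
    """Return [(path, cmdline), ...] for every 'module' line, in grub order.

    The cmdline is everything after the file name, which is exactly the string
    tb_polgen --cmdline must receive (the guide's "EXCLUDING the name of the file").
    """
    modules = []
    for line in entry_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "module":
            modules.append((parts[1], " ".join(parts[2:])))
    return modules


def is_sinit_module(path):
    """Assumption: the SINIT ACM (sinit.bin) is not a policy entry; tboot
    recognises it by its ACM header and the guide's policy has no entry for it."""
    return path.rsplit("/", 1)[-1].lower().startswith("sinit")


def policy_commands(entry_text, pol_file="tcb.pol", nv_index="0x20000001"):
    """Emit the tb_polgen / lcp_writepol lines for one grub entry.

    Module numbers follow grub order with SINIT skipped; module 0 (the Xen VMM)
    is measured into PCR 18 and later modules into PCR 19, as in steps 13-17.
    """
    cmds = ["tb_polgen --create --type nonfatal %s" % pol_file]
    num = 0
    for path, cmdline in parse_modules(entry_text):
        if is_sinit_module(path):
            continue
        pcr = 18 if num == 0 else 19
        # shlex.quote renders an empty cmdline as '' so the initrd entry hashes no arguments
        cmds.append(
            "tb_polgen --add --num %d --pcr %d --hash image --cmdline %s --image %s %s"
            % (num, pcr, shlex.quote(cmdline), BOOT_DIR + path, pol_file)
        )
        num += 1
    cmds.append("lcp_writepol -i %s -f %s -p <ownerauth password>" % (nv_index, pol_file))
    return cmds


if __name__ == "__main__":
    for cmd in policy_commands(SAMPLE_ENTRY):
        print(cmd)
```

Run it against the real /boot/grub/menu.lst entry and compare the output line by line with the commands typed in steps 13-17; any difference in a --cmdline value is a policy mismatch that tboot will report at the next measured launch.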