Hi Srujan,

I'll start by saying that I don't know the exact answer to your question regarding TPM localities and how they're used. However, there are a couple of other things worth mentioning that you might find useful.

First off, I'll point you to tboot's README.gz, which details the two built-in PCR extension policies used by tboot. I'll summarise the default ("legacy") policy here:
PCR 17: SINIT (by hardware), tboot policy (by tboot)
PCR 18: tboot MLE (by SINIT), rest of tboot (by tboot MLE), xen (by tboot)
PCR 19: linux (by tboot), linux command line (by tboot), linux initrd (by tboot)

You can, of course, specify your own policy.

Second, "ring -1" is a misnomer; the term was invented by Joanna Rutkowska (a *very* skilled platform hacker) to describe a particular class of attack against PC platforms. It's useful in that context, but has no technical meaning. I believe it actually refers to System Management Mode, a CPU mode which is accessible to BIOS writers, and which effectively runs with ring 0 privileges. It might also refer to embedded management controllers, such as DRAC/IPMI or Intel AMT, which are separate pieces of hardware, and thus don't affect the CPU's execution state.

Third, and finally, the TCG PC Client TPM Interface Specification specifies the following uses for TPM localities:
Locality 4: Trusted Hardware. This is the Dynamic RTM.
Locality 3: Auxiliary components. Use of this is optional and, if used, it is implementation dependent. 
Locality 2: This is the “runtime” environment for the Trusted Operating System.
Locality 1: An environment for use by the Trusted Operating System (T/OS).
Locality 0: The legacy environment for the Static RTM and its chain of trust.
While that isn't particularly clear (and may not reflect what real systems code actually does), to my ears it suggests: 0 is used by BIOS, 1 by tboot, 2 by Xen, and 3+ by Linux-Dom0. Again, though, that's a *guess*, and should be fact-checked by reading the code.

Hope that helps!
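As an added illustration (not part of the original thread or of tboot's own code), here is a small Python replay of the legacy policy listed above: each TPM_Extend computes SHA-1(old PCR || measurement), so a verifier can recompute the expected PCR 17/18/19 values from the component hashes and flag any register that does not match what the TPM reports. The component digests are constructed placeholders, and the 20-byte zero-initialised SHA-1 PCR model assumed here is the TPM 1.2 one tboot targeted at the time.

```python
import hashlib

# Assumption: TPM 1.2 PCRs are 20-byte SHA-1 registers; the dynamic PCRs (17-19)
# are reset to all zeros by the DRTM before the first extend.
PCR_SIZE = 20


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend semantics: new PCR = SHA-1(old PCR || measurement digest)."""
    assert len(pcr) == PCR_SIZE and len(measurement) == PCR_SIZE
    return sha1(pcr + measurement)


def replay_pcr(measurements):
    """Replay an ordered list of measurement digests into a fresh (zeroed) PCR."""
    pcr = bytes(PCR_SIZE)
    for m in measurements:
        pcr = pcr_extend(pcr, m)
    return pcr


# Constructed stand-ins for the component hashes; a real verifier would take
# these from the images on disk and from tboot's measurement log.
COMPONENTS = {
    "sinit": sha1(b"constructed SINIT ACM"),
    "tboot_policy": sha1(b"constructed tboot policy"),
    "tboot_mle": sha1(b"constructed tboot MLE"),
    "tboot_rest": sha1(b"constructed rest of tboot"),
    "xen": sha1(b"constructed xen image"),
    "linux": sha1(b"constructed linux kernel"),
    "linux_cmdline": sha1(b"constructed linux command line"),
    "linux_initrd": sha1(b"constructed linux initrd"),
}

# The default ("legacy") policy from the thread, in extend order per PCR.
LEGACY_POLICY = {
    17: ["sinit", "tboot_policy"],
    18: ["tboot_mle", "tboot_rest", "xen"],
    19: ["linux", "linux_cmdline", "linux_initrd"],
}


def expected_pcrs(policy, components):
    """Golden PCR values a verifier expects for the given policy and component hashes."""
    return {n: replay_pcr([components[c] for c in chain]) for n, chain in policy.items()}


def verify_pcrs(policy, components, reported):
    """Return the sorted list of PCR numbers whose reported value differs from the replay."""
    expected = expected_pcrs(policy, components)
    return sorted(n for n in expected if reported.get(n) != expected[n])
```

Because the extend is order-sensitive, swapping two measurements in a chain changes the final value even though the set of hashes is unchanged.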


On 28 July 2014 19:46, Srujan Kotikela <ksrujandas@gmail.com> wrote:
I'm trying to understand how a tboot-based measured launch system fits into TPM localities. So far I understand that SINIT is extended to PCR 17 by the hardware, TBOOT is extended to PCR 18 (by SINIT), and the kernel (Linux/xen) is extended to 19 (by TBOOT). Correct me if I am wrong; also, from which localities are these extensions performed?

Now, from ring 3 only PCR 23 is allowed (I'm running xen and Linux on top of it). Are the remaining PCRs extendable from ring 0 or ring -1? If so, how are their localities distributed?

tboot-devel mailing list