From: Cihula, J. <jos...@in...> - 2008-01-08 01:27:58
I've just gotten back from vacation, so sorry for the delay. I think that I can address all of your questions/issues.

As Jeff said, your chipset/motherboard requires the bwr_ version of SINIT. This was our first TXT-capable chipset and was only available in very limited production systems from MPC and in our SDPs. It does not support LCP, VT-d, etc. You really should either switch to a newer commercial TXT-capable system or one of our Weybridge SDPs, both based on the ICH9 chipset (the SINIT for which is on the tboot site).

Appendix A of the spec has some fields that are only in the ICH9+ versions of AC Modules (i.e. not in the bwr_ version)--it is an error on our part that we didn't call this out and note them.

As for the multiple cores, Hal was right--the chipset has a mechanism to determine how many cores are in the system and the SENTER process will spin until all detected cores acknowledge the SENTER. So if BIOS lets the to-be-disabled core execute some code before it disables the core then the chipset will detect it and SENTER will hang.

I hope this helps and if you have any further questions, please feel free to post again.

Joe

On Sunday, December 16, 2007 9:36 PM, Emil Meng wrote:
> Hello Shane,
>
> Thank you very much for your reply. We received this machine a long
> time ago, but haven't worked with it in depth until recently.
>
> [Jeff] recommends that I switch to a Bearlake board, but considering
> cost and timing issues, this may not be a possibility in the near
> future. Is there any indication that more updates to ICH8 (or in
> particular, my board) will be released in the future?
>
> Thank you very much for all the information on this mailing list! It's
> been a great resource for everybody, and especially us students in
> academia.
>
> -emil
>
> On Dec 17, 2007 11:05 AM, Wang, Shane <sha...@in...> wrote:
>> Hi Emil,
>>
>> These are some answers from one of my Intel colleagues. (see below)
>> Wish this will help you. For question 2, please be patient to wait for
>> response from the other colleague of mine.
>>
>> Thanks.
>> Shane
>>
>>
>> Hal Finney wrote:
>>> Hello Emil - I had exchanged some email with Joe Cihula a few days ago
>>> and at that time he said he was leaving on vacation and would not be
>>> back until the 2nd week of January. So unfortunately he may not be
>>> able to respond to your questions for some time. I don't know if
>>> anyone else from Intel monitors this mailing list.
>>>
>>> I have a couple of comments although I am afraid I can't be much help:
>>>
>>> On Dec 13, 2007 7:46 PM, Emil Meng <me...@os...>
>>> wrote:
>>>> I have a quick question regarding the SINIT module.
>>>>
>>>> I am currently creating a proof-of-concept of a VMM which can be
>>>> securely late-launched multiple times. The VMM itself is very similar
>>>> in design to Intel's LVMM, and I am in the process of getting it to
>>>> be launched through tboot, but am having a few problems with SINIT
>>>> executing properly.
>>>
>>> I am aiming to do something similar but am not so far along and have
>>> not yet gotten to the point where I can do a GETSEC[SENTER].
>>>
>>>> I have the "Intel Desktop Board DQ965CO" which I believe is in the
>>>> ICH8 family, and with the board came the following SINIT module:
>>>> filename: bwr_sinit_20060922_release.bin
>>>> sha1sum: 8ad582e50be40df7da9c1b8db6ed77499e920613
>>>
>>> That's interesting, I did not realize that Intel made a motherboard
>>> that supported TXT. It's encouraging to see that they are getting this
>>> technology into people's hands.
>>>
>>>> Also I have downloaded the SINIT offered from the tboot package:
>>>> filename: BRLK_SINIT_20070910_release.BIN
>>>> sha1sum: 46f4e1c199c2983e8a8a115cd90c88353e7b08dc
>>>>
>>>> My questions are:
>>>>
>>>> 1. Should I be able to use either of the SINIT modules for my
>>>> hardware, or are they specific to a certain chipset?
>> [Jeff] AC modules are specific to a chipset. The bwr one is the one
>> that supports the board mentioned.
>>
>>
>>>
>>> According to the TXT Preliminary Architectural Specification, the
>>> SINIT module contains a table that indicates which chipsets it
>>> supports. The format of this table is described in Tables 17-19 in
>>> Appendix A.1. Dumping out the relevant data from
>>> BRLK_SINIT_20070910_release.BIN reveals:
>>>
>>> 0004c0 cd d6 24 80 33 47 62 2a d1 f1 3a 89 3b 11 82 bc
>>> 0004d0 01 02 20 00 e0 04 00 00 03 00 00 00 01 00 01 00
>>> 0004e0 01 00 00 00 01 00 00 00 86 80 01 80 07 00 00 00
>>>
>>> The first line is the UUIDs described in Table 17. The "e0 04" of the
>>> 2nd line means that the supported chipset ID list starts at offset
>>> 4e0, which is the 3rd line. The 01 00 00 00 at the start means that
>>> there is just one chipset ID supported by this AC module. The
>>> remaining entries indicate that the module supports chipsets with
>>> vendor ID 8086, device ID 8001 and revisionID must have one or more
>>> bits set that match the 0007 mask. This should then be compared with
>>> the LT.DIDVID TXT configuration register. My DIDVID register reads as
>>> 780018086 so that matches this module.
>>>
>>>
>>>> 1b. If they are chipset specific, where can I get the latest version
>>>> of SINIT for my particular chipset?
>> [Jeff] The one you have is the last one we had done for that chipset.
>> Many changes in the ACMs have occurred since then. I would recommend
>> getting one of the Bearlake boards that has TXT capability as not all
>> Bearlake boards have this.
>>
>>
>>>
>>> For that you will have to wait for someone from Intel I think.
>>>
>>>> 2. In order to make the proof-of-concept easier to develop and debug,
>>>> I disabled one of the cores for the time being. However, with a core
>>>> disabled, neither of the SINIT modules listed above would execute
>>>> properly. (actually, the one offered on the tboot website doesn't
>>>> boot at all under any circumstance) What happens is that tboot goes
>>>> through its first pass, confirms that the SINIT is correct, and then
>>>> attempts to execute GETSEC[SENTER]. However, it never returns to
>>>> tboot for the second pass. If I turn both cores on, the
>>>> bwr_sinit_20060922_release.bin SINIT will at least get back to tboot,
>>>> and go through a second pass. So here's my question:
>>>>
>>>> Does SINIT require multiple cores to be enabled in order for it to
>>>> work properly?
>>>
>>> The only thing I can suggest here is that after a failure, you can
>>> reboot and then read the LT.ERRORCODE register. The Sourceforge
>>> download package for the SINIT module includes a table of failure and
>>> progress codes that get stored in this register by SINIT as it runs.
>>> By relating the progress/error code to the information in the file
>>> from the SINIT download package it might shed light on where things
>>> are going wrong. See also Table 23 in Appendix B of the Arch. spec,
>>> which shows error codes in case it does not get to the point of running the
>>> SINIT module.
>>>
>>> Sorry I cannot be more help, this technology is very new to me too. I
>>> hope to have more time over the holidays to get my experiments going -
>>> just got my machine (HP dc7800) last week -
>>>
>>> Hal Finney
>>>
>>>
>>> -------------------------------------------------------------------------
>>> SF.Net email is sponsored by:
>>> Check out the new SourceForge.net Marketplace.
>>> It's the best place to buy or sell services
>>> for just about anything Open Source.
>>> http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
>>> _______________________________________________
>>> tboot-devel mailing list
>>> tbo...@li...
>>> https://lists.sourceforge.net/lists/listinfo/tboot-devel
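
The chipset-match check Hal Finney walks through by hand in the quoted dump, as an added example that is not part of the thread and is not tboot's code: it reads the chipset ID list from the three dumped lines and tests an LT.DIDVID value against it. Assumptions: a 16-byte entry stride, flags bit 0 selecting mask versus exact revision comparison, and LT.DIDVID holding vendor in bits 15:0, device in 31:16 and revision in 47:32; the function and macro names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bytes 0x4c0..0x4ef of BRLK_SINIT_20070910_release.BIN, copied from the dump in the thread. */
static const uint8_t DUMP[] = {
    0xcd,0xd6,0x24,0x80,0x33,0x47,0x62,0x2a,0xd1,0xf1,0x3a,0x89,0x3b,0x11,0x82,0xbc,
    0x01,0x02,0x20,0x00,0xe0,0x04,0x00,0x00,0x03,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
    0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x86,0x80,0x01,0x80,0x07,0x00,0x00,0x00,
};
#define DUMP_BASE    0x4c0u /* module offset of DUMP[0], where the info table starts */
#define ENTRY_STRIDE 16u    /* assumed size of one chipset ID entry */
#define ENTRY_USED   10u    /* flags(4) + vendor(2) + device(2) + revision(2) */

static uint32_t le(const uint8_t *p, int n) /* n-byte little-endian read, n <= 4 */
{
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* win: bytes starting at the info table, located at module offset base. Returns 1 if the
 * list covers didvid, 0 if not, -1 if the list or an entry lies outside the window. */
static int acm_supports(const uint8_t *win, size_t len, uint32_t base, uint64_t didvid)
{
    uint16_t vid = (uint16_t)didvid, did = (uint16_t)(didvid >> 16), rid = (uint16_t)(didvid >> 32);
    if (len < 24) return -1;
    uint32_t list = le(win + 20, 4);   /* "e0 04 00 00": list at module offset 0x4e0 */
    if (list < base || list - base > len || len - (list - base) < 4) return -1;
    const uint8_t *ents = win + (list - base) + 4;
    size_t room = len - (list - base) - 4;
    uint32_t count = le(ents - 4, 4);  /* untrusted: every entry is bounds-checked below */
    for (uint32_t i = 0; i < count; i++) {
        size_t off = (size_t)i * ENTRY_STRIDE;
        if (off > room || room - off < ENTRY_USED) return -1;
        const uint8_t *e = ents + off;
        uint16_t e_rid = (uint16_t)le(e + 8, 2);
        if (le(e + 4, 2) != vid || le(e + 6, 2) != did) continue;
        /* assumed: flags bit 0 set means the revision field is a mask, clear means exact */
        if ((le(e, 4) & 1u) ? (rid & e_rid) != 0 : rid == e_rid) return 1;
    }
    return 0;
}

int main(void)
{
    printf("DIDVID 0x780018086 -> %d\n", acm_supports(DUMP, sizeof DUMP, DUMP_BASE, 0x780018086ULL));
    return 0;
}
```
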