Sent: Wednesday, June 17, 2009 4:56 AM
To: Cihula, Joseph
Subject: Re: tboot
Thanks for your fast answer.
I finally installed the trousers package with devel (so trousers and tpm-tools
are working) but for tboot, the problem is still here.
I am trying to understand how TXT is working.
So, I have some questions about TXT and TPM:
- How the values of PCRs are calculated in the first place to be compared to ?
Are they provided directly by manufacturers or is it necessary to run an init
code (assuming there is no malicious softwares installed...) ?
[JC] When SENTER is
executed, it will send the measurement of the SINIT ACM to the TPM and that
will cause the TPM to reset the DRTM PCRs (17-23) to 0 and then extend PCR 17
with the hash of SINIT. SINIT will then execute and extend more values
into PCR 17, as described in sec. 1.9.1 of the TXT MLE Developers Guide.
PCR 18 is extended with the
SHA-1 hash of the MLE.
- Is there a SML (Stored
Measurement Log) file used like described by the TCG ?
[JC] The “log”
of what is measured into PCR 17, as described in sec. 1.9.1, is contained
(mainly) in the SinitMleData struct.
- Is Xen necessary to use TXT or is it just for tboot ?
[JC] tboot is a “generic”
launcher in the sense that it does not really know or care about what it
launches. That said, it only currently knows how to launch a Linux kernel
or an ELF binary (which Xen is). But it could easily be enhanced to understand
other file formats. tboot contains most of the TXT logic.
- I am able to seal data with tpm-tools (tpm_sealdata) but how can I unseal
data ? I saw in the TSS the tpm_UnsealFile function but for beginning I would
like to use a command line if possible.
[JC] tpm-tools doesn’t
provide a command line utility to unseal data, unfortunately. However the
function tpmUnsealFile() in libtpm_unseal does almost exactly this and would
only require a trivial wrapper to make into an executable (caveat: I haven’t
tried this myself). You can get more info on its man page, tpmUnsealFile(3).
I hope my questions are clearly enough, tell me if it is not.
2009/6/15 Cihula, Joseph <email@example.com>
I’m glad to hear that
you’re working with tboot and Intel TXT.
For building TrouSerS, you need
to make sure that you have all the dependent packages installed, per the README
file. You may also be able to find a trousers package (you would need a
TXT only uses PCRs 17 &
18. The SRTM PCRs (0-15) are used by regular software during a normal
boot. The other DRTM PCRs (19-23) are available for software (e.g. tboot)
From: Anthony Dessiatnikoff [mailto:firstname.lastname@example.org]
Sent: Monday, June 15, 2009 7:54 AM
To: Cihula, Joseph
I am a student and I am studying the Trusted Execution Technology from Intel
and the use with TPM.
I would like some information about tboot because I cannot succeed to compile
When I build with the 'make' command, there is a lot of errors (some variables
are not declared, ...) in the Trousers directory, I think I missed something.
Is there some actions to perform before compiling (like replacing some folders)
? (I followed the README instructions so I configured it)
For information, I am on Ubuntu 8.10 with Xen 3.4 installed. I downloaded tboot
Another question: in the MLE developer's guide, only the PCRs 17 and 18 are
described but not the others, so what are they for ?
Thanks for your time.
Student from the University of Limoges (France) in Systems Security and
Master 2 Systems Security and Cryptology
University of Limoges (France)