From: Hal F. <hal...@gm...> - 2007-12-14 05:51:18
Hello Emil - I had exchanged some email with Joe Cihula a few days ago and at that time he said he was leaving on vacation and would not be back until the 2nd week of January. So unfortunately he may not be able to respond to your questions for some time. I don't know if anyone else from Intel monitors this mailing list. I have a couple of comments although I am afraid I can't be much help:

On Dec 13, 2007 7:46 PM, Emil Meng <me...@os...> wrote:
> I have a quick question regarding the SINIT module.
>
> I am currently creating a proof-of-concept of a VMM which can be
> securely late-launched multiple times. The VMM itself is very similar
> in design to Intel's LVMM, and I am in the process of getting it to be
> launched through tboot, but am having a few problems with SINIT
> executing properly.

I am aiming to do something similar but am not so far along and have not yet gotten to the point where I can do a GETSEC[SENTER].

> I have the "Intel Desktop Board DQ965CO" which I believe is in the
> ICH8 family, and with the board came the following SINIT module:
> filename: bwr_sinit_20060922_release.bin
> sha1sum: 8ad582e50be40df7da9c1b8db6ed77499e920613

That's interesting, I did not realize that Intel made a motherboard that supported TXT. It's encouraging to see that they are getting this technology into people's hands.

> Also I have downloaded the SINIT offered from the tboot package:
> filename: BRLK_SINIT_20070910_release.BIN
> sha1sum: 46f4e1c199c2983e8a8a115cd90c88353e7b08dc
>
> My questions are:
>
> 1. Should I be able to use either of the SINIT modules for my
> hardware, or are they specific to a certain chipset?

According to the TXT Preliminary Architectural Specification, the SINIT module contains a table that indicates which chipsets it supports. The format of this table is described in Tables 17-19 in Appendix A.1.
Dumping out the relevant data from BRLK_SINIT_20070910_release.BIN reveals:

    0004c0 cd d6 24 80 33 47 62 2a d1 f1 3a 89 3b 11 82 bc
    0004d0 01 02 20 00 e0 04 00 00 03 00 00 00 01 00 01 00
    0004e0 01 00 00 00 01 00 00 00 86 80 01 80 07 00 00 00

The first line is the UUIDs described in Table 17. The "e0 04" of the 2nd line means that the supported chipset ID list starts at offset 4e0, which is the 3rd line. The 01 00 00 00 at the start means that there is just one chipset ID supported by this AC module. The remaining entries indicate that the module supports chipsets with vendor ID 8086, device ID 8001 and revisionID must have one or more bits set that match the 0007 mask. This should then be compared with the LT.DIDVID TXT configuration register. My DIDVID register reads as 780018086 so that matches this module.

> 1b. If they are chipset specific, where can I get the latest version
> of SINIT for my particular chipset?

For that you will have to wait for someone from Intel I think.

> 2. In order to make the proof-of-concept easier to develop and debug,
> I disabled one of the cores for the time being. However, with a core
> disabled, neither of the SINIT modules listed above would execute
> properly. (actually, the one offered on the tboot website doesn't boot
> at all under any circumstance) What happens is that tboot goes through
> its first pass, confirms that the SINIT is correct, and then attempts
> to execute GETSEC[SENTER]. However, it never returns to tboot for the
> second pass. If I turn both cores on, the
> bwr_sinit_20060922_release.bin SINIT will at least get back to tboot,
> and go through a second pass. So here's my question:
>
> Does SINIT require multiple cores to be enabled in order for it to
> work properly?

The only thing I can suggest here is that after a failure, you can reboot and then read the LT.ERRORCODE register. The SourceForge download package for the SINIT module includes a table of failure and progress codes that get stored in this register by SINIT as it runs. By relating the progress/error code to the information in the file from the SINIT download package it might shed light on where things are going wrong. See also Table 23 in Appendix B of the Arch. spec, which shows error codes in case it does not get to the point of running the SINIT module.

Sorry I cannot be more help, this technology is very new to me too. I hope to have more time over the holidays to get my experiments going - just got my machine (HP dc7800) last week -

Hal Finney
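
The chipset check walked through in the message above, as an added example that is not part of the original post and is not tboot or Intel code. It assumes the info table starts at the dumped offset 0x4c0, that a chipset ID entry is 16 bytes (flags, vendor, device, revision, reserved), that flags bit 0 selects mask matching, and that LT.DIDVID holds vendor, device and revision in successive 16-bit fields; the function names are hypothetical.

```python
import struct

# Dump lines quoted in the message (file offsets 0x4c0-0x4ef of the SINIT module).
DUMP_BASE = 0x4C0
DUMP = bytes.fromhex(
    "cd d6 24 80 33 47 62 2a d1 f1 3a 89 3b 11 82 bc"
    "01 02 20 00 e0 04 00 00 03 00 00 00 01 00 01 00"
    "01 00 00 00 01 00 00 00 86 80 01 80 07 00 00 00"
)
# Constructed image: zero padding in front so offsets equal file offsets.
IMAGE = bytes(DUMP_BASE) + DUMP
ENTRY_SIZE = 16  # assumption: 4+2+2+2 bytes of fields plus 6 reserved


def chipset_ids(image, info_off):
    """Return (flags, vendor, device, revision) for each listed chipset."""
    # Info table: 16-byte UUID, type (1), version (1), length (2),
    # then the 32-bit file offset of the chipset ID list.
    (list_off,) = struct.unpack_from("<I", image, info_off + 20)
    (count,) = struct.unpack_from("<I", image, list_off)
    entries = []
    for i in range(count):
        off = list_off + 4 + i * ENTRY_SIZE
        # struct.error here means the list runs past the end of the image.
        entries.append(struct.unpack_from("<IHHH", image, off))
    return entries


def split_didvid(didvid):
    """Split an LT.DIDVID value into (vendor, device, revision)."""
    return didvid & 0xFFFF, (didvid >> 16) & 0xFFFF, (didvid >> 32) & 0xFFFF


def supports(entry, didvid):
    """True if one chipset ID entry matches the platform's DIDVID value."""
    flags, vendor, device, revision = entry
    r_vendor, r_device, r_revision = split_didvid(didvid)
    if (vendor, device) != (r_vendor, r_device):
        return False
    if flags & 1:  # assumption: bit 0 set means revision is a bit mask
        return (revision & r_revision) != 0
    return revision == r_revision


if __name__ == "__main__":
    for e in chipset_ids(IMAGE, DUMP_BASE):
        print([hex(x) for x in e], supports(e, 0x780018086))
```
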