Menu
▾
▴
Re: [tboot-devel] SINIT question
|
From: Wang, S. <sha...@in...> - 2007-12-17 02:05:52
|
Hi Emil, These are some answers from one of my Intel colleagues. (see below)=20 Wish this will help you. For question 2, please be patient to wait for=20 response from the other colleague of mine. Thanks. Shane Hal Finney wrote: > Hello Emil - I had exchanged some email with Joe Cihula a few days ago > and at that time he said he was leaving on vacation and would not be > back until the 2nd week of January. So unfortunately he may not be > able to respond to your questions for some time. I don't know if > anyone else from Intel monitors this mailing list. >=20 > I have a couple of comments although I am afraid I can't be much help: >=20 > On Dec 13, 2007 7:46 PM, Emil Meng <me...@os...> > wrote:=20 >> I have a quick question regarding the SINIT module. >>=20 >> I am currently creating a proof-of-concept of a VMM which can be >> securely late-launched multiple times. The VMM itself is very similar >> in design to Intel's LVMM, and I am in the process of getting it to >> be launched through tboot, but am having a few problems with SINIT >> executing properly. >=20 > I am aiming to do something similar but am not so far along and have > not yet gotten to the point where I can do a GETSEC[SENTER]. >=20 >> I have the "Intel Desktop Board DQ965CO" which i believe is in the >> ICH8 family, and with the board came the following SINIT module: >> filename: bwr_sinit_20060922_release.bin >> sha1sum: 8ad582e50be40df7da9c1b8db6ed77499e920613 >=20 > That's interesting, I did not realize that Intel made a motherboard > that supported TXT. It's encouraging to see that they are getting this > technology into people's hands. >=20 >> Also I have downloaded the SINIT offered from the tboot package: >> filename: BRLK_SINIT_20070910_release.BIN >> sha1sum: 46f4e1c199c2983e8a8a115cd90c88353e7b08dc >>=20 >> My questions are: >>=20 >> 1. Should I be able to use either of the SINIT modules for my >> hardware, or are they specific to a certain chipset? [Jeff] AC modules are specific to a chipset. The bwr one is the one that supports the board mentioned. =20 >=20 > According to the TXT Preliminary Architectural Specification, the > SINIT module contains a table that indicates which chipsets it > supports. The format of this table is described in Tables 17-19 in > Appendix A.1. Dumping out the relevant data from > BRLK_SINIT_20070910_release.BIN reveals: >=20 > 0004c0 cd d6 24 80 33 47 62 2a d1 f1 3a 89 3b 11 82 bc > 0004d0 01 02 20 00 e0 04 00 00 03 00 00 00 01 00 01 00 > 0004e0 01 00 00 00 01 00 00 00 86 80 01 80 07 00 00 00 >=20 > The first line is the UUIDs described in Table 17. The "e0 04" of the > 2nd line means that the supported chipset ID list starts at offset > 4e0, which is the 3rd line. The 01 00 00 00 at the start means that > there is just one chipset ID supported by this AC module. The > remaining entries indicate that the module supports chipsets with > vendor ID 8086, device ID 8001 and revisionID must have one or more > bits set that match the 0007 mask. This should then be compared with > the LT.DIDVID TXT configuration register. My DIDVID register reads as > 780018086 so that matches this module. >=20 >=20 >> 1b. If they are chipset specific, where can I get the latest version >> of SINIT for my particular chipset? [Jeff] The one you have is the last one we had done for that chipset. Many changes in the ACMs have occurred since then. I would recommend getting one of the Bearlake boards that has TXT capability as not all Bearlake boards have this. >=20 > For that you will have to wait for someone from Intel I think. >=20 >> 2. In order to make the proof-of-concept easier to develop and debug, >> I disabled one of the cores for the time being. However, with a core >> disabled, neither of the SINIT modules listed above would execute >> properly. (actually, the one offered on the tboot website doesn't >> boot at all under any circumstance) What happens is that tboot goes >> through its first pass, confirms that the SINIT is correct, and then >> attempts to execute GETSEC[SENTER]. However, it never returns to >> tboot for the second pass. If I turn both cores on, the >> bwr_sinit_20060922_release.bin SINIT will at least get back to tboot, >> and go through a second pass. So here's my question: >>=20 >> Does SINIT require multiple cores to be enabled in order for it to >> work properly? >=20 > The only thing I can suggest here is that after a failure, you can > reboot and then read the LT.ERRORCODE register. The Sourceforge > download package for the SINIT module includes a table of failure and > progress codes that get stored in this register by SINIT as it runs. > By relating the progress/error code to the information in the file > from the SINIT download package it might shed light on where things > are going wrong. See also Table 23 in Appendix B of the Arch. spec, > which shows error codes in case it does not get to the point of > running the SINIT module. >=20 > Sorry I cannot be more help, this technology is very new to me too. I > hope to have more time over the holidays to get my experiments going - > just got my machine (HP dc7800) last week - >=20 > Hal Finney >=20 > ------------------------------------------------------------------------ - > SF.Net email is sponsored by: > Check out the new SourceForge.net Marketplace. > It's the best place to buy or sell services > for just about anything Open Source. > http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketp lace > _______________________________________________ > tboot-devel mailing list > tbo...@li... > https://lists.sourceforge.net/lists/listinfo/tboot-devel |
