From: Emil M. <me...@os...> - 2007-12-17 05:36:20
Hello Shane,

Thank you very much for your reply. We received this machine a long time ago, but haven't worked with it in depth until recently. [Jeff] recommends that I switch to a Bearlake board, but considering cost and timing issues, this may not be a possibility in the near future. Is there any indication that more updates to ICH8 (or in particular, my board) will be released in the future?

Thank you very much for all the information on this mailing list! It's been a great resource for everybody, and especially us students in academia.

-emil

On Dec 17, 2007 11:05 AM, Wang, Shane <sha...@in...> wrote:
> Hi Emil,
>
> These are some answers from one of my Intel colleagues. (see below)
> Wish this will help you. For question 2, please be patient to wait for
> response from the other colleague of mine.
>
> Thanks.
> Shane
>
>
> Hal Finney wrote:
> > Hello Emil - I had exchanged some email with Joe Cihula a few days ago
> > and at that time he said he was leaving on vacation and would not be
> > back until the 2nd week of January. So unfortunately he may not be
> > able to respond to your questions for some time. I don't know if
> > anyone else from Intel monitors this mailing list.
> >
> > I have a couple of comments although I am afraid I can't be much help:
> >
> > On Dec 13, 2007 7:46 PM, Emil Meng <me...@os...>
> > wrote:
> >> I have a quick question regarding the SINIT module.
> >>
> >> I am currently creating a proof-of-concept of a VMM which can be
> >> securely late-launched multiple times. The VMM itself is very similar
> >> in design to Intel's LVMM, and I am in the process of getting it to
> >> be launched through tboot, but am having a few problems with SINIT
> >> executing properly.
> >
> > I am aiming to do something similar but am not so far along and have
> > not yet gotten to the point where I can do a GETSEC[SENTER].
> >
> >> I have the "Intel Desktop Board DQ965CO" which I believe is in the
> >> ICH8 family, and with the board came the following SINIT module:
> >> filename: bwr_sinit_20060922_release.bin
> >> sha1sum: 8ad582e50be40df7da9c1b8db6ed77499e920613
> >
> > That's interesting, I did not realize that Intel made a motherboard
> > that supported TXT. It's encouraging to see that they are getting this
> > technology into people's hands.
> >
> >> Also I have downloaded the SINIT offered from the tboot package:
> >> filename: BRLK_SINIT_20070910_release.BIN
> >> sha1sum: 46f4e1c199c2983e8a8a115cd90c88353e7b08dc
> >>
> >> My questions are:
> >>
> >> 1. Should I be able to use either of the SINIT modules for my
> >> hardware, or are they specific to a certain chipset?
> [Jeff] AC modules are specific to a chipset. The bwr one is the one
> that supports the board mentioned.
> >
> >
> > According to the TXT Preliminary Architectural Specification, the
> > SINIT module contains a table that indicates which chipsets it
> > supports. The format of this table is described in Tables 17-19 in
> > Appendix A.1. Dumping out the relevant data from
> > BRLK_SINIT_20070910_release.BIN reveals:
> >
> > 0004c0 cd d6 24 80 33 47 62 2a d1 f1 3a 89 3b 11 82 bc
> > 0004d0 01 02 20 00 e0 04 00 00 03 00 00 00 01 00 01 00
> > 0004e0 01 00 00 00 01 00 00 00 86 80 01 80 07 00 00 00
> >
> > The first line is the UUIDs described in Table 17. The "e0 04" of the
> > 2nd line means that the supported chipset ID list starts at offset
> > 4e0, which is the 3rd line. The 01 00 00 00 at the start means that
> > there is just one chipset ID supported by this AC module. The
> > remaining entries indicate that the module supports chipsets with
> > vendor ID 8086, device ID 8001 and revisionID must have one or more
> > bits set that match the 0007 mask. This should then be compared with
> > the LT.DIDVID TXT configuration register. My DIDVID register reads as
> > 780018086 so that matches this module.
> >
> >
> >> 1b. If they are chipset specific, where can I get the latest version
> >> of SINIT for my particular chipset?
> [Jeff] The one you have is the last one we had done for that chipset.
> Many changes in the ACMs have occurred since then. I would recommend
> getting one of the Bearlake boards that has TXT capability as not all
> Bearlake boards have this.
> >
> >
> > For that you will have to wait for someone from Intel I think.
> >
> >> 2. In order to make the proof-of-concept easier to develop and debug,
> >> I disabled one of the cores for the time being. However, with a core
> >> disabled, neither of the SINIT modules listed above would execute
> >> properly. (actually, the one offered on the tboot website doesn't
> >> boot at all under any circumstance) What happens is that tboot goes
> >> through its first pass, confirms that the SINIT is correct, and then
> >> attempts to execute GETSEC[SENTER]. However, it never returns to
> >> tboot for the second pass. If I turn both cores on, the
> >> bwr_sinit_20060922_release.bin SINIT will at least get back to tboot,
> >> and go through a second pass. So here's my question:
> >>
> >> Does SINIT require multiple cores to be enabled in order for it to
> >> work properly?
> >
> > The only thing I can suggest here is that after a failure, you can
> > reboot and then read the LT.ERRORCODE register. The Sourceforge
> > download package for the SINIT module includes a table of failure and
> > progress codes that get stored in this register by SINIT as it runs.
> > By relating the progress/error code to the information in the file
> > from the SINIT download package it might shed light on where things
> > are going wrong. See also Table 23 in Appendix B of the Arch. spec,
> > which shows error codes in case it does not get to the point of
> > running the SINIT module.
> >
> > Sorry I cannot be more help, this technology is very new to me too. I
> > hope to have more time over the holidays to get my experiments going -
> > just got my machine (HP dc7800) last week -
> >
> > Hal Finney
> >
> > _______________________________________________
> > tboot-devel mailing list
> > tbo...@li...
> > https://lists.sourceforge.net/lists/listinfo/tboot-devel
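
The chipset ID lookup Hal Finney describes in the quoted message, as an added example (not part of the original thread and not tboot's own code): it parses the three quoted dump lines and compares the first entry with an LT.DIDVID value. The field offsets follow the post; the function and struct names, and reading the dword after the count as a flags word whose bit 0 marks the revision as a mask, are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define DUMP_BASE 0x4c0u /* file offset of dump[0], as given in the post */
/* The three dump lines quoted in the post (file offsets 0x4c0..0x4ef). */
static const uint8_t dump[48] = {
    0xcd,0xd6,0x24,0x80,0x33,0x47,0x62,0x2a,0xd1,0xf1,0x3a,0x89,0x3b,0x11,0x82,0xbc,
    0x01,0x02,0x20,0x00,0xe0,0x04,0x00,0x00,0x03,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
    0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x86,0x80,0x01,0x80,0x07,0x00,0x00,0x00,
};
struct chipset_id { uint32_t flags; uint16_t vendor, device, revision; };

static uint32_t le(const uint8_t *p, int n) { /* little-endian read, n bytes */
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}
/* Follows the list offset stored 4 bytes after the 16-byte UUID, then reads the
 * count and the first entry. Returns the count, or -1 if a read would leave buf. */
int first_chipset_id(const uint8_t *buf, size_t len, uint32_t base,
                     struct chipset_id *out) {
    if (len < 24) return -1;
    uint32_t off = le(buf + 20, 4);
    if (off < base || off - base > len || len - (off - base) < 14) return -1;
    const uint8_t *p = buf + (off - base);
    uint32_t count = le(p, 4);
    if (count == 0 || count > INT32_MAX) return count ? -1 : 0;
    out->flags    = le(p + 4, 4);  /* assumption: bit 0 = revision is a mask */
    out->vendor   = (uint16_t)le(p + 8, 2);
    out->device   = (uint16_t)le(p + 10, 2);
    out->revision = (uint16_t)le(p + 12, 2);
    return (int)count;
}

/* LT.DIDVID layout as in the post's value: VID bits 0-15, DID 16-31, RID 32-47. */
int didvid_matches(const struct chipset_id *id, uint64_t didvid) {
    uint16_t vid = (uint16_t)didvid, did = (uint16_t)(didvid >> 16);
    uint16_t rid = (uint16_t)(didvid >> 32);
    if (vid != id->vendor || did != id->device) return 0;
    return (id->flags & 1) ? (rid & id->revision) != 0 : rid == id->revision;
}

int main(void) {
    struct chipset_id id;
    if (first_chipset_id(dump, sizeof dump, DUMP_BASE, &id) != 1) return 1;
    printf("%04x:%04x rev %04x match=%d\n", id.vendor, id.device, id.revision,
           didvid_matches(&id, 0x780018086ULL));
    return 0;
}
```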