From: Shane W. <sha...@in...> - 2009-07-01 16:10:57
See below.

Thanks.
Shane

Anthony Dessiatnikoff wrote:
> Thank you for your answer,
>
> for my second question, maybe I was not clear enough:
> I don't understand where the expected hash values come from (it must be the TPM, but it is necessary to save them into it before booting and executing tboot, so I would like to know when these hashes are calculated and what tool is used) before they are compared with the current value.

Yes, the expected hashes are in the TPM. They are computed in advance from the MLE image and stored in TPM NV. As for when, it is at the time when users think their systems are safe, such as at the beginning of shipping. Or, in most cases, they are even computed and provisioned by OEM vendors in the factory. For the tool, see lcp_mlehash in the folder lcptools. As for SINIT, it is signed by Intel.

> about the localities, is it like the ring (0-3) protection system of processors? How is it implemented? Is any software able to declare itself as working in locality 4?

I think it is a bit like ring 0~3, which is enforced by hardware. As for how it is implemented, or whether any software can be in locality 4, I have no idea, to my knowledge. But you can refer to the TCG spec to find the answers.

> 2009/7/1 Shane Wang <sha...@in...>
> See my comments below.
>
> Thanks.
> Shane
>
> Anthony Dessiatnikoff wrote:
> Hi everyone,
>
> I removed the -Werror parameter in config.mk to compile tboot and execute it.
>
> I have some questions:
>
> - How can I retrieve the tboot logs (because during the boot, the display time is too short to see anything)? They are apparently not in the output of the dmesg command or in other log files.
> If you have a serial port, you can connect your test machine running tboot to another machine with a serial line, and see the log in the window of some COM tool (say, I am using Tera Term Pro).
> If not, you can set logging=memory in the tboot command line in grub.conf, and after booting up you can see the log with the tool txt-stat, which is in tboot/txt-test.
>
> - So we hash the content of SINIT and MLE into PCR 17 and 18, but we need to compare them to the expected values to be sure they are correct, right? So when is this verification done? Because the DRTM PCRs are set to zeros after the SENTER instruction, it is necessary to obtain the expected hash values from somewhere before computing the current hashes of SINIT and MLE and then comparing them.
> Right, we extend them into PCR 17 and PCR 18 respectively. For SINIT, it should include a digital signature, and for MLE, its hash will be compared in SINIT.
>
> - What exactly is the e820 table? Why do we need to secure it?
> e820 is a table, provided by the BIOS, that explains the memory layout to the OS/VMM: which ranges can be used and which can't.
> Because it is very important and we use it to protect tboot/TXT related memory itself. We don't want the OS/VMM to touch them.
>
> - How are the localities managed? I mean, is it a security concern (so it is not possible to pass from one locality to another) or just a way to separate the use of PCRs by different software (so it is possible to pass from one locality to another)?
> It should not be the latter, and it is not only PCRs. Locality is to enable the TPM to differentiate between commands from different local sources, a bit like access permission. In TPM v1.2, locality 0 is for normal application; 1 for trusted application; 2 for trusted OS; 4 for trusted chipset. For more, you can refer to the TCG spec.
>
> Thanks,
>
> --
> Anthony D.
>
> --
> Anthony Dessiatnikoff
> Master 2 in Computing Security and Cryptology
> University of Limoges (FR)
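An added illustration, not part of the original thread and not tboot or SINIT code: a simplified Python model of the flow discussed above, in which an expected MLE hash is provisioned while the system is known good, and at launch the measured hash is compared with it and extended into a PCR that starts at zero. The function names, the sample images, hashing the whole byte string as a stand-in for lcp_mlehash, and refusing the launch without extending on mismatch are assumptions of this sketch; the extend rule itself is the TPM 1.2 one, new = SHA1(old || digest).

```python
import hashlib
import hmac

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: the PCR can only be folded forward, never set directly."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR and digest must both be 20 bytes")
    return hashlib.sha1(pcr + digest).digest()


def provision_expected_hash(mle_image: bytes) -> bytes:
    """Offline step, done while the system is trusted (e.g. in the factory).

    Stand-in for computing the hash with lcp_mlehash and storing it in TPM NV;
    hashing the whole byte string is an assumption of this sketch.
    """
    return hashlib.sha1(mle_image).digest()


def measured_launch(mle_image: bytes, expected: bytes):
    """Model of launch time: returns (allowed, pcr18)."""
    pcr18 = bytes(PCR_SIZE)  # DRTM PCRs are zero after SENTER
    measured = hashlib.sha1(mle_image).digest()
    allowed = hmac.compare_digest(measured, expected)
    if allowed:
        # Only a matching MLE is extended in this model (assumption).
        pcr18 = pcr_extend(pcr18, measured)
    return allowed, pcr18


if __name__ == "__main__":
    good = b"constructed sample MLE image, known good"
    tampered = b"constructed sample MLE image, modified"
    expected = provision_expected_hash(good)  # stored before any launch
    for name, image in (("good", good), ("tampered", tampered)):
        allowed, pcr18 = measured_launch(image, expected)
        print(name, "allowed" if allowed else "refused", pcr18.hex())
```

The expected value has to exist before the launch because the PCR itself starts from zero and only records what was measured; it cannot say whether that measurement is the right one.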