From: Courtay O. <Oli...@th...> - 2008-09-10 13:28:13

Hello,

I have successfully installed tboot on a Dell Optiplex 755 (E8500). VMM and dom0 verification is OK.

One question. In the TBOOT log I have:

TBOOT: dom0 is verified.
TBOOT: succeeded.
TBOOT: invalid module #

What is this invalid module?

I have not yet tested the sealed process.

I have a problem. When Trusted Execution is deactivated in the BIOS, kvm runs normally. But when I activate TXT, the module load fails (Error: Operation not supported). In the kernel log, I have: "kvm: disable by bios"

Is there a conflict between TXT and KVM?

Thank you.
Olivier
From: Cihula, J. <jos...@in...> - 2008-09-10 15:46:22

Below:

-----Original Message-----
From: tbo...@li... [mailto:tbo...@li...] On Behalf Of Courtay Olivier
Sent: Wednesday, September 10, 2008 5:57 AM
To: tbo...@li...
Subject: [tboot-devel] TXT and kvm : conflict ?

Hello,

I have successfully installed tboot on a Dell Optiplex 755 (E8500). VMM and dom0 verification is OK.

One question. In the TBOOT log I have:

TBOOT: dom0 is verified.
TBOOT: succeeded.
TBOOT: invalid module #

What is this invalid module?

[JC] Older versions of tboot displayed this during policy processing, even though there was not an error. What changeset are you using?

I have not yet tested the sealed process.

[JC] FYI, your TPM will need to have an owner and you should have created the SRK with the null auth (use '-z' flag to tpm_takeownership).

I have a problem. When Trusted Execution is deactivated in the BIOS, kvm runs normally. But when I activate TXT, the module load fails (Error: Operation not supported). In the kernel log, I have: "kvm: disable by bios"

Is there a conflict between TXT and KVM?

[JC] This is a security feature. When you enabled both TXT and VT, BIOS set the bit in the IA32_FEATURE_CONTROL MSR that means that VT can only be used after a TXT launch has occurred. This is to prevent installation of malicious VT-based rootkits. If you want to use VT w/o doing a TXT launch, disable TXT in BIOS and leave VT enabled.

Thank you.
Olivier

_______________________________________________
tboot-devel mailing list
tbo...@li...
https://lists.sourceforge.net/lists/listinfo/tboot-devel
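
The gating described in the reply above, as an added example (it is not code from tboot, KVM or either poster): a decoder for an IA32_FEATURE_CONTROL value that reports whether VMXON is permitted with or without a TXT launch. The MSR index and bit positions are taken from the Intel SDM rather than from this thread; the function names are hypothetical and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSR_IA32_FEATURE_CONTROL 0x3A   /* MSR index (Intel SDM) */
#define FC_LOCK            (1ULL << 0)  /* MSR is write-locked until reset */
#define FC_VMX_INSIDE_SMX  (1ULL << 1)  /* VMXON allowed after a TXT launch */
#define FC_VMX_OUTSIDE_SMX (1ULL << 2)  /* VMXON allowed without a TXT launch */

/* VMXON faults unless the MSR is locked and the enable bit that matches
 * the current mode (inside or outside SMX operation) is set. */
static int vmxon_allowed(uint64_t fc, int in_smx)
{
    if (!(fc & FC_LOCK))
        return 0;
    return (fc & (in_smx ? FC_VMX_INSIDE_SMX : FC_VMX_OUTSIDE_SMX)) != 0;
}

/* Summarise the VT policy that firmware chose (hypothetical helper). */
static const char *vt_policy(uint64_t fc)
{
    if (!(fc & FC_LOCK))
        return "unlocked: firmware has not committed a VT policy";
    if (vmxon_allowed(fc, 0))
        return "VT usable without a TXT launch";
    if (vmxon_allowed(fc, 1))
        return "VT usable only after a TXT launch";
    return "VT disabled";
}

int main(void)
{
    /* Constructed sample values, not read from the poster's machine:
     * 0x5 = lock + outside-SMX (TXT off, VT on in BIOS)
     * 0x3 = lock + inside-SMX only (the case discussed in this thread)
     * 0x1 = locked with VT off, 0x6 = enables set but never locked */
    const uint64_t samples[] = { 0x5, 0x3, 0x1, 0x6 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("MSR %#x = %#llx: %s\n", MSR_IA32_FEATURE_CONTROL,
               (unsigned long long)samples[i], vt_policy(samples[i]));
    return 0;
}
```

A hypervisor that is loaded without a measured launch sees the 0x3 case as VT being unavailable, which matches the "kvm: disable by bios" message reported in the thread.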
From: Courtay O. <Oli...@th...> - 2008-09-11 13:08:56

Hello, my response below quoted by [OC]

-----Original Message-----
From: tbo...@li... [mailto:tbo...@li...] On Behalf Of Courtay Olivier
Sent: Wednesday, September 10, 2008 5:57 AM
To: tbo...@li...
Subject: [tboot-devel] TXT and kvm : conflict ?

Hello,

I have successfully installed tboot on a Dell Optiplex 755 (E8500). VMM and dom0 verification is OK.

One question. In the TBOOT log I have:

TBOOT: dom0 is verified.
TBOOT: succeeded.
TBOOT: invalid module #

What is this invalid module?

[JC] Older versions of tboot displayed this during policy processing, even though there was not an error. What changeset are you using?

[OC] Ok, I use the tboot-20080613. I can provide the log of my TBOOT if you want.

I have not yet tested the sealed process.

[JC] FYI, your TPM will need to have an owner and you should have created the SRK with the null auth (use '-z' flag to tpm_takeownership).

[OC] Ok, I will test that.

I have a problem. When Trusted Execution is deactivated in the BIOS, kvm runs normally. But when I activate TXT, the module load fails (Error: Operation not supported). In the kernel log, I have: "kvm: disable by bios"

Is there a conflict between TXT and KVM?

[JC] This is a security feature. When you enabled both TXT and VT, BIOS set the bit in the IA32_FEATURE_CONTROL MSR that means that VT can only be used after a TXT launch has occurred. This is to prevent installation of malicious VT-based rootkits. If you want to use VT w/o doing a TXT launch, disable TXT in BIOS and leave VT enabled.

[OC] Ok, I will contact KVM to know if they will support TXT like XEN. There are two parts to this support:
- Intel => be able to launch KVM
- KVM => not use the E820 unusable memory
That's right?

Thank you
Olivier,
From: Cihula, J. <jos...@in...> - 2008-09-11 15:46:37

Below [JC2] (sorry but Outlook 2007 doesn't quote well):

-----Original Message-----
From: tbo...@li... [mailto:tbo...@li...] On Behalf Of Courtay Olivier
Sent: Thursday, September 11, 2008 6:09 AM
To: tbo...@li...
Subject: [tboot-devel] RE : TXT and kvm : conflict ?

Hello, my response below quoted by [OC]

-----Original Message-----
From: tbo...@li... [mailto:tbo...@li...] On Behalf Of Courtay Olivier
Sent: Wednesday, September 10, 2008 5:57 AM
To: tbo...@li...
Subject: [tboot-devel] TXT and kvm : conflict ?

Hello,

I have successfully installed tboot on a Dell Optiplex 755 (E8500). VMM and dom0 verification is OK.

One question. In the TBOOT log I have:

TBOOT: dom0 is verified.
TBOOT: succeeded.
TBOOT: invalid module #

What is this invalid module?

[JC] Older versions of tboot displayed this during policy processing, even though there was not an error. What changeset are you using?

[OC] Ok, I use the tboot-20080613. I can provide the log of my TBOOT if you want.

[JC2] I think this is harmless in that version. But I would suggest using the latest code from the mercurial repo.

I have not yet tested the sealed process.

[JC] FYI, your TPM will need to have an owner and you should have created the SRK with the null auth (use '-z' flag to tpm_takeownership).

[OC] Ok, I will test that.

I have a problem. When Trusted Execution is deactivated in the BIOS, kvm runs normally. But when I activate TXT, the module load fails (Error: Operation not supported). In the kernel log, I have: "kvm: disable by bios"

Is there a conflict between TXT and KVM?

[JC] This is a security feature. When you enabled both TXT and VT, BIOS set the bit in the IA32_FEATURE_CONTROL MSR that means that VT can only be used after a TXT launch has occurred. This is to prevent installation of malicious VT-based rootkits. If you want to use VT w/o doing a TXT launch, disable TXT in BIOS and leave VT enabled.

[OC] Ok, I will contact KVM to know if they will support TXT like XEN. There are two parts to this support:
- Intel => be able to launch KVM
- KVM => not use the E820 unusable memory
That's right?

[JC2] We are currently working on tboot support for Linux, which will give us KVM support as well. We have all of the code working and are going through a Linux code patch review before posting to LKML.

Thank you
Olivier,