From: Cihula, J. <jos...@in...> - 2008-06-14 01:13:42
I have just checked in a new release of the tboot project. The changes
are quite significant and numerous:

  - Removed support for Technology Enabling Platform (TEP)
  - Removed support for SINIT AC module versions <16 (i.e. <= 20070910)
  - Updated per changes in May 2008 Intel(R) TXT MLE Developer's Manual:
      - Updated to MLE (header) version 2.0
      - Updated OsSinitData, SinitMleData structs
      - Updated AC module InfoTable struct
      - Support Capabilities fields
      - Support MONITOR-based RLP wakeup
  - Added acminfo app to parse and display AC module information
  - Updated for v3 of BiosData struct
  - Reduced TPM-related serial output
  - Fixed sealing of hashes for restoring PCRs after S3 resume
  - Misc. fixes and code cleanup

The most important of the changes is that the new code no longer
supports either the TEP or older SINIT ACMs. So along with the new
tboot code I have also posted new versions of the SINIT ACM for the
Intel(r) Q35 and X38 chipsets (and a guide that helps to determine which
one to use for a given platform). One of these new SINITs *must* be
used with the new tboot code--using the previous tboot code with the new
SINIT or using the new tboot with the previous SINIT will both result in
failure of the launch.

The TXT Preliminary Architecture Specification has also been updated.
The content on the SMX instructions is now in the "Intel(r) 64 and IA-32
Architectures Software Developer's Manual" volume 2B Chapt. 6. In place
of the Preliminary Architecture Spec is the "Intel(r) Trusted Execution
Technology Measured Launched Environment Developer's Guide", still
located at http://www.intel.com/technology/security/. It contains much
updated content and describes all of the changes to the data structures,
handoffs, etc. that the new tboot code implements.

The new SINIT ACMs can be used on all existing TXT-capable systems
without any changes to those systems or any re-provisioning of the TPM.
As they also contain a security-related change, future platforms may be
configured by the manufacturer to no longer permit using the previous
version of SINIT. As such, MLE developers are encouraged to move to the
new SINIT as soon as possible.

Joe, Shane, Jimmy
From: Jun K. <jun...@gm...> - 2008-06-16 02:00:38
On 6/14/08, Cihula, Joseph <jos...@in...> wrote:
> I have just checked in a new release of the tboot project. The changes
> are quite significant and numerous:
> Removed support for Technology Enabling Platform (TEP)
> Removed support for SINIT AC module versions <16 (i.e. <=
> 20070910)
> Updated per changes in May 2008 Intel(R) TXT MLE Developer's
> Manual:
> Updated to MLE (header) version 2.0
> Updated OsSinitData, SinitMleData structs
> Updated AC module InfoTable struct
> Support Capabilities fields
> Support MONITOR-based RLP wakeup
> Added acminfo app to parse and display AC module information
> Updated for v3 of BiosData struct
> Reduced TPM-related serial output
> Fixed sealing of hashes for restoring PCRs after S3 resume
> Misc. fixes and code cleanup
>
> The most important of the changes is that the new code no longer
> supports either the TEP or older SINIT ACMs. So along with the new
> tboot code I have also posted new versions of the SINIT ACM for the
> Intel(r) Q35 and X38 chipsets (and a guide that helps to determine which
> one to use for a given platform). One of these new SINITs *must* be
> used with the new tboot code--using the previous tboot code with the new
> SINIT or using the new tboot with the previous SINIT will both result in
> failure of the launch.
>
> The TXT Preliminary Architecture Specification has also been updated.
> The content on the SMX instructions is now in the "Intel(r) 64 and IA-32
> Architectures Software Developer's Manual" volume 2B Chapt. 6. In place
> of the Preliminary Architecture Spec is the "Intel(r) Trusted Execution
> Technology Measured Launched Environment Developer's Guide", still
> located at http://www.intel.com/technology/security/.

I cannot find the "Developer guide" at
http://www.intel.com/technology/security/. Perhaps it is not ready
yet??

Thanks for the update, Joseph.

Jun
From: Jun K. <jun...@gm...> - 2008-06-16 02:03:01
On 6/16/08, Jun Koi <jun...@gm...> wrote:
> On 6/14/08, Cihula, Joseph <jos...@in...> wrote:
> > I have just checked in a new release of the tboot project. The changes
> > are quite significant and numerous:
> > Removed support for Technology Enabling Platform (TEP)
> > Removed support for SINIT AC module versions <16 (i.e. <=
> > 20070910)
> > Updated per changes in May 2008 Intel(R) TXT MLE Developer's
> > Manual:
> > Updated to MLE (header) version 2.0
> > Updated OsSinitData, SinitMleData structs
> > Updated AC module InfoTable struct
> > Support Capabilities fields
> > Support MONITOR-based RLP wakeup
> > Added acminfo app to parse and display AC module information
> > Updated for v3 of BiosData struct
> > Reduced TPM-related serial output
> > Fixed sealing of hashes for restoring PCRs after S3 resume
> > Misc. fixes and code cleanup
> >
> > The most important of the changes is that the new code no longer
> > supports either the TEP or older SINIT ACMs. So along with the new
> > tboot code I have also posted new versions of the SINIT ACM for the
> > Intel(r) Q35 and X38 chipsets (and a guide that helps to determine which
> > one to use for a given platform). One of these new SINITs *must* be
> > used with the new tboot code--using the previous tboot code with the new
> > SINIT or using the new tboot with the previous SINIT will both result in
> > failure of the launch.
> >
> > The TXT Preliminary Architecture Specification has also been updated.
> > The content on the SMX instructions is now in the "Intel(r) 64 and IA-32
> > Architectures Software Developer's Manual" volume 2B Chapt. 6. In place
> > of the Preliminary Architecture Spec is the "Intel(r) Trusted Execution
> > Technology Measured Launched Environment Developer's Guide", still
> > located at http://www.intel.com/technology/security/.
>
>
> I cannot find the "Developer guide" at
> http://www.intel.com/technology/security/. Perhaps it is not ready
> yet??
>

ah, it is still under the old name "Intel(R) Trusted Execution
Technology Preliminary Architecture Specification"

Thanks,
Jun
From: Cihula, J. <jos...@in...> - 2008-06-16 02:36:52
>> I cannot find the "Developer guide" at
>> http://www.intel.com/technology/security/. Perhaps it is not ready
>> yet??
>>
>
> ah, it is still under the old name "Intel(R) Trusted Execution
> Technology Preliminary Architecture Specification"

Yes, sorry about that. I've already asked that the link be fixed.

Joe

-----Original Message-----
From: Jun Koi [mailto:jun...@gm...]
Sent: Sunday, June 15, 2008 7:03 PM
To: Cihula, Joseph
Cc: tbo...@li...
Subject: Re: [tboot-devel] new release of tboot and SINIT AC modules