Download Latest Version flicker-0.7.tar.gz (148.1 kB)
Email in envelope

Get an email when there's a new version of Flicker: Minimal TCB Code Execution

Home
Name Modified Size InfoDownloads / Week
README 2012-06-18 4.7 kB
0
flicker-0.7.tar.gz 2012-06-18 148.1 kB
0
flicker-0.6.tar.gz 2012-06-01 148.0 kB
1 1 weekly downloads
flicker-0.5.tar.gz 2011-05-17 143.6 kB
0
Totals: 4 Items   444.4 kB 1 
Please see the full README file in the source distribution for more
information.  All information here is redundant with respect to it.

Flicker is a technique to execute a piece of application logic (PAL)
code with an extremely small TCB, while maintaining compatibility
with a legacy operating system.  Flicker requires that the computer
have support for dynamic root of trust.  The legacy operating system
for this version is 32-bit non-PAE Linux, or 32-bit non-PAE Windows 7.

Flicker is derived from a research project at CMU:
http://sparrow.ece.cmu.edu/group/flicker.html

Prerequisites
=============

Hardware
--------

To use Flicker, a PC platform supporting dynamic root of trust is
needed.  AMD and Intel have implemented this differently. A v1.2 TPM
is also required (and it must be enabled and activated in the BIOS).

The AMD version of Flicker requires a processor supporting the SKINIT
instruction, a v1.2 TPM [2], and a chipset which provides memory
protection for the Flicker code.  The SKINIT instruction is available
with newer AMD64 processors [3]. Look for 'svm' in /proc/cpuinfo. In
the BIOS, you must enable hardware virtualization support.

The Intel version of Flicker requires a processor supporting the
GETSEC[SENTER] instruction, a v1.2 TPM [2], and a chipset which
provides memory protection for the Flicker code.  These features are
available on vPro-branded systems supporting Intel Trusted eXecution
Technology (TXT) [6]. Look for 'smx' and 'vmx' in /proc/cpuinfo. In
BIOS, you must enable hardware virtualization support (VT), Trusted
eXecution Technology (TXT), and VT-d. There are known-bad (really bad;
you could RUIN YOUR MOTHERBOARD) BIOSes out there for TXT.  Upgrade
your BIOS to the newest available version.

To verify that your system has a v1.2 TPM:
$ modprobe tpm_tis force=1 interrupts=0
$ cat `find /sys -name pcrs`

You should have 24 PCRs listed (0-23).  If you have only 16 PCRs
(0-15), then you have a v1.1b TPM, and Flicker won't work.

Changelog
#########

flicker-0.1: Initial public release of AMD-specific code
  - code corresponds to all claims in the EuroSys paper
flicker-0.2: Add support for Intel TXT
  - Intel and AMD versions independent; no integration
flicker-0.3: Intel-only TPM NV RAM experimentation; no public release
flicker-0.4: Memoir-related [9]; no public release
  - includes AMD microcode clear support (NO reloading of microcode currently; use at your own risk)
  - improvements to AMD version to support large parameters, etc as part of Memoir project
  - improvements to AMD version to work without special kernel compilation (i.e., stock Ubuntu non-PAE 32-bit kernel)
flicker-0.5:
  - removed all GPL'd code.  release is strictly BSD-style licensed or Dual BSD/GPL for Linux kernel module
  - code from tboot project obsoletes the TPM-related code from older versions
  - unification of Linux kmod across AMD and Intel 
  - unification of PAL across AMD and Intel, [TODO] Windows and Linux 
  - added support for Windows 7 32-bit
  - Linux version no longer depends on special linux kernel, but must be 32-bit and non-PAE
  - run Intel PAL code in ring 3, isolated from the legacy OS state
  - clear microcode before SKINIT on AMD processors
  - in-memory logging for systems with no serial port
  - single unified kernel module and PAL codebase that is processor-agnostic.
  - compatible with most distributions' shipped non-PAE 32-bit Linux kernel builds
flicker-0.51 (alpha release for internal testing):
  - changes exclusively to Linux x Intel. Linux x AMD unchanged,
    Windows probably will not even build.
  - minor tweak to sysfs code to keep pace with Linux-internal APIs
  - modify Linux kmalloc() invocations to always be 2MB-aligned for PAL
  - add support to debug Intel VT-d DMAR configuration information
  - add support to explicitly disable VT-d DMAR PMR facility
  - invoke disable_vtd_pmr() immediately following Flicker session,
    before restoring interrupts
flicker-0.52 (alpha release for internal testing):
  - minor bugfixes
flicker-0.53 (alpha release for internal testing):
  - refactor Linux kmod to use existing Linux DMAR capabilities
  - requires Linux kernel built with CONFIG_DMAR=y
    and CONFIG_DMAR_DEFAULT_ON not set
  - Ubuntu 11.04 -generic kernels (2.6.38-13-generic) confirmed to work
flicker-0.6:
  - fix build issues on Windows
  - stability improvements confirmed on Intel, Linux, Ubuntu 11.04
    (primarily due to 2MB-aligned PAL and explicit disabling
    of VT-d PMRs after a Flicker session completes)
flicker-0.7:
  - build successfully with gcc-4.6 on Ubuntu 12.04 LTS
  - link with libgcc.a to gain 64-bit emulation, etc.
  - add compiler flags -ffreestanding, -nostdlib
Source: README, updated 2012-06-18