Download Latest Version
flicker-0.7.tar.gz (148.1 kB)
Get an email when there's a new version of Flicker: Minimal TCB Code Execution
| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| README | 2012-06-18 | 4.7 kB | |
| flicker-0.7.tar.gz | 2012-06-18 | 148.1 kB | |
| flicker-0.6.tar.gz | 2012-06-01 | 148.0 kB | |
| flicker-0.5.tar.gz | 2011-05-17 | 143.6 kB | |
| Totals: 4 Items | 444.4 kB | 0 |
Please see the full README file in the source distribution for more
information. All information here is redundant with respect to it.
Flicker is a technique to execute a piece of application logic (PAL)
code with an extremely small TCB, while maintaining compatibility
with a legacy operating system. Flicker requires that the computer
have support for dynamic root of trust. The legacy operating system
for this version is 32-bit non-PAE Linux, or 32-bit non-PAE Windows 7.
Flicker is derived from a research project at CMU:
http://sparrow.ece.cmu.edu/group/flicker.html
Prerequisites
=============
Hardware
--------
To use Flicker, a PC platform supporting dynamic root of trust is
needed. AMD and Intel have implemented this differently. A v1.2 TPM
is also required (and it must be enabled and activated in the BIOS).
The AMD version of Flicker requires a processor supporting the SKINIT
instruction, a v1.2 TPM [2], and a chipset which provides memory
protection for the Flicker code. The SKINIT instruction is available
with newer AMD64 processors [3]. Look for 'svm' in /proc/cpuinfo. In
the BIOS, you must enable hardware virtualization support.
The Intel version of Flicker requires a processor supporting the
GETSEC[SENTER] instruction, a v1.2 TPM [2], and a chipset which
provides memory protection for the Flicker code. These features are
available on vPro-branded systems supporting Intel Trusted eXecution
Technology (TXT) [6]. Look for 'smx' and 'vmx' in /proc/cpuinfo. In
BIOS, you must enable hardware virtualization support (VT), Trusted
eXecution Technology (TXT), and VT-d. There are known-bad (really bad;
you could RUIN YOUR MOTHERBOARD) BIOSes out there for TXT. Upgrade
your BIOS to the newest available version.
To verify that your system has a v1.2 TPM:
$ modprobe tpm_tis force=1 interrupts=0
$ cat `find /sys -name pcrs`
You should have 24 PCRs listed (0-23). If you have only 16 PCRs
(0-15), then you have a v1.1b TPM, and Flicker won't work.
Changelog
#########
flicker-0.1: Initial public release of AMD-specific code
- code corresponds to all claims in the EuroSys paper
flicker-0.2: Add support for Intel TXT
- Intel and AMD versions independent; no integration
flicker-0.3: Intel-only TPM NV RAM experimentation; no public release
flicker-0.4: Memoir-related [9]; no public release
- includes AMD microcode clear support (NO reloading of microcode currently; use at your own risk)
- improvements to AMD version to support large parameters, etc as part of Memoir project
- improvements to AMD version to work without special kernel compilation (i.e., stock Ubuntu non-PAE 32-bit kernel)
flicker-0.5:
- removed all GPL'd code. release is strictly BSD-style licensed or Dual BSD/GPL for Linux kernel module
- code from tboot project obsoletes the TPM-related code from older versions
- unification of Linux kmod across AMD and Intel
- unification of PAL across AMD and Intel, [TODO] Windows and Linux
- added support for Windows 7 32-bit
- Linux version no longer depends on special linux kernel, but must be 32-bit and non-PAE
- run Intel PAL code in ring 3, isolated from the legacy OS state
- clear microcode before SKINIT on AMD processors
- in-memory logging for systems with no serial port
- single unified kernel module and PAL codebase that is processor-agnostic.
- compatible with most distributions' shipped non-PAE 32-bit Linux kernel builds
flicker-0.51 (alpha release for internal testing):
- changes exclusively to Linux x Intel. Linux x AMD unchanged,
Windows probably will not even build.
- minor tweak to sysfs code to keep pace with Linux-internal APIs
- modify Linux kmalloc() invocations to always be 2MB-aligned for PAL
- add support to debug Intel VT-d DMAR configuration information
- add support to explicitly disable VT-d DMAR PMR facility
- invoke disable_vtd_pmr() immediately following Flicker session,
before restoring interrupts
flicker-0.52 (alpha release for internal testing):
- minor bugfixes
flicker-0.53 (alpha release for internal testing):
- refactor Linux kmod to use existing Linux DMAR capabilities
- requires Linux kernel built with CONFIG_DMAR=y
and CONFIG_DMAR_DEFAULT_ON not set
- Ubuntu 11.04 -generic kernels (2.6.38-13-generic) confirmed to work
flicker-0.6:
- fix build issues on Windows
- stability improvements confirmed on Intel, Linux, Ubuntu 11.04
(primarily due to 2MB-aligned PAL and explicit disabling
of VT-d PMRs after a Flicker session completes)
flicker-0.7:
- build successfully with gcc-4.6 on Ubuntu 12.04 LTS
- link with libgcc.a to gain 64-bit emulation, etc.
- add compiler flags -ffreestanding, -nostdlib