Hello! 

I recently went over the experience of installing, configuring and running 
tboot, and I want to document my experience in this thread and ask some 
questions.
My setup consists of the following:

1. Intel NUC8i7HVK
2. Linux Kernel 5.8.15
3. tboot-1.9.11-2.fc33.x86_64

My first step was to figure out if my hardware supports a Measured Launch. For 
that, I guessed that txt-info would help.
The problem is txt-info needs access to /dev/mem, which is forbidden by the 
Kernel Lockdown functionality, which is turned on by default with my kernel 
version when Secure Boot is detected.
So, txt-info doesn't work unless Kernel Lockdown is disabled. A way to 
reproduce this is to boot with Secure Boot disabled, run txt-info successfully, 
enable Kernel Lockdown, and try to run txt-info again:

[root@localhost test]# mokutil --sb-state
SecureBoot disabled
[root@localhost test]# cat /sys/kernel/security/lockdown
[none] integrity confidentiality
[root@localhost test]# sudo txt-stat
Intel(r) TXT Configuration Registers:
        STS: 0x00000083
        ....
[root@localhost test]# echo integrity > /sys/kernel/security/lockdown
[root@localhost test]# txt-stat
ERROR: cannot open /dev/mem

So, I need to run with Secure Boot disabled. The output of txt-stat is the 
following:

[root@localhost test]# txt-stat
Intel(r) TXT Configuration Registers:
        STS: 0x00000083
            senter_done: TRUE
            sexit_done: TRUE
            mem_config_lock: FALSE
            private_open: TRUE
            locality_1_open: FALSE
            locality_2_open: FALSE
        ESTS: 0x00
            txt_reset: FALSE
        E2STS: 0x0000000000000004
            secrets: FALSE
        ERRORCODE: 0x00000000
        DIDVID: 0x00000001b0068086
            vendor_id: 0x8086
            device_id: 0xb006
            revision_id: 0x1
        FSBIF: 0xffffffffffffffff
        QPIIF: 0x000000009d003000
        SINIT.BASE: 0x00000000
        SINIT.SIZE: 0B (0x0)
        HEAP.BASE: 0x00000000
        HEAP.SIZE: 0B (0x0)
        DPR: 0x0000000000000000
            lock: FALSE
            top: 0x00000000
            size: 0MB (0B)
        PUBLIC.KEY:
            2d 67 dd d7 5e f9 33 92 66 a5 6f 27 18 95 55 ae
            77 a2 b0 de 77 42 22 e5 de 24 8d be b8 e3 3d d7

***********************************************************
         TXT measured launch: TRUE
         secrets flag set: FALSE
***********************************************************
unable to find TBOOT log

From that output, I guessed that I can do a measured launch ("TXT measured 
launch: TRUE"). But I wanted to double-check that.
According to [1], I guessed that I need SMX (Safer Mode Extensions) in my CPU 
to actually do a Measured Launch (although this is not mentioned anywhere in 
the tboot docs).
Unfortunately, cpuid says that my hardware does not support SMX:

[root@localhost test]# cpuid | grep SMX
      SMX: safer mode extensions              = false

Anyway, the tboot docs say that it will fall through to a non-TXT boot in the 
case that it is not supported [2].
So, I just set it up to check what happened. 
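Before attempting the launch it helps to check the three conditions this write-up ran into (SMX in the CPU, Kernel Lockdown blocking /dev/mem, and the Secure Boot state) in one place. The script below is an added example for this thread, not tboot's own tooling and not something from the original post: it reads the same sources used above (/proc/cpuinfo, /sys/kernel/security/lockdown and mokutil --sb-state), and every check takes its input as text so it can also be run against captured output. Using the "smx" flag from /proc/cpuinfo instead of the cpuid tool is my choice.

```sh
#!/bin/sh
# Pre-flight checks before attempting a tboot measured launch.
# Added example for this thread, not part of tboot.  Every check takes its
# input text as an argument so it can be run against captured output as well
# as the live machine.

# Does the CPU advertise SMX?  Looks for the "smx" token on the first "flags"
# line of /proc/cpuinfo text.  Returns 0 (true) when present, 1 otherwise.
has_smx() {
    printf '%s\n' "$1" | awk '
        /^flags/ { for (i = 1; i <= NF; i++) if ($i == "smx") found = 1; exit }
        END { exit !found }'
}

# Active kernel lockdown mode from the contents of
# /sys/kernel/security/lockdown: "[none] integrity confidentiality" -> "none".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# txt-stat reads /dev/mem, which both the "integrity" and the "confidentiality"
# lockdown modes block, so only mode "none" lets it run.
devmem_allowed() {
    [ "$(lockdown_mode "$1")" = "none" ]
}

# "enabled" / "disabled" from the output of mokutil --sb-state.
secureboot_state() {
    printf '%s\n' "$1" | awk '$1 == "SecureBoot" { print $2; exit }'
}

# Run all checks against the live system and report.  Returns 1 if a
# prerequisite for a measured launch with a usable txt-stat is missing.
preflight() {
    cpuinfo=$(cat /proc/cpuinfo 2>/dev/null)
    lockdown=$(cat /sys/kernel/security/lockdown 2>/dev/null || echo '[none]')
    sb=$(mokutil --sb-state 2>/dev/null || echo 'SecureBoot unknown')
    rc=0
    if has_smx "$cpuinfo"; then
        echo "SMX: present"
    else
        echo "SMX: absent (tboot will fall through to a non-TXT boot)"; rc=1
    fi
    echo "Secure Boot: $(secureboot_state "$sb")"
    if devmem_allowed "$lockdown"; then
        echo "lockdown: $(lockdown_mode "$lockdown") (txt-stat can open /dev/mem)"
    else
        echo "lockdown: $(lockdown_mode "$lockdown") (txt-stat cannot open /dev/mem)"; rc=1
    fi
    return $rc
}

preflight || echo "preflight: not all prerequisites are met"
```

Run it once with Secure Boot enabled and once disabled: the SMX line will not change, but the lockdown line shows whether txt-stat can be expected to open /dev/mem at all, which separates "no measured launch" from "no way to observe it".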

I got my 8th_9th_gen_i5_i7-SINIT_81.zip SINIT ACM module from [3], unzipped it, 
copied the bin file to /boot, and updated the grub configuration.
After the initial boot, I got the error message that multiboot2 and relocator 
could not be found. So I followed the docs on how to install them. In Fedora 
they are provided by the grub2-efi-x64-modules package.

After rebooting and selecting tboot in the grub menu, the boot failed and I got 
a recovery shell.
By inspecting the generated /run/initramfs/rdsosreport.txt, the relevant error 
message I can see is:

systemctl[509]: Failed to switch root: Specified switch root path '/sysroot' 
does not seems to be an OS tree. os-release file is missing.

From this I guess that the tboot-generated grub configuration is broken.
After visual inspection and manual editing of the grub.cfg file, I was able to 
get a valid configuration (rootflags was missing):

[root@localhost fedora]# diff grub.cfg grub.cfg.bak
206c206
<       module2 /vmlinuz-5.8.15-301.fc33.x86_64 
root=UUID=f9f79342-5c5b-445e-ac3a-b4731f57e6e2 ro rootflags=subvol=root rhgb 
quiet intel_iommu=on noefi
---
>       module2 /vmlinuz-5.8.15-301.fc33.x86_64 
> root=UUID=f9f79342-5c5b-445e-ac3a-b4731f57e6e2 ro rhgb quiet intel_iommu=on 
> noefi
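Review bot: the direction of this diff is easy to misread, since `diff grub.cfg grub.cfg.bak` puts the hand-edited grub.cfg on the `<` side and the backup of the generated file on the `>` side; the `>` line is therefore the one that lacks `rootflags=subvol=root`, and the `206c206` header shows that each side is a single line, so the breaks inside the `module2` lines are mail wrapping rather than part of the configuration.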

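One way to catch a tboot entry that drops kernel arguments, like the missing rootflags= shown in the diff above, is to compare the arguments on the module2 kernel line against the command line of the boot that works (/proc/cmdline). The script below is an added example for this thread, not tboot's own tooling; the grub.cfg path in check_live is an assumption, and the sample configuration in the comments is constructed from the lines shown above.

```sh
#!/bin/sh
# Compare the kernel arguments of tboot "module2 /vmlinuz-..." grub entries
# against a reference kernel command line (normally /proc/cmdline of the
# working, non-tboot boot) and report anything the tboot entry dropped.
# Added example for this thread, not part of tboot.
#
# Constructed sample of the entry shape being checked:
#   menuentry "Fedora tboot" {
#       multiboot2 /tboot.gz logging=serial,memory
#       module2 /vmlinuz-5.8.15-301.fc33.x86_64 root=UUID=... ro rhgb quiet ...
#       module2 /initramfs-5.8.15-301.fc33.x86_64.img
#       module2 /8th_9th_gen_i5_i7-SINIT_81.bin
#   }

# $1: grub.cfg text, $2: reference kernel command line.
# Prints one line per tboot kernel entry that lacks arguments.  Exit status is
# 0 when every entry carries all reference arguments, 1 when something is
# missing, 2 when no tboot kernel entry was found at all.
check_tboot_entries() {
    printf '%s\n' "$1" | awk -v ref="$2" '
        BEGIN {
            # BOOT_IMAGE=... is grub metadata in /proc/cmdline, not an argument.
            n = split(ref, r, " ")
            for (i = 1; i <= n; i++)
                if (r[i] != "" && r[i] !~ /^BOOT_IMAGE=/) want[r[i]] = 1
        }
        # grub hands the kernel to tboot as "module2 <image> <args...>"; the
        # initramfs and SINIT module2 lines carry no vmlinuz and are skipped.
        $1 == "module2" && $2 ~ /vmlinuz/ {
            found++
            for (k in have) delete have[k]
            for (i = 3; i <= NF; i++) have[$i] = 1
            miss = ""
            for (a in want) if (!(a in have)) miss = miss " " a
            if (miss != "") { printf "tboot entry %s lacks:%s\n", $2, miss; bad = 1 }
        }
        END {
            if (!found) { print "no tboot module2 kernel entries found"; exit 2 }
            exit bad + 0
        }'
}

# Live use: the running kernel command line is the reference.  The grub.cfg
# location is an assumption for a Fedora EFI install; pass your own as $1.
check_live() {
    cfg=${1:-/boot/efi/EFI/fedora/grub.cfg}
    check_tboot_entries "$(cat "$cfg")" "$(cat /proc/cmdline)"
}
```

Run check_live from the working (non-tboot) boot after every grub2-mkconfig; a non-zero status means the tboot entry would start the kernel with a different command line than the entry that is known to reach the root filesystem.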
And after that, I got the following tboot log:

[root@localhost fedora]# txt-stat
Intel(r) TXT Configuration Registers:
        STS: 0x00000083
            senter_done: TRUE
            sexit_done: TRUE
            mem_config_lock: FALSE
            private_open: TRUE
            locality_1_open: FALSE
            locality_2_open: FALSE
        ESTS: 0x00
            txt_reset: FALSE
        E2STS: 0x0000000000000004
            secrets: FALSE
        ERRORCODE: 0x00000000
        DIDVID: 0x00000001b0068086
            vendor_id: 0x8086
            device_id: 0xb006
            revision_id: 0x1
        FSBIF: 0xffffffffffffffff
        QPIIF: 0x000000009d003000
        SINIT.BASE: 0x00000000
        SINIT.SIZE: 0B (0x0)
        HEAP.BASE: 0x00000000
        HEAP.SIZE: 0B (0x0)
        DPR: 0x0000000000000000
            lock: FALSE
            top: 0x00000000
            size: 0MB (0B)
        PUBLIC.KEY:
            2d 67 dd d7 5e f9 33 92 66 a5 6f 27 18 95 55 ae
            77 a2 b0 de 77 42 22 e5 de 24 8d be b8 e3 3d d7

***********************************************************
         TXT measured launch: TRUE
         secrets flag set: FALSE
***********************************************************
TBOOT log:
         max_size=32706
         zip_count=0
         curr_pos=5308
         buf:
TBOOT: *********************** TBOOT ***********************
TBOOT:    2019-11-25 16:00 +0200 1.9.11
TBOOT: *****************************************************
TBOOT: command line: logging=serial,memory
TBOOT: IA32_FEATURE_CONTROL_MSR: 00000005
TBOOT: ERR: CPU does not support SMX
TBOOT: IA32_FEATURE_CONTROL_MSR: 00000005
TBOOT: ERR: CPU does not support SMX
TBOOT: BSP is cpu 0
TBOOT: original e820 map:
TBOOT:  0000000000000000 - 0000000000058000  (1)
TBOOT:  0000000000058000 - 0000000000059000  (2)
TBOOT:  0000000000059000 - 000000000009e000  (1)
TBOOT:  000000000009e000 - 0000000000100000  (2)
TBOOT:  0000000000100000 - 0000000077a3e000  (1)
TBOOT:  0000000077a3e000 - 0000000077a3f000  (4)
TBOOT:  0000000077a3f000 - 0000000077a40000  (2)
TBOOT:  0000000077a40000 - 000000007e6d5000  (1)
TBOOT:  000000007e6d5000 - 000000007eb99000  (2)
TBOOT:  000000007eb99000 - 000000007ebf8000  (3)
TBOOT:  000000007ebf8000 - 000000007ec58000  (4)
TBOOT:  000000007ec58000 - 000000007f72c000  (2)
TBOOT:  000000007f72c000 - 000000007f7fe000  (20)
TBOOT:  000000007f7fe000 - 000000007f7ff000  (1)
TBOOT:  000000007f7ff000 - 0000000080000000  (2)
TBOOT:  00000000e0000000 - 00000000f0000000  (2)
TBOOT:  00000000fe000000 - 00000000fe011000  (2)
TBOOT:  00000000fec00000 - 00000000fec01000  (2)
TBOOT:  00000000fed00000 - 00000000fed01000  (2)
TBOOT:  00000000fee00000 - 00000000fee01000  (2)
TBOOT:  00000000ff000000 - 0000000100000000  (2)
TBOOT:  0000000100000000 - 000000027f000000  (1)
TBOOT: checking if module  is an SINIT for this platform...
TBOOT:   ACM info_table version mismatch (6)
TBOOT: chipset production fused: 1
TBOOT: chipset ids: vendor: 0x8086, device: 0xb006, revision: 0x1
TBOOT: processor family/model/stepping: 0x906e9
TBOOT: platform id: 0xc000000000000
TBOOT:   1 ACM chipset id entries:
TBOOT:       vendor: 0x8086, device: 0xb008, flags: 0x1, revision: 0x1, 
extended: 0x0
TBOOT:   chipset id mismatch
TBOOT: checking if module  is an SINIT for this platform...
TBOOT:   ACM size mismatch: acmod_size=2ae9c02, acm_hdr->size*4=c0c0c0c0
TBOOT: no SINIT AC module found
TBOOT: TXT.SINIT.BASE: 0x0
TBOOT: TXT.SINIT.SIZE: 0x0 (0)
TBOOT: SINIT ACM not provided.
TBOOT: reserving tboot memory log (60000 - 67fff) in e820 table
TBOOT: replaced memory map:
TBOOT:  0000000000000000 - 0000000000058000  (1)
TBOOT:  0000000000058000 - 0000000000059000  (2)
TBOOT:  0000000000059000 - 0000000000060000  (1)
TBOOT:  0000000000060000 - 0000000000068000  (2)
TBOOT:  0000000000068000 - 000000000009e000  (1)
TBOOT:  000000000009e000 - 0000000000100000  (2)
TBOOT:  0000000000100000 - 0000000077a3e000  (1)
TBOOT:  0000000077a3e000 - 0000000077a3f000  (4)
TBOOT:  0000000077a3f000 - 0000000077a40000  (2)
TBOOT:  0000000077a40000 - 000000007e6d5000  (1)
TBOOT:  000000007e6d5000 - 000000007eb99000  (2)
TBOOT:  000000007eb99000 - 000000007ebf8000  (3)
TBOOT:  000000007ebf8000 - 000000007ec58000  (4)
TBOOT:  000000007ec58000 - 000000007f72c000  (2)
TBOOT:  000000007f72c000 - 000000007f7fe000  (20)
TBOOT:  000000007f7fe000 - 000000007f7ff000  (1)
TBOOT:  000000007f7ff000 - 0000000080000000  (2)
TBOOT:  00000000e0000000 - 00000000f0000000  (2)
TBOOT:  00000000fe000000 - 00000000fe011000  (2)
TBOOT:  00000000fec00000 - 00000000fec01000  (2)
TBOOT:  00000000fed00000 - 00000000fed01000  (2)
TBOOT:  00000000fee00000 - 00000000fee01000  (2)
TBOOT:  00000000ff000000 - 0000000100000000  (2)
TBOOT:  0000000100000000 - 000000027f000000  (1)
TBOOT: adjusted e820 map:
TBOOT:  0000000000000000 - 0000000000058000  (1)
TBOOT:  0000000000058000 - 0000000000059000  (2)
TBOOT:  0000000000059000 - 0000000000060000  (1)
TBOOT:  0000000000060000 - 0000000000068000  (2)
TBOOT:  0000000000068000 - 000000000009e000  (1)
TBOOT:  000000000009e000 - 0000000000100000  (2)
TBOOT:  0000000000100000 - 0000000077a3e000  (1)
TBOOT:  0000000077a3e000 - 0000000077a3f000  (4)
TBOOT:  0000000077a3f000 - 0000000077a40000  (2)
TBOOT:  0000000077a40000 - 000000007e6d5000  (1)
TBOOT:  000000007e6d5000 - 000000007eb99000  (2)
TBOOT:  000000007eb99000 - 000000007ebf8000  (3)
TBOOT:  000000007ebf8000 - 000000007ec58000  (4)
TBOOT:  000000007ec58000 - 000000007f72c000  (2)
TBOOT:  000000007f72c000 - 000000007f7fe000  (20)
TBOOT:  000000007f7fe000 - 000000007f7ff000  (1)
TBOOT:  000000007f7ff000 - 0000000080000000  (2)
TBOOT:  00000000e0000000 - 00000000f0000000  (2)
TBOOT:  00000000fe000000 - 00000000fe011000  (2)
TBOOT:  00000000fec00000 - 00000000fec01000  (2)
TBOOT:  00000000fed00000 - 00000000fed01000  (2)
TBOOT:  00000000fee00000 - 00000000fee01000  (2)
TBOOT:  00000000ff000000 - 0000000100000000  (2)
TBOOT:  0000000100000000 - 000000027f000000  (1)
TBOOT: got sinit match on module #2
TBOOT: no LCP module found
TBOOT: ELF magic number is not matched, image is not ELF format.
TBOOT: assuming kernel is Linux format
TBOOT: Initrd from 0x7bbeb000 to 0x7e6d4c02
TBOOT: Kernel (protected mode) from 0x1000000 to 0x1b243f0
TBOOT: Kernel (real mode) from 0x69c00 to 0x6d800
TBOOT: Linux cmdline from 0x72900 to 0x72d00:
TBOOT:  root=UUID=f9f79342-5c5b-445e-ac3a-b4731f57e6e2 ro rootflags=subvol=roo
TBOOT:  t rhgb quiet intel_iommu=on noefi
TBOOT: EFI memmap: memmap base: 0x483b0, memmap size: 0x7b0
TBOOT: EFI memmap: descr size: 0x30, descr version: 0x1
TBOOT: transfering control to kernel @0x1000000...

From what I see in the log, I have no SMX, and my SINIT ACM is bad (I guess).
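The chipset-id comparison in the log above (platform device 0xb006 against an ACM whose only entry lists device 0xb008) is easy to miss between two e820 dumps. The script below is an added example for this thread, not tboot's own tooling: it collects the ERR lines, repeats that comparison from the logged values (vendor and device only, a simplification of tboot's own matching) and lists the SINIT outcome lines, so a captured txt-stat log can be triaged quickly. It assumes the tboot 1.9.11 line formats exactly as they appear above.

```sh
#!/bin/sh
# Triage a tboot log as printed by txt-stat: collect the ERR lines, pull out
# the platform chipset id and the chipset ids listed by each candidate ACM,
# and say whether any ACM entry matches the platform.  That is the comparison
# behind the "chipset id mismatch" line in the log (simplified here to vendor
# and device).  Added example for this thread, not part of tboot.

# $1: log text.  Prints a summary; exit status is 1 if any ERR line was seen
# or no ACM entry matched the platform chipset, else 0.
tboot_log_triage() {
    printf '%s\n' "$1" | awk '
        function bare(s) { sub(/,$/, "", s); return s }   # drop trailing comma
        # "TBOOT: ERR: CPU does not support SMX" (logged twice above; dedup)
        /^TBOOT: ERR:/ {
            msg = substr($0, 13)
            if (!(msg in seen)) { seen[msg] = 1; errs = errs "\n  " msg }
        }
        # "TBOOT: chipset ids: vendor: 0x8086, device: 0xb006, revision: 0x1"
        /^TBOOT: chipset ids:/ { plat_vendor = bare($5); plat_device = bare($7) }
        # "TBOOT:       vendor: 0x8086, device: 0xb008, flags: 0x1, ..."
        /^TBOOT: +vendor:/ {
            acm++
            if (bare($3) == plat_vendor && bare($5) == plat_device) matched++
        }
        /^TBOOT: (got sinit match|no SINIT AC module found|SINIT ACM not provided)/ {
            sinit = sinit "\n  " substr($0, 8)
        }
        END {
            print "errors:" (errs == "" ? " none" : errs)
            print "platform chipset: vendor " plat_vendor " device " plat_device
            print "acm chipset entries: " (acm + 0) ", matching platform: " (matched + 0)
            print "sinit:" (sinit == "" ? " no SINIT lines" : sinit)
            exit (errs != "" || matched + 0 == 0)
        }'
}

# Live use: feed the log section of txt-stat output straight in.
triage_live() {
    tboot_log_triage "$(txt-stat 2>/dev/null | grep '^TBOOT:')"
}
```

A summary with zero matching entries says the ACM file found in the module list does not list this platform's chipset, which is a different failure from the SMX error and worth separating before swapping ACM files around.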

Questions
=========

1. Is there any way to test tboot on hardware that does not support SMX/TXT? Is 
any simulator available?
2. Do I actually need SMX to do a Measured Launch? Or is the presence of the "TXT 
measured launch: TRUE" string in the txt-stat output enough to say that my 
hardware supports it?
3. Is the invalid tboot-generated grub configuration a bug? If so, where should 
I submit it?
4. Am I using the correct SINIT ACM module? Is my resulting txt-stat output the 
expected one for my scenario?

Many thanks! 

References
==========

[1] https://xem.github.io/minix86/manual/intel-x86-and-64-manual-vol2/o_b5573232dd8f1481-1975.html
[2] http://hg.code.sf.net/p/tboot/code/file/tip/README.md
[3] https://software.intel.com/content/www/us/en/develop/articles/intel-trusted-execution-technology.html


_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel