Hi Oliver
On Thu, 2021-03-18 at 22:29 +0000, Oliver, Dario N wrote:
> So, I need to run with Secure Boot disabled.
TBOOT will not work with Secure Boot, when Secure Boot is enabled, GRUB
has to verify signature of all components that are going to be launched.
As tboot.gz file does not support signing, it is unable to use it with
Secure Boot.
There is an experimental implementation of Secure Boot support in TBOOT,
it is not officially released, but you can look at 2.x branch if you
want to test it by yourself.
> ***********************************************************
> TXT measured launch: TRUE
> secrets flag set: FALSE
> ***********************************************************
> unable to find TBOOT log
>
> From that output, I guessed that I can do a measured launch ("TXT measured
> launch: TRUE"). But I wanted to double check that.
> According to [1], I guessed that I need SMX (Safer Mode Extensions) in my CPU
> to actually do a Measured Launch (although this is not mentioned in any place
> in tboot docs)
> Unfortunately, cpuid say that my hardware does not support SMX:
>
> [root@localhost test]# cpuid | grep SMX
> SMX: safer mode extensions = false
That's a misleading message, "TXT measured launch" should be false, I
guess that because TXT is not available in your platform, txt-stat reads
some garbage from TXT registers space and by mistake interprets that as
"TXT measured launch: TRUE".
If your CPU does not support SMX there is no possibility to do TXT
measured launch.
> Questions
> ========
>
> 1. Any way to test tboot in hardware that does not support SMX/TXT? Any
> simulator available?
It depends what do you want to test. Without TXT you can only do what
you already did - load TBOOT via multiboot2, verify that platform is not
TXT capable and fallback to standard Linux boot.
> 2. Do I actually need SMX to do a Measured Launch? Or is the presence of "TXT
> measured launch: TRUE" string the txt-stat enough to say that my hardware
> supports it?
In general, you can measure Linux during boot process without SMX,
however the idea of TBOOT is to use TXT to do a measured launch and TXT
requires SMX. No SMX -> no TXT -> TBOOT will not measure anything.
As I point earlier, this message is misleading, your hardware does not
support TXT because "TBOOT: ERR: CPU does not support SMX".
> 3. Is the invalid tboot generated grub configuration a bug? If so, where
> should I submit it?
Looks like a bug, I will take care of it.
> 4. Am I using the correct SINIT ACM module? Is my resulting txt-stat output
> the expected one for my scenario?
TBOOT: chipset ids: vendor: 0x8086, device: 0xb006, revision: 0x1
[...]
TBOOT: 1 ACM chipset id entries:
TBOOT: vendor: 0x8086, device: 0xb008, flags: 0x1, revision: 0x1,
extended: 0x0
TBOOT: chipset id mismatch
Provided SINIT does not support your platform, chipset ids do not match.
Nevertheless, it does not change anything, without SMX you can't run
SINIT.
Thanks,
Lukasz
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
