> From: Atanas Filyanov [mailto:[email protected]]
> Sent: Wednesday, March 25, 2009 1:52 PM
>
> Hi all,
>
> I'm currently doing some experiments with dynamic root of trust. From
> the tboot boot log I can see that the SENTER instruction is executed and
> the PCRs 17 and above are set to 0 and that PCRs 17 and 18 are extended.
> My question, if somebody could help me, is how to set PCR 17 or any
> other PCR to 0 from the running system and if I understand correctly the
> PCR value should change if I boot another XEN domain and should change
> back to the original value if I shut it down? Or am I mistaken?
> I'd appreciate any help.
>
> Best,
> Atanas
The dynamic PCRs (16-23) are only resettable by the establishment of a hardware root of trust (e.g. GETSEC[SENTER]). Xen uses TXT via the tboot module that performs SENTER at boot time. The measurements for TXT are those of tboot, Xen, and dom0. So non-dom0 domains are not measured as part of the current implementation.

Because the SENTER is performed at boot time, it will require a hard or soft reboot to re-execute tboot and the SENTER instruction. Non-tboot or Xen uses of TXT could invoke SENTER multiple times within a single boot (after performing SEXIT) and the PCRs will be reset each time.

Joe

tboot-devel mailing list, https://lists.sourceforge.net/lists/listinfo/tboot-devel
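The two points in Joe's reply that answer the original question are that a PCR extend is one-way (a value never "changes back" when something is shut down) and that a reset of a dynamic PCR is only possible through the dynamic launch itself, not from software in the running system. The following toy model, added here as an illustration and not code from tboot, Xen or this thread, makes both visible. It assumes a TPM 1.2-style 20-byte SHA-1 PCR, models the SENTER path as a single "DRTM locality" (4), and applies the reply's simplified rule that all of PCRs 16-23 are resettable only by that path (a real TPM's per-PCR locality table is finer-grained than this); the measured images are constructed byte strings, and the all-ones initial value of the dynamic PCRs before a launch is an assumption of the model.

```python
import hashlib

DIGEST_LEN = 20            # TPM 1.2 PCRs hold one SHA-1 digest
PCR_COUNT = 24
DYNAMIC_PCRS = range(16, 24)
DRTM_LOCALITY = 4          # assumption: stands in for "the GETSEC[SENTER] path"


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


class ToyTpm:
    """Minimal model of PCR reset/extend rules; not a real TPM driver or API."""

    def __init__(self) -> None:
        # Static PCRs 0-15 start at zero. Dynamic PCRs are modelled as all-ones
        # until a dynamic launch zeroes them (assumption), so a boot that never
        # executed SENTER is easy to spot.
        self.pcrs = [
            b"\xff" * DIGEST_LEN if i in DYNAMIC_PCRS else b"\x00" * DIGEST_LEN
            for i in range(PCR_COUNT)
        ]

    def extend(self, index: int, measurement: bytes) -> bytes:
        """TPM_Extend: PCR[i] = SHA-1(PCR[i] || SHA-1(measurement)).

        There is no inverse operation, which is why a PCR cannot 'change back'."""
        self.pcrs[index] = sha1(self.pcrs[index] + sha1(measurement))
        return self.pcrs[index]

    def reset(self, index: int, locality: int) -> None:
        """Zero a PCR; allowed only for dynamic PCRs and only from the DRTM path."""
        if index not in DYNAMIC_PCRS:
            raise PermissionError(f"PCR {index} is static and can never be reset")
        if locality != DRTM_LOCALITY:
            raise PermissionError(f"PCR {index} reset denied at locality {locality}")
        self.pcrs[index] = b"\x00" * DIGEST_LEN

    def senter(self, mle: bytes, post_launch: list) -> None:
        """What the thread describes: SENTER zeroes PCRs 16-23, the launched
        environment (tboot) lands in PCR 17, and what it measures afterwards
        (Xen, dom0) lands in PCR 18. Which component goes to which PCR is a
        simplification for this model."""
        for i in DYNAMIC_PCRS:
            self.reset(i, DRTM_LOCALITY)
        self.extend(17, mle)
        for component in post_launch:
            self.extend(18, component)


# Constructed stand-ins for the real binaries.
TBOOT = b"tboot image (constructed)"
XEN = b"xen.gz (constructed)"
DOM0 = b"dom0 kernel (constructed)"


def boot() -> ToyTpm:
    """One platform boot through tboot: the only event that resets PCR 17/18."""
    tpm = ToyTpm()
    tpm.senter(TBOOT, [XEN, DOM0])
    return tpm


def try_reset_from_os(tpm: ToyTpm, index: int) -> str:
    """What software in a running dom0 (locality 0) gets when it asks for a reset."""
    try:
        tpm.reset(index, locality=0)
        return "reset"
    except PermissionError as exc:
        return str(exc)


if __name__ == "__main__":
    tpm = boot()
    print("PCR17 after boot:", tpm.pcrs[17].hex())
    print("reset PCR17 from dom0:", try_reset_from_os(tpm, 17))
    print("reset PCR0 from dom0:", try_reset_from_os(tpm, 0))
    # Starting or stopping a domU is not measured, so PCR 17/18 stay put;
    # a second launch with identical images reproduces identical values.
    print("same values on reboot:", boot().pcrs[17:19] == tpm.pcrs[17:19])
```

Two things in the output are worth checking against the thread: the reset from locality 0 is refused for PCR 17 (dynamic) and PCR 0 (static) alike, and the only way to get PCR 17 back to its post-boot value is another launch that extends the same measurements in the same order, which matches the reply's "hard or soft reboot" answer.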
