> From: Atanas Filyanov [mailto:[email protected]] > Sent: Monday, April 06, 2009 8:21 AM > > Cihula, Joseph wrote: > >> From: Atanas Filyanov [mailto:[email protected]] > >> Sent: Wednesday, March 25, 2009 1:52 PM > >> > >> Hi all, > >> > >> I'm currently doing some experiments with dynamic root of trust. From > >> the tboot boot log I can see that the SENTER instruction is executed and > >> the PCRs 17 and above are set to 0 and that PCRs 17 and 18 are extended. > >> My question, if somebody could help me, is how to set PCR 17 or any > >> other PCR to 0 from the running system and if I understand correctly the > >> PCR value should change if I boot another XEN domain and should change > >> back to the original value if I shut it down? Or am I mistaken? > >> I'd appriciate any help. > >> > >> Best, > >> Atanas > >> > > > > The dynamic PCRs (16-23) are only resettable by the establishment of a > > hardware root of > trust (e.g. GETSEC[SENTER]). Xen uses TXT via the tboot module that performs > SENTER at boot > time. The measurements for TXT are those of tboot, Xen, and dom0. So > non-dom0 domains are > not measured as part of the current implementation. Because the SENTER is > performed at boot > time, it will require a hard or soft reboot to re-execute tboot and the > SENTER instruction. > > > > Non- tboot or Xen uses of TXT could invoke SENTER multiple times within a > > single boot (after > performing SEXIT) and the PCRs will be reset each time. > > > > Joe > > > > Hi Joe, > > Thank you very much for the reply. Could you also give some hints about > invoking the SEXIT and SENTER instructions in order to reset the dynamic > PCRs without reboot?
Since SEXIT is going to end the dynamic environment, you need to first make sure that you've protected any data that you do not want compromised. You should also cap the PCRs, close private space, etc. (see tboot code). If what you're looking for is Linux code that launches a TXT environment for a while then shuts it down and then can do it again, you should look at the Flicker project (http://sparrow.ece.cmu.edu/group/flicker.html). It uses a kernel module to invoke and then tear down a small TXT environment. Joe ------------------------------------------------------------------------------ _______________________________________________ tboot-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/tboot-devel
