See my comments below.

Thanks.
Shane

Anthony Dessiatnikoff wrote:
> Hi everyone,
> 
> I removed the -Werror parameter in config.mk to compile tboot 
> and execute it.
> 
> I have some questions:
> 
> - How can I retrieve the tboot logs (because during the boot, the display 
> time is too short to see anything)? It is apparently not in the dmesg 
> command or other log files.
If you have a serial port, you can connect your test machine running tboot 
to another machine with a serial line, and see the log in the window of 
some COM tool (say, I am using Tera Term Pro).
If not, you can set logging=memory in the tboot command line in grub.conf 
and, after booting up, you can see the log with the tool txt-stat, which is 
in tboot/txt-test.

> 
> - So we hash into PCR 17 and 18 the content of SINIT and MLE, but we need to 
> compare them to the expected values to be sure they are correct, right? So 
> when is this verification? Because DRTM PCRs are set to zeros after the SENTER 
> instruction, it is necessary to obtain the expected hash values from 
> somewhere before performing the current hashes of SINIT and MLE and then 
> comparing them.
Right, we extend them into PCR 17 and PCR 18 respectively. For SINIT, it 
should include a digital signature, and for MLE, its hash will be compared 
in SINIT.

> 
> - What exactly is the e820 table? Why do we need to secure it?
e820 is a table provided by the BIOS to explain the memory layout to the 
OS/VMM: which ranges can be used and which can't.
It is very important, and we use it to protect the tboot/TXT related 
memory itself. We don't want the OS/VMM to touch it.

> 
> - How are the localities managed? I mean, is it a security concern (so 
> not possible to pass from one locality to another) or just a way to separate 
> PCR use by different software (so possible to pass from one locality to 
> another)?
It should not be the latter, not only PCRs. Locality is to enable the 
TPM to differentiate between commands from different local sources, a 
bit like access permission. In TPM v1.2, locality 0 is for normal 
application; 1 for trusted application; 2 for trusted OS; 4 for trusted 
chipset. For more, you can refer to the TCG spec.

> 
> 
> Thanks,
> 
> 
> --
> Anthony D.
> 
> 


------------------------------------------------------------------------------
_______________________________________________
tboot-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tboot-devel
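
The extend-and-compare idea behind the PCR 17/18 question, as an added example (not code from this thread or from tboot): a TPM 1.2 extend is SHA-1(old PCR || digest), so a verifier can replay known-good digests from the all-zero reset value and compare the result with what the platform reports. The blobs, the two-entry log and all function names are constructed for illustration; the real contents of PCR 17 and 18 are defined by the TXT specification.

```python
import hashlib
import hmac

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA-1(old PCR || measurement digest)."""
    if len(pcr) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR and measurement must both be 20 bytes")
    return hashlib.sha1(pcr + measurement).digest()

def replay(measurements) -> bytes:
    """Recompute a DRTM PCR from its reset value (all zeros) and an ordered log."""
    pcr = bytes(PCR_SIZE)
    for m in measurements:
        pcr = pcr_extend(pcr, m)
    return pcr

def matches_expected(reported_pcr: bytes, known_good) -> bool:
    """Verifier side: compare a reported PCR with the replay of known-good digests."""
    return hmac.compare_digest(reported_pcr, replay(known_good))

def digest(blob: bytes) -> bytes:
    return hashlib.sha1(blob).digest()

# Constructed stand-ins for measured binaries (assumption: two entries per PCR)
GOOD_MLE = b"constructed MLE image, release build"
TAMPERED_MLE = b"constructed MLE image, release build + patch"
SECOND_BLOB = b"constructed second measurement (hypothetical)"

def demo() -> dict:
    known_good = [digest(GOOD_MLE), digest(SECOND_BLOB)]
    clean_boot = replay(known_good)
    tampered_boot = replay([digest(TAMPERED_MLE), digest(SECOND_BLOB)])
    reordered_boot = replay(list(reversed(known_good)))
    return {
        "clean": matches_expected(clean_boot, known_good),
        "tampered": matches_expected(tampered_boot, known_good),
        "reordered": matches_expected(reordered_boot, known_good),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:10s} -> {'match' if ok else 'MISMATCH'}")
```

Because each extend hashes over the previous value, a changed or reordered measurement cannot be corrected by any later extend; only a fresh reset of the PCR starts the chain again.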
