See below. Thanks. Shane
Anthony Dessiatnikoff wrote: > Thank you for your answer, > > for my second question, maybe I was not clear enough: > I don't understand how the expected hashes values are coming from (it must be > the TPM but it is necessary to save them into it before booting and executing > tboot so I would like to know when these hashes are calculated and what is > the tool used ?) before to be compared with the current value. Yes, the expected hashes are in TPM. They are computed based on MLE image in advance and stored in TPM NV. For when, it is at the time when users think their systems are safe, such as, at the beginning of shipping. Or in most cases, even computed and provisioned by OEM vendors in the factory. For the tool, see lcp_mlehash in folder lcptools. For SINIT, it is signed by Intel. > > about the localities, is it like the ring (0-3) protection system of > processors, how is it implemented ? is any software able to declare itself as > working in locality 4 ? I think it is a bit like ring0~3, which is enforced by hardware. For how to implement or any software in locality 4, I have no idea to my knowledge. But you can refer to TCG spec to find the answers. > > > > > > 2009/7/1 Shane Wang <[email protected]<mailto:[email protected]>> > See my comments below. > > Thanks. > Shane > > Anthony Dessiatnikoff wrote: > Hi everyone, > > I removed -Werror parameter into > config.mk<http://config.mk><http://config.mk> to compile tboot and execute it. > > > I have some questions: > > - How can I retrieve the tboot logs (because during the boot, the display > time is too short to see anything) ? it is apparently not in the dmesg > command or others log files. > If you have serial port, you can connect your test machine running tboot to > another machine with serial line, and see the log in the window of some COM > tool (say I am using Tera Term Pro) > If not, you can set logging=memory in tboot command line in grub.conf and > after booting up, you can see the log by a tool txt-stat, which is in > tboot/txt-test. > > > > - So we hash into PCR 17 and 18 the content of SINIT and MLE but we need to > compare them to the expected values to be sure they are corrects, right ? so > when is this verification ? Because DRTM PCRs are set to zeros after SENTER > instruction, it is necessary to obtain the expected hashes values from > somewhere before performing current hashes of SINIT and MLE and then > comparing them. > Right, we extend them into PCR 17 and PCR 18 respectively. For SINIT, it > should include digital signature, and for MLE, its hash will be compared in > SINIT. > > > > - What is exactly the e820 table ? Why do we need to secure it ? > e820 is a table, which is provided by bios to explain memory layout for > OS/VMM which range can be used, which can't. > Because it is very important and we use it to protect tboot/TXT related > memory itself. We don't want OS/VMM to touch them. > > > > - How the localities are they managed, I mean is it a security concern (so > not possible to pass through a locality to another) or just a way to separate > PCRs use from different softwares (so possible to pass through a locality to > another) ? > It should not be the latter, not only PCRs. Locality is to enable the TPM to > differentiation between commands from different local sources, a bit like > access permission. In TPM v1.2, locality 0 is for normal application; 1 for > trusted application; 2 for trusted OS; 4 for trusted chipset. For more, you > can refer to TCG spec. > > > > Thanks, > > > -- > Anthony D. > > > > > > > -- > Anthony Dessiatnikoff > Master 2 in Computing Security and Cryptology > University of Limoges (FR) > ------------------------------------------------------------------------------ _______________________________________________ tboot-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/tboot-devel
