On Sep 8, 2014 23:45, Benjamin Block wrote:
> Hello,
> 
> just a short question about some of the more bloody details of Intel 
> TXT. There are 2 specs at the moment - the Intel TXT SDG (May 2014, rev 11) and the 
> Intel 64/IA-32 Arch SDM (June 2014, rev. 51). Both define the state of 
> the platform after SINIT ran and returned control to the user (the MLE).
> Both manuals contradict each other. The Intel TXT SDG even contradicts 
> itself.

The IA SDM and the TXT SDG (MLE DG) define two completely different states: after SENTER 
and after SINIT.

The SDM describes the CPU state after the GETSEC.SENTER *instruction*. This state is in 
effect when the SINIT module gets control, i.e. at the very first SINIT instruction. 
This state is interesting only to the SINIT module developer and is of no 
interest to the MLE developer.

The MLE DG describes the state of the platform after the GETSEC.EXITAC *instruction*. This 
is the state when the SINIT module returns control to the MLE, i.e. at the very first MLE 
instruction. This state is the only one important for the MLE developer, and this 
state is a *convention* which is agreed between the SINIT developer and the MLE 
developer.

> I'd like to know what I should use as reference and reliable information.

So, to write an MLE, we should definitely refer to the MLE DG.

> My problem is, at compile-time I don't know at which address my MLE 
> will be located once it has been loaded. That means, I have to write 
> address-independent code, at least for the boot-strapping. For this I 
> need the value of EIP.
> 
> In the Intel TXT SDG it is specified that the value of EIP will also 
> be written to EBX. In the Instruction Manual EBX contains SINIT.BASE.
> 
> If I don't have access to the EIP through EBX, then I need a good 
> stack to make a call+pop to get the EIP value. Again, in the Intel TXT 
> spec, all segments but CS are "undefined" (also ESP/EBP). In the 
> Instruction Manual these are defined to be values supplied from SINIT 
> (without defining the value of ESP, but with EBP).
> 
> Further, the Intel TXT SDG contradicts itself in the same table. For EBX 
> it lists that it contains the same value as EIP. But further down it 
> writes "SINIT.Base (EBX)", which is not the value of EIP (but which 
> would be correct according to the Instruction Manual).

"SINIT.Base (EBX)" is really a confusing expression. The EBX in it refers to 
the value at the beginning of SINIT, not at the start of the MLE. This confusing 
expression will be corrected in the next revision of the MLE DG.

> So, what am I supposed to use? I need a valid address of my current 
> environment to boot-strap the rest (load GDT, set segment registers, 
> ...).
> 
> I would be very thankful for any concrete information. I only know 
> tboot and flicker as users of txt, where I can read the sources. Tboot 
> knows its place in memory from the start and doesn't need to find out 
> the value of EIP. flicker uses the call+pop idiom, which is not 
> reliable according to both specs (Instruction Manual defines a (sort
> of) valid stack, but doesn't supply a value for ESP).

To simplify the life of the MLE writer, the MMX registers are preserved by SINIT; this is 
also part of the convention. They can be used to pass information from the pre-MLE 
state.

Thanks
Jimmy
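
Putting the two answers above together (EBX carries EIP at MLE entry per the MLE DG, the
stack is not usable until the MLE sets it up, and the MMX registers survive SINIT), the
following is one way to write the entry stub. It is an added example for this thread, not
code from tboot, flicker or Intel. It assumes the post-launch state exactly as read from
the MLE DG in the messages above (32-bit protected mode, paging off, CS usable and flat,
DS/ES/SS/ESP/EBP undefined, EBX == EIP == physical address of the entry point), that the
pre-launch loader patches the GDT descriptor base in the image with the load address before
GETSEC[SENTER] (so the patch is inside what SINIT measures), and that MM0 is preserved as
Jimmy states. The names mle_entry, launch_mle, mle_main, gdt_desc and stack_top are all
hypothetical.

```asm
/* mle_entry.S -- hypothetical MLE entry stub (GNU as, AT&T syntax, 32-bit
 * build: "as --32" / "gcc -m32").  Added example, not tboot/flicker/Intel code.
 *
 * Assumed post-launch state (MLE DG as discussed in this thread):
 *   - CS is usable and flat; DS/ES/SS/ESP/EBP are undefined, so nothing
 *     below writes memory or uses the stack before our own GDT and SS:ESP
 *     are in place (this is why call/pop is avoided);
 *   - EBX == EIP == physical address of mle_entry;
 *   - MM0..MM7 survive SINIT (Jimmy's statement), so the pre-launch side
 *     can hand one register's worth of data through SENTER.
 * Assumed loader step: before GETSEC[SENTER] the loader overwrites the
 * 32-bit base in gdt_desc (offset gdt_desc+2 in the image) with the runtime
 * address of gdt, so the value is covered by SINIT's measurement of the MLE.
 */
        .code32
        .section .text
        .globl  mle_entry
mle_entry:
        cli                             /* IF is expected to be 0 already */

        /* 1. delta = runtime address - link-time address, from EBX only. */
        movl    %ebx, %edi
        subl    $mle_entry, %edi        /* $mle_entry = link-time address */

        /* 2. Load our own GDT.  The descriptor is read through CS (a readable
         *    code segment), displaced by delta; no data segment needed yet. */
        lgdt    %cs:gdt_desc(%edi)

        /* 3. Flat data segments and a stack that lives inside our image. */
        movw    $0x10, %ax              /* data selector in gdt below */
        movw    %ax, %ds
        movw    %ax, %es
        movw    %ax, %ss
        leal    stack_top(%edi), %esp

        /* 4. Reload CS from the new GDT with a runtime-computed target
         *    (a direct ljmp would encode the link-time address). */
        pushl   $0x08                   /* code selector */
        leal    1f(%edi), %eax
        pushl   %eax
        lret
1:
        pushl   $0                      /* known EFLAGS: DF=0, IF=0 */
        popfl

        /* 5. Fetch the value the pre-launch side left in MM0.  MMX needs
         *    CR0.EM=0 and CR0.TS=0; post-launch CR0 is not relied on here. */
        movl    %cr0, %eax
        andl    $0xfffffff3, %eax       /* clear EM (bit 2) and TS (bit 3) */
        movl    %eax, %cr0
        movd    %mm0, %esi              /* register contents are NOT measured
                                         * by SINIT: treat as untrusted input */

        /* 6. void mle_main(uint32_t delta, uint32_t mm0)  (hypothetical C
         *    entry; it must be PIC or relocate itself by delta). */
        pushl   %esi
        pushl   %edi
        call    mle_main
2:      hlt
        jmp     2b

/* Pre-launch side, hypothetical: launch_mle(sinit_base, sinit_size, mm0_value)
 * runs in the loader's environment after every other MLE DG pre-launch step
 * (MLE header, page tables, TXT heap, gdt_desc patch) has been done. */
        .globl  launch_mle
launch_mle:
        movl    12(%esp), %eax
        movd    %eax, %mm0              /* survives SINIT per the convention */
        movl    4(%esp), %ebx           /* physical base of the SINIT ACM */
        movl    8(%esp), %ecx           /* size of the SINIT ACM in bytes */
        movl    $4, %eax                /* GETSEC leaf 4 = SENTER */
        xorl    %edx, %edx              /* EDX must be 0 */
        getsec                          /* on success control resumes at mle_entry */
        ret                             /* only reached if SENTER faulted */

        .section .data                  /* .data, not .bss: must be in the measured image */
        .p2align 3
gdt:
        .quad   0x0000000000000000      /* 0x00 null */
        .quad   0x00cf9a000000ffff      /* 0x08 code: base 0, limit 4G, 32-bit, readable */
        .quad   0x00cf92000000ffff      /* 0x10 data: base 0, limit 4G, writable */
gdt_end:
gdt_desc:
        .word   gdt_end - gdt - 1
        .long   gdt                     /* link-time base; loader patches to gdt + delta */
        .p2align 4
        .space  4096                    /* entry stack */
stack_top:
```

The stub never relies on the SINIT-provided DS/SS/ESP, which is the point of the thread:
the only stack-free source of the runtime address is EBX, and the one memory read it needs
before it has a data segment goes through CS. Everything the loader hands over outside the
measured image (the MM0 value here) must be validated by the MLE before use; only the
patched GDT base is trusted, and only because it sits inside the pages SINIT measures.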



_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
