Hello! I recently went over the experience of installing, configuring and running tboot, and I want to document my experience in this thread and ask some questions. My setup consists on the following:
1. Intel NUC8i7HVK 2. Linux Kernel 5.8.15 3. tboot-1.9.11-2.fc33.x86_64 My first step was to figure out if my hardware supports a Measured Launch. For that, I guessed that txt-info would help. The problem is txt-info needs access to /dev/mem, which is forbidden by the Kernel Lockdown functionality, which is turned on by default with my kernel version when Secure Boot is detected. So, txt-info doesn't work unless Kernel Lockdown is disabled. A way of reproduce this is to boot with Secure Boot disabled, run txt-info successfully, enable Kernel Lockdown, and try to run txt-info again: [root@localhost test]# mokutil --sb-state SecureBoot disabled [root@localhost test]# cat /sys/kernel/security/lockdown [none] integrity confidentiality [root@localhost test]# sudo txt-stat Intel(r) TXT Configuration Registers: STS: 0x00000083 .... [root@localhost test]# echo integrity > /sys/kernel/security/lockdown [root@localhost test]# txt-stat ERROR: cannot open /dev/mem So, I need to run with Secure Boot disabled. The output of txt-stat is the following: [root@localhost test]# txt-stat Intel(r) TXT Configuration Registers: STS: 0x00000083 senter_done: TRUE sexit_done: TRUE mem_config_lock: FALSE private_open: TRUE locality_1_open: FALSE locality_2_open: FALSE ESTS: 0x00 txt_reset: FALSE E2STS: 0x0000000000000004 secrets: FALSE ERRORCODE: 0x00000000 DIDVID: 0x00000001b0068086 vendor_id: 0x8086 device_id: 0xb006 revision_id: 0x1 FSBIF: 0xffffffffffffffff QPIIF: 0x000000009d003000 SINIT.BASE: 0x00000000 SINIT.SIZE: 0B (0x0) HEAP.BASE: 0x00000000 HEAP.SIZE: 0B (0x0) DPR: 0x0000000000000000 lock: FALSE top: 0x00000000 size: 0MB (0B) PUBLIC.KEY: 2d 67 dd d7 5e f9 33 92 66 a5 6f 27 18 95 55 ae 77 a2 b0 de 77 42 22 e5 de 24 8d be b8 e3 3d d7 *********************************************************** TXT measured launch: TRUE secrets flag set: FALSE *********************************************************** unable to find TBOOT log >From that output, I guessed that I can do a measured launch ("TXT measured >launch: TRUE"). But I wanted to double check that. According to [1], I guessed that I need SMX (Safer Mode Extensions) in my CPU to actually do a Measured Launch (although this is not mentioned in any place in tboot docs) Unfortunately, cpuid say that my hardware does not support SMX: [root@localhost test]# cpuid | grep SMX SMX: safer mode extensions = false Anyways, the tboot docs say that it will fall-through to a non-TXT boot in the case that it is not supported [2]. So, I just set it up to check what happened. I got my 8th_9th_gen_i5_i7-SINIT_81.zip SINIT ACM module from [3], unzipped it and copy the bin file to /boot, and updated that grub configuration. After the initial boot, I got the error message that multiboot2 and relocator could not be found. So I followed the docs on how to install them. In Fedora they are provided by the grub2-efi-x64-modules package After reboot and selecting tboot in the grub menu, boot failed and got a recovery shell. By inspecting the generated /run/initramfs/rdsosreport.txt, the relevant error message I can see is: systemctl[509]: Failed to switch root: Specified switch root path '/sysroot' does not seems to be an OS tree. os-release file is missing. By this I guess that the generated tboot generated grub configuration is broken. After visual inspection and manual edit of the grub.cfg file, I was able to get a valid configuration (rootflags was missing) [root@localhost fedora]# diff grub.cfg grub.cfg.bak 206c206 < module2 /vmlinuz-5.8.15-301.fc33.x86_64 root=UUID=f9f79342-5c5b-445e-ac3a-b4731f57e6e2 ro rootflags=subvol=root rhgb quiet intel_iommu=on noefi --- > module2 /vmlinuz-5.8.15-301.fc33.x86_64 > root=UUID=f9f79342-5c5b-445e-ac3a-b4731f57e6e2 ro rhgb quiet intel_iommu=on > noefi And after that, I got the following tboot log [root@localhost fedora]# txt-stat Intel(r) TXT Configuration Registers: STS: 0x00000083 senter_done: TRUE sexit_done: TRUE mem_config_lock: FALSE private_open: TRUE locality_1_open: FALSE locality_2_open: FALSE ESTS: 0x00 txt_reset: FALSE E2STS: 0x0000000000000004 secrets: FALSE ERRORCODE: 0x00000000 DIDVID: 0x00000001b0068086 vendor_id: 0x8086 device_id: 0xb006 revision_id: 0x1 FSBIF: 0xffffffffffffffff QPIIF: 0x000000009d003000 SINIT.BASE: 0x00000000 SINIT.SIZE: 0B (0x0) HEAP.BASE: 0x00000000 HEAP.SIZE: 0B (0x0) DPR: 0x0000000000000000 lock: FALSE top: 0x00000000 size: 0MB (0B) PUBLIC.KEY: 2d 67 dd d7 5e f9 33 92 66 a5 6f 27 18 95 55 ae 77 a2 b0 de 77 42 22 e5 de 24 8d be b8 e3 3d d7 *********************************************************** TXT measured launch: TRUE secrets flag set: FALSE *********************************************************** TBOOT log: max_size=32706 zip_count=0 curr_pos=5308 buf: TBOOT: *********************** TBOOT *********************** TBOOT: 2019-11-25 16:00 +0200 1.9.11 TBOOT: ***************************************************** TBOOT: command line: logging=serial,memory TBOOT: IA32_FEATURE_CONTROL_MSR: 00000005 TBOOT: ERR: CPU does not support SMX TBOOT: IA32_FEATURE_CONTROL_MSR: 00000005 TBOOT: ERR: CPU does not support SMX TBOOT: BSP is cpu 0 TBOOT: original e820 map: TBOOT: 0000000000000000 - 0000000000058000 (1) TBOOT: 0000000000058000 - 0000000000059000 (2) TBOOT: 0000000000059000 - 000000000009e000 (1) TBOOT: 000000000009e000 - 0000000000100000 (2) TBOOT: 0000000000100000 - 0000000077a3e000 (1) TBOOT: 0000000077a3e000 - 0000000077a3f000 (4) TBOOT: 0000000077a3f000 - 0000000077a40000 (2) TBOOT: 0000000077a40000 - 000000007e6d5000 (1) TBOOT: 000000007e6d5000 - 000000007eb99000 (2) TBOOT: 000000007eb99000 - 000000007ebf8000 (3) TBOOT: 000000007ebf8000 - 000000007ec58000 (4) TBOOT: 000000007ec58000 - 000000007f72c000 (2) TBOOT: 000000007f72c000 - 000000007f7fe000 (20) TBOOT: 000000007f7fe000 - 000000007f7ff000 (1) TBOOT: 000000007f7ff000 - 0000000080000000 (2) TBOOT: 00000000e0000000 - 00000000f0000000 (2) TBOOT: 00000000fe000000 - 00000000fe011000 (2) TBOOT: 00000000fec00000 - 00000000fec01000 (2) TBOOT: 00000000fed00000 - 00000000fed01000 (2) TBOOT: 00000000fee00000 - 00000000fee01000 (2) TBOOT: 00000000ff000000 - 0000000100000000 (2) TBOOT: 0000000100000000 - 000000027f000000 (1) TBOOT: checking if module is an SINIT for this platform... TBOOT: ACM info_table version mismatch (6) TBOOT: chipset production fused: 1 TBOOT: chipset ids: vendor: 0x8086, device: 0xb006, revision: 0x1 TBOOT: processor family/model/stepping: 0x906e9 TBOOT: platform id: 0xc000000000000 TBOOT: 1 ACM chipset id entries: TBOOT: vendor: 0x8086, device: 0xb008, flags: 0x1, revision: 0x1, extended: 0x0 TBOOT: chipset id mismatch TBOOT: checking if module is an SINIT for this platform... TBOOT: ACM size mismatch: acmod_size=2ae9c02, acm_hdr->size*4=c0c0c0c0 TBOOT: no SINIT AC module found TBOOT: TXT.SINIT.BASE: 0x0 TBOOT: TXT.SINIT.SIZE: 0x0 (0) TBOOT: SINIT ACM not provided. TBOOT: reserving tboot memory log (60000 - 67fff) in e820 table TBOOT: replaced memory map: TBOOT: 0000000000000000 - 0000000000058000 (1) TBOOT: 0000000000058000 - 0000000000059000 (2) TBOOT: 0000000000059000 - 0000000000060000 (1) TBOOT: 0000000000060000 - 0000000000068000 (2) TBOOT: 0000000000068000 - 000000000009e000 (1) TBOOT: 000000000009e000 - 0000000000100000 (2) TBOOT: 0000000000100000 - 0000000077a3e000 (1) TBOOT: 0000000077a3e000 - 0000000077a3f000 (4) TBOOT: 0000000077a3f000 - 0000000077a40000 (2) TBOOT: 0000000077a40000 - 000000007e6d5000 (1) TBOOT: 000000007e6d5000 - 000000007eb99000 (2) TBOOT: 000000007eb99000 - 000000007ebf8000 (3) TBOOT: 000000007ebf8000 - 000000007ec58000 (4) TBOOT: 000000007ec58000 - 000000007f72c000 (2) TBOOT: 000000007f72c000 - 000000007f7fe000 (20) TBOOT: 000000007f7fe000 - 000000007f7ff000 (1) TBOOT: 000000007f7ff000 - 0000000080000000 (2) TBOOT: 00000000e0000000 - 00000000f0000000 (2) TBOOT: 00000000fe000000 - 00000000fe011000 (2) TBOOT: 00000000fec00000 - 00000000fec01000 (2) TBOOT: 00000000fed00000 - 00000000fed01000 (2) TBOOT: 00000000fee00000 - 00000000fee01000 (2) TBOOT: 00000000ff000000 - 0000000100000000 (2) TBOOT: 0000000100000000 - 000000027f000000 (1) TBOOT: adjusted e820 map: TBOOT: 0000000000000000 - 0000000000058000 (1) TBOOT: 0000000000058000 - 0000000000059000 (2) TBOOT: 0000000000059000 - 0000000000060000 (1) TBOOT: 0000000000060000 - 0000000000068000 (2) TBOOT: 0000000000068000 - 000000000009e000 (1) TBOOT: 000000000009e000 - 0000000000100000 (2) TBOOT: 0000000000100000 - 0000000077a3e000 (1) TBOOT: 0000000077a3e000 - 0000000077a3f000 (4) TBOOT: 0000000077a3f000 - 0000000077a40000 (2) TBOOT: 0000000077a40000 - 000000007e6d5000 (1) TBOOT: 000000007e6d5000 - 000000007eb99000 (2) TBOOT: 000000007eb99000 - 000000007ebf8000 (3) TBOOT: 000000007ebf8000 - 000000007ec58000 (4) TBOOT: 000000007ec58000 - 000000007f72c000 (2) TBOOT: 000000007f72c000 - 000000007f7fe000 (20) TBOOT: 000000007f7fe000 - 000000007f7ff000 (1) TBOOT: 000000007f7ff000 - 0000000080000000 (2) TBOOT: 00000000e0000000 - 00000000f0000000 (2) TBOOT: 00000000fe000000 - 00000000fe011000 (2) TBOOT: 00000000fec00000 - 00000000fec01000 (2) TBOOT: 00000000fed00000 - 00000000fed01000 (2) TBOOT: 00000000fee00000 - 00000000fee01000 (2) TBOOT: 00000000ff000000 - 0000000100000000 (2) TBOOT: 0000000100000000 - 000000027f000000 (1) TBOOT: got sinit match on module #2 TBOOT: no LCP module found TBOOT: ELF magic number is not matched, image is not ELF format. TBOOT: assuming kernel is Linux format TBOOT: Initrd from 0x7bbeb000 to 0x7e6d4c02 TBOOT: Kernel (protected mode) from 0x1000000 to 0x1b243f0 TBOOT: Kernel (real mode) from 0x69c00 to 0x6d800 TBOOT: Linux cmdline from 0x72900 to 0x72d00: TBOOT: root=UUID=f9f79342-5c5b-445e-ac3a-b4731f57e6e2 ro rootflags=subvol=roo TBOOT: t rhgb quiet intel_iommu=on noefi TBOOT: EFI memmap: memmap base: 0x483b0, memmap size: 0x7b0 TBOOT: EFI memmap: descr size: 0x30, descr version: 0x1 TBOOT: transfering control to kernel @0x1000000... >From what I see on the log, I have no SMX, and my SINIT ACM is bad (I guess) Questions ======== 1. Any way to test tboot in hardware that does not support SMX/TXT? Any simulator available? 2. Do I actually need SMX to do a Measured Launch? Or is the presence of "TXT measured launch: TRUE" string the txt-stat enough to say that my hardware supports it? 3. Is the invalid tboot generated grub configuration a bug? If so, where should I submit it? 4. Am I using the correct SINIT ACM module? Is my resulting txt-stat output the expected one for my scenario? Many thanks! References ========= [1] https://xem.github.io/minix86/manual/intel-x86-and-64-manual-vol2/o_b5573232dd8f1481-1975.html [2] http://hg.code.sf.net/p/tboot/code/file/tip/README.md [3] https://software.intel.com/content/www/us/en/develop/articles/intel-trusted-execution-technology.html _______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel