Hi Oliver On Thu, 2021-03-18 at 22:29 +0000, Oliver, Dario N wrote: > So, I need to run with Secure Boot disabled.
TBOOT will not work with Secure Boot, when Secure Boot is enabled, GRUB has to verify signature of all components that are going to be launched. As tboot.gz file does not support signing, it is unable to use it with Secure Boot. There is an experimental implementation of Secure Boot support in TBOOT, it is not officially released, but you can look at 2.x branch if you want to test it by yourself. > *********************************************************** > TXT measured launch: TRUE > secrets flag set: FALSE > *********************************************************** > unable to find TBOOT log > > From that output, I guessed that I can do a measured launch ("TXT measured > launch: TRUE"). But I wanted to double check that. > According to [1], I guessed that I need SMX (Safer Mode Extensions) in my CPU > to actually do a Measured Launch (although this is not mentioned in any place > in tboot docs) > Unfortunately, cpuid say that my hardware does not support SMX: > > [root@localhost test]# cpuid | grep SMX > SMX: safer mode extensions = false That's a misleading message, "TXT measured launch" should be false, I guess that because TXT is not available in your platform, txt-stat reads some garbage from TXT registers space and by mistake interprets that as "TXT measured launch: TRUE". If your CPU does not support SMX there is no possibility to do TXT measured launch. > Questions > ======== > > 1. Any way to test tboot in hardware that does not support SMX/TXT? Any > simulator available? It depends what do you want to test. Without TXT you can only do what you already did - load TBOOT via multiboot2, verify that platform is not TXT capable and fallback to standard Linux boot. > 2. Do I actually need SMX to do a Measured Launch? Or is the presence of "TXT > measured launch: TRUE" string the txt-stat enough to say that my hardware > supports it? In general, you can measure Linux during boot process without SMX, however the idea of TBOOT is to use TXT to do a measured launch and TXT requires SMX. No SMX -> no TXT -> TBOOT will not measure anything. As I point earlier, this message is misleading, your hardware does not support TXT because "TBOOT: ERR: CPU does not support SMX". > 3. Is the invalid tboot generated grub configuration a bug? If so, where > should I submit it? Looks like a bug, I will take care of it. > 4. Am I using the correct SINIT ACM module? Is my resulting txt-stat output > the expected one for my scenario? TBOOT: chipset ids: vendor: 0x8086, device: 0xb006, revision: 0x1 [...] TBOOT: 1 ACM chipset id entries: TBOOT: vendor: 0x8086, device: 0xb008, flags: 0x1, revision: 0x1, extended: 0x0 TBOOT: chipset id mismatch Provided SINIT does not support your platform, chipset ids do not match. Nevertheless, it does not change anything, without SMX you can't run SINIT. Thanks, Lukasz _______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel