Page of 20

HP 2730p - EliteBook - Core 2 Duo 1.86 GHz Manual

Trusted execution technology and tboot implementation.
Hide thumbs

Advertisement

Trusted Execution Technology and
Tboot Implementation
2008 Mobile Platforms
Table of Contents:
Introduction .................................................................................................................................... 1
System Requirements .................................................................................................................. 2
BIOS TXT Settings ............................................................................................................................ 2
Fedora Installation .......................................................................................................................... 2
XEN 3.3.0 Installation ..................................................................................................................... 3
TBOOT Installation .......................................................................................................................... 4
TPM TOOLS 1.3.1 Installation .......................................................................................................... 5
LCP: Define Platform Owner Policy ................................................................................................... 5
Appendix A .................................................................................................................................... 7
Appendix B ................................................................................................................................... 19
For more information .................................................................................................................... 20
Introduction
HP has implemented the Trusted eXecution Technology (TXT), part of Intel's Safer Computing Initiative,
on certain models of 2008 commercial notebooks. The purpose of this document is to provide a step
by step guideline to setup a TXT enabled environment.
The document will cover the following areas:
BIOS settings related to TXT,
Intel's Trusted Execution Technology,
Trusted Boot and
Launch Control Policies
Trusted eXecution Technology (http://www.intel.com/technology/security/), a hardware-based
mechanism that helps to protect against software-based attacks and protects the confidentiality and
integrity of data stored or created on the client PC by means of measured launch and protected
execution. In other words, TXT provides only the launch-time protection, i.e. ensure that the code we
load, is really what we intended to load - secure and not compromised by any virus attacks.
(http://download.intel.com/technology/security/downloads/315168.pdf).
The technology mainly depends on set of hardware extensions to Intel processors and chipsets that
boost the platform with security capabilities. Trusted Platform Module is another important hardware
component. The TPM module is used to store and compare hash values (of launched environment),
which provides much greater security than storing them in software or on the hard disk
 
 
 
 
 
 
 
 
 
 
 
 

Advertisement

   Related Manuals for HP 2730p - EliteBook - Core 2 Duo 1.86 GHz

   Summary of Contents for HP 2730p - EliteBook - Core 2 Duo 1.86 GHz

  • Page 1

    Trusted Execution Technology and Tboot Implementation 2008 Mobile Platforms Table of Contents: Introduction ............................ 1   System Requirements ........................2   BIOS TXT Settings ..........................2   Fedora Installation .......................... 2   XEN 3.3.0 Installation ........................3   TBOOT Installation .......................... 4  ...

  • Page 2: System Requirements

    Trusted boot (Tboot), an open source, pre- kernel/VMM module that uses Intel(R) Trusted Execution Technology (Intel(R) TXT) to perform a measured and verified launch of an OS kernel/VMM (http://sourceforge.net/projects/tboot, http://www.bughost.org/repos.hg/tboot.hg). Launch Control Policy (LCP) is a verification mechanism used to verify the Intel TXT ‘verified launch processes.

  • Page 3

    Don’t install boot loader password or select ‘configure advance boot loader options’. Press <Next> At the next screen, select the time zone and after that choose a password of your choice (the default username is ‘root’). Install All Software packages, 1) office and productivity, 2) Software development, 3) Web Server. Don’t install ‘Additional Fedora Software’.

  • Page 4

    cd .. tar -xzvf xen-3.3.0.tar.gz cd xen-3.3.0 make install-xen make install-tools edit the menu file (/boot/grub/menu.lst) as follows: Before the ‘title’ add: serial --unit=0 --speed=115200 --parity=no --stop=1 terminal --timeout=10 serial console Add an additional grub entry: title Fedora Core (Xen with VTD) root (hd0,0) kernel /xen.gz com1=115200,8n1 vtd=1 console=com1 module /vmlinuz-2.6.18.8-xen root=LABEL=/ ro console=tty0 console=ttyS0, 115200,...

  • Page 5

    cd tboot.hg/txt-test make install (this will create txt-test executable file, run ‘./txt-stat’ to read the serial messages from the memory buffer. Refer Appendix A for the sample tboot serial output). edit the menu.lst to additional grub entry: title Fedora Core (Xen 3.3.0 with TXT) root (hd0,0) kernel /tboot.gz module /xen.gz iommu=required com1=115200,8n1 console=com1...

  • Page 6

    modprobe tpm_tis (in case of FC8 you may have to try ‘/sbin/modprobe tpm_tis’) tcsd (in case of FC8 you may have to try ‘/usr/sbin/tcsd’) tpm_takeownerhip –z (create owner password. In case of FC8 you may have to try ‘/usr/local/sbin/tpm_takeownerhip –z’) Define TPM NV indices for polices: tpmnv_defindex -i owner -p <ownerauth password>...

  • Page 7

    Appendix A Sample Tboot Serial Output (The output may vary depending on the system configuration): Intel(r) TXT Configuration Registers: STS: 0x188d1 senter_done: TRUE sexit_done: FALSE mem_unlock: TRUE mem_config_lock: TRUE private_open: TRUE mem_config_ok: TRUE ESTS: 0x0 txt_reset: FALSE txt_wake_error: FALSE E2STS: 0x200000016 slp_entry_error: FALSE secrets: TRUE block_mem: TRUE...

  • Page 8

    TBOOT: ********************************************* TBOOT: TPM is ready TBOOT: TPM nv_locked: TRUE TBOOT: read verified launch policy (512 bytes) from TPM NV TBOOT: policy: TBOOT: version: 2 policy_type: TB_POLTYPE_CONT_NON_FATAL TBOOT: TBOOT: hash_alg: TB_HALG_SHA1 TBOOT: policy_control: 00000001 (EXTEND_PCR17) num_entries: 3 TBOOT: TBOOT: policy entry[0]: TBOOT: mod_num: 0 TBOOT:...

  • Page 9

    TBOOT: lcp_pd_size: 0x0 (0) TBOOT: num_logical_procs: 2 TBOOT: flags: 0x00000001 TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002 TBOOT: Error: write TPM error: 0x2. TBOOT: CR0 and EFLAGS OK TBOOT: no machine check errors TBOOT: CPU is ready for SENTER TBOOT: checking previous errors on the last boot.

  • Page 10

    TBOOT: capabilities: 0x00000002 TBOOT: rlp_wake_getsec: 0 TBOOT: rlp_wake_monitor: 1 TBOOT: acm_ver: 16 TBOOT: chipset list: TBOOT: count: 1 TBOOT: entry 0: TBOOT: flags: 0x1 TBOOT: vendor_id: 0x8086 TBOOT: device_id: 0x9000 TBOOT: revision_id: 0x3f TBOOT: extended_id: 0x0 TBOOT: file addresses: TBOOT: &_start=01003000 TBOOT: &_end=01033b9c...

  • Page 11

    TBOOT: os_sinit_data (@3aa20154, 5c): TBOOT: version: 4 TBOOT: mle_ptab: 0x1000000 TBOOT: mle_size: 0x16000 (901 12) TBOOT: mle_hdr_base: 0x10e60 TBOOT: vtd_pmr_lo_base: 0x1000000 TBOOT: vtd_pmr_lo_size: 0x200000 TBOOT: vtd_pmr_hi_base: 0x0 TBOOT: vtd_pmr_hi_size: 0x0 TBOOT: lcp_po_base: 0x0 TBOOT: lcp_po_size: 0x0 (0) TBOOT: capabilities: 0x00000002 TBOOT: rlp_wake_getsec: 0 TBOOT:...

  • Page 12

    TBOOT: hash_type: TB_HTYPE_IMAGE TBOOT: num_hashes: 1 TBOOT: hashes[0]: 85 30 2b 7c 37 21 ba 9b 43 d6 1 1 86 d7 05 e5 e9 1 1 ed 5f 77 TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002 TBOOT: Error: write TPM error: 0x2.

  • Page 13

    TBOOT: vtd_pmr_hi_size: 0x0 TBOOT: lcp_po_base: 0x0 TBOOT: lcp_po_size: 0x0 (0) TBOOT: capabilities: 0x00000002 TBOOT: rlp_wake_getsec: 0 TBOOT: rlp_wake_monitor: 1 TBOOT: sinit_mle_data (@3aa201b0, 260): TBOOT: version: 6 TBOOT: bios_acm_id: 80 00 00 00 20 08 05 15 00 00 2a 40 00 00 00 00 ff ff ff ff TBOOT: edx_senter_flags: 0x00000000 TBOOT:...

  • Page 14

    TBOOT: entry[1] sig = HPET @ 0x3a7fb000 TBOOT: entry[2] sig = APIC @ 0x3a7fa000 TBOOT: entry[3] sig = MCFG @ 0x3a7f9000 TBOOT: acpi_table_mcfg @ 3a7f9000, .base_address = e0000000 TBOOT: mtrr_def_type: e = 1, fe = 1, type = 0 TBOOT: mtrrs: TBOOT: base mask...

  • Page 15

    TBOOT: all APs in wait-for-sipi TBOOT: enabling SMIs on BSP TBOOT: set LT.CMD.SECRETS flag TBOOT: opened TPM locality 1 TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002 TBOOT: Error: write TPM error: 0x2. TBOOT: RSDP (v002 HPQOEM) @ 0x000f6910 TBOOT: Seek in XSDT...

  • Page 16

    TBOOT: 00000000fed1c000 - 00000000fed20000 (2) TBOOT: 00000000fee00000 - 00000000fee01000 (2) TBOOT: 00000000ffe80000 - 0000000100000000 (2) TBOOT: verifying module 0 of mbi (1035000 - 1 1 13753) in e820 table (range from 0000000001035000 to 0000000001 1 13754 is in E820_RAM) TBOOT: : succeeded. TBOOT: verifying module 1 of mbi (1 1 14000 - 18461bf) in e820 table (range from 0000000001 1 14000 to 00000000018461c0 is in E820_RAM) TBOOT: : succeeded.

  • Page 17

    TBOOT: 000000003a800000 - 000000003aa00000 (2) TBOOT: 000000003aa00000 - 000000003aa20000 (5) TBOOT: 000000003aa20000 - 000000003ab00000 (5) TBOOT: 000000003ab00000 - 000000003ac00000 (2) TBOOT: 000000003ac00000 - 000000003f000000 (2) TBOOT: 00000000e0000000 - 00000000f0000000 (2) TBOOT: 00000000fec00000 - 00000000fec01000 (2) TBOOT: 00000000fed10000 - 00000000fed14000 (2) TBOOT: 00000000fed18000 - 00000000fed19000 (2) TBOOT:...

  • Page 18

    TBOOT: shutdown_entry32: 0x010030a0 TBOOT: shutdown_entry64: 0x010030f0 TBOOT: shutdown_type: 0 TBOOT: s3_tb_wakeup_entry: 0x0008a000 TBOOT: s3_k_wakeup_entry: 0x00000000 TBOOT: &acpi_sinfo: 0x0101c02c TBOOT: tboot_base: 0x01003000 TBOOT: tboot_size: 0x30b9c TBOOT: g_log: TBOOT: uuid={0xc0192526, 0x6b30, 0x4db4, 0x844c, {0xa3, 0xe9, 0x53, 0xb8, 0x81, 0x74}} TBOOT: max_size=4fe4 TBOOT: curr_pos=43a6 TBOOT: transfering control to xen @0x00100000...

  • Page 19

    Appendix B Procedure to install drivers for Intel Gigabit Ethernet Adapter: Download the drivers from http://voxel.dl.sourceforge.net/sourceforge/e1000/e1000e-0.4.1.7.tar.gz Copy e1000e-0.4.1.7.tar.gz to desktop Open terminal cd Desktop/ rpmbuild –tb e1000e-0.4.1.7.tar.gz tar -xzvf e1000e-0.4.1.7.tar.gz cd e1000e-0.4.1.7/src make install modprobe e1000e insmod /lib/modules/2.6.23.1-42.fc7/kernel/drivers/net/e1000e/e1000e.ko init 6  ...

  • Page 20: For More Information

    Trusted Boot Source http://www.bughost.org/repos.hg/tboot.hg/ © 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services.

Comments to this Manuals

Symbols: 0
Latest comments: