xref: /openbmc/linux/Documentation/arch/x86/intel_txt.rst (revision 1ac731c529cd4d6adbce134754b51ff7d822b145)
=====================
Intel(R) TXT Overview
=====================

Intel's technology for safer computing, Intel(R) Trusted Execution
Technology (Intel(R) TXT), defines platform-level enhancements that
provide the building blocks for creating trusted platforms.

Intel TXT was formerly known by the code name LaGrande Technology (LT).

Intel TXT in Brief:

-  Provides dynamic root of trust for measurement (DRTM)
-  Data protection in case of improper shutdown
-  Measurement and verification of launched environment

Intel TXT is part of the vPro(TM) brand and is also available on some
non-vPro systems.  It is currently available on desktop systems
based on the Q35, X38, Q45, and Q43 Express chipsets (e.g. Dell
Optiplex 755, HP dc7800, etc.) and mobile systems based on the GM45,
PM45, and GS45 Express chipsets.

For more information, see http://www.intel.com/technology/security/.
This site also has a link to the Intel TXT MLE Developers Manual,
which has been updated for the newly released platforms.

Intel TXT has been presented at various events over the past few
years, some of which are:

      - LinuxTAG 2008:
          http://www.linuxtag.org/2008/en/conf/events/vp-donnerstag.html

      - TRUST2008:
          http://www.trust-conference.eu/downloads/Keynote-Speakers/
          3_David-Grawrock_The-Front-Door-of-Trusted-Computing.pdf

      - IDF, Shanghai:
          http://www.prcidf.com.cn/index_en.html

      - IDFs 2006, 2007
          (I'm not sure if/where they are online)

Trusted Boot Project Overview
=============================

Trusted Boot (tboot) is an open source, pre-kernel/VMM module that
uses Intel TXT to perform a measured and verified launch of an OS
kernel/VMM.

It is hosted on SourceForge at http://sourceforge.net/projects/tboot.
The mercurial source repo is available at http://www.bughost.org/
repos.hg/tboot.hg.

Tboot currently supports launching Xen (an open source VMM/hypervisor
with TXT support since v3.2) and now Linux kernels.


Value Proposition for Linux or "Why should you care?"
=====================================================

While there are many products and technologies that attempt to
measure or protect the integrity of a running kernel, they all
assume the kernel is "good" to begin with.  The Integrity
Measurement Architecture (IMA) and Linux Integrity Module interface
are examples of such solutions.

To get trust in the initial kernel without using Intel TXT, a
static root of trust must be used.  This bases trust in BIOS
starting at system reset and requires measurement of all code
executed between system reset through the completion of the kernel
boot as well as data objects used by that code.  In the case of a
Linux kernel, this means all of BIOS, any option ROMs, the
bootloader and the boot config.  In practice, this is a lot of
code/data, much of which is subject to change from boot to boot
(e.g. changing NICs may change option ROMs).  Without reference
hashes, these measurement changes are difficult to assess or
confirm as benign.  This process also does not provide DMA
protection, memory configuration/alias checks and locks, crash
protection, or policy support.

By using the hardware-based root of trust that Intel TXT provides,
many of these issues can be mitigated.  Specifically: many
pre-launch components can be removed from the trust chain, DMA
protection is provided to all launched components, a large number
of platform configuration checks are performed and values locked,
protection is provided for any data in the event of an improper
shutdown, and there is support for policy-based execution/verification.
This provides a more stable measurement and a higher assurance of
system configuration and initial state than would be otherwise
possible.  Since the tboot project is open source, source code for
almost all parts of the trust chain is available (excepting SMM and
Intel-provided firmware).

How Does it Work?
=================

-  Tboot is an executable that is launched by the bootloader as
   the "kernel" (the binary the bootloader executes).
-  It performs all of the work necessary to determine if the
   platform supports Intel TXT and, if so, executes the GETSEC[SENTER]
   processor instruction that initiates the dynamic root of trust.

   -  If tboot determines that the system does not support Intel TXT
      or is not configured correctly (e.g. the SINIT AC Module was
      incorrect), it will directly launch the kernel with no changes
      to any state.
   -  Tboot will output various information about its progress to the
      terminal, serial port, and/or an in-memory log; the output
      locations can be configured with a command line switch.

-  The GETSEC[SENTER] instruction will return control to tboot and
   tboot then verifies certain aspects of the environment (e.g. TPM NV
   lock, e820 table does not have invalid entries, etc.).
-  It will wake the APs from the special sleep state the GETSEC[SENTER]
   instruction had put them in and place them into a wait-for-SIPI
   state.

   -  Because the processors will not respond to an INIT or SIPI when
      in the TXT environment, it is necessary to create a small VT-x
      guest for the APs.  When they run in this guest, they will
      simply wait for the INIT-SIPI-SIPI sequence, which will cause
      VMEXITs, and then disable VT and jump to the SIPI vector.  This
      approach seemed like a better choice than having to insert
      special code into the kernel's MP wakeup sequence.

-  Tboot then applies an (optional) user-defined launch policy to
   verify the kernel and initrd.

   -  This policy is rooted in TPM NV and is described in the tboot
      project.  The tboot project also contains code for tools to
      create and provision the policy.
   -  Policies are completely under user control and if not present
      then any kernel will be launched.
   -  Policy action is flexible and can include halting on failures
      or simply logging them and continuing.

-  Tboot adjusts the e820 table provided by the bootloader to reserve
   its own location in memory as well as to reserve certain other
   TXT-related regions.
-  As part of its launch, tboot DMA protects all of RAM (using the
   VT-d PMRs).  Thus, the kernel must be booted with 'intel_iommu=on'
   in order to remove this blanket protection and use VT-d's
   page-level protection.
-  Tboot will populate a shared page with some data about itself and
   pass this to the Linux kernel as it transfers control.

   -  The location of the shared page is passed via the boot_params
      struct as a physical address.

-  The kernel will look for the tboot shared page address and, if it
   exists, map it.
-  As one of the checks/protections provided by TXT, it makes a copy
   of the VT-d DMARs in a DMA-protected region of memory and verifies
   them for correctness.  The VT-d code will detect if the kernel was
   launched with tboot and use this copy instead of the one in the
   ACPI table.
-  At this point, tboot and TXT are out of the picture until a
   shutdown (S<n>).
-  In order to put a system into any of the sleep states after a TXT
   launch, TXT must first be exited.  This is to prevent attacks that
   attempt to crash the system to gain control on reboot and steal
   data left in memory.

   -  The kernel will perform all of its sleep preparation and
      populate the shared page with the ACPI data needed to put the
      platform in the desired sleep state.
   -  Then the kernel jumps into tboot via the vector specified in the
      shared page.
   -  Tboot will clean up the environment and disable TXT, then use the
      kernel-provided ACPI information to actually place the platform
      into the desired sleep state.
   -  In the case of S3, tboot will also register itself as the resume
      vector.  This is necessary because it must re-establish the
      measured environment upon resume.  Once the TXT environment
      has been restored, it will restore the TPM PCRs and then
      transfer control back to the kernel's S3 resume vector.
      In order to preserve system integrity across S3, the kernel
      provides tboot with a set of memory ranges (RAM and RESERVED_KERN
      in the e820 table, but not any memory that BIOS might alter over
      the S3 transition) that tboot will calculate a MAC (message
      authentication code) over and then seal with the TPM. On resume
      and once the measured environment has been re-established, tboot
      will re-calculate the MAC and verify it against the sealed value.
      Tboot's policy determines what happens if the verification fails.
      Note that tboot c/s (changeset) 194, which contains the new MAC
      code, supports this.

That's pretty much it for TXT support.


Configuring the System
======================

This code works with 32-bit, 32-bit PAE, and 64-bit (x86_64) kernels.

In BIOS, the user must enable:  TPM, TXT, VT-x, VT-d.  Not all BIOSes
allow these to be individually enabled/disabled and the screens in
which to find them are BIOS-specific.

grub.conf needs to be modified as follows::

        title Linux 2.6.29-tip w/ tboot
          root (hd0,0)
                kernel /tboot.gz logging=serial,vga,memory
                module /vmlinuz-2.6.29-tip intel_iommu=on ro
                       root=LABEL=/ rhgb console=ttyS0,115200 3
                module /initrd-2.6.29-tip.img
                module /Q35_SINIT_17.BIN

The kernel option for enabling Intel TXT support is found under the
Security top-level menu and is called "Enable Intel(R) Trusted
Execution Technology (TXT)".  It is considered EXPERIMENTAL and
depends on the generic x86 support (to allow maximum flexibility in
kernel build options), since the tboot code will detect whether the
platform actually supports Intel TXT and thus whether any of the
kernel code is executed.

The Q35_SINIT_17.BIN file is what Intel TXT refers to as an
Authenticated Code Module.  It is specific to the chipset in the
system and can also be found on the Trusted Boot site.  It is an
(unencrypted) module signed by Intel that is used as part of the
DRTM process to verify and configure the system.  It is signed
because it operates at a higher privilege level in the system than
any other macrocode and its correct operation is critical to the
establishment of the DRTM.  The process for determining the correct
SINIT ACM for a system is documented in the SINIT-guide.txt file
that is on the tboot SourceForge site under the SINIT ACM downloads.
228