[Xense-devel] [PATCH] Intel(R) Trusted Execution Technology support

Attached is a patch that adds Intel(R) Trusted Execution Technology (Intel(R) TXT) support to Xen. Intel(R) TXT was formerly known by the codename LaGrande Technology (LT). This version of the patch adds new functionality and re-structuring to the previous version (which was posted in Aug.).

Intel(R) TXT in Brief:
----------------------
o Provides dynamic root of trust for measurement (DRTM)
o DMA protection (on SDV3/TEP platforms only)
o Data protection in case of improper shutdown
o Verification and enforcement of launched environment

For more information, see http://www.intel.com/technology/security/. This site also has a link to the Intel(R) TXT Preliminary Architecture Specification, which has been updated for the newly released platforms.

Patch Overview:
--------------
The bulk of the TXT code is now hosted at its own SourceForge site, http://sourceforge.net/projects/tboot. This project hosts the code in a mercurial repo at http://tboot.sourceforge.net/hg/tboot.hg and contains tarballs of the source. This site is still very new, so please forgive its incompleteness. Questions on just tboot should be sent to tboot-devel@xxxxxxxxxxxxxxxxxxxxx or posted to the tboot project forum.

This patch is now only the Xen changes necessary to integrate with tboot. The top-level Makefile will 'wget' the tboot source tarball from SourceForge, untar it, and then build. Per feedback on the previous patch, the changes are no longer built conditionally (but the code is only executed if a measured launch was performed).

This patch applies cleanly against c/s 16157:b28ae5f00553.

In addition to this re-structuring, the following additional functionality has been added:
o Support for S3/S4/S5
o Verified Launch. Tboot will extend verification from the MLE (itself, as verified by TXT LCP) to Xen and dom0, using policies similar to the LCP and also stored in TPM NV. These policies can be created and managed by the tb_polgen tool and provisioned into TPM NV using the lcptools.

There is more information about the functionality within the tboot/docs files as well as configuration information and policy instructions. The documentation will be improved and fleshed out over time, so please excuse its current spartan form.

Instructions for Use:
---------------------
o The new tboot module must be added as the 'kernel' in the grub.conf file. The existing 'kernel' entry should follow as a 'module'. The SINIT AC module (available with systems that support TXT) must be added to the grub.conf boot config as the last module, e.g.:

    title Xen 3.1.0 w/ Intel(R) Trusted Execution Technology
        root (hd0,1)
        kernel /tboot.gz
        module /xen.gz no-real-mode dom0_mem=524288 com1=115200,8n1
        module /vmlinuz-2.6.18-xen root=/dev/VolGroup00/LogVol00 ro
        module /initrd-2.6.18-xen.img
        module /BRLK_SINIT_20070910_release.BIN

o Xen's command line must include the 'no-real-mode' option to prevent Xen from reading the e820 table from BIOS. The TXT code makes modifications to the table passed via GRUB that the Xen portions of the code need.

o Progress of the launch process is indicated via debug printk's to COM1 (hardcoded). These appear before the normal "(XEN)" output and are prefixed by "TBOOT:". Though tboot does initialize the COM port, it is best if this is also done by GRUB - grub.conf should have:

    serial --speed=115200 --unit=0
    terminal console serial

Attachment: txt-xen-1026.patch

_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
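The grub.conf layout rules in the posting (tboot as 'kernel', Xen as the first 'module' carrying 'no-real-mode', the SINIT AC module as the last 'module') are easy to get wrong by hand. The checker below is an added example, not part of the patch or of the tboot project; it parses a menu entry and reports each rule that is violated. It assumes the SINIT ACM can be recognised by its '.BIN' suffix, as in the posting's sample entry, and the two entries it checks are constructed for illustration.

```python
"""Sanity-check a grub.conf menu entry for a tboot measured launch.

Added example (not part of the patch or the tboot project). It encodes the
layout rules stated in the posting: 'kernel' must be tboot, the first
'module' must be Xen and carry 'no-real-mode', and the last 'module' must be
the SINIT AC module. Identifying the SINIT ACM by its '.BIN' suffix is an
assumption taken from the posting's example entry.
"""

# Constructed sample entry, shaped like the one in the posting.
GOOD_ENTRY = """\
title Xen 3.1.0 w/ Intel(R) Trusted Execution Technology
    root (hd0,1)
    kernel /tboot.gz
    module /xen.gz no-real-mode dom0_mem=524288 com1=115200,8n1
    module /vmlinuz-2.6.18-xen root=/dev/VolGroup00/LogVol00 ro
    module /initrd-2.6.18-xen.img
    module /BRLK_SINIT_20070910_release.BIN
"""

# Constructed broken entry: tboot is not the kernel, 'no-real-mode' is
# missing, and the SINIT ACM is not the last module.
BAD_ENTRY = """\
title Xen (misconfigured)
    root (hd0,1)
    kernel /xen.gz dom0_mem=524288
    module /tboot.gz
    module /BRLK_SINIT_20070910_release.BIN
    module /vmlinuz-2.6.18-xen root=/dev/VolGroup00/LogVol00 ro
"""


def parse_entry(text):
    """Return (kernel_words, [module_words, ...]) for one menu entry."""
    kernel = None
    modules = []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "kernel":
            kernel = words[1:]
        elif words[0] == "module":
            modules.append(words[1:])
    return kernel, modules


def _basename(path):
    return path.split("/")[-1]


def check_tboot_entry(text):
    """Return a list of problems; an empty list means the entry follows the rules."""
    problems = []
    kernel, modules = parse_entry(text)
    if kernel is None or not _basename(kernel[0]).startswith("tboot"):
        problems.append("'kernel' must be the tboot module")
    if not modules:
        problems.append("no 'module' lines; Xen, dom0 kernel and SINIT ACM are missing")
        return problems
    xen = modules[0]
    if not _basename(xen[0]).startswith("xen"):
        problems.append("first 'module' must be the Xen hypervisor")
    if "no-real-mode" not in xen[1:]:
        problems.append("Xen command line lacks 'no-real-mode'")
    if not modules[-1][0].upper().endswith(".BIN"):
        problems.append("last 'module' must be the SINIT AC module")
    # A SINIT ACM anywhere other than the last position is also wrong.
    for m in modules[:-1]:
        if m[0].upper().endswith(".BIN"):
            problems.append("SINIT AC module must be the last module, not %s" % m[0])
    return problems


if __name__ == "__main__":
    for name, entry in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        probs = check_tboot_entry(entry)
        print(name + ":", "OK" if not probs else "; ".join(probs))
```

Run against the good entry it reports nothing; against the broken one it lists every violated rule, so a boot that never reaches the "TBOOT:" messages on COM1 can be cross-checked against the config before looking elsewhere.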