HP EliteBook 8000 Trusted Execution Technology and Tboot Implementation
to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors
Trusted Execution Technology and Tboot Implementation
2009-2010 p/w Mobile Platforms (Montevina/Calpella)
Table of Contents:
Introduction ........................................ 1
System Requirements ................................. 2
BIOS TXT Settings ................................... 2
Fedora Installation ................................. 2
XEN 3.4.0 Installation .............................. 3
TBOOT Installation .................................. 4
TPM TOOLS 1.3.4 Installation ........................ 5
LCP: Define Platform Owner Policy ................... 5
Appendix A .......................................... 7
For more information ................................ 19
Introduction
HP has implemented the Trusted eXecution Technology (TXT), part of Intel's Safer
Computing Initiative, on certain models of 2009-2010 commercial notebooks. The purpose
of this document is to provide a step-by-step guide to setting up a TXT enabled environment.
The document will cover the following areas:
• BIOS settings related to TXT,
• Intel's Trusted Execution Technology,
• Trusted Boot and
• Launch Control Policies
Trusted eXecution Technology ( ) is a hardware-based mechanism that helps protect
against software-based attacks and protects the confidentiality and integrity of data
stored or created on the client PC by means of measured launch and protected execution.
In other words, TXT provides launch-time protection only: it ensures that the code we
load is really the code we intended to load, and that it has not been compromised by a
virus ( ).
The technology mainly depends on a set of hardware extensions to Intel processors and
chipsets that give the platform additional security capabilities. The Trusted Platform
Module (TPM) is another important hardware component: it is used to store and compare
the hash values of the launched environment, which is far more secure than storing
them in software or on the hard disk.
Trusted Boot (Tboot) is an open source pre-kernel/VMM module that uses Intel(R) Trusted
Execution Technology (Intel(R) TXT) to perform a measured and verified launch of an OS
kernel/VMM (http://sourceforge.net/projects/tboot, ).
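The measured and verified launch described above, as a simplified model added here (not tboot's own code): each boot module is measured with SHA-1, the measurement is extended into a TPM PCR, and it is then compared against the hash list the Launch Control Policy holds for that module. The policy-type names mirror tboot's; the module images, the mod_num-to-PCR mapping and the policy dictionary are constructed for the example, and real tboot policies carry further fields (version, policy control bits, per-entry hash types) that are omitted here.

```python
import hashlib

# Simplified model of tboot's verified launch (added example, not tboot code).
# Policy types mirror tboot's: HALT stops the launch at the first bad module,
# CONT_NON_FATAL keeps booting but reports that verification failed.
TB_POLTYPE_HALT = "TB_POLTYPE_HALT"
TB_POLTYPE_CONT_NON_FATAL = "TB_POLTYPE_CONT_NON_FATAL"

# Dynamic PCRs (17-19) are reset to zero by a successful SENTER, so that is
# the starting value for every extend below.
PCR_RESET = b"\x00" * 20

def measure(image: bytes) -> bytes:
    """Measure a boot module with SHA-1 (tboot's TB_HALG_SHA1)."""
    return hashlib.sha1(image).digest()

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA-1(old PCR || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()

def verified_launch(modules, policy, policy_type):
    """modules: list of (mod_num, image bytes) in boot-loader order.
    policy: dict mod_num -> {"pcr": index, "hashes": [allowed SHA-1 digests]}.
    Returns (all_verified, pcrs) where pcrs maps PCR index -> final value."""
    pcrs = {}
    all_verified = True
    for mod_num, image in modules:
        digest = measure(image)
        entry = policy.get(mod_num)
        if entry is None:
            # A module the policy does not list is a verification failure.
            all_verified = False
            if policy_type == TB_POLTYPE_HALT:
                return False, pcrs
            continue
        # Extend before comparing, so the PCR attests to what actually ran,
        # not to what the policy expected.
        pcr = entry["pcr"]
        pcrs[pcr] = pcr_extend(pcrs.get(pcr, PCR_RESET), digest)
        if digest not in entry["hashes"]:
            all_verified = False
            if policy_type == TB_POLTYPE_HALT:
                return False, pcrs
    return all_verified, pcrs

# Constructed sample: module 0 is the VMM, module 1 the dom0 kernel.
XEN_IMAGE = b"constructed xen-3.4.3.gz image"
KERNEL_IMAGE = b"constructed vmlinuz-2.6.18.8-xen image"
POLICY = {0: {"pcr": 18, "hashes": [measure(XEN_IMAGE)]},
          1: {"pcr": 19, "hashes": [measure(KERNEL_IMAGE)]}}
```

With TB_POLTYPE_HALT a tampered kernel stops the launch after its measurement has already been extended, so the PCR still records the modified image; with TB_POLTYPE_CONT_NON_FATAL the boot continues and only the verification result reports the mismatch.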