Lines Matching +full:platform +full:- +full:level
6 Technology (Intel(R) TXT), defines platform-level enhancements that
13 - Provides dynamic root of trust for measurement (DRTM)
14 - Data protection in case of improper shutdown
15 - Measurement and verification of launched environment
18 non-vPro systems. It is currently available on desktop systems
30 - LinuxTAG 2008:
31 http://www.linuxtag.org/2008/en/conf/events/vp-donnerstag.html
33 - TRUST2008:
34 http://www.trust-conference.eu/downloads/Keynote-Speakers/
35 3_David-Grawrock_The-Front-Door-of-Trusted-Computing.pdf
37 - IDF, Shanghai:
40 - IDFs 2006, 2007
46 Trusted Boot (tboot) is an open source, pre-kernel/VMM module that
81 By using the hardware-based root of trust that Intel TXT provides,
83 pre-launch components can be removed from the trust chain, DMA
85 of platform configuration checks are performed and values locked,
87 shutdown, and there is support for policy-based execution/verification.
92 Intel-provided firmware).
97 - Tboot is an executable that is launched by the bootloader as
99 - It performs all of the work necessary to determine if the
100 platform supports Intel TXT and, if so, executes the GETSEC[SENTER]
103 - If tboot determines that the system does not support Intel TXT
107 - Tboot will output various information about its progress to the
108 terminal, serial port, and/or an in-memory log; the output
111 - The GETSEC[SENTER] instruction will return control to tboot and
114 - It will wake the APs from the special sleep state the GETSEC[SENTER]
115 instruction had put them in and place them into a wait-for-SIPI
118 - Because the processors will not respond to an INIT or SIPI when
119 in the TXT environment, it is necessary to create a small VT-x
121 simply wait for the INIT-SIPI-SIPI sequence, which will cause
126 - Tboot then applies an (optional) user-defined launch policy to
129 - This policy is rooted in TPM NV and is described in the tboot
132 - Policies are completely under user control and if not present
134 - Policy action is flexible and can include halting on failures
137 - Tboot adjusts the e820 table provided by the bootloader to reserve
139 TXT-related regions.
140 - As part of its launch, tboot DMA protects all of RAM (using the
141 VT-d PMRs). Thus, the kernel must be booted with 'intel_iommu=on'
142 in order to remove this blanket protection and use VT-d's
143 page-level protection.
144 - Tboot will populate a shared page with some data about itself and
147 - The location of the shared page is passed via the boot_params
150 - The kernel will look for the tboot shared page address and, if it
152 - As one of the checks/protections provided by TXT, it makes a copy
153 of the VT-d DMARs in a DMA-protected region of memory and verifies
154 them for correctness. The VT-d code will detect if the kernel was
157 - At this point, tboot and TXT are out of the picture until a
159 - In order to put a system into any of the sleep states after a TXT
164 - The kernel will perform all of its sleep preparation and
166 platform in the desired sleep state.
167 - Then the kernel jumps into tboot via the vector specified in the
169 - Tboot will clean up the environment and disable TXT, then use the
170 kernel-provided ACPI information to actually place the platform
172 - In the case of S3, tboot will also register itself as the resume
173 vector. This is necessary because it must re-establish the
182 and once the measured environment has been re-established, tboot
183 will re-calculate the MAC and verify it against the sealed value.
196 In BIOS, the user must enable: TPM, TXT, VT-x, VT-d. Not all BIOSes
198 which to find them are BIOS-specific.
202 title Linux 2.6.29-tip w/ tboot
205 module /vmlinuz-2.6.29-tip intel_iommu=on ro
207 module /initrd-2.6.29-tip.img
211 Security top-level menu and is called "Enable Intel(R) Trusted
215 platform actually supports Intel TXT and thus whether any of the
223 because it operates at a higher privilege level in the system than
226 SINIT ACM for a system is documented in the SINIT-guide.txt file