system76 / firmware-open

System76 Open Firmware
Other

Intel Trusted Execution Technology (TXT) support #396

Open DemiMarie opened 1 year ago

DemiMarie commented 1 year ago

This can be used for Dynamic Root of Trust for Measurement and will enable Qubes OS Anti-Evil Maid (AEM) support in the future.

crawfxrd commented 1 year ago

Going beyond this, we probably want to ensure compatibility with Intel Converged Boot Guard and Trusted Execution Technology (CBnT).

9elements has implemented support for both in coreboot.

ilikenwf commented 5 months ago

+1

tlaurion commented 5 months ago

From https://doc.coreboot.org/security/vboot/measured_boot.html#known-limitations

At the moment measuring IBB dynamically and FMAP partitions are not possible but will be added later to the implementation.

Also SoCs making use of VBOOT_RETURN_FROM_VERSTAGE are not able to use the measured boot extension because of platform constraints.

While https://doc.coreboot.org/security/intel/txt_ibb.html

Seems pretty complete, just unsure if coreboot permits configuring the IBB directly from Kconfig options.

What is currently missing from coreboot side? Which platforms and CPU families are the lowest requirements to implement TXT with sinit+acm to measure bootblock as part of IBB with CPU anchored RoT @DemiMarie? We know Haswell was incomplete.

Is that documented somewhere? Was there upstream discussions @pietrushnic?

Past discussion trails on the subject at https://github.com/linuxboot/heads/pull/1172

DemiMarie commented 5 months ago

@tlaurion I’ll leave that question to 3mdeb engineers.

tlaurion commented 5 months ago

@tlaurion I’ll leave that question to 3mdeb engineers.
