Trusted Boot

Trusted Boot, specifically Intel Trusted Execution Technology (TXT) is Intel's implementation of the Dynamic Root of Trust. This technology can be used and enabled on Gentoo Linux.

Trusted Platform Module
This is the hardware (or, especially on newer computers, firmware) that case store measurements, data, as well as decrypt and sign data. The TPM is very limited in power in storage - it can only handle small of data (keys, counters, bitmaps), has a very limited amount of stored (around 16k) and it very slow - its not unusual for key generate to take a minute.

Platform Configuration Register (PCR)
Measurement are stored here. There are 24 PCRs, some of which are reserved. They can't be written to in the standard sense, instead, they are "extended", under the following formula:

H is a secure hash function like SHA-1 or SHA-256, || is the concatenation operator (not logical OR). This operation is neither communicative nor associative. The only way to get a PCR to particular value to measure the data data in the same order as it was originally done

Static Root of Trust
Under the Static Root of Trust, the first program run on the PC is core root of trust measurement (or CRTM). It then measures the BIOS and extends PCR0 with its contents (Note: Any identifying information, like serial numbers, asset tags, etc are omitted from the data measured. This a group of identical devices configured identically with have the same PCR values). The BIOS then measure other data and extends the appropriate PCRs. Then it invokes bootloader (which may, in turn, extend PCRs as well) and load the operating system. The trust of the system depends on each component above it.

Dynamic Root of Trust
Under the Dynamic Root of Trust, everything starts out the same as the Static Root of Trust. However, after the operating system is chosen but before its loaded, a special program is loaded. A special program - called the Authenticated Code Module (ACM) is loaded. This program acts as a "scout", verifying the various firmware an creating a secure enclave (in processors that support SGX, that is used, if it doesn't it does so through an unspecified mechanism). If everything checks and and the area is secure, it resets PCRs 17-23 (something only this code is allowed to do - in TPM terms Locality 4 is used, and proceeds with the step

TXT Errors
XT does not deal with mismatches or errors gracefully. If an error occurs any time during the TXT process, (until tboot gains control) a TXT Abort is executed. The does a soft restart of the computer. Fortunately, the TXT error register is NOT cleared upon a soft reboot, so its possible to retrieve the last TXT error and decode it.

Kernel Config
The important kernel options are:

BIOS/UEFI Config
The wording will vary,but you need to enable at least hardware virtualization, Intel VT-d, Intel TXT. For TPM 1.2 the TPM needs to be enable and active. CSM support must also be enabled, due the way is implemented.

Installation of tboot
Installing tboot is simple:

Note that does not have stable keywords, so please see Knowledge Base:Accepting a keyword for a single package.

Downloading the Authenticated Code Mode (ACM)
You may need to download the appropriate ACM if its not in your BIOS (no harm if it is). The official URL is https://www.intel.com/content/www/us/en/developer/articles/tool/intel-trusted-execution-technology.html. If you processor isn't listed, but supports TXT, then the ACM is probably already present in your BIOS. Extract the ACM from archive and extract into /boot. Note the name of the module is important so the grub scripts can find it.

Run txt-stat
If the bottom says "TXT measured launch: TRUE" it worked. If it does not, sure sure you have the correct ACM, that it is named properly, and is in /boot.

Create /etc/defaults/grub-tboot
Optional, but we'll need it later:

One change is recommend making is this:

The addition of  changes the way PCR are filled. PCR 17 is extended with the details, and PCR 18 is extended with the authorities. Because the authorities rarely change, PCR 18 will be more stable and easier to seal under, whereas any configuration change will change PCR 17. Additionally old (legacy) way no longer supported by Intel.

Install and start needed utilities and service
Enable tscd (OpenRC)

Enable tcsd (systemd)

Take ownership of the TPM (to set an owner password, which should really be done, leave off the -y . The SRK MUST NOT have password, or tboot will hang on suspend,so -z must remain To change the owner password later:

Setting the Launch Control Policy
Now here be dragons. There a lot of "magic numbers" beyond this point. Some will typed in blindly, without knowing what they means, others looked up in a table, and other guessed

First, lets create workspace for out output files. They'll be quite a few.

Step 1: Measuring tboot and the tboot command line
First, we have to take a hash of the tboot command line and the tboot binary. By, default the options  are passed to tboot

This defines the first "Measure Launch Element". There are 5 types of measures launch elements, but only 3 of them will be used. The other 2 - The "sbios" and "stm" element are not useful in defining a Platform Owner policy. The former can only be defined by the Platform Supplier (OEM), there latter (SMI Transfer Monitor) does not exist in production. As far as the, this is a requirement of tboot.

Step 2: Measure PCR (optional)
Just like objects in the TPM, we can "lock" measured boot to certain PCR values. If the PCR values do not match, TXT will abort. It is recommend to protect at least PCR0, to protect against BIOS corruption attacks

TXT only supports one PCR element, but multiple PCRs can be matched in an element. In that case, all must match, or TXT will abort.

Step 3: Create Verified Launch Policy.
There is where tboot comes into play. The other 4 MLE types are parsed by the ACM, now tboot gets control and processes its elements. First to create an empty verified launch policy.

Note that on a production machine you should probably use one of the other types, but for development purposes this is fine.

Now to tell tboot about the kernel and initramfs to be verified. Remember, that the tboot grub scripts will append  to the kernel command line. Unfortunately tboot can verify a single kernel, thus its not possible to pick from multiple kernels.

The verified launch policy needs to be wrapped inside an element:

Step 4: Create a TXT policy with the created elements
The elements needs to be combined into a list:

The is required here for TPM 1.2. This creates an unsigned list. Signed lists are preferred, otherwise, every time the policy is updated, the NVRAM of the TPM needs to be written to with the new hash of the list. With signed lists, a hash of the key is used instead of the list itself, thus only requiring the initial write. So create a keypair:

Keep these keys secure, ideally there would be a password on them and maybe they'd be stored in HSM (Hardware Security Module), but for now, this is suitable for a development platform.

Now sign the list:

Create the objects to be passed to tboot and written to the TPM:

MUST be specified (otherwise, it spits out ) but its value depends on the CPU and BIOS. Its another "magic number" that requires some guessing. On the machine this was tested on (Ivy Bridge CPU), both 2.3 and 2.4 worked. Older versions resulted in a TXT abort.

Step 5: Write to TPM and setup Verified Launch
2 indexes must be defined in the TPM. This only needs to be done once.

More magi numbers. tboot stores the last TXT error at. Defining it is optional but helpful. is where TXT is going to look for the Platform Owner policy list. It is required.

Once done, the policy needs to be written to the TPM. If using signed lists, this only needs to be done once (unless the key is changed)

Completing GRUB configuration
Copy list.data to boot. Note that contents of this file will change any time a policy changes.

Edit And finally, update the grub config file

Reboot the computer and choose the tboot option in GRUB, then pick the kernel for verified launch. If it works, the computer should come up normally. If it fails, a TXT Abort will likely occur, in which case, see below.

PCRs 17-20 should be populated from tboot.

The exact values will vary from system to system, of course. To seal some data using the SRK against PCR18 (make sure there's a backup)

Setup tboot - TPM 2.0
TODO (Don't have the hardware)

Diagnosing failure with txt-parse_err
If a TXT Abort occurs, fear not. Start your kernel without TXT. The error will be preserved across a reboot (but not a hard poweroff). Run the following: The archive that the ACM was extracted from contains a list of error code, of which this partially decodes. "Progress" corresponds to the "Class Code", "Error" corresponds to the "Major Code", the "Minor Code" isn't decoded, but in this case its 0xb. That corresponds to "Invalid list version." This particular example was caused by the wrong list version (0x200 instead of 0x100).

Reboot and hangs
Reboot is how TXT deals with errors. See above for getting the error code. Sometimes it'll hang. That usually means doesn't reflect the current configuration - this will often happen after a configuration change. The last steps are to run