Trusted Boot

Trusted Boot, specifically Intel Trusted Execution Technology (TXT) is Intel's implementation of the Dynamic Root of Trust. This technology can be used and enabled on Gentoo Linux.

Trusted Platform Module
This is the hardware (or, especially on newer computers, firmware) that can store measurements, data, as well as decrypt and sign data. The TPM is limited in power and storage - it can only handle small of data (keys, counters, bitmaps), a has small amount for NVRAM (around 16k is typical), and is slow - TPM operations have a noticeable delay.

Platform Configuration Registers (PCR)
Measurement are stored here. There are 24 PCRs, some of which are reserved. They can't be written to in the standard sense, instead, they are "extended", under the following formula:

H is a secure hash function like SHA-1 or SHA-256, || is the concatenation operator (not logical OR). This operation is neither communicative nor associative. The only way to get a PCR to particular value to measure the same data in the same order as originally.

Static Root of Trust
Under the Static Root of Trust, the first program run on the PC is core root of trust measurement (or CRTM). It then measures the BIOS and extends PCR0 with its contents (Note: Any identifying information, like serial numbers, asset tags, etc are omitted from the data measured. This a group of identical devices configured identically with have the same PCR values). The BIOS then measure other data and extends the appropriate PCRs. Then it invokes bootloader (which may, in turn, extend PCRs as well) and load the operating system. The trust of the system depends on each component above it.

Dynamic Root of Trust
Under the Dynamic Root of Trust, everything starts out the same as the Static Root of Trust. However, after the operating system is chosen but before its loaded, a special program is loaded. A special program - called the Authenticated Code Module (ACM) is loaded. This program acts as a "scout", verifying the various firmware an creating a secure enclave (in processors that support SGX, that is used, if it doesn't it does so through an unspecified mechanism). If everything checks and and the area is secure, it resets PCRs 17-23 (something only this code is allowed to do - in TPM terms Locality 4 is used, and proceeds with the step

TXT Errors
TXT does not deal with mismatches or errors gracefully. If an error occurs any time during the TXT process, (until tboot gains control) a TXT Abort is executed. The does a soft restart of the computer. Fortunately, the TXT error register is NOT cleared upon a soft reboot, so its possible to retrieve the last TXT error and decode it.

Measured Launch Elements
TXT works with a special structure that consists of Measured Launch Elements. There are 5 elements: mle (Measured Launch Environment), pcr (Platform Control Register), custom (can be anything, but in this case is tboot-private data to set up the Verified Launch), sbios, and stm (SMI Transfer Monitor) but only the first 3 of them will be used. The other 2 elements are not useful in defining a Platform Owner policy. sbios only has an effect in the Platform Suppier policy, and stm element does not exist in production.

Kernel Config
The important kernel options are:

BIOS/UEFI Config
The wording will vary,but at least hardware virtualization, Intel VT-d, Intel TXT. For TPM 1.2 the TPM needs to be enabled and active. CSM support must also be enabled, due the way is implemented.

Installation of tboot
Installing tboot is simple:

Note that does not have stable keywords, so please see Knowledge Base:Accepting a keyword for a single package.

Downloading the Authenticated Code Mode (ACM)
Download the appropriate ACM if its not already BIOS (no harm if it is, the newest version is automatically used). The official URL is https://www.intel.com/content/www/us/en/developer/articles/tool/intel-trusted-execution-technology.html. TXT-supporting processors not listed at that site have the ACM built into the BIOS. Extract the ACM from archive and extract into /boot. Note the name of the module is important so the grub scripts can find it.

Run txt-stat
If the bottom says "TXT measured launch: TRUE" it worked. If it does not, sure the ACM is correct for the processor, that it is named properly, and is in /boot.

Create /etc/defaults/grub-tboot
Optional, but we'll need it later:

One change is recommend making is this:

The addition of  changes the way PCR are filled. PCR 17 is extended with the details, and PCR 18 is extended with the authorities. Because the authorities rarely change, PCR 18 will be more stable and easier to seal under, whereas any configuration change will change PCR 17. Additionally old (legacy) way no longer supported by Intel.

Install and start needed utilities and service
Enable tscd (OpenRC)

Enable tcsd (systemd)

Take ownership of the TPM (to set an owner password, which should really be done, leave off the -y . The SRK MUST NOT have password, or tboot will hang on suspend,so -z must remain To change the owner password later:

Setting the Launch Control Policy
Now here be dragons. There a lot of "magic numbers" beyond this point. Some will typed in blindly, without knowing what they means, others looked up in a table, and other guessed

First, lets create workspace for out output files. They'll be quite a few.

Step 1: Measuring tboot and the tboot command line
First, we have to take a hash of the tboot command line and the tboot binary. By, default the options  are passed to tboot

This defines the first Measured Launch Element. The is a requirement of tboot.

Step 2: Measure PCR (optional)
Just like objects in the TPM, boot can "locked" certain PCR values. If the PCR values do not match, TXT will abort. It is recommend to protect at least PCR0, to protect against BIOS corruption attacks

Its possible to specify multiple PCRs

Step 3: Create Verified Launch Policy.
There is where tboot comes into play. The other 4 MLE types are parsed by the ACM, now tboot gets control and processes its elements. First to create an empty verified launch policy.

Note that on a production machine one of the other types should be used, but for development purposes this is fine.

Now to tell tboot about the kernel and initramfs to be verified. Remember, that the tboot grub scripts will append  to the kernel command line. Unfortunately tboot can verify a single kernel, thus its not possible to pick from multiple kernels.

The verified launch policy needs to be wrapped inside an element:

Step 4: Create a TXT policy with the created elements
The elements needs to be combined into a list:

The is required here for TPM 1.2. This creates an unsigned list. Signed lists are preferred, otherwise, every time the policy is updated, the NVRAM of the TPM needs to be written to with the new hash of the list. With signed lists, a hash of the key is used instead of the list itself, thus only requiring the initial write. So create a keypair:

Keep these keys secure, ideally there would be a password on them and maybe they'd be stored in HSM (Hardware Security Module), but for now, this is suitable for a development platform.

Now sign the list:

Create the objects to be passed to tboot and written to the TPM:

MUST be specified (otherwise, it spits out ) but its value depends on the CPU and BIOS. Its another "magic number" that requires some guessing. On the machine this was tested on (Ivy Bridge CPU), both 2.3 and 2.4 worked. Older versions resulted in a TXT abort.

Step 5: Write to TPM and setup Verified Launch
2 indexes must be defined in the TPM. This only needs to be done once.

More magi numbers. tboot stores the last TXT error at. Defining it is optional but helpful. is where TXT is going to look for the Platform Owner policy list. It is required.

Once done, the policy needs to be written to the TPM. If using signed lists, this only needs to be done once (unless the key is changed)

Completing GRUB configuration
Copy list.data to boot. Note that contents of this file will change any time a policy changes.

Edit And finally, update the grub config file

Reboot the computer and choose the tboot option in GRUB, then pick the kernel for verified launch. If it works, the computer should come up normally. If it fails, a TXT Abort will likely occur, in which case, see below.

PCRs 17-20 should be populated from tboot.

The exact values will vary from system to system, of course. To seal some data using the SRK against PCR18 (make sure there's a backup)

Setup tboot - TPM 2.0
TODO (Don't have the hardware)

Diagnosing failure with txt-parse_err
If a TXT Abort occurs, fear not. Start the kernel without TXT. The error will be preserved across a reboot (but not a hard poweroff). Run the following: The archive that the ACM was extracted from contains a list of error code, of which this partially decodes. "Progress" corresponds to the "Class Code", "Error" corresponds to the "Major Code", the "Minor Code" isn't decoded, but in this case its 0xb. That corresponds to "Invalid list version." This particular example was caused by the wrong list version (0x200 instead of 0x100).

Reboot and hangs
Reboot is how TXT deals with errors. See above for getting the error code. Sometimes it'll hang. That usually means doesn't reflect the current configuration - this will often happen after a configuration change. The last steps are to run  and copy the resulting file into /boot.