Intel TXT allows
Intel TXT requirements:
The ACMs are Intel digitally signed modules that contain code to be run before the traditional x86 CPU reset vector.
More details can be found here: Intel ACM.
With Intel TXT the first instruction executed on the BSP isn't the reset vector, but the Intel ACM. It initializes the TPM and measures parts of the firmware, the IBB.
Individual files in the CBFS can be marked as IBB.
More details can be found in the Intel TXT IBB chapter.
The IBBs (Initial Boot Blocks) are measured into TPM's PCR0 by the BIOS ACM before the CPU reset vector is executed. To indentify the regions that need to be measured, the FIT contains one ore multiple Type 7 entries, that point to the IBBs.
After the IBBs have been measured, the ACM decides if the boot firmware is trusted. There exists two validation modes:
At the moment only Autopromotion mode is implemented and tested well.
In the next step the ACM terminates and the regular x86 CPU reset vector is being executed on the BSP.
Intel TXT sets the
Secrets in Memory bit, whenever the launch of the SINIT ACM was successful. The bit is reset when leaving the MLE by a regular shutdown or by removing the CMOS battery.
Secrets in Memory bit is set and the IBB isn't trusted, the memory controller won't be unlocked, resulting in a platform that cannot access DRAM.
Secrets in Memory bit is set and the IBB is trusted, the memory controller will be unlocked, and it's the responsibility of the firmware to clear all DRAM and wipe any secrets of the MLE. The platform will be reset after all DRAM has been wiped and will boot with the
Secrets in Memory bit cleared.
The memory regions used by the SINIT ACM need to be prepared and protected against DMA attacks. The SINIT ACM as well as the SINIT handoff data are placed in memory.
As last step the TXT registers are locked.
Whenever the SINIT ACM is invoked, it verifies that the hardware is in the correct state. If it's not the SINIT ACM will reset the platform.
INTEL_TXT and set the following:
INTEL_TXT_BIOSACM_FILE to the path of the BIOS ACM provided by Intel
INTEL_TXT_SINITACM_FILE to the path of the SINIT ACM provided by Intel
Add platform code to print the TXT status as early as possible, as the register is cleared on cold reset.
More information can be found here: