
Phase 1: TrenchBoot Intel TXT and TPM 1.2 support

Past due by over 1 year 0% complete

This is Phase 1 of the TrenchBoot as Anti Evil Maid project, as
outlined in the documentation: https://docs.dasharo.com/projects/trenchboot-aem/
and https://docs.dasharo.com/projects/trenchboot-aem-v2/

  1. Add TPM 1.2 support for Intel TXT in TrenchBoot GRUB2

TrenchBoot support has not yet been implemented and verified with TPM 1.2 on the Intel TXT path.
This requirement ensures that TPM 1.2 is also supported on older Intel hardware with Intel TXT.

  2. Xen Secure Launch - Intel TXT support in Xen for TrenchBoot

Due to the requirements of Intel TXT and how it is utilized, it is impossible to use the Xen boot protocols defined in the UEFI or Multiboot2 specifications. This task aims to create a custom Intel TXT entry point for Xen, which would hand off to the standard Multiboot2 entry point and enable the direct launch of Xen by GRUB via DRTM on Intel hardware. Additionally, there is currently no support for launching Xen with Intel TXT other than through Trusted Boot, so the following has to be ported from Trusted Boot-specific code:

  • constructing MLE header
  • waking up APs
  • restoring MTRRs
  • reserving the TXT memory
  • reenabling SMIs
  • handling TXT shutdown and S3 resume/suspend
  • TPM event log finding

  3. Test the solution on Intel hardware with TPM 1.2 with legacy boot mode