Intel DQ35JO + tboot + xen

Trying Intel TXT on a Q35 motherboard.

Update the BIOS to the latest version

As of 2008/1/30, the latest is BIOS Update 0757 [JOQ3510J.86A]

From: http://www.intel.com/products/motherboard/DQ35JO/index.htm

Install Fedora 8

No problem

TPM Driver

# /sbin/modprobe tpm_tis
# dmesg

tpm_tis 00:07: tpm_transmit: tpm_send: error 4294967234

Try like this

# /sbin/modprobe tpm_tis force=1 interrupts=0

Missing BIOS ACPI Table (Eventlog)


TrouSerS

tboot installs TrouSerS too.

tpm-tools

# yum install gettext gettext-devel
# sh bootstrap.sh
# ./configure --prefix=/usr
# make
# make install

Setup the TPM

# /usr/sbin/tcsd
# /usr/sbin/tpm_version
# /usr/sbin/tpm_createek
# /usr/sbin/tpm_takeownership


Xen

# yum install xen kernel-xen

(Somehow X was broken by this; reconfigure X.)

Xen-3.2

http://xen.org/download/docs/xen-3.2.0-0xs.fc8.README.txt

http://xen.org/download/

xen-3.2.0-0xs.fc8.i386.rpm
xen-devel-3.2.0-0xs.fc8.i386.rpm
xen-libs-3.2.0-0xs.fc8.i386.rpm

# rpm -i --force xen*



Xen-unstable (NG: did not work)

# yum install mercurial dev86
# hg clone http://xenbits.xensource.com/xen-unstable.hg
# cd xen-unstable.hg
# make world
# make install
# /sbin/mkinitrd /boot/initrd-2.6.18.8-xen.img 2.6.18.8-xen
No module pata_marvell found for kernel 2.6.18.8-xen, aborting.

vi /etc/modprobe.conf
#alias scsi_hostadapter1 pata_marvell
#alias scsi_hostadapter2 ata_piix
#alias scsi_hostadapter3 ata_generic

# /sbin/chkconfig --add xend
Edit /boot/grub/grub.conf

# reboot

Boot fails at the kernel.
Maybe 2.6.18 is too old for this motherboard.

tboot

Download the source and the SINIT module from
http://sourceforge.net/projects/tboot
then extract the source and run:

# make install

Modify grub.conf

----

title Fedora (2.6.21.7-2.fc8xen) XEN 3.2 w/ TBOOT
root (hd0,4)
kernel /boot/tboot.gz
module /boot/xen.gz-3.2 vtd=1 com1=115200,8n1
module /boot/vmlinuz-2.6.21.7-2.fc8xen ro root=LABEL=/1
module /boot/initrd-2.6.21.7-2.fc8xen.img
module /boot/BRLK_SINIT_20070910_release.BIN

----

Start TSS

# /sbin/modprobe tpm_tis force=1 interrupts=0
# /usr/sbin/tcsd


# lcptools/lcp_mlehash /boot/tboot.gz > mle_hash

# sha1sum /boot/tboot.gz
524ed83445539f1071da91613064f445dfc09307 /boot/tboot.gz

# cat mle_hash
df 7b ac e3 5f a2 3d 23 d4 fe 1a 4a 25 8b 4e 4e b0 c2 64 a4

# lcptools/lcp_crtpol -t hashonly -m mle_hash -o lcp.pol

# hexdump -C lcp.pol
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 df 7b |...............{|
00000010 ac e3 5f a2 3d 23 d4 fe 1a 4a 25 8b 4e 4e b0 c2 |.._.=#...J%.NN..|
00000020 64 a4 |d.|


# tb_polgen/tb_polgen --create --policy_type nonfatal --uuid vmm --hash_type hash --file tcb.pol --cmdline "module /boot/boot/xen.gz-3.2 vtd=1 com1=115200,8n1" /boot/xen.gz-3.2

# tb_polgen/tb_polgen --create --uuid dom0 --hash_type hash --file tcb.pol --cmdline "module /boot/vmlinuz-2.6.21.7-2.fc8xen ro root=LABEL=/1" /boot/vmlinuz-2.6.21.7-2.fc8xen /boot/initrd-2.6.21.7-2.fc8xen.img

# lcptools/tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p TPM-password

# lcptools/tpmnv_defindex -i owner -p TPM-password
# lcptools/tpmnv_defindex -i 0x20000001 -s 512 -pv 0x02 -p TPM-password


# lcptools/lcp_writepol -i owner -f lcp.pol -p TPM-password
Successfully write policy into index 0x40000001

# lcptools/lcp_writepol -i 0x20000001 -f tcb.pol -p TPM-password
Successfully write policy into index 0x20000001

# hexdump -C lcp.pol
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 df 7b |...............{|
00000010 ac e3 5f a2 3d 23 d4 fe 1a 4a 25 8b 4e 4e b0 c2 |.._.=#...J%.NN..|
00000020 64 a4 |d.|
00000022

# hexdump -C tcb.pol
00000000 01 00 00 00 00 00 02 fe 5b 6a 75 0b 5b 33 4d 67 |........[ju.[3Mg|
00000010 b8 d7 83 fb 46 36 bf 00 01 00 00 00 00 01 95 e4 |....F6..........|
00000020 e3 a5 a4 46 a2 ae e7 57 d3 22 dd 29 49 18 d2 ff |...F...W.".)I...|
00000030 b4 d7 00 00 00 00 00 00 00 00 00 00 00 00 9f 90 |................|
00000040 4c 89 14 d6 25 46 2d 8a 45 3b 80 10 ca 8c 00 01 |L...%F-.E;......|
00000050 00 00 00 00 01 be ec 39 36 79 a4 d7 2f ce 6b d6 |.......96y../.k.|
00000060 30 98 67 ee 4c d5 4c f6 95 00 00 00 00 00 00 00 |0.g.L.L.........|
00000070 00 00 00 00 00 |.....|

# sha1sum /boot/*
4411edbcf17de7ff727abfce928175fd3ded1d10 /boot/xen-3.3-unstable.gz
21963bddd0aff83a773c7db47c3a79b292a0085d /boot/vmlinuz-2.6.18.8-xen
0fbc4255062e7fda4bfa5cf3494d89b690a9c690 /boot/initrd-2.6.18.8-xen.img
524ed83445539f1071da91613064f445dfc09307 /boot/tboot.gz

Reboot the system. The serial console output is as follows:

----


TBOOT: mle_start_off=0
TBOOT: mle_end_off=14000
TBOOT: MLE start=1003000, end=1017000, size=14000
TBOOT: ptab_size=3000, ptab_base=01000000
TBOOT: bios_os_data (@7d420008, 10):
TBOOT: version=0
TBOOT: bios_sinit_size=0
TBOOT: SINIT supports os_sinit_data version 3
TBOOT: max_ram=7d200000
TBOOT: no LCP manifest found
TBOOT: os_sinit_data (@7d420138, 58):
TBOOT: version=3
TBOOT: mle_ptab=1000000
TBOOT: mle_size=14000
TBOOT: mle_hdr_base=ec60
TBOOT: vtd_pmr_lo_base=1000000
TBOOT: vtd_pmr_lo_size=200000
TBOOT: vtd_pmr_hi_base=0
TBOOT: vtd_pmr_hi_size=0
TBOOT: lcp_po_base=0
TBOOT: lcp_po_size=0
TBOOT: setting MTRRs for acmod: base=7d400000, size=5f00, num_pages=6
TBOOT: executing GETSEC[SENTER]...

----

Then the system halted :-(