Intel TXT for Jailhouse
13 views
Skip to first unread message
Benjamin Block
Mar 12, 2015, 6:15:51 PM3/12/15
to jailho...@googlegroups.com
Hello jh-dev :)
been a bit quite from me the last 2/3 months. I had to finish up writing my
master's thesis and in that the actual "writing", which turned out quite a bit
more work than anticipated.
During the last 6 months I implemented an integration of Intel TXT for
Jailhouse, that is, with it it is now possible to make a measured launch from
within the kernel module for Jailhouse, measure the image and configuration and
restore the system like previously done (run Linux in the root cell and so forth):
+-------+ Load Jailhouse, +-----+ +-----+ +----+
| | Load Config, | | | | Measure JH, | |
| Linux |------------------>| SMX |-->| ACM |-------------------->| JH |
| | Load Intel ACM | | | | Compare with LCP, | |
+-------+ Load LCP Data +-----+ +-----+ Jump into JH +----+
Start TXT
The most tricky bit about it is: during the step from Linux to SMX, the
processor resets the whole architectural state of every CPU - and disables all
cores but one - on the system and forces us to run JH in 32 Bit unpaged
protected mode upon entry. From there we have to get back into the state JH
wants (64 bit with specific page mappings), and all with only information that
were measured during the measured launch (all the other stuff could be forged).
So that was quit tricky alone, but the whole process of getting TXT to run is
quite the marathon.. you need the program and configure a whole bunch of
processor and IOMMU features in the right way. And the best bit, make a mistake
and SMX/TXT will reset the whole system hard, with only a 32 bit error code that
could maybe tell you what went wrong.
The current patchset can be found here:
http://zlug.org/gitweb/?p=bebl/jailhouse;a=shortlog;h=refs/heads/txt_next
I did my best to make it look as good as possible, but afaik, it will need more
work/optimization. This is also not based on master anymore, because I had to
stop programming in order to get my thesis finished. My problem now is, I don't
have hardware to actually do this (you need a board with TXT support, a CPU with
it and a build-in TPM, and ofc IOMMU and VT). I talked about this with Jan, but
currently it doesn't look like I can afford buying the required hw to continue
this in my freetime.
The only thing I can do without that is refactor the commits better, if that is
desired (basically all the "mangletarget" commits need to be refactored and
better split up and organized). Everything else would required testing and that
I can not do atm :/
Anyway, despite the amount of work it was, I learned quite a bit with this
project and found it very very interesting over all. Its an interesting
technology, and maybe the best we can currently do on x86 in order to prove a
correct system setup (safe the equal on AMD in SVM), but whether it is necessary
for the purpose in JH is not quite clear, maybe there are other, more simple
methods to do something close and which are still good enough for the safety
considerations of JH.
If anybody is interested in the written thesis, write me a short mail (it is in
English, although maybe a bit rough around the edges, I am not natively talking
English). I don't want to spam you with that much binary pdf blob if you don't
want it :)
best regards,
- Benjamin
been a bit quite from me the last 2/3 months. I had to finish up writing my
master's thesis and in that the actual "writing", which turned out quite a bit
more work than anticipated.
During the last 6 months I implemented an integration of Intel TXT for
Jailhouse, that is, with it it is now possible to make a measured launch from
within the kernel module for Jailhouse, measure the image and configuration and
restore the system like previously done (run Linux in the root cell and so forth):
+-------+ Load Jailhouse, +-----+ +-----+ +----+
| | Load Config, | | | | Measure JH, | |
| Linux |------------------>| SMX |-->| ACM |-------------------->| JH |
| | Load Intel ACM | | | | Compare with LCP, | |
+-------+ Load LCP Data +-----+ +-----+ Jump into JH +----+
Start TXT
The most tricky bit about it is: during the step from Linux to SMX, the
processor resets the whole architectural state of every CPU - and disables all
cores but one - on the system and forces us to run JH in 32 Bit unpaged
protected mode upon entry. From there we have to get back into the state JH
wants (64 bit with specific page mappings), and all with only information that
were measured during the measured launch (all the other stuff could be forged).
So that was quit tricky alone, but the whole process of getting TXT to run is
quite the marathon.. you need the program and configure a whole bunch of
processor and IOMMU features in the right way. And the best bit, make a mistake
and SMX/TXT will reset the whole system hard, with only a 32 bit error code that
could maybe tell you what went wrong.
The current patchset can be found here:
http://zlug.org/gitweb/?p=bebl/jailhouse;a=shortlog;h=refs/heads/txt_next
I did my best to make it look as good as possible, but afaik, it will need more
work/optimization. This is also not based on master anymore, because I had to
stop programming in order to get my thesis finished. My problem now is, I don't
have hardware to actually do this (you need a board with TXT support, a CPU with
it and a build-in TPM, and ofc IOMMU and VT). I talked about this with Jan, but
currently it doesn't look like I can afford buying the required hw to continue
this in my freetime.
The only thing I can do without that is refactor the commits better, if that is
desired (basically all the "mangletarget" commits need to be refactored and
better split up and organized). Everything else would required testing and that
I can not do atm :/
Anyway, despite the amount of work it was, I learned quite a bit with this
project and found it very very interesting over all. Its an interesting
technology, and maybe the best we can currently do on x86 in order to prove a
correct system setup (safe the equal on AMD in SVM), but whether it is necessary
for the purpose in JH is not quite clear, maybe there are other, more simple
methods to do something close and which are still good enough for the safety
considerations of JH.
If anybody is interested in the written thesis, write me a short mail (it is in
English, although maybe a bit rough around the edges, I am not natively talking
English). I don't want to spam you with that much binary pdf blob if you don't
want it :)
best regards,
- Benjamin
Valentine Sinitsyn
Mar 13, 2015, 1:26:42 AM3/13/15
to be...@mageta.org, jailho...@googlegroups.com
Hi Benjamin,
On 13.03.2015 03:15, Benjamin Block wrote:
> If anybody is interested in the written thesis, write me a short mail (it is in
> English, although maybe a bit rough around the edges, I am not natively talking
> English). I don't want to spam you with that much binary pdf blob if you don't
> want it :)
Yes, please, written thesis would be great :)
Thanks,
Valentine
On 13.03.2015 03:15, Benjamin Block wrote:
> If anybody is interested in the written thesis, write me a short mail (it is in
> English, although maybe a bit rough around the edges, I am not natively talking
> English). I don't want to spam you with that much binary pdf blob if you don't
> want it :)
Thanks,
Valentine
Jan Kiszka
Mar 13, 2015, 3:11:21 AM3/13/15
to be...@mageta.org, jailho...@googlegroups.com
Hi Benjamin,
Thank you for sharing this - and thank you a lot for your hard work on
this topic! The result is really impressive, even more if one considers
the short time you had to work into all this and the complexity of the
involved components and technologies.
>
> I did my best to make it look as good as possible, but afaik, it will need more
> work/optimization. This is also not based on master anymore, because I had to
> stop programming in order to get my thesis finished. My problem now is, I don't
> have hardware to actually do this (you need a board with TXT support, a CPU with
> it and a build-in TPM, and ofc IOMMU and VT). I talked about this with Jan, but
> currently it doesn't look like I can afford buying the required hw to continue
> this in my freetime.
>
> The only thing I can do without that is refactor the commits better, if that is
> desired (basically all the "mangletarget" commits need to be refactored and
> better split up and organized). Everything else would required testing and that
> I can not do atm :/
>
> Anyway, despite the amount of work it was, I learned quite a bit with this
> project and found it very very interesting over all. Its an interesting
> technology, and maybe the best we can currently do on x86 in order to prove a
> correct system setup (safe the equal on AMD in SVM), but whether it is necessary
> for the purpose in JH is not quite clear, maybe there are other, more simple
> methods to do something close and which are still good enough for the safety
> considerations of JH.
The complexity of TXT and also its lacking transparency may make it hard
to use this as sole argument why the software state we can reach in the
MLE is consistent and correct from a safety point of view. At least that
is my impression of today.
Nevertheless, the approach could play an important role for security use
cases of Jailhouse. For that reason alone, we should try to eventually
integrate your work into upstream as an optional feature. The
refactoring of the driver I started recently could help a bit to keep
code modular and more easily configurable.
Jan
--
Siemens AG, Corporate Technology, CT RTC ITP SES-DE
Corporate Competence Center Embedded Linux
this topic! The result is really impressive, even more if one considers
the short time you had to work into all this and the complexity of the
involved components and technologies.
>
> I did my best to make it look as good as possible, but afaik, it will need more
> work/optimization. This is also not based on master anymore, because I had to
> stop programming in order to get my thesis finished. My problem now is, I don't
> have hardware to actually do this (you need a board with TXT support, a CPU with
> it and a build-in TPM, and ofc IOMMU and VT). I talked about this with Jan, but
> currently it doesn't look like I can afford buying the required hw to continue
> this in my freetime.
>
> The only thing I can do without that is refactor the commits better, if that is
> desired (basically all the "mangletarget" commits need to be refactored and
> better split up and organized). Everything else would required testing and that
> I can not do atm :/
>
> Anyway, despite the amount of work it was, I learned quite a bit with this
> project and found it very very interesting over all. Its an interesting
> technology, and maybe the best we can currently do on x86 in order to prove a
> correct system setup (safe the equal on AMD in SVM), but whether it is necessary
> for the purpose in JH is not quite clear, maybe there are other, more simple
> methods to do something close and which are still good enough for the safety
> considerations of JH.
to use this as sole argument why the software state we can reach in the
MLE is consistent and correct from a safety point of view. At least that
is my impression of today.
Nevertheless, the approach could play an important role for security use
cases of Jailhouse. For that reason alone, we should try to eventually
integrate your work into upstream as an optional feature. The
refactoring of the driver I started recently could help a bit to keep
code modular and more easily configurable.
Jan
--
Siemens AG, Corporate Technology, CT RTC ITP SES-DE
Corporate Competence Center Embedded Linux
Henning Schild
Mar 19, 2015, 7:55:53 AM3/19/15
to Benjamin Block, jailho...@googlegroups.com
On Thu, 12 Mar 2015 23:15:40 +0100
Benjamin Block <be...@mageta.org> wrote:
> The current patchset can be found here:
> http://zlug.org/gitweb/?p=bebl/jailhouse;a=shortlog;h=refs/heads/txt_next
Thanks for sharing this. As far as i know you have been in touch
Benjamin Block <be...@mageta.org> wrote:
> The current patchset can be found here:
> http://zlug.org/gitweb/?p=bebl/jailhouse;a=shortlog;h=refs/heads/txt_next
with other projects that work on Intel TXT. If you have not done that
already, i suggest you share your code with them as well.
Henning
Reply all
Reply to author
Forward
0 new messages