coreboot-kgpe-d16/Documentation/security/intel/txt_ibb.md
Patrick Rudolph fa0ef81d15 Documentation: Add Intel TXT
Change-Id: I9e9606d0e4294ad3552ec3b3b44629f9e732d82b
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33416
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Subrata Banik <subrata.banik@intel.com>
2019-07-19 12:19:19 +00:00

Intel TXT Initial Boot Block

The Initial Boot Block (IBB) consists of one or more files in the CBFS.

Constraints

The IBB must satisfy the following constraints:

  • One IBB must contain the reset vector as well as the [FIT table].
  • The IBB should be as small as possible.
  • The IBBs must not overlap each other.
  • The IBB might overlap with microcode.
  • The IBB must not overlap the BIOS ACM.
  • The IBB size must be a multiple of 16.
  • Either one of the following:
    • The IBB must be able to train the main system memory and clear all secrets.
    • If the IBB cannot train the main system memory, it must verify the code that can train the main system memory and clear all secrets.
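
The layout constraints above can be checked mechanically before an image is flashed. The following is an added example, not coreboot code: struct region, check_ibbs(), the violation bits and all sample addresses are hypothetical, and the caller is assumed to supply the FIT and BIOS ACM regions. The memory-training requirement is a property of the code and is not covered.

```c
/* Added example: lint a flash layout against the IBB constraints above. */
#include <stddef.h>
#include <stdint.h>

#define RESET_VECTOR 0xFFFFFFF0u /* x86 reset vector, 16 bytes below 4 GiB */
struct region { uint32_t base, size; }; /* hypothetical: [base, base + size) */

enum { /* hypothetical violation bits returned by check_ibbs() */
	IBB_BAD_SIZE  = 1 << 0, /* size is zero or not a multiple of 16 */
	IBB_OVERLAP   = 1 << 1, /* two IBBs overlap each other */
	IBB_HITS_ACM  = 1 << 2, /* an IBB overlaps the BIOS ACM */
	IBB_NO_ANCHOR = 1 << 3, /* no single IBB holds reset vector and FIT */
};

static int overlaps(struct region a, struct region b)
{
	uint64_t a_end = (uint64_t)a.base + a.size, b_end = (uint64_t)b.base + b.size;
	return a.base < b_end && b.base < a_end;
}

static int contains(struct region outer, struct region inner)
{
	return inner.base >= outer.base &&
	       (uint64_t)inner.base + inner.size <= (uint64_t)outer.base + outer.size;
}

/* Microcode is deliberately not checked: an IBB is allowed to overlap it. */
unsigned check_ibbs(const struct region *ibb, size_t n, struct region acm, struct region fit)
{
	const struct region vec = { RESET_VECTOR, 16 };
	unsigned bad = IBB_NO_ANCHOR;
	for (size_t i = 0; i < n; i++) {
		if (ibb[i].size == 0 || ibb[i].size % 16)
			bad |= IBB_BAD_SIZE;
		if (overlaps(ibb[i], acm))
			bad |= IBB_HITS_ACM;
		if (contains(ibb[i], vec) && contains(ibb[i], fit))
			bad &= ~IBB_NO_ANCHOR;
		for (size_t j = i + 1; j < n; j++)
			if (overlaps(ibb[i], ibb[j]))
				bad |= IBB_OVERLAP;
	}
	return bad;
}

/* Constructed sample layout; all addresses are made up for illustration. */
const struct region sample_acm = { 0xFFF80000u, 0x10000 };
const struct region sample_fit = { 0xFFFFFE00u, 0x80 };
const struct region sample_ibbs[2] = { { 0xFFFF0000u, 0x8000 }, { 0xFFFFC000u, 0x4000 } };
```

A return value of 0 means the layout satisfies every constraint the function checks; any other value is a bitmask of the violations found.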

Identification

To add the IBBs to the FIT, all CBFS files are added using cbfstool with the --ibb flag set. The flag sets the CBFS file attribute tag to LE ' IBB'.

The make system in turn adds all those files to the FIT as type 7.

Intel TXT measurements

Each IBB is measured and extended into PCR0 by Intel TXT, before the CPU reset vector is executed. The IBBs are measured in the order they are listed in the FIT.

FIT schematic