JavaScript must be enabled in order for you to see "WP Copy Data Protect" effect. However, it seems JavaScript is either disabled or not supported by your browser. To see full result of "WP Copy Data Protector", enable JavaScript by changing your browser options, then try again.

在RHEL、SLES與VMware下驗證Intel TXT的Function


話說最近剛好為了TXT(Intel Trusted Execution Technology)吵得沸沸揚揚的,所以來記錄一下到底如何在OS下面驗證這個Function,但貌似M$只能透過TPM作硬碟加密而已;主要功能用於硬體的安全機制,透過TPM與加密技術來達到此目的,基本上由Trusted Computing Group所提出的,至於細部的介紹可以參考維基百科說明實作的部分就往下看吧,如下:
1) Check the status about the func of txt(先Enable TPM、VT與VT-d後,再開啟TXT的功能)
TPM Clear under the BIOS.
ServerTXTINFO.efi -c:a -a -v:2 -> Check the value of nvLocked
nvLocked = 1
TPMFactProv_edk2_x64.efi -f DefaultServerTpmProv-AUX3.xml
reset
ServerTXTINFO.efi -c:a -a -v:2
ServerGetSec.efi -l senter
ServerGetSec.efi -l sexit

I.RHEL 6.x
2) 在選擇Packages的地方勾選tboot的套件(Base System->Base->Option)

3) Review the configuration file after OS installation(/boot/grub/grub.conf)
#cat /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/mapper/VolGroup-lv_root
# initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux (2.6.32-431.el6.x86_64)
root (hd0,0)
kernel /tboot.gz logging=vga,serial,memory
module /vmlinuz-2.6.32-431.el6.x86_64 ro root=/dev/mapper/VolGroup-lv_root intel_iommu=on amd_iommu=on rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=VolGroup/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
module /initramfs-2.6.32-431.el6.x86_64.img

II.RHEL 7.x
4) Review the configuration file after OS installation(Need to add the string of tboot in the file of kickstart)
#cat /boot/grub2/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub2-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
set pager=1
if [ -s $prefix/grubenv ]; then
load_env
fi
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true
else
set default="${saved_entry}"
fi
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
else
menuentry_id_option=""
fi
export menuentry_id_option
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
terminal_output console
if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
set timeout=5
fi
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/10_linux ###
menuentry 'Red Hat Enterprise Linux Server, with Linux 3.10.0-123.el7.x86_64' --class red --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-123.el7.x86_64-advanced-53fc412f-a2d0-4db3-b193-9e8e08abe7ad' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_msdos
insmod xfs
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1' 384734b5-f4ef-45ba-a8bc-1145ea3cc666
else
search --no-floppy --fs-uuid --set=root 384734b5-f4ef-45ba-a8bc-1145ea3cc666
fi
linux16 /vmlinuz-3.10.0-123.el7.x86_64 root=UUID=53fc412f-a2d0-4db3-b193-9e8e08abe7ad ro rd.lvm.lv=vg_unsvr/lv_swap vconsole.font=latarcyrheb-sun16 vconsole.keymap=us crashkernel=auto rd.lvm.lv=vg_unsvr/lv_root rhgb quiet LANG=en_US.UTF-8
initrd16 /initramfs-3.10.0-123.el7.x86_64.img
}
menuentry 'Red Hat Enterprise Linux Server, with Linux 0-rescue-cdef1e3723954eee9fdd3dcb4dbc20c5' --class red --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-0-rescue-cdef1e3723954eee9fdd3dcb4dbc20c5-advanced-53fc412f-a2d0-4db3-b193-9e8e08abe7ad' {
load_video
insmod gzio
insmod part_msdos
insmod xfs
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1' 384734b5-f4ef-45ba-a8bc-1145ea3cc666
else
search --no-floppy --fs-uuid --set=root 384734b5-f4ef-45ba-a8bc-1145ea3cc666
fi
linux16 /vmlinuz-0-rescue-cdef1e3723954eee9fdd3dcb4dbc20c5 root=UUID=53fc412f-a2d0-4db3-b193-9e8e08abe7ad ro rd.lvm.lv=vg_unsvr/lv_swap vconsole.font=latarcyrheb-sun16 vconsole.keymap=us crashkernel=auto rd.lvm.lv=vg_unsvr/lv_root rhgb quiet
initrd16 /initramfs-0-rescue-cdef1e3723954eee9fdd3dcb4dbc20c5.img
}
### END /etc/grub.d/10_linux ###
### BEGIN /etc/grub.d/20_linux_tboot ###
submenu "tboot 1.7.0" {
menuentry 'Red Hat Enterprise Linux Server GNU/Linux, with tboot 1.7.0 and Linux 3.10.0-123.el7.x86_64' --class red --class gnu-linux --class gnu --class os --class tboot {
insmod part_msdos
insmod xfs
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1' 384734b5-f4ef-45ba-a8bc-1145ea3cc666
else
search --no-floppy --fs-uuid --set=root 384734b5-f4ef-45ba-a8bc-1145ea3cc666
fi
echo 'Loading tboot 1.7.0 ...'
multiboot /tboot.gz /tboot.gz logging=serial,vga,memory
echo 'Loading Linux 3.10.0-123.el7.x86_64 ...'
module /vmlinuz-3.10.0-123.el7.x86_64 /vmlinuz-3.10.0-123.el7.x86_64 root=UUID=53fc412f-a2d0-4db3-b193-9e8e08abe7ad ro rd.lvm.lv=vg_unsvr/lv_swap vconsole.font=latarcyrheb-sun16 vconsole.keymap=us crashkernel=auto rd.lvm.lv=vg_unsvr/lv_root rhgb quiet intel_iommu=on
echo 'Loading initial ramdisk ...'
module /initramfs-3.10.0-123.el7.x86_64.img /initramfs-3.10.0-123.el7.x86_64.img
}
}
### END /etc/grub.d/20_linux_tboot ###
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###
### BEGIN /etc/grub.d/20_linux_xen_tboot ###
### END /etc/grub.d/20_linux_xen_tboot ###
### BEGIN /etc/grub.d/20_ppc_terminfo ###
### END /etc/grub.d/20_ppc_terminfo ###
### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###
### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###

5) Through the command of txt-stat for checking func
#txt-stat
.....
***********************************************************
TXT measured launch: TRUE
secrets flag set: TRUE
***********************************************************
.....

III.SLES 11.x
6) 在選擇Software的地方搜尋tboot的套件(During OS installation)

7) 修改Grub.conf讓OS開機時會去Load tboot的Module(記得在安裝時額外加上tboot、trustedgrub和tpm-tools的套件)
#vi /boot/grub/menu.list
#Same as /boot/grub/grub.conf
default 0
timeout 8
##YaST - generic_mbr
##YaST - activate
###Don't change this comment - YaST2 identifier: Original name: linux###
title SLES11 SP3 with tboot
root (hd0,1)
kernel /boot/tboot.gz logging=vga,serial,memory
module /boot/vmlinuz-3.0.76-0.11-default root=/dev/disk/by-id/ata-ST9500620NS_9XF1WNKG-part2 resume=/dev/disk/by-id/ata-ST9500620NS_9XF1WNKG-part1 intel_iommu=on
module /boot/initrd-3.0.76-0.11-default
title SUSE Linux Enterprise Server 11 SP3 - 3.0.76-0.11
root (hd0,1)
kernel /boot/vmlinuz-3.0.76-0.11-default root=/dev/disk/by-id/ata-ST9500620NS_9XF1WNKG-part2 resume=/dev/disk/by-id/ata-ST9500620NS_9XF1WNKG-part1 splash=silent crashkernel=256M-:128M showopts vga=0x34a
initrd /boot/initrd-3.0.76-0.11-default

IV.SLES 12.x
8) 在選擇Software的地方搜尋tboot的套件(During OS installation)

9) Review the configuration file after OS installation
#cat /boot/grub2/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub2-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
set btrfs_relative_path="y"
export btrfs_relative_path
if [ -f ${config_directory}/grubenv ]; then
load_env -f ${config_directory}/grubenv
elif [ -s $prefix/grubenv ]; then
load_env
fi
if [ "${env_block}" ] ; then
load_env -f "${env_block}"
fi
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
if [ "${env_block}" ] ; then
save_env -f "${env_block}" next_entry
fi
set boot_once=true
else
set default="${saved_entry}"
fi
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
else
menuentry_id_option=""
fi
export menuentry_id_option
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
if [ x$feature_default_font_path = xy ] ; then
font=unicode
else
insmod part_msdos
insmod btrfs
set root='hd0,msdos2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 --hint='hd0,msdos2' 52a37f2b-9eac-4905-a8fb-98f18814eb3a
else
search --no-floppy --fs-uuid --set=root 52a37f2b-9eac-4905-a8fb-98f18814eb3a
fi
font="/usr/share/grub2/unicode.pf2"
fi
if loadfont $font ; then
set gfxmode=auto
load_video
insmod gfxterm
set locale_dir=$prefix/locale
set lang=en_US
insmod gettext
fi
terminal_output gfxterm
insmod part_msdos
insmod btrfs
set root='hd0,msdos2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 --hint='hd0,msdos2' 52a37f2b-9eac-4905-a8fb-98f18814eb3a
else
search --no-floppy --fs-uuid --set=root 52a37f2b-9eac-4905-a8fb-98f18814eb3a
fi
insmod gfxmenu
loadfont ($root)/boot/grub2/themes/SLE/ascii.pf2
loadfont ($root)/boot/grub2/themes/SLE/DejaVuSans10.pf2
loadfont ($root)/boot/grub2/themes/SLE/DejaVuSans12.pf2
loadfont ($root)/boot/grub2/themes/SLE/DejaVuSans-Bold14.pf2
insmod png
set theme=($root)/boot/grub2/themes/SLE/theme.txt
export theme
if [ x${boot_once} = xtrue ]; then
set timeout=0
elif [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=8
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
set timeout=8
fi
if [ -n "$extra_cmdline" ]; then
submenu "Bootable snapshot #$snapshot_num" {
menuentry "If OK, run 'snapper rollback $snapshot_num' and reboot." { true; }
}
fi
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/10_linux ###
menuentry 'SUSE Linux Enterprise Server 12 (RC3)' --class suse --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-52a37f2b-9eac-4905-a8fb-98f18814eb3a' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_msdos
insmod btrfs
set root='hd0,msdos2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 --hint='hd0,msdos2' 52a37f2b-9eac-4905-a8fb-98f18814eb3a
else
search --no-floppy --fs-uuid --set=root 52a37f2b-9eac-4905-a8fb-98f18814eb3a
fi
echo 'Loading Linux 3.12.28-2-default ...'
linux /boot/vmlinuz-3.12.28-2-default root=UUID=52a37f2b-9eac-4905-a8fb-98f18814eb3a ${extra_cmdline} resume=/dev/sda1 splash=silent quiet showopts
echo 'Loading initial ramdisk ...'
initrd /boot/initrd-3.12.28-2-default
}
submenu 'Advanced options for SUSE Linux Enterprise Server 12 (RC3)' --hotkey=1 $menuentry_id_option 'gnulinux-advanced-52a37f2b-9eac-4905-a8fb-98f18814eb3a' {
menuentry 'SUSE Linux Enterprise Server 12 (RC3), with Linux 3.12.28-2-default' --hotkey=2 --class suse --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.12.28-2-default-advanced-52a37f2b-9eac-4905-a8fb-98f18814eb3a' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_msdos
insmod btrfs
set root='hd0,msdos2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 --hint='hd0,msdos2' 52a37f2b-9eac-4905-a8fb-98f18814eb3a
else
search --no-floppy --fs-uuid --set=root 52a37f2b-9eac-4905-a8fb-98f18814eb3a
fi
echo 'Loading Linux 3.12.28-2-default ...'
linux /boot/vmlinuz-3.12.28-2-default root=UUID=52a37f2b-9eac-4905-a8fb-98f18814eb3a ${extra_cmdline} resume=/dev/sda1 splash=silent quiet showopts
echo 'Loading initial ramdisk ...'
initrd /boot/initrd-3.12.28-2-default
}
menuentry 'SUSE Linux Enterprise Server 12 (RC3), with Linux 3.12.28-2-default (recovery mode)' --hotkey=3 --class suse --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.12.28-2-default-recovery-52a37f2b-9eac-4905-a8fb-98f18814eb3a' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_msdos
insmod btrfs
set root='hd0,msdos2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 --hint='hd0,msdos2' 52a37f2b-9eac-4905-a8fb-98f18814eb3a
else
search --no-floppy --fs-uuid --set=root 52a37f2b-9eac-4905-a8fb-98f18814eb3a
fi
echo 'Loading Linux 3.12.28-2-default ...'
linux /boot/vmlinuz-3.12.28-2-default root=UUID=52a37f2b-9eac-4905-a8fb-98f18814eb3a ${extra_cmdline} showopts apm=off noresume edd=off powersaved=off nohz=off highres=off processor.max_cstate=1 nomodeset x11failsafe
echo 'Loading initial ramdisk ...'
initrd /boot/initrd-3.12.28-2-default
}
}
### END /etc/grub.d/10_linux ###
### BEGIN /etc/grub.d/20_linux_tboot ###
submenu "tboot 1.8.1" {
menuentry 'SUSE Linux Enterprise Server 12 (RC3) GNU/Linux, with tboot 1.8.1 and Linux 3.12.28-2-default' --class suse --class gnu-linux --class gnu --class os --class tboot {
insmod part_msdos
insmod btrfs
set root='hd0,msdos2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 --hint='hd0,msdos2' 52a37f2b-9eac-4905-a8fb-98f18814eb3a
else
search --no-floppy --fs-uuid --set=root 52a37f2b-9eac-4905-a8fb-98f18814eb3a
fi
echo 'Loading tboot 1.8.1 ...'
multiboot /boot/tboot.gz /boot/tboot.gz logging=serial,vga,memory
echo 'Loading Linux 3.12.28-2-default ...'
module /boot/vmlinuz-3.12.28-2-default /boot/vmlinuz-3.12.28-2-default root=UUID=52a37f2b-9eac-4905-a8fb-98f18814eb3a ro resume=/dev/sda1 splash=silent quiet showopts intel_iommu=on
echo 'Loading initial ramdisk ...'
module /boot/initrd-3.12.28-2-default /boot/initrd-3.12.28-2-default
}
menuentry 'SUSE Linux Enterprise Server 12 (RC3) GNU/Linux, with tboot 1.8.1 and Linux 3.12.28-2-default (recovery mode)' --class suse --class gnu-linux --class gnu --class os --class tboot {
insmod part_msdos
insmod btrfs
set root='hd0,msdos2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 --hint='hd0,msdos2' 52a37f2b-9eac-4905-a8fb-98f18814eb3a
else
search --no-floppy --fs-uuid --set=root 52a37f2b-9eac-4905-a8fb-98f18814eb3a
fi
echo 'Loading tboot 1.8.1 ...'
multiboot /boot/tboot.gz /boot/tboot.gz logging=serial,vga,memory
echo 'Loading Linux 3.12.28-2-default ...'
module /boot/vmlinuz-3.12.28-2-default /boot/vmlinuz-3.12.28-2-default root=UUID=52a37f2b-9eac-4905-a8fb-98f18814eb3a ro single intel_iommu=on
echo 'Loading initial ramdisk ...'
module /boot/initrd-3.12.28-2-default /boot/initrd-3.12.28-2-default
}
}
### END /etc/grub.d/20_linux_tboot ###
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###
### BEGIN /etc/grub.d/20_linux_xen_tboot ###
### END /etc/grub.d/20_linux_xen_tboot ###
### BEGIN /etc/grub.d/20_memtest86+ ###
### END /etc/grub.d/20_memtest86+ ###
### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###
### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###
### BEGIN /etc/grub.d/80_suse_btrfs_snapshot ###
if [ -f "/.snapshots/grub-snapshot.cfg" ]; then
source "/.snapshots/grub-snapshot.cfg"
fi
### END /etc/grub.d/80_suse_btrfs_snapshot ###
### BEGIN /etc/grub.d/90_persistent ###
### END /etc/grub.d/90_persistent ###

V.VMware ESXi 5.x
10) Through following command to check the func(After OS installation and Enable the func of TXT)
#esxcli hardware trustedboot get
Drtm Enabled: True
Tpm Present: True
#bootOption -o -> vmbTbootEnabled=True

◎、如果在uEFI Mode下面安裝RHEL6.3時有勾選tboot套件,安裝OS完後重開會遇到該訊息
Invalid magic number: 0
Error 13: Invalid or unsupported executable format
Press any key to continue...

◎、以上就是在RHEL、SLES與VMware下驗證Intel TXT的簡介,至於UEFI的部分目前應該尚未SupportRedhat的官網有提到6.3的部分,先到這,收工囉!

Leave a Comment


NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

 
This site is protected by WP-CopyRightPro