

# Intel<sup>®</sup> Trusted Execution Technology

Software Development Guide Measured Launched Environment Developer's Guide

June 2008

Document Number: 315168-005

Intel® Trusted Execution Technology



INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.

UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.

Hyper-Threading Technology requires a computer system with an Intel<sup>®</sup> Pentium<sup>®</sup> 4 processor supporting Hyper-Threading Technology and an HT Technology enabled chipset, BIOS and operating system. Performance will vary depending on the specific hardware and software you use.

No computer system can provide absolute security under all conditions. Intel<sup>®</sup> Trusted Execution Technology (TXT) is a security technology under development by Intel and requires for operation a computer system with Intel<sup>®</sup> Virtualization Technology, a Intel<sup>®</sup> Trusted Execution Technology compatible measured virtual machine monitor. In addition, Intel<sup>®</sup> Trusted Execution Technology compatible measured virtual machine monitor. In addition, Intel<sup>®</sup> Trusted Execution Technology requires the system to contain a TPMv1.2 as defined by the Trusted Computing Group and specific software for some uses. See http://www.intel.com/ for more information.

Intel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, virtual machine monitor (VMM) and, for some uses, certain computer system software enabled for it. Functionality, performance or other benefits will vary depending on hardware and software configurations and may require a BIOS update. Software applications may not be compatible with all operating systems. Please check with your application vendor

Intel, Pentium, Intel Xeon, Intel NetBurst, Intel Core Solo, Intel Core Duo, Intel Pentium D, Itanium, MMX, and VTune are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.

Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.

Copyright © 2006-2008 Intel Corporation

Intel® Trusted Execution Technology



# **Contents**

1

2

| 1.1    | Measurement and Intel <sup>®</sup> Trusted Execution Technology       |  |  |  |
|--------|-----------------------------------------------------------------------|--|--|--|
| 1.2    | Dynamic Root of Trust                                                 |  |  |  |
|        | 1.2.1 Launch Sequence                                                 |  |  |  |
| 1.3    | Storing the Measurement                                               |  |  |  |
| 1.4    | Controlled Take-down                                                  |  |  |  |
| 1.5    | SMX and VMX Interaction                                               |  |  |  |
| 1.6    | Authenticated Code Module                                             |  |  |  |
| 1.7    | Chipset Support                                                       |  |  |  |
| 1.8    | TPM Usage                                                             |  |  |  |
| 1.9    | PCR Usage                                                             |  |  |  |
| 1.7    | 1.9.1 PCR 17                                                          |  |  |  |
|        | 1.9.2 PCR 18                                                          |  |  |  |
| 1.10   | DMA Protection                                                        |  |  |  |
| 1.10   | 1.10.1 DMA Protected Range (DPR)                                      |  |  |  |
|        | 1.10.2 Intel® Virtualization Technology (Intel® VT) for Dire          |  |  |  |
|        | VT-d) Protected Memory Regions (PMRs)                                 |  |  |  |
| 1.11   | Intel <sup>®</sup> TXT Shutdown                                       |  |  |  |
|        | 1.11.1 Reset Conditions                                               |  |  |  |
| Measu  | red Launched Environment                                              |  |  |  |
| 2.1    | MLE Architecture Overview                                             |  |  |  |
| 2.2    | MLE Launch                                                            |  |  |  |
| 2.2    | 2.2.1 Intel <sup>®</sup> TXT Detection and Processor Preparation      |  |  |  |
|        | 2.2.2 Detection of Previous Errors                                    |  |  |  |
|        | 2.2.3 Loading the SINIT AC Module                                     |  |  |  |
|        | 2.2.4 Loading the MLE and Processor Rendezvous                        |  |  |  |
|        | 2.2.5 Performing a Measured Launch                                    |  |  |  |
| 2.3    | MLE Initialization                                                    |  |  |  |
| 2.4    | MLE Operation                                                         |  |  |  |
|        | 2.4.1 Address Space Correctness                                       |  |  |  |
|        | 2.4.2 Address Space Integrity                                         |  |  |  |
|        | 2.4.3 Physical RAM Regions                                            |  |  |  |
|        | 2.4.4 Intel <sup>®</sup> Trusted Execution Technology Chipset Regions |  |  |  |
|        | 2.4.5 Protecting Secrets                                              |  |  |  |
|        | 2.4.6 Machine Specific Register Handling                              |  |  |  |
|        | 2.4.7 Interrupts and Exceptions                                       |  |  |  |
|        | 2.4.8 ACPI Power Management Support                                   |  |  |  |
| 2.5    | MLE Teardown                                                          |  |  |  |
| 2.6    | Other Considerations                                                  |  |  |  |
|        | 2.6.1 Saving MSR State across a Measured Launch                       |  |  |  |
| Verify | ing Measured Launched Environments                                    |  |  |  |
| 3.1    | Overview                                                              |  |  |  |
| 5.1    | 3.1.1 LCP Components                                                  |  |  |  |



|            |        | 3.1.2<br>3.1.3       | Policy List Types<br>Supported Cryptographic Algorithms                            |      |
|------------|--------|----------------------|------------------------------------------------------------------------------------|------|
|            | 3.2    |                      | ngine Logic                                                                        |      |
|            | 0.2    | 3.2.1                | Combining Policies                                                                 |      |
|            | 3.3    | Measuri              | ng the Enforced Policy                                                             |      |
|            |        | 3.3.1                | No Policy Data                                                                     |      |
|            |        | 3.3.2                | LCP Policy Allow Any                                                               |      |
|            |        | 3.3.3                | LCP Policy Hash Only                                                               |      |
|            |        | 3.3.4                | Unsigned LCP_POLICY_DATA                                                           |      |
|            | 3.4    | 3.3.5<br>Rovocat     | Force Platform Owner Policyion                                                     |      |
|            | 3.4    | 3.4.1                | SINIT Revocation                                                                   |      |
| 4          | Develo | opment ar            | nd Deployment Considerations                                                       | . 50 |
|            | 4.1    | Launch               | Control Policy Creation                                                            | . 50 |
|            | 4.2    |                      | Errors and Remediation                                                             |      |
|            | 4.3    | Deployn              | nent                                                                               | . 51 |
|            |        | 4.3.1                | LCP Provisioning                                                                   | .51  |
|            |        | 4.3.2                | SINIT Selection                                                                    | . 51 |
| Appendix A | Intel® |                      | ution Technology Authenticated Code Modules                                        |      |
|            | A.1    | Authent              | icated Code Module Format                                                          |      |
|            |        | A.1.1<br>A.1.2       | Memory type cacheability restrictions<br>Authentication and execution of AC module |      |
| Appendix B | SMX I  | nteractior           | with Platform                                                                      | . 62 |
|            | B.1    | Intel <sup>®</sup> T | rusted Execution Technology Configuration Registers                                | . 62 |
|            | B.2    | TPM Pla              | tform Configuration Registers                                                      | . 70 |
|            | B.3    | Intel <sup>®</sup> T | rusted Execution Technology Device Space                                           | . 70 |
| Appendix C | Intel® | TXT Heap             | Memory                                                                             | .72  |
|            | C.1    | BIOS Da              | ata Format                                                                         | 73   |
|            | C.2    | OS to M              | LE Data Format                                                                     | .74  |
|            | C.3    | OS to S              | INIT Data Format                                                                   | .74  |
|            | C.4    | SINIT to             | MLE Data Format                                                                    | .75  |
| Appendix D | LCP D  | ata Struct           | ures                                                                               | .78  |
|            | D.1    | LCP_PO               | LICY                                                                               | . 78 |
|            | D.2    | LCP_PO               | LICY_DATA                                                                          | . 79 |
|            | D.3    | LCP_UN               | SIGNED_POLICY_DATA                                                                 | . 79 |
|            |        | D.3.1<br>D.3.2       | LCP_POLICY_LIST                                                                    |      |
|            | D.4    | Structur             | e Endianness                                                                       | . 81 |
|            | D.5    | Errorcoc             | le Values                                                                          | . 81 |



# **Figures**

| Figure 1. Launch Control Policy Components | 43 |
|--------------------------------------------|----|
| Figure 2. SINIT LCP Internal Flow          |    |
| Figure 3. LCP_POLICY Structure             | 45 |
| Figure 4. *_POLICY_DATA Structures         | 46 |

# **Tables**

| Table 1. MLE Header structure                                               | 15 |
|-----------------------------------------------------------------------------|----|
| Table 2. MLE/SINIT Capabilities Field Bit Definitions                       | 16 |
| Table 3. Authenticated Code Module Format                                   | 54 |
| Table 4. AC module Flags Description                                        | 56 |
| Table 5. AC module CodeControl Description                                  |    |
| Table 6. Chipset AC Module Information Table                                | 58 |
| Table 7. Chipset ID List                                                    | 59 |
| Table 8. TXT_ACM_CHIPSET_ID Format                                          | 59 |
| Table 9. Configuration Registers Relevant to MLE                            | 62 |
| Table 10. TXT.STS Bit Definitions                                           | 66 |
| Table 11. TXT.ESTS Bit Definitions                                          | 67 |
| Table 12. TXT.VER.FSBIF Bit Definitions                                     | 67 |
| Table 13. TXT.DIDVID Bit Definitions                                        |    |
| Table 14. TXT.ERRORCODE Register Bit Format                                 | 68 |
| Table 15. Type Field Encodings for Processor-Initiated Intel® TXT Shutdowns | 68 |
| Table 16. TXT.E2STS Register Bit Format                                     | 69 |
| Table 17. TPM Locality Address Mapping                                      | 70 |
| Table 18. Intel <sup>®</sup> Trusted Execution Technology Heap              |    |
| Table 19. BIOS Data Table                                                   | 73 |
| Table 20. OS to SINIT Data Table                                            |    |
| Table 21. SINIT to MLE Data Table                                           | 75 |
| Table 22. SINIT Memory Descriptor Record                                    | 77 |
| Table 23. LCP Error Values                                                  | 81 |

§



# **Revision History**

| Revision<br>Number | Description                                                                                                                                                                                                             | Revision Date |
|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
| -001               | Initial release.                                                                                                                                                                                                        | May 2006      |
| -002               | <ul><li>Established public document number</li><li>Edited throughout for clarity.</li></ul>                                                                                                                             | August 2006   |
| -003               | Added launched environment consideration     Renamed LT to Intel <sup>®</sup> TXT                                                                                                                                       | October 2006  |
| -004               | Updated for production platforms     Use MLE terminology                                                                                                                                                                | August 2007   |
| -005               | <ul> <li>Updated for latest structure versions and new RLP wakeup mechanism</li> <li>Added Launch Control Policy information</li> <li>Removed TEP Appendix</li> <li>Many miscellaneous changes and additions</li> </ul> | June 2008     |

§



# 1 Overview

Intel's technology for safer computing, Intel<sup>®</sup> Trusted Execution Technology (Intel<sup>®</sup> TXT), defines platform-level enhancements that provide the building blocks for creating trusted platforms.

Whenever the word trust is used, there must be a definition of who is doing the trusting and what is being trusted. This enhanced platform helps to provide the authenticity of the controlling environment such that those wishing to rely on the platform can make an appropriate trust decision. The enhanced platform determines the identity of the controlling environment by accurately measuring the controlling software (see Section 1.1).

Another aspect of the trust decision is the ability of the platform to resist attempts to change the controlling environment. The enhanced platform will resist attempts by software processes to change the controlling environment or bypass the bounds set by the controlling environment.

What is the controlling environment for this enhanced platform? The platform is a set of extensions designed to provide a measured and controlled launch of system software that will then establish a protected environment for itself and any additional software that it may execute.

These extensions enhance two areas:

- The launching of the Measured Launched Environment (MLE)
- The protection of the MLE from potential corruption

The enhanced platform provides these launch and control interfaces using Safer Mode Extensions (SMX).



The SMX interface includes the following functions:

- Measured launch of the MLE
- Mechanisms to ensure the above measurement is protected and stored in a secure location
- Protection mechanisms that allow the MLE to control attempts to modify itself

# 1.1 Measurement and Intel<sup>®</sup> Trusted Execution Technology

Intel TXT uses the term *measurement* frequently. Measuring software involves processing the executable such that the result (a) is unique and (b) indicates changes in the executable. A cryptographic hash algorithm meets these needs.

A cryptographic hash algorithm is sensitive to even one-bit changes to the measured entity. A cryptographic hash algorithm also produces outputs that are sufficiently large so the potential for collisions (where two hash values are the same) is extremely small. When the term measurement is used in this specification, the meaning is that the measuring process takes a cryptographic hash of the measured entity.

The controlling environment is provided by system software such as an OS kernel or VMM. The software launched using the SMX instructions is known as the Measured Launched Environment (MLE). MLEs provide different launch mechanisms and increased protection (offering protection from possible software corruption).

# 1.2 Dynamic Root of Trust

A central objective of the Intel TXT platform is to provide a measurement of the launched execution environment.

One measurement is made when the platform boots, using techniques defined by the Trusted Computing Group (TCG). The TCG defines a Root of Trust for Measurement (RTM) that executes on each platform reset; it creates a chain of trust from reset to the measured environment. As the measurement always executes at platform reset, the TCG defines this type of RTM as a Static RTM (SRTM).

Maintaining a chain of trust for a length of time may be challenging for an MLE meant for use in Intel TXT; this is because an MLE may operate in an environment that is constantly exposed to unknown software entities. To address this issue, the enhanced platform provides another RTM with Intel TXT instructions. The TCG terminology for this option is Dynamic Root of Trust for Measurement (DRTM). The advantage of a DRTM (also called the 'late launch' option) is that the launch of the measured environment can occur at any time without resorting to a platform reset. It is possible to launch a MLE, execute for a time, terminate the MLE, execute without virtualization, and then launch the MLE again. One possible sequence is:



- 1. During the BIOS load: (a) launch an MLE for use by the BIOS, (b) terminate the MLE when its work is done, (c) continue with BIOS processing and hand off to an OS.
- 2. Then, the OS loads and launches a different MLE.

In both instances, the platform measures each MLE and ensures the proper storage of the MLE measurement value.

### 1.2.1 Launch Sequence

When launching a MLE, the environment must load two code modules into memory. One module is the MLE. The other is known as an authenticated code (AC) module. The AC module is only in use during the measurement and verification process and is chipset-specific. It is digitally signed by the chipset vendor; the launch process must successfully validate the digital signature before continuing.

With the AC module and MLE in memory, the launching environment can invoke the GETSEC[SENTER] instruction provided by SMX.

GETSEC[SENTER] broadcasts messages to the chipset and other physical or logical processors in the platform. In response, other logical processors perform basic cleanup, signal readiness to proceed, and wait for messages to join the environment created by the MLE. As this sequence requires synchronization, there is an initiating logical processor (ILP) and responding logical processor(s) (RLP(s)).

After all logical processors signal their readiness to join and are in the wait state, the initiating logical processor loads, authenticates, and executes the AC module. The AC module tests for various chipset and processor configurations and ensures the platform has an acceptable configuration. It then measures and launches the MLE.

The MLE initialization routine completes system configuration changes (including redirecting INITs, SMIs, interrupts, etc.); it then issues a new SMX instruction that wakes up the responding logical processors (RLPs) and brings them into the measured environment. At this point, all logical processors and the chipset are correctly configured.

At some later point, it is possible for the MLE to exit and then be launched again, without issuing a system reset.

# 1.3 Storing the Measurement

SMX operation during the launch provides an accurate measurement of the MLE. After creating the measurement, the initiating logical processor stores that measurement in the Trusted Platform Module (TPM), defined by the TCG. An enhanced platform includes mechanisms that ensure that the measurement of the MLE (completed during the launch process) is properly reported to the TPM.

With the MLE measurement in the TPM, the MLE can use the measurement value to protect sensitive information and detect potential unauthorized changes to the MLE itself.



# 1.4 Controlled Take-down

Because the MLE controls the platform, exiting the MLE is a controlled process. The process includes: (a) shutting down any guest VMs if they were created; (b) and ensuring that memory previously used does not leak sensitive information.

The MLE cleans up after itself and terminates the MLE control of the environment. If a VMM was running, the MLE may choose to turn control of the platform over to the software that was running in one of the VMs.

# 1.5 SMX and VMX Interaction

A VM abort may occur while in SMX operation. This behavior is described in the *Intel* 64 and IA-32 Software Developer Manual, Volume 3B. Note that entering authenticated code execution mode or launching of a measured environment affects the behavior and response of the logical processors to certain external pin events.

# 1.6 Authenticated Code Module

To support the establishment of a measured environment, SMX enables the capability of an authenticated code execution mode. This provides the ability for a special code module, referred to as an authenticated code module (AC module), to be loaded into internal RAM (referred to as authenticated code execution area) within the processor. The AC module is first authenticated and then executed using a tamper resistant mechanism.

Authentication is achieved through the use of a digital signature in the header of the AC module. The processor calculates a hash of the AC module and uses the result to validate the signature. Using SMX, a processor will only initialize processor state or execute the AC module if it passes authentication. Since the authenticated code module is held within the internal RAM of the processor, execution of the module can occur in isolation with respect to the contents of external memory or activities on the external processor bus.

# 1.7 Chipset Support

One important feature the chipset provides is DMA protection via Intel® Virtualization Technology (Intel® VT) for Directed I/O (Intel® VT-d). Intel® VT-d, under control of the MLE, allows the MLE to protect itself and any other software such as guest VMs from unauthorized device access to memory. Intel VT-d blocks access to specific physical memory pages and the enforcement of the block occurs for all DMA access to the protected pages. See Chapter 1.10 for more information on DMA protection mechanisms.

The Intel TXT architecture also provides extensions that access certain chipset registers and TPM address space.

Chipset registers that interact with SMX are accessed from two regions of memory by system software using memory read/write protocols. These two memory regions,



Intel TXT Public space and Intel TXT Private space, are mappings to the same set of chipset registers but with different read/write permissions depending on which space the memory access came through. The Intel TXT Private space is not accessible to system software until it is unlocked by SMX instructions.

The storage spaces accessible within a TPM device are grouped by a locality attribute and are a separate set of address ranges from the Intel TXT Public and Private spaces. The following localities are defined:

- Locality 0 : Non-trusted and legacy TPM operation
- Locality 1 : An environment for use by the Trusted Operating System
- Locality 2 : Trusted OS
- Locality 3 : Authenticated Code Module
- Locality 4 : Intel TXT hardware use only

# 1.8 TPM Usage

Intel TXT makes extensive use of the Trusted Platform Module (TPM) defined by the Trusted Computing Group (TCG) in the *TCG TPM Specification, Version 1.2.* The TPM provides a repository for measurements and the mechanisms to make use of the measurements. The system makes use of the measurements to both report the current platform configuration and to provide long-term protection of sensitive information.

The TPM stores measurements in Platform Configuration Registers (PCRs). PCRs provide a storage area that allows an unlimited number of measurements in a fixed amount of space. They provide this feature by an inherent property of cryptographic hashes. Outside entities never write directly to a PCR register, they "extend" PCR contents. The extend operation takes the current value of the PCR, appends the new value, performs a cryptographic hash on the combined value, and the hash result is the new PCR value. One of the properties of cryptographic hashes is that they are order dependent. This means hashing A then B produces a different result from hashing B then A. This ordering property allows the PCR contents to indicate the order of measurements.

Sending measurement values from the measuring agent to the TPM is a critical platform task. The Dynamic Root of Trust for Measurement (DRTM) requires specific messages to flow from the DRTM to the TPM. The Intel TXT DRTM is the GETSEC[SENTER] instruction and the system ensures GETSEC[SENTER] has special messages to communicate to the TPM. These special messages take advantage of TPM localities 3 and 4 to protect the messages and inform the TPM that GETSEC[SENTER] is sending the messages.

# 1.9 PCR Usage

As part of the measured launch, Intel TXT will extend measurements of the elements and configuration values of the dynamic root of trust into certain TPM PCRs. The constituent values of these measurements (indicated below) are provided in the SinitMleData structure described in Appendix C.4.



While the MLE may choose to extend additional values into these PCRs, the values described below are those present immediately after the MLE receives control following the GETSEC[SENTER] instruction.

## 1.9.1 PCR 17

PCR 17 is initialized using the TPM\_HASH\_START/TPM\_HASH\_END sequence. The HASH\_DATA provided in this sequence is the concatenation of the SHA-1 hash of the SINIT ACM that was used in the launch process and the 4 byte value of the SENTER parameters (in EDX and also in SinitMleData.EdxSenterFlags). As part of this sequence, PCRs 17-23 are reset to 0. The hash of SINIT is also stored in the SinitMleData.SinitHash field.

PCR 17 is then extended with the SHA-1 hash of the following items concatenated in this order:

SHA-1 hash of BIOS ACM – SinitMleData.BiosAcmID (20 bytes)

STM opt-in indicator - SinitMleData.MsegValid (8 bytes)

SHA-1 hash of the STM (or all 0s if opt-out) – SinitMleData.StmHash (20 bytes)

LCP Control Field of used policy (PD or PO) – SinitMleData.PolicyControl (4 bytes)

SHA-1 hash of used policy (or all 0s if chosen not to be extended) – SinitMleData.LcpPolicyHash (20 bytes)

MLE-chosen Capabilities (or all 0s if chosen not to be extended) – OsSinitData.Capabilities (4 bytes)

Thus, PCR 17's final value will be:

Extend ( SHA-1( SinitMleData.SinitHash | SinitMleData.EdxSenterFlags ) )

Extend (SHA-1 (SinitMleData.BiosAcm.ID | SinitMleData.MsegValid | SinitMleData.StmHash | SinitMleData.PolicyControl | SinitMleData.LcpPolicyHash | (OsSinitData.Capabilities, 0) ))

Where the Extend() operation is a SHA-1 hash of the previous value in the PCR concatenated with the value being extended (the previous value is 20 bytes of 0s in the case of the first extend to a PCR).

#### 1.9.2 PCR 18

PCR 18 will be extended with the SHA-1 hash of the MLE, as reported in the SinitMleData.MleHash field.

Thus, PCR 18's final value will be:

Extend (SinitMleData.MleHash)



# 1.10 DMA Protection

This chapter briefly describes the two chipset mechanisms that can be used to protect regions of memory from DMA access by busmaster devices. More details on these mechanisms can be found in the External Design Specification (EDS) of the targeted chipset family and Intel<sup>®</sup> *Virtualization Technology for Directed I/O Architecture Specification*.

### 1.10.1 DMA Protected Range (DPR)

The DMA Protected Range (DPR) is a region of contiguous physical memory whose last byte is the byte before the start of TSEG, and which is protected from all DMA access. The DPR size is set and locked by BIOS. This protection is applied to the final physical address after any other translations (e.g. Intel VT-d, GART, etc.).

The DPR covers the Intel TXT heap and SINIT AC Module reserved memory (as specified in the TXT.SINIT.BASE/TXT.SINIT.SIZE registers). On current systems it is 3MB in size, and though this may change in the future it will always be large enough to cover the heap and SINIT regions.

The MLE itself may reside in the DPR as long as it does not conflict with either the SINIT or heap areas. If it does reside in the DPR then it need not be covered by the Intel VT-d Protected Memory Regions.

## 1.10.2 Intel® Virtualization Technology (Intel® VT) for Directed I/O (Intel® VT-d) Protected Memory Regions (PMRs)

The Intel® VT-d Protected Memory Regions (PMRs) are two ranges of physical addresses that are protected from DMA access. One region must be in the lower 4GB of memory and the other must be in the upper 4GB. Either or both may be unused.

The use of the PMRs is not mutually exclusive of DMA remapping. If the MLE enables DMA remapping, it should place the Intel VT-d page tables within the PMR region(s) in order to protect them from DMA activity prior to turning on remapping. While it is not required that PMRs be disabled once DMA remapping is enabled, if the MLE wants to manage all DMA protection through remapping tables then it must explicitly disable the PMR(s).

The MLE may reside within one of the PMR regions. If the MLE is not within the DPR region then it must be within one of the PMR regions, else SINIT will not permit the environment to be launched.

For more details of the PMRs, see the Intel<sup>®</sup> Virtualization Technology for Directed I/O Architecture Specification.



# 1.11 Intel<sup>®</sup> TXT Shutdown

## 1.11.1 Reset Conditions

When an Intel TXT shutdown condition occurs, the processor or software writes an error code indicating the reason for the failure to the TXT.ERRORCODE register. It then writes to the TXT.CMD.RESET command register, initiating a platform reset. After the write to TXT.CMD.RESET, the processor enters a shutdown sleep state with all external pin events, bus or error events, machine check signaling, and MONITOR/MWAIT event signaling masked. Only the assertion of reset back to the processor takes it out of this sleep state. The Intel TXT error code register is not cleared by the platform reset; this makes the error code accessible for post-reset diagnostics.

An Intel TXT shutdown can be generated by the processor during execution of certain GETSEC leaf functions (for example: ENTERACCS, EXITAC, SENTER, SEXIT), where recovery from an error condition is not considered reliable. This situation should be interpreted as an abort of authenticated execution or measured environment launch.

A legacy IA-32 triple-fault shutdown condition is also converted to an Intel TXT shutdown sequence if the triple-fault shutdown occurs during authenticated code execution mode or while the measured environment is active. The same is true for other legacy non-SMX specific fault shutdown error conditions. Legacy shutdown to Intel TXT shutdown conversions are defined as the mode of operation between:

- Execution of the GETSEC functions ENTERACCS and EXITAC
- Recognition of the message signaling the beginning of the processor rendezvous after GETSEC[SENTER] and the message signaling the completion of the processor rendezvous

Additionally, there is a special case. If the processor is in VMX operation while the measured environment is active, a triple-fault shutdown condition that causes a guest exiting event back to the Virtual Machine Monitor (VMM) supersedes conversion to the Intel TXT shutdown sequence. In this situation, the VMM remains in control after the error condition that occurred at the guest level and there is no need to abort processor execution.

Given the above situation, if the triple-fault shutdown occurs at the root level of the MLE or a VMX abort is detected, then an Intel TXT shutdown sequence is signaled. For more details on a VMX abort, see Chapter 23, "VM Exits," in the *Intel 64 and IA-32 Software Developer Manuals, Volume 3B.* 

§



# 2 Measured Launched Environment

Intel TXT can be used to launch any type of code. However, this section describes the launch, operation and teardown of a Virtual Machine Monitor (VMM) using Intel TXT; any other code would have a similar sequence.

# 2.1 MLE Architecture Overview

Any Measured Launched Environment (MLE) will generally consist of three main sections of code: the initialization, the dispatch routine, and the shutdown. The initialization code is run each time the Intel TXT environment is launched. This code includes code to setup the MLE on the ILP and join code to initialize the RLPs.

After initialization, the MLE behaves like the unmeasured version would have; in the case of a VMM, this is trapping various guest operations and virtualizing certain processor states.

Finally the MLE prepares for shutdown by again synchronizing the processors, clearing any state and executing the GETSEC[SEXIT] instruction.

Table 1 shows the format of the MLE Header structure which is stored within the MLE image. The MLE Header structure is used by the SINIT AC module to set up the correct initial MLE state and to find the MLE entry point. The header is part of the MLE hash.

| Field          | Offset | Size<br>(bytes) | Description                                                                         |
|----------------|--------|-----------------|-------------------------------------------------------------------------------------|
| UUID           | 0      | 16              | Identifies this structure                                                           |
| HeaderLen      | 16     | 4               | Length of header in bytes                                                           |
| Version        | 20     | 4               | Version number of this structure                                                    |
| EntryPoint     | 24     | 4               | Linear entry point of MLE                                                           |
| FirstValidPage | 28     | 4               | Starting linear address of (first valid page of) MLE                                |
| MleStart       | 32     | 4               | Offset within MLE binary file of first<br>byte of MLE as specified in page<br>table |
| MleEnd         | 36     | 4               | Offset within MLE binary file of last<br>byte of MLE as specified in page<br>table  |

#### Table 1. MLE Header structure



| Capabilities | 40 | 4 | Bit vector of MLE-supported<br>capabilities |
|--------------|----|---|---------------------------------------------|
|--------------|----|---|---------------------------------------------|

**UUID:** This field contains a UUID which uniquely identifies this MLE Header Structure. The UUID is defined as follows:

| ULONG | UUID0; | // 9082AC5A |
|-------|--------|-------------|
| ULONG | UUID1; | // 74A7476F |
| ULONG | UUID2; | // A2555C0F |
| ULONG | UUID3; | // 42B651CB |

HeaderLen: this field contains the length in bytes of the MLE Header Structure.

**Version:** this field contains the version of the MLE header, where the upper two bytes are the major version and the lower two bytes are the minor version. Changes in the major version indicate that an incompatible change in behavior is required of the MLE or that the format of this structure is not backwards compatible. Version 2.0 (20000H) is the currently supported version.

**EntryPoint:** this field is the linear address, within the MLE's linear address space, at which the ILP will begin execution upon completion of the GETSEC[SENTER] instruction.

**FirstValidPage:** this field is the starting linear address of the MLE. This will be verified by SINIT to match the first valid entry in the MLE page tables.

**MieStart / MieEnd:** these fields are intended for use by system software that needs to know which portion of an MLE binary file is the MLE, as defined by its page table. This might be useful for calculating the MLE hash when the entire binary file is not being used as the MLE.

**Capabilities:** this bit vector represents TXT-related capabilities that the MLE supports. It will be used by the SINIT AC module to determine whether the MLE is compatible with it and as needed for any optional capabilities. The currently defined bits for this are:

| Bit position | Description                                                                      |  |
|--------------|----------------------------------------------------------------------------------|--|
| 0            | Support for GETSEC[WAKEUP] for RLP wakeup (1)                                    |  |
|              | All MLEs should support this.                                                    |  |
| 1            | Support for RLP wakeup using MONITOR address<br>(SinitMleData.RlpWakeupAddr) (1) |  |
|              | All MLEs should support this.                                                    |  |
| 31:2         | Reserved (must be 0)                                                             |  |

#### Table 2. MLE/SINIT Capabilities Field Bit Definitions



# 2.2 MLE Launch

At some point system software will start an Intel TXT environment. This may be done at operating system loader time or could be done after the operating system boots. From this point on we will assume that the operating system is starting the Intel TXT environment and refer to this code as the system software.

After the measured environment startup, the application processors (RLPs) will not respond to SIPIs as they did before SENTER. Once the measured environment is launched, the RLPs cannot run the real-mode MP startup code. An alternative MP startup algorithm will need to be developed. The new MP startup algorithm would not require the RLPs to leave protected mode with paging on. The OS may also be required to detect whether a measured environment has been established and use this information to decide which MP startup algorithm is appropriate (the standard MP startup algorithm or the modified algorithm).

This section shows the pseudocode for preparing the system for the SMX measured launch. The following describes the process in a number of sub-sections:

- Intel TXT detection and processor preparation
- Detection of previous errors
- Loading the SINIT AC module
- Loading the MLE and processor rendezvous
- Performing a measured launch

# 2.2.1 Intel<sup>®</sup> TXT Detection and Processor Preparation

This action is only performed by the ILP.

Lines 1 - 4: Before attempting to launch the measured environment, the system software should check that the processor supports VMX and SMX (the check for VMX support is not necessary if the environment to be launched will not use VMX). For details on detecting and enabling VMX see chapter 19, "Introduction to Virtual-Machine Extensions", in the *Intel 64 and IA-32 Software Developer Manuals, Volume 3B.* For details on detecting and enabling SMX support see chapter 6, "Safer Mode Extensions Reference", in the *Intel 64 and IA-32 Software Developer Manuals, Volume 2B*.

Lines 5 - 9: System software should check that the chipset supports Intel TXT prior to launching the measured environment. The presence of the Intel TXT chipset can be detected by executing GETSEC[CAPABILITIES] with EAX=0 & EBX=0. This instruction will return the 'Intel TXT Chipset' bit set in EAX if an Intel TXT chipset is present. The processor must enable SMX before executing the GETSEC instruction.

Lines 10 – 12: System software should also verify that the processor supports all of the GETSEC instruction leaf indices that will be needed. The minimal set of instructions required will depend on the system software and MLE, but is most likely SENTER, SEXIT, WAKEUP, SMCTRL, and PARAMETERS. The supported leaves are indicated in the EAX register after executing the GETSEC[CAPABILITIES] instruction as indicated above.

#### Listing 1. Intel<sup>®</sup> TXT Detection Pseudocode

//



```
// Intel TXT detection
11
1. CPUID(EAX=1);
2. IF (SMX not supported) OR (VMX not supported) {
3.
      Fail measured environment startup;
4.}
11
// Enable SMX on ILP & check for Intel TXT chipset
11
5. CR4.SMXE = 1;
6.GETSEC[CAPABILITIES];
7. IF (Intel TXT chipset NOT present) {
8.
      Fail measured environment startup;
9.}
10.IF (All needed SMX GETSEC leaves are NOT supported) {
      Fail measured environment startup;
11.
12.
```

## 2.2.2 Detection of Previous Errors

In order to prevent a cycle of failures or system resets, it is necessary for the system software to check for errors from a previous launch. Errors that are detected by system software prior to executing the GETSEC[SENTER] instruction will be specific to that software and, if persisted, will be in a manner specific to the software. Errors generated during execution of the GETSEC[SENTER] instruction result in a system reset and the error code being stored in the TXT.ERRORCODE register. Possible remediation steps are described in section 4.2.

Lines 1 - 3: The error code from an error generated during the GETSEC[SENTER] instruction is stored in the TXT.ERRORCODE register, which is persistent across soft resets. A non-zero value indicates an error. Error codes are specific to an SINIT AC module and can be found in a text file that is distributed with the module.

Lines 4 - 6: If there was a TXT reset event, either as the result of an error during the GETSEC[SENTER] instruction or specifically generated by an MLE, the TXT\_RESET.STS bit of the TXT.ESTS register will be set. In order to maintain TXT integrity, the GETSEC[SENTER] instruction will fail if this bit is set. System software should detect this condition as early as possible and, after taking the appropriate remediative action, power cycle the system to clear this bit and permit a launch.

#### Listing 2. Error Detection Pseudocode

```
//
// Detect previous GETSEC[SENTER] failures
//
1. IF (TXT.ERRORCODE != 0) {
2. Take remediative action;
3. }
//
// Detect previous TXT Reset
```



```
//
4.IF (TXT.ESTS[TXT_RESET.STS] != 0) {
5. Power-cycle system;
6.}
```



## 2.2.3 Loading the SINIT AC Module

This action is only performed by the ILP.

BIOS may already have the correct SINIT AC module loaded into memory or system software may need to load the SINIT code from disk into memory. The system software may determine if a SINIT AC module is already loaded by examining the preferred SINIT load location (see below) for a valid SINIT AC module header.

System software should always use the most recent version of the SINIT AC module available to it. It can determine this by comparing the Date fields in the AC module headers.

System software should also match a prospective SINIT AC module to the chipset before loading and attempting to launch the module. This is described in the next two sections of this document.

System software owns the policy for deciding which SINIT module to load. It must load the previously loaded SINIT AC module in order to unseal data sealed to a previously launched environment. If an SINIT AC module is to be changed (e.g. upgraded to the latest version), the system software must allow the user to migrate secrets prior to loading the new SINIT AC module.

The BIOS reserves a region of physically contiguous memory for the SINIT AC module, which it specifies through the TXT.SINIT.BASE and TXT.SINIT.SIZE Intel TXT configuration registers. By convention, 128 KBytes of physically contiguous memory is allocated for the purpose of loading the SINIT AC module. System software must use this region for any SINIT AC module that it loads.

The SINIT AC module must be located on a 4 KByte aligned memory location. The SINIT AC module must be mapped WB using the MTRRs and all other memory must be mapped to one of the supportable memory types returned by GETSEC[PARAMETERS]. The MTRRs which map the SINIT AC module must not overlap more than 4 KBytes of memory beyond the end of the SINIT AC image. See the GETSEC[ENTERACCS] instruction and the Authenticated Code Module Format, Appendix A.1, for more details on these restrictions.

The pages containing the SINIT AC module image must be present in memory before attempting to launch the measured environment. The SINIT AC module image must be loaded below 4 GBytes. System software should check that the SINIT AC module will fit within the AC execution region as specified by the GETSEC[PARAMETERS] leaf. System software should not utilize the memory immediately after the SINIT AC module up to the next 4 KByte boundary. On certain Intel TXT implementations, execution of the SINIT AC module will corrupt this region of memory.



#### 2.2.3.1 Matching an AC Module to the Chipset

As part of system software loading an SINIT AC module, the system software should first verify that the file to be loaded is really an SINIT AC module. This may be done at installation time or runtime. Lines 1 - 10 in Listing 3 below show how to do this.

Each AC module is designed for a specific chipset or set of chipsets. Software can examine the Chipset ID List embedded in the AC module binary to determine which chipsets an AC module supports. Software should read the chipset's TXT.DIDVID register and parse the Chipset ID List to find a matching entry. Attempting to execute an AC module that does not match the chipset's TXT.DIDVID register will result in a failure of the AC module to complete normal execution and an Intel TXT Shutdown.

Lines 11 - 26 in the following pseudocode show how to check for a valid match between a chipset and an AC module image.

#### Listing 3. AC Module Matching Pseudocode

```
// see Table 3
TXT_ACM_HEADER
                              *AcmHdr;
TXT CHIPSET ACM INFO TABLE
                              *InfoTable;
                                             // see Table 6
11
// Find the Chipset AC Module Information Table
11
1. AcmHdr = (TXT_ACM_HEADER *)AcmImageBase;
2.UserAreaOffset = (AcmHdr->HeaderLen + AcmHdr->ScratchSize)*4;
3. InfoTable = (TXT CHIPSET ACM INFO TABLE *)(AcmBase +
                                             UserAreaOffset);
11
// Verify image is really an AC module
11
1. IF (InfoTable->UUID0 != 0x7FC03AAA) OR
2. (InfoTable->UUID1 != 0x18DB46A7) OR
3.
    (InfoTable->UUID2 != 0x8F69AC2E) OR
4. (InfoTable->UUID3 != 0x5A7F418D) {
5.
       Fail: not an AC module;
6. }
11
// Verify it is an SINIT AC module
11
7. IF (AcmHdr->ModuleType != 2) OR
8.
     (InfoTable->ChipsetACMType != 1) {
9.
     Fail: not an SINIT AC module;
10.}
11
// Match AC module to system chipset
11
                    LIST *ChipsetIdList; // see Table 7
*ChipsetId; // see Table 8
TXT_ACM_CHIPSET_ID_LIST
TXT_ACM_CHIPSET_ID
```



```
11.ChipsetIdList = (TXT_ACM_CHIPSET_ID_LIST *)
                   (AcmImageBase + InfoTable->ChipsetIdList);
11
// Search through all ChipsetId entries and check for a match.
11
12.FOR (i = 0; i < ChipsetIdList->Count; i++) {
13.
      11
      // Check for a match with this ChipsetId entry.
14.
15.
       11
16.
      ChipsetId = ChipsetIdList->ChipsetId[i];
       IF ((TXT.DIDVID[VID] == ChipsetId->VendorId) &&
17.
18.
           (TXT.DIDVID[DID] == ChipsetId->DeviceId) &&
19.
           ((((ChipsetId->Flags & 0x1) == 0) &&
20.
             (TXT.DIDVID[RID] == ChipsetId->RevisionId)) ||
21.
          (((ChipsetId->Flags & 0x1) == 0x1) &&
22.
            (TXT.DIDVID[RID] & ChipsetId->RevisionId != 0)))) {
23.
           AC module matches system chipset;
24.
       }
25.}
26.AC module does not match system chipset;
```



#### 2.2.3.2 Verifying Compatibility of SINIT with the MLE

Over time, new features and capabilities may be added to the SINIT AC module that can be utilized by an MLE that is aware of those features. Likewise, features or capabilities may be added that *require* an MLE to be aware of them in order to interoperate properly. In order to expose these features and capabilities and permit the MLE and SINIT to determine whether they support a compatible set, the MLE header contains a Capabilities field (see Table 1) that corresponds to the Capabilities field in the SINIT AC module Information Table (see Table 6).

In addition, the MinMleHeaderVer field in the AC module Information Table allows SINIT to indicate that it requires a certain minimal version of an MLE. This allows for new behaviors or features that require support from the MLE, but which older MLEs would not be aware of.

Listing 4 shows the pseudocode for the MLE to determine if it is compatible with the provided SINIT AC module.

Whiles lines 4 – 6 may be redundant with current SINIT AC modules if the MLE supports both RLP wakeup mechanisms, this permits graceful handling of future changes.

#### Listing 4. SINIT/MLE Compatibility Pseudocode

```
//
// Check that SINIT supports this version of the MLE
//
1. IF (InfoTable->MinMleHeaderVer > MleHeader.Version) {
2. Fail: SINIT requires a newer MLE
3. }
//
// Check that the known RLP wakeup mechanisms are supported
//
4. IF (MLE does NOT support at least one RLP wakeup mechanism
   specified in InfoTable->Capabilities) {
5. Fail: RLP wakeup mechanisms are incompatible
6. }
```

#### 2.2.4 Loading the MLE and Processor Rendezvous

#### 2.2.4.1 Loading the MLE

System software allocates memory for the MLE and MLE page table. The MLE is not required to be loaded into physically contiguous memory. The pages containing the MLE image must be pinned in memory and all these pages must be located in physical memory below 4 GBytes.

System software creates an MLE page table structure to map the entire MLE image. The pages containing the MLE page tables must be pinned in memory prior to



launching the measured environment. The MLE page table structure must be in the format of the IA-32 Physical Address Extension (PAE) page table structure.

The MLE page table has several special requirements:

- The MLE page tables may contain only 4 KByte pages.
- A breadth-first search of page tables must produce increasing physical addresses.
- Neither the MLE nor the page tables may overlap certain regions of memory:
  - device memory (PCI, PCIe\*, etc.)
  - addresses between [640k, 1M) or above Top of Memory (TOM)
  - ISA hole (if enabled)
  - the Intel TXT heap or SINIT memory regions
  - Intel VT-d DMAR tables
- There may not be any invalid (not-present) page table entries after the first valid entry (i.e. there may not be any gaps in the MLE's linear address space).
- The Page Directories must be in a lower physical address than the Page Tables.
- The Page-Directory-Pointer-Table must be in a lower physical address than the Page-Directories.
- The page table pages must be in lower physical addresses than the MLE.

Later, the SINIT AC module will check that the MLE page table matches these requirements before calculating the MLE digest. The second rule above implies that the MLE must be loaded into physical memory in an ordered fashion: a scan of MLE virtual addresses must find increasing physical addresses. The system software can order its list of physical pages before loading the MLE image into memory.

The MLE is not required to begin at linear address 0. There may be any number of invalid/not-present entries in the page table prior to the beginning of the MLE pages (i.e. first valid page). The starting linear address should be placed in the FirstValidPage field of the MLE header structure (see Section 2.1).

If the MLE will use this page table after launch then it needs to ensure that the entry point page is identity-mapped so that when it enables paging post-launch, the physical address of the instruction after paging is enabled will correspond to its linear address in the paged environment.

System software writes the physical base address of the MLE page table's page directory to the Intel TXT Heap. The size in bytes of the MLE image is also written to the Intel TXT Heap; see Appendix C.

# 2.2.4.2 Intel<sup>®</sup> Trusted Execution Technology Heap Initialization

Information can be passed from system software to the SINIT AC module and from system software to the MLE using the Intel TXT Heap. The SINIT AC module will also use this region to pass data to the MLE.



The system software launching the measured environment is responsible for initializing the following in the Intel TXT Heap memory (this initialization must be completed before executing GETSEC[SENTER]):

- Initialize contents of the Intel TXT Heap Memory (see Appendix C)
- Initialize contents of the OsMleData (see Appendix C) and OsMleDataSize (with the size of the OsMleData field + 8H) fields.
- Initialize contents of the OsSinitData (see Appendix C.3) and OsSinitDataSize (with the size of the OsSinitData field + 8H) fields.

The OsMleData structure has fields for specifying regions of memory to protect from DMA (PMR Low/High Base/Size) using Intel VT-d. As described in Chapter 1.10, the MLE must be protected from DMA by being contained within either the DMA Protected Range (DPR) or one of the Intel VT-d Protected Memory Regions (PMRs). If the MLE resides within the DPR then the PMR fields of the OsMleData structure may be set to 0. Otherwise, these fields must specify a region that contains the MLE and the page tables. However, the PMR fields can specify a larger region (and separate region, since there are two ranges) than just the MLE if there is additional data that should be protected.

If the system software is using Intel VT-d DMA remapping to protect areas of memory from DMA then it must disable this before it executes GETSEC[SENTER]. In order to do this securely, system software should determine what PMR range(s) are necessary to cover all of the address range being DMA protected using the remapping tables. It should then initialize the PMR(s) appropriately and enable them before disabling remapping. The PMR values it provides in the OsSinitData PMR fields must correspond to the values that it has programmed. Once the MLE has control, it can re-enable remapping using the previous tables (after validating them).

If the MLE or subsequent code will be enabling Intel VT-d DMA remapping then the DMAR information that will be needed should be protected from malicious DMA activity until the remapping tables can be established to protect it. The SINIT AC module makes a copy of the DMAR tables in the SinitMleData region (located at an offset specified by the SinitVtdDmarTable field). Because this region is within the TXT heap, it is protected from DMA by the DPR. If the MLE or subsequent code does not use this copy of the DMAR tables, then it should protect the original tables (within the ACPI area) with the PMR range specified to SINIT. Likewise, the memory range used for the remapping tables should also be protected with the PMRs until remapping is enabled.

#### 2.2.4.3 Rendezvousing Processors and Saving State

Line 1: If launching the measured environment after operating system boot, then all processors should be brought to a rendezvous point before executing GETSEC[SENTER]. At the rendezvous point each processor will set up for GETSEC[SENTER] and save any state needed to resume after the measured launch. If processors are not rendezvoused before executing SENTER, then the processors that did not rendezvous will lose their current operating state including possibly the fact that an in-service interrupt has not been acknowledged.

Lines 2 – 6: All processors check that they support SMX and enable SMX in CR4.SMXE.

Line 7: Log and clear any pending Machine Checks.



Line 8: Check that certain CRO bits are in the required state for a successful measured environment launch.

Line 9: System software allocates memory to save its state for restoration post measured launch. The OsMleData portion of the Intel TXT Heap has been reserved for this purpose (see Appendix C.1), though the size must be set appropriately for the memory to be available.

Line 10: The BSP (the ILP) saves enough state in memory to allow a return to OS execution after the measured launch and then continues launch execution. The BSP is the processor with IA32\_APIC\_BASE MSR.BSP = 1. The remaining Intel TXT processors (RLPs) save enough state in memory to allow return to OS execution after measured launch then execute HLT or spin waiting for transition to the measured environment.

Certain MSRs are modified by executing the GETSEC[SENTER] instruction. For example, bits within the IA32\_MISC\_ENABLE and IA32\_DEBUGCTL MSRs are set to predetermined values. It may be desirable to restore certain bits within these MSRs to their pre-launch state after the MLE launch. If this is desired, then before executing GETSEC[SENTER], software should save the contents of these MSRs in the OsMleData area. The launched software can restore the original values into these MSRs after the GETSEC[SENTER] returns or, alternatively, the MLE can restore these MSRs with their original values during MLE initialization.

It is expected that most MLEs will want to restore the MTRR and IA32\_MISC\_ENABLE MSR states after the MLE launch, to provide optimal performance of the system.

#### Listing 5. Pseudocode for Rendezvousing Processors and Saving State

```
1. Rendezvous all processors;
11
// The following code is run on all processors
11
// Enable SMX
11
2. CPUID(EAX=1);
3. IF (SMX not supported) OR (VMX not supported) {
4.
     Fail measured environment startup;
5. } ELSE {
6.
     CR4.SMXE = 1;
7.}
8. Clear Machine Check Status Registers;
9. Ensure CR0.CD=0, CR0.NW=0, and CR0.NE=1;
11
// Save current system software state in Intel TXT Heap
11
10.Allocate memory for OsMleData;
11.Fill in OsMleData with system software state (including MTRR
   and IA32_MISC_ENABLE MSR states);
```



### 2.2.5 Performing a Measured Launch

#### 2.2.5.1 MTRR Setup Prior to GETSEC[SENTER] Execution

System software must set up the variable range MTRRs to map all of memory (except the region containing the SINIT AC module) to one of the supported memory types as returned by GETSEC[PARAMETERS], before executing GETSEC[SENTER]. System software first saves the current MTRR settings in the OsMleData area and verifies that the default memory type is one of the types returned by GETSEC[PARAMETERS] (default memory type is specified in the IA32\_MTRR\_DEF\_TYPE MSR). Next the variable range MTRRs are set to map the SINIT AC module as WB. The SINIT AC module must be covered by the MTRRs such that no more than (4K-1) bytes after the module are mapped WB. For example, if an SINIT AC module is 11K bytes in size, an 8K and a 4K or three 4K MTRRs should be used to map it, not a single 32K MTRR. Any unused variable range MTRRs should have their valid bit cleared.

Listing 6 shows the pseudocode for correctly setting the ILP and RLP MTRRs. This code follows the recommendation in the IA-32 Software Developer's Manual.

After MTRR setup is complete, the RLPs mask interrupts (by executing CLI), signal the ILP that they have interrupts masked, and execute halt. Before executing GETSEC[SENTER], the ILP waits for all RLPs to indicate that they have disabled their interrupts. If the ILP executed a GETSEC[SENTER] while an RLP was servicing an interrupt, the interrupt servicing would not complete, possibly leaving the interrupting device unable to generate further interrupts.

#### Listing 6. MTRR Setup Pseudocode

```
11
// Pre-MTRR change
11
1. Disable interrupts (via CLI);
2. Wait for all processors to reach this point;
3. Disable and flush caches (i.e. CRO.CD=1, CRO.NW=0, WBINVD);
4. Save CR4
5. IF (CR4.PGE == 1) {
6.
      Clear CR4.PGE
7.}
8. Flush TLBs
9. Disable all MTRRs (i.e. IA32_MTRR_DEF_TYPE.e=0)
11
// Use MTRRs to map SINIT memory region as WB, all other regions
// are mapped to a value reported supportable by
// GETSEC[PARAMETERS]
11
10.Set default memory type (IA32_MTRR_DEF_TYPE.type) to one
  reported by GETSEC[PARAMETERS];
11.Disable all fixed MTRRs (IA32_MTRR_DEF_TYPE.fe=0);
12.Disable all variable MTRRs (clear valid bit);
13.Read SINIT size from the SINIT AC header;
```



```
14. Program variable MTRRs to cover the AC execution region,
  memtype=WB (re-enable each one used);
11
// Post-MTRR changes
11
15.Flush caches (WBINVD);
16.Flush TLBs;
17.Enable MTRRs (i.e. MTRRdefType.e=1);
18.Enable caches (i.e. CRO.CD=0, CRO.NW=0);
19.Restore CR4;
20.Wait for all processors to reach this point;
21.Enable interrupts;
11
// RLPs stop here
11
22.IF (IA32_APIC_BASE.BSP != 1) {
23.
      CLI;
      set bit indicating we have interrupts disabled;
24.
25.
      HLT;
26.}
27.Wait for all RLPs to signal that they have their interrupts
  disabled
```

#### 2.2.5.2 Selection of Launch Capabilities

System software must select the capabilities that it wishes to use for the launch. It must choose a subset of the capabilities supported by the SINIT AC module. For mandatory capabilities, such as the RLP wakeup mechanism, one of the supported options must be chosen.

28.OsSinitData.Capabilities = selected capabilities;

#### 2.2.5.3 TPM Preparation

System software must ensure that the TPM is ready to accept commands and that there is no currently active locality (TPM.ACCESS\_x.activeLocality bit is clear for all localities) before executing the GETSEC[SENTER] instruction.

29.Read TPM Status Register until it is ready to accept a command 32.For all localities x, ensure that ACCESS\_x.activeLocality is 0

Intel® Trusted Execution Technology



#### 2.2.5.4 Intel<sup>®</sup> Trusted Execution Technology Launch

The ILP is now ready to launch the measuring process. System software executes the GETSEC[SENTER] instruction. See chapter 6, "Safer Mode Extensions Reference", in the *Intel 64 and IA-32 Software Developer Manuals, Volume 2B* for the details of GETSEC[SENTER] operation.

30.EBX = Physical Base Address of SINIT AC Module
31.ECX = size of the SINIT AC Module in bytes
32.EDX = 0
33.GETSEC[SENTER]

# 2.3 MLE Initialization

This section describes the initialization of the MLE. Listing 7 shows the pseudocode for MLE initialization.

The MLE initialization code is executed on the ILP when the SINIT AC module executes the GETSEC[EXITAC] instruction—the MLE initialization code is the first MLE code to run after GETSEC[SENTER] and within the measured environment. The SINIT AC module obtains the MLE initialization code entry point for the MLE EntryPoint field in the MLE Header data structure whose address is specified in the OsSinitData entry in the Intel TXT Heap. The MLE initialization code is responsible for setting up the protections necessary to safely launch any additional environments or software. The initialization includes Intel TXT hardware initialization, waking and initializing the RLPs, MLE software initialization and initialization of the STM (if one is being used). Section 2.3 describes the details of MLE initialization.

During MLE initialization, the ILP executes the GETSEC[WAKEUP] instruction, bringing all the RLPs into the MLE initialization code. Each RLP gets its initial state from the MLE JOIN data structure. The ILP sets up the MLE JOIN data structure and loads its physical address in the TXT.MLE.JOIN register prior to executing GETSEC[WAKEUP]. Generally the RLP initialization code will be very similar to the ILP initialization code.

If the MLE restores any state from the environment of the launching system software then it must first validate this state before committing it. This is because state from the environment prior to the GETSEC[SENTER] instruction is not considered trustworthy and could lead to loss of MLE integrity.

Lines 1 – 8: The MLE loads CR3 with the MLE page directory physical address and enables paging. The SINIT AC module has just transferred control to the MLE with paging off, now the MLE must setup its own environment. The MLE's GDT is loaded at line 3 and the MLE does a far jump to load the correct MLE CS and cause a fetch of the MLE descriptor from the GDT. At line 5 a stack is setup for the MLE initialization routine and, at line 6, the MLE segment registers are loaded. Next the MLE loads its IDT and initializes the exception handlers.

All of the instructions and data that are used before paging is enabled must reside on the same physical page as the MLE entry point and must access data with relative addressing. This is because the page tables may have been subverted by untrusted



code prior to launch and so the MLE entry point's page may have been copied to a different physical address than the original. The MLE must also verify that this page is identity mapped prior to enabling paging (to ensure that the linear address of the instruction following enabling of paging is the same as its physical address).

If the MLE does not enable paging then it must also validate that the physical addresses specified in the page table used for the launch are the expected ones. And as above, it must do this in code that resides on the same physical page as the MLE entry point and uses only relative addressing. The reason for this validation is that the page table could have been altered to place the MLE pages at different physical addresses than expected, without having altered the MLE measurement.

Because the MLE page table that was used for measurement does not contain pages other than those belonging to the MLE, if it wishes to continue to run in a paged environment it will need to either extend the page tables to map the additional address space needed (e.g. TXT configuration space, etc.) or to create new page tables. This should be done after it has finished establishing a safe environment. The cacheability requirements for the address space of any MLE-established page tables must follow the guidelines below.

Line 9: The MLE checks the MTRRs which were saved in the OsMleData area of the Intel TXT Heap (see Appendix C). It looks for overlapping regions with invalid memory type combinations and variable MTRRs describing non-contiguous memory regions. If either of these checks fails the MLE should fail the measured launch or correct the failure.

Before the original MTRRs are restored, the MLE must ensure that all its own pages will be mapped with defined memory types once the variable MTRRs are enabled. The MLE must ensure that the combined memory type as specified by the page table entry and variable MTRRs results in a defined memory type.

If using the STM opt-in option, the MLE must check that the MSEG region of memory is covered by a variable MTRR with memory type UC. The MLE must ensure that this MTRR contains memory type UC during the entire operation of the Intel TXT environment.

The MLE must also ensure that the TXT Device Space (0xFED20000 – 0xFED4FFFF) is mapped as UC so that accesses to these addresses will be properly handled by the chipset.

Line 10: The MLE should check that the system memory map that it will use is consistent with the memory regions and types as specified in the Memory Descriptor Records (MDRs) returned in the SinitMleData structure. Alternately, the MLE may use this table as its map of system memory. This check is necessary as the system memory map is most likely generated by untrusted software and so could contain regions that, if used for trusted code or secrets, might lead to compromise of that data. If the MLE will be using PCI Express\* devices, it should verify that it is accessing their configuration space through the address range specified by the PCIE MDR type (3).

Line 11: The MLE should also verify that the Intel VT-d PMR settings that were used by SINIT to program the Intel VT-d engines, as specified in the OsSinitData structure, contain the expected values. While the MLE can only be launched if the settings cover itself and its page tables (or the pages fall within the DPR), settings beyond these regions could have been subverted by untrusted code prior to the launch.



Line 12: The MLE should restore the IA32\_MISC\_ENABLE MSR to the value saved in the OsMleData structure. This MSR was set to predefined values as part of SENTER in order to provide a more consistent environment to the authenticated code module. Most MLEs should be able to safely restore the previous value without any need to verify it.

Lines 13 – 17: If this is the ILP then the MLE does the one-time initialization, builds the MLE JOIN data structure and wakes the RLPs. This structure contains the physical addresses of the MLE entry point and the MLE GDT, along with the MLE GDT size. The ILP writes the physical address of this structure to the TXT.MLE.JOIN register. An RLP will read the startup information from the MLE JOIN data structure when it is awakened. The MLE writer should ensure that the MLE JOIN data structure does not cross a page boundary between two non-contiguous pages. The MLE image must be built or loaded such that its GDT is located on a single page. Enough of the RLP entry point code must be on a single page to allow the RLPs to enable paging.

Lines 18 – 27: The MLE must look at the OsSinitData.Capabilities field to see which RLP wakeup mechanism was chosen by the pre-SENTER code and thus used by SINIT. If the MLE wants to enforce that certain capabilities or wakeup mechanism was used then it can choose to error if it finds that not to be the case. For future compatibility, MLEs should support both RLP wakeup mechanisms.

Line 30: The MLE checks several items to ensure they are consistent across all processors:

- All processors must have consistent SMM Monitor Control MSR settings. The processors must all be opt-in and have the same MSEG region or the processors must be all opt-out. The MLE must also check that the MSEG region in the SMM Monitor Control MSR matches what is contained in the TXT.MSEG.BASE register.
- Ensure all processors have compatible VMX features. The compatible VMX features will depend on the specific MLE implementation. For example, some implementation may require all processors support Virtual Interrupt Pending.
- Ensure all processors have compatible feature sets. Some MLE implementations may depend on certain feature being available on all processors. For example, some MLE implementation may depend on all processors supporting SSE2.
- Ensure all processors have a valid microcode patch loaded or all processors have the same microcode patch loaded. This check will depend on the specific MLE implementation. Some MLE implementations may require the same patch be loaded on all processors, other MLE implementations may contain a microcode patch revocation list and require all processors have a microcode patch loaded which is not on the revocation list.

Line 31: The MLE must wakeup the RLPs while the memory type for the SINIT AC module region is writeback. This is a requirement of the MONITOR mechanism for RLP wakeup. Since this is not guaranteed to be true of the original MTRRs, it is safest to wait until after the RLPs have been awakened before restoring the MTRRs to their pre-SENTER values. Alternatively, the MLE could ensure that this is the case and adjust the MTRRs if it is not. It could then restore the MTRRs before waking the RLPs. In either case, when restoring the MTRRs they should be made the same for each processor.

Line 32: The MLE enables VMX in the CR4 register. This is required before any VMX instruction can be executed.



Line 33: The MLE allocates and sets up the root controlling VMCS then executes VMXON, enabling VMX root operation.

Lines 34 – 38: The MLE sets up the guest VM. At line 34 the MLE allocates memory for the guest VMCS. This memory must be 4K byte aligned. The MLE executes VMCLEAR with a pointer to this VMCS in order to mark this VMCS clear and allow a VMLAUNCH of the guest VM. At line 36 the MLE executes VMPTRLD so that it can initialize the VMCS at line 37. Now at line 38 the guest VM is launched for the first time.

Note: On the last extend of the TPM by the SINIT AC module, it may not wait to see if the command is complete – so the MLE needs to make sure that the TPM is ready before using it.

#### Listing 7: MLE Initialization Pseudocode

```
11
// MLE entry point - ILP and RLP(s) enter here
11
1. Load CR3 with MLE page table pointer (OsSinitData.MLE
  PageTableBaseLow/High);
2. Enable paging;
3. Load the GDTR with the linear address of MLE GDT;
4. Long jump to force reload the new CS;
5. Load MLE SS, ESP;
6. Load MLE DS, ES, FS, GS;
7. Load the IDTR with the linear address of MLE IDT;
8. Initialize exception handlers;
11
// Validate state
11
9. Check MTRR settings from OsMleData area;
10.Validate system memory map against MDRs
11.Validate VT-d PMR settings against expected values
12.Restore IA32_MISC_ENABLE MSR from OsMleData
11
// Wake RLPs
11
13.IF (ILP) {
     Initialize memory protection and other data structures;
14.
15.
      Build JOIN structure;
       TXT.MLE.JOIN = physical address of JOIN structure;
16.
17.
      IF (RLP exist) {
18.
          IF (OsSinitData.Capabilities is set to MONITOR
  wakeup mechanism) {
19.
               SinitMleData.RlpWakeupAddr = 1;
20.
           }
          ELSE IF (OsSinitData.Capabilities is set to GETSEC
21.
 wakeup mechanism) {
22.
              GETSEC[WAKEUP];
23.
           }
```



```
24
           ELSE {
25.
               Fail: Unknown RLP wakeup mechanism;
26.
           }
       }
27.
28.}
29.Wait for all processors to reach this point;
30.Do consistency checks across processors;
31.Restore MTRR settings on all processors;
11
// Enable VMX
11
32.CR4.VMXE = 1;
11
// Start VMX operation
11
33.Allocate and setup the root controlling VMCS, execute
  VMXON(root controlling VMCS);
11
// Set up the guest container
11
34.Allocate memory for and setup guest VMCS;
35.VMCLEAR guest VMCS;
36.VMPTRLD quest VMCS;
37. Initialize guest VMCS from OsMleData area;
11
// All processors launch back into guest
11
38.VMLAUNCH quest;
```

# 2.4 MLE Operation

The dispatch routine is responsible for handling all VMExits from the guest. The guest VMExits are caused by various situations, operations or events occurring in the guest. The dispatch routine must handle each VMExit appropriately to maintain the measured environment. In addition, the dispatch routine may need to save and restore some of processor state not automatically saved or restored during VM transitions. The MLE must also ensure that it has an accurate view of the address space and that it restricts access to certain of the memory regions that the GETSEC[SENTER] process will have enabled. The following subsections describe various key components of the MLE dispatch routine.

## 2.4.1 Address Space Correctness

It is likely that most MLEs will rely on the e820 memory map to determine which regions of the address space are physical RAM and which of those are usable (e.g. not reserved by BIOS). However, as this table is created by BIOS it is not protected from



tampering prior to a measured launch. An MLE, therefore, cannot rely on it to contain an accurate view of physical memory.

After a measured launch, SINIT will provide the MLE with an accurate list of the actual RAM regions as part of the SinitMleData structure of the Intel TXT Heap (see Appendix C.4). The SinitMDR field of this data structure specifies the regions of physical memory that are valid for use by the MLE. This data structure can also be used to accurately determine SMRAM and PCIe extended configuration space, if the MLE handles these specifically.

## 2.4.2 Address Space Integrity

There are several regions of the address space (both physical RAM and Intel TXT chipset regions) that have special uses for Intel TXT. Some of these should be reserved for the MLE and some can be exposed to one or more guests/VMs.

## 2.4.3 Physical RAM Regions

There are two regions of physical RAM that are used by Intel TXT and are reserved by BIOS prior to the MLE launch. These are the SINIT AC module region and the Intel TXT Heap. Each region's base address and size are specified by Intel TXT configuration registers (e.g. TXT.SINIT.BASE and TXT.SINIT.SIZE).

The SINIT and Intel TXT Heap regions are only required for measured launch and may be used for other purposes afterwards. However, if the measured environment must be re-launched (e.g. after resuming from the S3 state), the MLE may wish to reserve and protect these regions.

# 2.4.4 Intel<sup>®</sup> Trusted Execution Technology Chipset Regions

There are two Intel TXT chipset regions: Intel TXT configuration register space and Intel TXT Device Space. These regions are described in Appendix B.

#### 2.4.4.1 Intel<sup>®</sup> Trusted Execution Technology Configuration Space

The configuration register space is divided into public and private regions. The public region generally provides read only access to configuration registers and the MLE may choose to allow access to this region by guests. The private region allows write access, including to the various command registers. This region should be reserved to the MLE to ensure proper operation of the measured environment.

## 2.4.4.2 Intel<sup>®</sup> Trusted Execution Technology Device Space

The Intel TXT Device Space supports access to TPM localities. Localities three and four are not usable by the MLE even after the measured environment has been established, and so do not need any special treatment. Locality two is unlocked when the Intel TXT private configuration space is opened during the launch process. Locality one is not usable unless it has been explicitly unlocked (via the TXT.CMD.OPEN.LOCALITY1 command). If the MLE wants to reserve access to locality two for itself then it needs to ensure that guest/VM access to these regions behaves as an LPC abort, as defined by



TCG for non-accessible localities. This behavior is that memory reads return FFh and writes are discarded. The MLE can provide this behavior by trapping guest/VM accesses to the regions and emulating the defined behavior. Instead, it could map these regions onto one of the hardware-reserved localities (three or four) and let the hardware provide the defined behavior. If the MLE does not need access to locality 2 then it can simply close this locality (TXT.CMD.CLOSE.LOCALITY2) so that neither itself nor guests will have access to it.

## 2.4.5 **Protecting Secrets**

If there will be data in memory whose confidentiality must be maintained, then the MLE should set the Intel TXT secrets flag so that the Intel TXT hardware will maintain protections even if the measured environment is lost before performing a shutdown (e.g. hardware reset). This can be done by writing to the TXT.CMD.SECRETS configuration register. The teardown process will clear this flag once it has scrubbed memory and removed any confidential data.

## 2.4.6 Machine Specific Register Handling

Model Specific Registers (MSRs) pose challenges for a measured environment. Certain MSRs may directly leak information from one guest to another. For example, the Extended Machine Check State registers may contain secrets at the time a machine check is taken. Other MSRs might be used to indirectly probe trusted code. The Performance Counter MSRs, for example, could be used by the non-trusted guest to determine secrets (e.g. keys) used by the trusted code. Other MSRs can modify the MLE's operation and destroy the integrity of the measured environment.

The VMX architecture allows the MLE to trap all guest MSR accesses. Certain VMX implementations will also allow the MLE to use a bitmap to selectively trap MSR accesses. The MLE must use these VMX features to check certain guest MSR accesses, ensuring that no secrets are leaked and that MLE operation is not compromised.

An MLE might virtualize some of the MSRs. The VMX architecture provides a mechanism to automatically save selected guest MSRs and load selected MLE MSRs on VMEXIT. Selected guest MSRs may be automatically loaded on VMENTER. These features allow the MLE to virtualize MSRs, keeping a separate MSR copy for the guest and MLE. Note that using this feature will slow VMEXIT and VMENTER times. The VMX architecture provides a separate set of VMCS registers for the automatic saving and restoring of the fast system call MSRs.

There is a limit to the number of MSRs which can be swapped during a VMX transition. Bits 27:25 of the VMX\_BASE\_MSR+5 indicate the recommended maximum number of MSRs that can be saved or loaded in VMX transition MSR-load or MSR-store lists. Specifically, if the value of these bits is N, then 512 \* (N + 1) is the recommended maximum number of MSRs referenced in each list. If the limit is exceeded, undefined processor behavior may result (including a machine check during the VMX transition).

There are certain MSRs which cannot be included in the MSR-load or MSR-store lists. In the initial VMX implementations, IA32\_BIOS\_UPDT\_TRIG and IA32\_BIOS-SIGN\_ID may not be loaded as part of a VM-Entry or VM-Exit. The list of MSRs that cannot be loaded in VMX transitions is implementation specific.



The MLE must contain a built-in policy for handling guest MSR accesses. This MSR handling policy must deal with all architectural MSRs that might be accessed by guest code. The built-in MSR policy must deny access to all non-architectural MSRs.

## 2.4.7 Interrupts and Exceptions

To preserve the integrity of the measured environment, the MLE must be careful in how it handles exceptions and interrupts. It needs to ensure that its IDT has a handler for all exceptions and interrupts. The MLE should also ensure that if it uses interrupts for internal signaling that it does so securely. Likewise, it is best if exception handlers do not try and recover from the exception but instead properly terminate the environment.

### 2.4.8 ACPI Power Management Support

Certain ACPI power state transitions may remove or cause failure to the Intel TXT protections. The MLE must control such ACPI power state transitions. The following sections describe the various ACPI power state transitions and how the MLE must deal with these state transitions.

#### 2.4.8.1 T-state Transitions

T-states allow reduced processor core temperature through software-controlled clock modulation. T-state transitions do not affect the Intel TXT protections, so the MLE does not need to control T-state transitions. The MLE may wish to control T-state transitions for other purposes, e.g. to enforce its own power management or performance policies.

#### 2.4.8.2 P-State Transitions

P-state transitions allow software to change processor operating voltage and frequency to improve processor utilization and reduce processor power consumption. These P-state transitions require special MLE treatment to ensure software does not write an invalid combination into the GV3 MSRs.

#### 2.4.8.3 C-State Transitions

C-states allow the processor to enter lower power state. The CO state is the only Cstate where the processor is actually executing code – in the remaining C-states the processor enters a lower power state and does not execute code. In these lower power C-states the Intel TXT protections remain intact; therefore the MLE does not need to monitor or control the C-state transitions. The MLE may wish to control C-state transitions for other purposes, e.g. to enforce its own power management or scheduling policy.



### 2.4.8.4 S-State Transitions

The S0 state is the system working state – the remaining S-states are low-power, system-wide sleep states. Software transitions from the S0 working state to the other S-states by writing to the PM1 control register (PM1\_CNT) in the chipset. Since the Intel TXT protections are removed when the system enters the S3, S4 or S5 states, and the BIOS will gain control of the system on resume from these states, the MLE must remove secrets from memory before allowing the system to enter one of these sleeps states. Note that entering S1 does not remove Intel TXT protections and Intel chipsets do not support the S2 sleep state.

The Intel TXT chipset provides hardware to detect when the software attempts to enter a sleep state while the secrets flag is set (the TXT.SECRETS.STS bit of the TXT.E2STS register). The Intel TXT chipset will reset the system if it detects a write to the PM1\_CNT register that will force the system into S3, S4 or S5 while the secrets flag is set. If the Intel TXT chipset does detect this situation and resets the system, then the BIOS AC module will scrub the memory before passing control to the BIOS. To avoid this reset and scrubbing process the MLE should remove secrets from memory and teardown the Intel TXT environment before allowing a transition to S3, S4 or S5.

Before tearing down the Intel TXT environment, the MLE may remove secrets from memory (clearing pages with secrets) or encrypt secrets for later use (e.g. for a later measured environment launch). Once this operation is complete the MLE must issue the TXT.CMD.NO-SECRETS command to clear the secrets flag. After this command is issued, the MLE may allow a transition to a S3, S4 or S5 sleep state. The MLE teardown procedure is described in more detail in section 2.5

Because the boot process on resuming from an S3 state does not re-measure the elements of the SRTM, software prior to entering the S3 state must execute the TPM\_SaveState command to inform the TPM to preserve the state of its PCRs. Upon resume from S3, the BIOS must provide a flag to TPM\_Startup to indicate that the TPM is to restore the saved state. If the TPM's state is not saved prior to entering S3, then the TPM will be non-functional after resuming. Normally an OS TPM driver would perform the TPM\_SaveState command when the OS indicated that it was entering S3. However, if the MLE cannot be sure that the environment it establishes will perform this command, it may wish to so do itself prior to entering S3. There is no harm if this command is executed multiple times prior to S3.

## 2.5 MLE Teardown

This section describes an orderly measured environment teardown. This occurs when the guest OS or the MLE decides to teardown the measured environment (for example prior to entering an ACPI sleep state such as S3). The listing below shows the pseudocode for teardown of the measured environment.

Line 1: Rendezvous all processors at "exiting Intel TXT environment" point in guest. No need for the guests to save their state as their state will be stored in a VMCS on VMEXIT to the monitor.

Lines 2 and 3: After all processors in the guest rendezvous, all processors execute a VMCALL to the teardown routine in the MLE. Once in the MLE, each processor increments a counter in trusted memory. All processors except the BSP/ILP (the processor with IA32\_APIC\_BASE MSR.BSP=1) wait on a memory barrier. The ILP



waits for all other processors to enter MLE teardown routine then signals the other processors to resume with teardown.

If not all processors reach the rendezvous in the guest, the ILP may timeout and VMCALL to the MLE teardown routine. If not all processors arrive in the MLE teardown routine, the ILP forces all other processors into the MLE with an NMI IPI. Both these conditions are treated as errors – the ILP should proceed with the measured environment teardown but log an error.

At line 4, each processor reads all guest state from its VMCS and stores this data in memory, since after VMXOFF the processors will no longer be able to access data in their VMCS. This state will be needed to restore the guest execution after teardown.

The MLE automatically saves certain guest state (general purpose registers which are not part of the VMCS guest area) on VM Exit. The MLE may need to restore this state when it reenters the guest after the GETSEC[SEXIT].

Line 5: Once all processors are in the MLE and have saved guest state from the VMCS, all processors clear their appropriate registers to remove secrets from these registers.

Lines 6: All processors flush VMCS contents to memory using VMCLEAR. The MLE must flush any VMCS which might contain secrets – this would include all guest VMCSes in a multi-VM environment.

Line 7: The processors wait until all processors have reached this point before resuming execution. This allows all the VMCS flushes to complete before the ILP encrypts or scrubs secrets. Processors should execute an SFENCE to ensure all writes are completed before continuing.

Line 9: The ILP encrypts and stores exposed secrets from all trusted VMs. Note that encrypted secrets will have to be stored in memory until the OS can put them to disk. This will require extra memory above and beyond the memory holding secrets. This step assumes that the RLPs do not have secrets that are not visible to the ILP. Therefore when the ILP scrubs/encrypts all secrets, this will deal with secrets in the RLP caches also.

Line 10: The ILP again clears appropriate registers to remove any secrets from those registers.

Line 11: The ILP scrubs all trusted memory (except the teardown routine itself and encrypted memory). Note that the scrub itself clears secrets still held in the cache.

Line 12: The ILP executes WBINVD to invalidate its caches (to ensure last few pages of zeros actually get to memory).

Line 13: The ILP caps, or extends, the dynamic PCRs with some value. This prevents an attacker from unsealing the secrets after the teardown using the same PCRs, since the dynamic PCRs are not reset after GETSEC[SEXIT].

Line 14: The ILP writes the NoSecrets in memory command. (TXT.CMD.NO-SECRETS)

Line 15: The ILP should unlock the system memory configuration (TXT.CMD.UNLOCK-MEM-CONFIG) (that was locked by SINIT) once secrets have been removed from memory. This will facilitate re-launching the MLE and is necessary for a graceful shutdown of the system.



Line 16: The ILP closes Intel TXT private configuration space.

Line 19: The RLPs wait while the ILP encrypts and scrubs secrets from memory.

Line 21: Each processor then disables processor virtualization.

Lines 22 - 27: The RLPs wait on a memory barrier while the ILP executes the GETSEC[SEXIT] instruction to initiate the teardown of SMX operation.

At end of GETSEC[SEXIT], the ILP simply continues to the next instruction (still running in monitor's context – paging on). The ILP signals the RLPs to continue.

Lines 28 and 29: The former monitor code now restores guest state left behind when the guest executed the VMCALL to enter the MLE teardown routine. All processors perform the transition to guest OS, now operating as normal environment rather than guest.

The guest MSRs must be restored when restarting the guest OS. The MLE can restore the MSRs with information in the VMCS (VM-exit MSR store count) and the VM-exit MSR store area, or the guest OS could save important MSR settings before calling the teardown routine and restore its own MSR settings after resuming after teardown.

If the MLE is going to return control to a designated guest after tearing down then the MLE must ensure that no interrupts are left pending or unserviced before returning control to the designated guest. Any interrupts left pending or unserviced may prevent further interrupt servicing once the designated guest is restarted.

#### Listing 8. Measured Environment Teardown Pseudocode

| 1. | Rendezvous | processors | in | guest | OS; |  |
|----|------------|------------|----|-------|-----|--|
|    |            |            |    |       |     |  |

- 2. All processors VMCALL teardown in MLE;
- 3. Rendezvous all processors in MLE teardown routine;
- All processors read guest state from VMCS, store values in memory;

11 // Remove and encrypt all secrets from registers and memory 11 5. All processors clear their appropriate registers; 6. All processors flush VMCS contents to memory using VMCLEAR; 7. Wait for all processors to reach this point; 8. IF (ILP) { 9. Encrypt and store secrets in memory; 10. Again clear appropriate registers to remove secrets; 11. Scrub all trusted memory; WBINVD caches; 12. "cap" dynamic TPM PCRs; 13. 14. Write to TXT.CMD.NO-SECRETS; 15. Unlock memory configuration Close private Intel TXT configuration space; 16. 17. Signal RLPs that scrub is complete; 18.} ELSE { // RLP 19. Wait for ILP to signal completion of memory scrub; 20.} 11



```
// Stop VMX operation
11
21.VMXOFF;
11
// RLPs wait while ILP executes SEXIT
11
22.IF (ILP) {
23. GETSEC[SEXIT];
24.
     signal completion of SEXIT;
25.} ELSE {
26.
      wait for ILP to signal completion of SEXIT;
27.}
11
// Transition back to the guest OS
11
28.Restore guest OS state from device memory;
29. Transition back to guest OS context;
```

# 2.6 Other Considerations

### 2.6.1 Saving MSR State across a Measured Launch

Execution of the GETSEC[SENTER] instruction loads certain MSRs with pre-defined values. For example, GETSEC[SENTER] will load IA32\_DEBUGCTL MSR with OH and will load the GV3 MSR with a predetermined value. The software can deal with this in several different ways. The launching software may save the state of these MSRs before measured launch and restore the state after the launch returns. In this case the MLE will need to check the values that are restored. Another approach is to have the launch software save the desired state and have the MLE restore the values before resuming the guest. The software could also leave these MSRs in the state established by GETSEC[SENTER].

The IA32\_MISC\_ENABLE MSR should be saved and restored around measured launch and teardown.

§

Intel® Trusted Execution Technology





# *3 Verifying Measured Launched Environments*

Launch Control Policy (LCP) is the verification mechanism for the Intel TXT verified launch process. LCP is used determine whether the current platform configuration or the environment to be launched meets a specified criteria. Policies may be defined by the Platform Owner, and/or, as a default set by the Platform Supplier.

## 3.1 Overview

The Launch Control Policy architecture consists of the following components:

- LCP Policy Engine part of the SINIT ACM and enforces the policies stored on the platform
- LCP Policies stored in the TPM, they specify the policies SINIT ACM will enforce.
- LCP PolicyData objects referenced by the Policy structures in the TPM; each contains a list of valid Measured Launched Environments or a list of possible platform configurations.

Figure 1 shows how these components relate to each other. The figure also shows that there are two possible policies available on the platform: the Platform Default policy, as established by the Platform Supplier, and the Platform Owner's policy.

When the platform boots, its state is measured and recorded by the Static Root of Trust for Measurement (SRTM) and the other components which make up the static chain of trust; these events occur from when the platform is powered on until the Intel TXT measured launch (or until some component breaks the static chain). At this point GETSEC[SENTER] is invoked, and control is passed through the authenticated code execution area to the SINIT authenticated code module. The LCP engine in SINIT reads the LCP Policy Indices in the TPM NV, decides which policy to use, and checks the Platform Configuration and the Measured Launched Environment as require by the chosen policy. The measured environment is then launched.







Figure 2 shows the policy decision flow within the LCP engine within the SINIT authenticated code module. If no policy on the platform is configured then SINIT behaves as the policy allows ANY Measured Launched Environment and ANY platform configuration. When both the Platform Default and the Platform Owner Policies have been established on the platform the policies are combined (see section 3.2.1), the Platform Owner policy taking precedence when there is a conflict between the two policies.



#### Figure 2. SINIT LCP Internal Flow



## 3.1.1 LCP Components

The description of the policy that the SINIT AC module implements, consists of two policies: one policy is set by the Platform Supplier, known as the Platform Default, and the other belongs to the Platform Owner. Both policies are stored in the Non-Volatile Store of the Trusted Platform Module (TPM NV). By storing the policy in the TPM NV, access controls can be applied to it; it also enables the policy to persist across platform power cycles.

#### 3.1.1.1 LCP Policy

The *LCP\_POLICY* structure (for a full listing see Appendix D.1) is used for both the Platform Default and the Platform Owner policies. The size of the structure currently needs to be kept to a minimum in order to preserve the scarce resources of the TPM NV storage, which is why additional structures for both Default and Owner policies (*LCP\_POLICY\_DATA*) that can be persisted elsewhere are provided to handle additional information.



#### Figure 3. LCP\_POLICY Structure



Figure 3 diagrammatically illustrates the LCP\_POLICY structure (fields not to scale): *HashAlg* identifies the hashing algorithm used through this policy. *PolicyType* indicates whether an additional LCP\_POLICY\_DATA structure is required and if this data is to be treated as unsigned.

- If the *PolicyType* field is *POLTYPE\_ANY* then the value in the *PolicyHash* field is ignored and the environment to be launched is simply measured before execution control is passed to it. No corresponding *LCP\_POLICY\_DATA* is expected.
- If the *PolicyType* field is *POLTYPE\_HASHONLY* then the value in the *PolicyHash* field is the only value against which the Measured Launched Environment is to be compared. No additional *LCP\_POLICY\_DATA* is required. No corresponding *LCP\_POLICY\_DATA* is expected. This policy type is not currently supported for the default policy.
- If the *PolicyType* field is *POLTYPE\_UNSIGNED* then the value of *PolicyHash* is the result of computing a hash over the LCP\_POLICY\_DATA. The corresponding *LCP\_POLICY\_DATA* structure will contain data of type *LCP\_UNSIGNED\_POLICY\_DATA*. This policy type is not currently supported for the default policy.
- If the *PolicyType* field is *POLTYPE\_FORCEOWNERPOLICY* the value of *PolicyHash* is ignored and the LCP engine will process the Platform Owner's LCP Policy and fail if it is not present. No corresponding *LCP\_POLICY\_DATA* is expected. This value can only be used in the Platform Default LCP policy.

*SINITRevocationCounter* specifies the minimum version of SINIT that can be used. This value corresponds to the AcmVersion field in the AC module Information Table (see Table 6).

The *PolicyControlField* provides a number of control bits which are defined as:

- Bits31:2 Reserved and should set to zero
- Bit 1 Identifies whether the platform will allow AC Modules which have been marked as pre-production to be used to launch the MLE.
   Note: Setting the bit to 1 will require a pre-production SINIT AC module and will result in PCRs 17 and 18 being capped with a random value.
- Bit 0 Identifies whether a hash of an unsigned policy is extended into PCR 17

## 3.1.1.2 LCP Policy Data

The purpose of the *LCP\_POLICY\_DATA* structure is to provide the additional data needed to enforce the policy but in a separate entity that doesn't have to consume



TPM NV space. The *LCP\_POLICY\_DATA* structure contains an unsigned policy data (indicated by *LCP\_POLICY::PolicyType*); the structures for which are shown in Figure 4 and a full description of *LCP\_POLICY\_DATA* can be found in Appendix D.2.





The *LCP\_UNSIGNED\_POLICY\_DATA::PolicyTable* structure allows the object to contain a number of lists which identify either:

- the types of measured environment that can be launched, or
- the states the platform may be in as recorded in the TPM by the Static chain of Trust.

## 3.1.2 Policy List Types

#### 3.1.2.1 MLE List

When processing a measured environment list the LCP engine computes the hash (using the *HashAlg* identified in *LCP\_POLICY*) over the environment to be launched and compares it to the hash values in the MLE list. If a match can be found, then the LCP engine proceeds.

The following rules apply to the Measured Launched Environment List:

- There can only be one MLE list within the LCP\_POLICY\_DATA structure
- Each measured environment must be enumerated using the same cryptographic hashing algorithm specified by *HashAlg* in *LCP\_POLICY*. This algorithm must be supported by SINIT.
- All measurements are of the environment to be launched, as measured by SINIT, not the value of the PCR after it's been extended.



### 3.1.2.2 Platform Configuration List

When processing the platform configuration list the LCP engine reads the appropriate PCR's as defined by the first TPM\_PCR\_INFO\_SHORT value in the list and concatenates them and cryptographically hashes them together. The result is compared to the hash value in the *TPM\_PCR\_INFO\_SHORT*. If there is no match this process is repeated for each and every member of the list. As soon as a match is found, the LCP engine proceeds.

The follow rules apply to the Platform configuration List:

- There can only be one platform configuration list within the *LCP\_POLICY\_DATA* structure
- Each platform configuration in the list must be enumerated as a *TPM\_PCR\_INFO\_SHORT* structure.

Additionally, it is recommended, although not necessary, that all *TPM\_PCR\_INFO\_SHORT* structures in the platform configuration list test the same set of PCR values.

## 3.1.3 Supported Cryptographic Algorithms

The following algorithms are defined for the current version of the Launch Control Policy:

Hashing – SHA-1

It is the responsibility of the policy author to ensure that their policy uses an algorithm supported by the version of the SINIT AC module being used. If the policy specifies an unsupported algorithm, the policy will fail and the environment will not be permitted to launch.

## 3.2 Policy Engine Logic

The logic above means that all the records (i.e., an *LCP\_POLICY\_LIST* structure) in the *PolicyTable* must evaluate to true. However, a record may represent a list which contains multiple possible hash values only one of which must match in order for the record to evaluate true..

In a very simple case where the *LCP\_POLICY\_LIST* is a simple MLE list, the logic would be as follows:

MLEList: MLE1 or MLE2 or MLE3

The measured environment can be launched if, and only if, the hash of the measured environment matched any one of the listed MLE1, MLE2 or MLE3.

While a more complex set of policies could contain both an MLE list and a platform configuration list. In this case the logic would be as follows:

MLEList: MLE1 or MLE2 or MLE3 AND PltConfList: PCONF1 or PCONF2 or PCONF3



Here, the measured environment can be launched if, and only if, the hash of the measured environment matches one the values MLE1, MLE2 or MLE3 and the values of the TPM PCRs at the time SINIT is executed matches one of the values PCONF1, PCONF2, or PCONF3.

If either the MLE or the PCONF fails to match any of its respective hash values, an error code is written to the TXT.ERRORCODE register and a TXT Shutdown is triggered.

## 3.2.1 Combining Policies

When both the Platform Supplier and the Platform Owner have established policies on the platform, the two policies are combined to give a resultant policy which the LCP Policy Engine will enforce.

## 3.3 Measuring the Enforced Policy

The LCP engine will extend to PCR 17 a hash value which represents the policy against which the environment was launched. This hash value is determined by the rules in the following sections and in some cases the settings in the relevant *LCP\_POLICY::PolicyControlField*, these relate to the possible combinations:

- *No Policy* The platform has no configured policy.
- Allow Any Policy The selected policy allows any MLE to launch.
- LCP Policy Hash Only The selected policy only uses a single hash stored in the LCP\_POLICY
- Unsigned LCP\_POLICY\_DATA The selected policy uses an unsigned LCP\_POLICY\_DATA structure
- *Force Owner Policy* The Platform Default policy requires that a Platform Owner's Policy is present on the platform.

As a matter of integrity the *LCP\_POLICY::PolicyControlField* field will always be extended into PCR 17.

### 3.3.1 No Policy Data

When no LCP Policy is executed, 20 bytes of 0s will be extended to PCR 17 to prevent any Measured Launched Environment from later extending a value of any other policy into the PCR 17. As PCR 17 will be open to Locality 2 extends, the Measured Launched Environment would gain access to sealed secrets which were sealed against some known policy by another Measured Launched Environment.

## 3.3.2 LCP Policy Allow Any

When the LCP\_POLICY indicates that the Policy Type is ALLOW ANY, 20 bytes of 0s will extended to PCR 17 to prevent any Measured Launched Environment from later extending a value of any other policy into the PCR 17.



## 3.3.3 LCP Policy Hash Only

When the LCP\_POLICY indicates that the *HashValue* is to be used as the only measurement to be compared against, and that comparison is successful then this value is extended to PCR 17.

## 3.3.4 Unsigned LCP\_POLICY\_DATA

When the *LCP\_POLICY* indicates that the *LCP\_POLICYDATA* object associated with the policy is unsigned, the *LCP\_POLICY\_DATA* may contain unsigned MLE & Platform Configuration lists. The value extended into PCR 17 will not simply be the hash of the list. The LCP engine will generate a hash value for each list present within *LCP\_POLICY\_DATA* and hash them together and extend this value. The hash for a list is calculated by hashing the entire list. When Bit 0 of the LCP\_POLICY::PolicyControlField is set, then the hash value for unsigned LCP\_POLICY\_DATA is extended into PCR 17; when it is clear then it is not.

## 3.3.5 Force Platform Owner Policy

When the Platform Default policy indicates that the Platform Owner policy must be present then the value of the Platform Owner policy will be extended in PCR 17.

## 3.4 Revocation

## 3.4.1 SINIT Revocation

LCP Structures also enable a limited self-revocation mechanism for SINIT. This is supported in the LCP\_POLICY structure in the *SINITRevocationCounter* field. This field is a UINT8 and corresponds to a similar field within the SINIT image. When the value of the *LCP\_POLICY::SINITRevocationCounter* field is less than or equal to the value of AcmVersion in the SINIT image then SINIT may proceed, otherwise SINIT shall cause a TXT Shutdown condition with the value LCP\_SINIT\_REVOKED in the TXT.ERRORCODE register.

§



# 4 Development and Deployment Considerations

# 4.1 Launch Control Policy Creation

Depending on the usage model, it may be desirable to create a Launch Control Policy at the time the MLE is built. This would apply in the cases where only one MLE is expected to run on the system. In such cases, the policy can be pre-created and provisioned during the installation of the MLE.

If multiple MLEs are expected to run on the system, or if there is to be a platform configuration policy, then it is likely that the policy will need to be created at the time of deployment.

In either case, it is advisable that the policy should contain an SINITRevocationCounter value that corresponds to the lowest versioned SINIT that is required. In the case of a system that supports multiple MLEs, that would be the lowest AcmVersion of all of the SINITs installed. For a single MLE system, it is simply the AcmVersion of the single SINIT installed. Setting the SINITRevocationCounter value in the policy prevents an attacker from substituting an older version of SINIT (if there is one for a given platform) that may have security issues.

## 4.2 Launch Errors and Remediation

If there is an error during a measured launch, the platform will be reset and an error code left in the TXT.ERRORCODE register. It is important for MLE vendors to consider how their software will handle such errors and allow users or administrators to remediate them.

If an MLE is launched automatically either as part of the boot process or as part of an operating system's launch process, it needs to be able to detect a previous failure in order to prevent a continuous cycle of boot failures. Such failures may occur as part of the loading and preparation for the GETSEC[SENTER] instruction or they may occur during the processing of that instruction before the MLE is given control.

In the former case, it is the MLE launching software that is detecting the error condition (e.g. a mismatched SINIT ACM, TXT not being enabled, etc.) and that software can use whatever mechanism it chooses to persist the error or to handle it at that time. In the latter case, the system will be reset before the MLE launching software can handle the error and so that software should be able to detect the error in the TXT.ERRORCODE register and take appropriate action.

The particular remediation action needed will depend on the error itself. If the MLE launch happens early in the boot process, the launching software may need a way of booting into a remediation operating system. If the launch happens within an



operating system environment, the software may be able to remediate in that environment.

## 4.3 Deployment

## 4.3.1 LCP Provisioning

#### 4.3.1.1 TPM Ownership

Because creation and writing to the Platform Owner policy TPM NV index requires the TPM owner authorization credential, the installation program should accommodate differing IT policies for how and when TPM ownership is established. In some enterprises, IT may take ownership before a system is deployed to an end user. In others, the TPM may be un-owned until the first application that requires ownership establishes it.

Since the TPM owner authorization credential will be required to modify the Platform Owner policy, if the installation program creates the credential it should provide a mechanism for securely saving that credential either locally or remotely.

#### 4.3.1.2 Policy Provisioning

The Platform Owner policy TPM NV index will need to be created by the MLE installation program (or other TPM management software) if does not already exist. This can be done with the TPM\_NV\_DefineSpace command or corresponding higher-level TPM interface (e.g. via a TCG Software Stack or TSS).

Once the index has been created, the installation program can write the policy into the index using the TPM\_NV\_WriteValue command or corresponding higher-level TPM interface (e.g. via a TCG Software Stack or TSS).

Because creating and writing to the Platform Owner policy index requires the TPM owner authorization credential, care should be taken to protect the credential when it is being used and to erase or delete it from memory as soon as it is no longer needed.

Ideally, policy provisioning would occur in a secure environment or be performed by an agent that can be verified as trustworthy. An example of the former would be on an isolated network immediately after receiving the system. Another would be booting from a CD containing provisioning software. An example of the latter would be to use Intel TXT to launch a provisioning MLE or agent that was then attested to by a remote entity which could provide the owner authorization credential upon successful attestation.

## 4.3.2 SINIT Selection

Because the SINIT AC module is specific to a chipset, different platforms may have different SINIT ACMs. If an MLE is intended to run on multiple platforms with different chipsets, the MLE installation program will need to determine which SINIT ACM to install.



This can be done by comparing the chipset compatibility information in the SINIT ACM's Chipset ID List with the corresponding information for the platform. This would be identical to the process for verifying SINIT ACM compatibility at launch time, as described in section 2.2.3.1.

§

Intel® Trusted Execution Technology





# Appendix A Intel<sup>®</sup> TXT Execution Technology Authenticated Code Modules

# A.1 Authenticated Code Module Format

An authenticated code module (AC module) is required to conform to a specific format. At the top level the module is composed of three sections: module header, internal working scratch space, and user code and data. The module header contains critical information necessary for the processor to properly authenticate the entire module, including the encrypted signature and RSA based public key. The processor also uses other fields of the AC module for initializing the remaining processor state after authentication.

The format of the authenticated-code module is in Table 3. This definition represents Revision 0.0 of the AC module header version (defined in the HeaderVersion field).

| Field           | Offset | Size (bytes) | Description                                                         |
|-----------------|--------|--------------|---------------------------------------------------------------------|
| ModuleType      | 0      | 4            | Module type                                                         |
| HeaderLen       | 4      | 4            | Header length (in multiples of four bytes)<br>(161 for version 0.0) |
| HeaderVersion   | 8      | 4            | Module format version                                               |
| ChipsetID       | 12     | 2            | Module release identifier                                           |
| Flags           | 14     | 2            | Module-specific flags                                               |
| ModuleVendor    | 16     | 4            | Module vendor identifier                                            |
| Date            | 20     | 4            | Creation date (BCD format:<br>year.month.day)                       |
| Size            | 24     | 4            | Module size (in multiples of four bytes)                            |
| Reserved1       | 28     | 4            | Reserved for future extensions                                      |
| CodeControl     | 32     | 4            | Authenticated code control flags                                    |
| ErrorEntryPoint | 36     | 4            | Error response entry point offset (bytes)                           |
| GDTLimit        | 40     | 4            | GDT limit (defines last byte of GDT)                                |

#### Table 3. Authenticated Code Module Format



| Field       | Offset                     | Size (bytes)    | Description                                                                                      |  |  |  |
|-------------|----------------------------|-----------------|--------------------------------------------------------------------------------------------------|--|--|--|
| GDTBasePtr  | 44                         | 4               | GDT base pointer offset (bytes)                                                                  |  |  |  |
| SegSel      | 48                         | 4               | Segment selector initializer                                                                     |  |  |  |
| EntryPoint  | 52                         | 4               | Authenticated code entry point offset (bytes)                                                    |  |  |  |
| Reserved2   | 56                         | 64              | Reserved for future extensions                                                                   |  |  |  |
| KeySize     | 120                        | 4               | Module public key size less the exponent<br>(in multiples of four bytes)<br>(64 for version 0.0) |  |  |  |
| ScratchSize | 124                        | 4               | Scratch field size (in multiples of four<br>bytes)<br>(2 * KeySize + 15 for version 0.0)         |  |  |  |
| RSAPubKey   | 128                        | KeySize * 4     | Module public key                                                                                |  |  |  |
| RSAPubExp   | 384                        | 4               | Module public key exponent                                                                       |  |  |  |
| RSASig      | 388                        | 256             | PKCS #1.5 RSA Signature                                                                          |  |  |  |
|             | End of AC module header    |                 |                                                                                                  |  |  |  |
| Scratch     | 644                        | ScratchSize * 4 | Internal scratch area used during initialization (needs to be all 0s)                            |  |  |  |
| User Area   | 644 +<br>Scratch<br>Size*4 | N * 64          | User code/data (modulo-64 byte increments)                                                       |  |  |  |

#### ModuleType

Indicates the module type. The following module types are defined:

2 = Chipset authenticated code module.

Only ModuleType 2 is supported by GETSEC functions SENTER and ENTERACCS.

#### HeaderLen

Length of the authenticated module header specified in 32-bit quantities. The header spans the beginning of the module to the end of the signature field. This is fixed to 161 for AC module version 0.0.

#### **HeaderVersion**

Specifies the AC module header version. Major and minor vendor field are specified, with bits 15:0 holding the minor value and bits 31:16 holding the major value. This should be initialized to zero for header version 0.0. Unsupported header versions will be rejected by the processor and result in an abort during authentication.

#### ChipsetID

Module-specific chipset identifier.

#### Flags



Module-specific flags. The following bits are currently defined:

#### Table 4. AC module Flags Description

| Bit position | Description                               |
|--------------|-------------------------------------------|
| 13:0         | Reserved (must be 0)                      |
| 14           | Production (0) or pre-production flag (1) |
| 15           | Production (0) or debug (1) signed        |

#### ModuleVendor

Module creator vendor ID. Use the PCI SIG\* assignment for vendor IDs to define this field. The following vendor ID is currently recognized:

00008086H = Intel

#### Date

Creation date of the module. Encode this entry in the BCD format as follows: year.month.day with two bytes for the year, one byte for the day, and one byte for the month. For example, a value of 20040328H indicates module creation on March 28, 2004.

#### Size

Total size of module specified in 32-bit quantities. This includes the header, scratch area, user code and data.

#### Reserved1

Reserved. This should be initialized to zeros.

#### CodeControl

Authenticated code control word. Defines specific actions or properties for the authenticated code module. The following bits are currently defined:

 Table 5. AC module CodeControl Description

| Bit position | Description                                                                                                                                                                                                                                    |  |  |  |  |
|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|--|--|
| 0            | Valid error entry point defined                                                                                                                                                                                                                |  |  |  |  |
| 1            | Enable error reporting on detection of a snoop hit to a modified line during the load of an authenticated code module                                                                                                                          |  |  |  |  |
| 2            | Load memory type error in Authenticated Code Execution Area                                                                                                                                                                                    |  |  |  |  |
| 3            | Enable error reporting on detection of a snoop hit to a modified line during authenticated code execution. If this bit is set, the occurrence of a HITM event results in an Intel <sup>®</sup> Trusted Execution Technology shutdown condition |  |  |  |  |
| 31:4         | Reserved                                                                                                                                                                                                                                       |  |  |  |  |

#### ErrorEntryPoint



If bit 0 of the CodeControl word is 1, the processor will vector to this location if a snoop hit to a modified line was detected during the load of an authenticated code module. If bit 0 is 0, then enabled error reporting via bit 1 of a HITM during ACEA load will result in an abort of the authentication process and signaling of an Intel<sup>®</sup> Trusted Execution Technology shutdown condition.

#### GDTLimit

Limit of the GDT in bytes, pointed to by GDTBasePtr. This is loaded into the limit field of the GDTR upon successful authentication of the code module.

#### GDTBasePtr

Pointer to the GDT base. This is an offset from the authenticated code module base address.

#### SegSel

Segment selector for initializing CS, DS, SS, and ES of the processor after successful authentication. CS is initialized to SegSel while DS, SS, and ES are initialized to SegSel + 8.

#### EntryPoint

Entry point into the authenticated code module. This is an offset from the module base address. The processor begins execution from this point after successful authentication.

#### Reserved2

Reserved. Should contain zeros.

#### KeySize

Defines the width the RSA public key in dwords applied for authentication, less the size of the exponent. For version 0.0 of the AC module header, KeySize is fixed to 64 (a 2048 bit key). The information in this field is intended to support external software parsing of an AC module independent of the module version. It is the responsibility of the developer to reflect an accurate KeySize. This field is not checked for consistency by the processor.

#### ScratchSize

Defines the width of the scratch field size specified in 32-bit quantities. For version 0.0 of the AC module header, ScratchSize is defined by KeySize \* 2 + 15. The information in this field is intended to support external software parsing of an AC module independent of the module version. It is the responsibility of software to reflect an accurate ScratchSize. This field is not checked by the processor.

#### **RSAPubKey**

Contains a public key plus a fixed 32-bit exponent to be used for decrypting the signature of the module. The size of this field is defined by the previously defined AC module field, KeySize + 1.

#### RSASig



The PKCS #1.5 RSA Signature of the module. The RSA Signature signs an area that includes the some of the module header and the USER AREA data field (which represents the body of the module). Parts of the module header not included are: the RSA Signature, public key, and scratch field.

#### Scratch

Used for temporary scratch storage by the processor during authentication. This area can be used by the user code during execution for data storage needs.

After successful authentication of an AC module, the first 20 bytes of the scratch area (offset bytes 644 - 663) contains the computed hash of the module as represented by the encrypted version held in RSASig field. The contents for other locations of the scratch field after authentication are undefined and should not be relied upon by AC module.

#### User Area

User code and data represented in modulo-64 byte increments. In addition, the boundary between data and code should be on at least modulo-1024 byte intervals. The user code and data region is allocated from the first byte after the end of the Scratch field to the end of the AC module.

The chipset AC module information table is located at the start of the User Area and contains supplementary information that is specific to chipset AC modules. The chipset ID list is described in more detail in section 2.2.3.1.

| Field                   | Offset<br>(Bytes) | Width<br>(Bytes) | Description                                                                                                                                                                                                                                                                  |
|-------------------------|-------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| UUID                    | 0x00              | 0x10             | UUID of the Chipset AC module information table<br>defined as:<br>ULONG UUIDO; // 0x7FC03AAA<br>ULONG UUID1; // 0x18DB46A7<br>ULONG UUID2; // 0x8F69AC2E<br>ULONG UUID3; // 0x5A7F418D<br>This UUID is used to identify a file/memory<br>image as being a chipset AC module. |
| ChipsetACMType 0x10 0x0 |                   | 0x01             | Module type (00h = BIOS; 01h = SINIT)                                                                                                                                                                                                                                        |
| Version                 | 0x11              | 0x01             | Version of this table. Table versions are always backwards compatible. The highest version defined is currently 3.                                                                                                                                                           |
| Length                  | 0x12              | 0x02             | Length of this table in bytes.                                                                                                                                                                                                                                               |
| ChipsetIDList           | 0x14              | 0x04             | Location of the Intel TXT Chipset ID list used to<br>identify Intel TXT chipsets supported by this AC<br>Module. This field is an offset in bytes from the<br>start of the AC Module. See Table 7 for details.                                                               |
| OsSinitTableVer         | 0x18              | 0x04             | Indicates the maximum version number of the OS to SINIT data structure that this module supports. It is assumed that the module is backward                                                                                                                                  |



|                 |      |      | compatible with previous versions.                                                                                                                                                                                                                                  |
|-----------------|------|------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| MinMleHeaderVer | Ox1c | 0x04 | Indicates the minimum version number of the MLE<br>Header data structure that this module<br>supports/requires. MLEs with more recent header<br>versions are responsible for determining whether<br>they can support this version of the ACM.                       |
| Capabilities    | 0x20 | 0x04 | Bit vector of supported capabilities. The values<br>match those of the Capabilities field in the MLE<br>header. This can be used by an MLE to determine<br>whether the ACM is compatible with it and to<br>determine any optional capabilities it might<br>support. |
| AcmVersion      | 0x24 | 0x01 | Version of this AC Module. It is compared against<br>the SINITRevocationCounter field in LCP to<br>determine if the module is revoked.                                                                                                                              |
| Reserved        | 0x25 | 0x03 | Reserved                                                                                                                                                                                                                                                            |

### Table 7. Chipset ID List

| Field     | Offset | Width (Bytes)                             | Description                                                                     |
|-----------|--------|-------------------------------------------|---------------------------------------------------------------------------------|
| Count     | 0      | 4                                         | Number of entries in the array ChipsetID                                        |
| ChipsetID | 4      | Count *<br>sizeof(TXT_ACM<br>_CHIPSET_ID) | An array of count entries of the structure TXT_ACM_CHIPSET_ID (see next table). |

#### Table 8. TXT\_ACM\_CHIPSET\_ID Format

| Field      | Offset | Width<br>(Bytes) | Description                                                                                                                                                                                                                                                                                                                                                |
|------------|--------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Flags 0 4  |        | 4                | Set of flags to further describe functions of the chipset ID structure.                                                                                                                                                                                                                                                                                    |
|            |        |                  | Bit Description:                                                                                                                                                                                                                                                                                                                                           |
|            |        |                  | <ul> <li>[0]: RevisionIdMask – if 0, the RevisionId field<br/>must exactly match the TXT.DIDVID.RID field. If 1,<br/>the RevisionId field is a bitwise mask that can be<br/>used to test for any bits set in the TXT.DIDVID.RID<br/>field. If any bits are set, the RevisionId is a match.</li> <li>[31:1]: Reserved for future use. Must be 0.</li> </ul> |
| VendorID   | 4      | 2                | Indicates the chipset vendor this AC Module is designed to support. This field is compared against the TXT.DIDVID.VID field.                                                                                                                                                                                                                               |
| DeviceID   | 6      | 2                | Indicates the chipset vendor's device that this AC<br>Module is designed to support. This field is<br>compared against the TXT.DIDVID.DID field.                                                                                                                                                                                                           |
| RevisionID | 8      | 2                | Indicates the revision of the chipset vendor's                                                                                                                                                                                                                                                                                                             |



| Field    | Offset | Width<br>(Bytes) | Description                                                                                                                         |
|----------|--------|------------------|-------------------------------------------------------------------------------------------------------------------------------------|
|          |        |                  | device that this AC module is designed to support.<br>This field is used according to the RevisionIdMask<br>bit in the Flags field. |
| Reserved | 10     | 6                | Reserved for future use.                                                                                                            |

# A.1.1 Memory type cacheability restrictions

Prior to launching the authenticated execution environment using the GETSEC leaf functions ENTERACCS or SENTER, processor MTRRs (Memory Type Range Registers) must first be initialized to map out the authenticated RAM addresses as WB (write-back). Failure to do so may affect the ability for the processor to maintain isolation of the loaded authenticated code module. The processor will signal an Intel TXT shutdown condition with error code #BadACMMType during the loading of the authenticated code module if non-WB memory is detected.

While physical addresses within the load module must be mapped as WB, the memory type for locations outside of the module boundaries must be mapped to one of the supported memory types as returned by GETSEC[PARAMETERS] (or UC as default). This is required to support inter-operability across SMX capable processor implementations.

# A.1.2 Authentication and execution of AC module

Authentication is performed after loading of the code module into the authenticated code execution area. Information from the authenticated code module header is used to support the authentication process. The RSAPubKey header field contains a public key plus a 32 bit exponent used for decrypting the signature of the authenticated code module. The signature is held in encrypted form in the RSASig header field and it represents the PKCS #1.5 RSA Signature of the module. The RSA Signature signs an area that includes the sum of the module header and the entire USER AREA data field, which represents the body of the module. Those parts of the module header not included are: the RSA Signature, the public key, and the scratch field. An inconsistent authenticated code module format, inconsistent comparison of the public key hash, or mismatch of the decrypted signature against the computed hash of the authenticated module or a corrupted signature padding value results in an abort of the authenticated module in the first 20 bytes of the 'Scratch' field of the AC module header.

After authentication has completed successfully, the private configuration space of the Intel TXT-capable chipset is unlocked. At this point, only the authenticated code module or system software executing in authenticated code execution mode is allowed to gain access to the restricted chipset state for the purpose of securing the platform.



The architectural state of the processor is partially initialized from contents held in the header of the authenticated code module. The processor GDTR, CS, and DS selectors are initialized from fields within the authenticated code module. Since the authenticated code module must be relocatable, all address references must be relative to the authenticated code module base address in EBX. The processor GDTR base value is initialized to the AC module header field GDT BasePtr + module base address held in EBX and the GDTR limit is set to the value in the GDT Limit field. The CS selector is initialized to the AC module header SegSel field, while the DS selector is initialized to CS + 8. The segment descriptor fields are implicitly initialized to BASE=0, LIMIT=FFFFFh, G=1, D=1, P=1, S=1, read/write access for DS, and execute/read access for CS. The processor begins the authenticated code module execution with the EIP set to the AC module header EntryPoint field + module base address (EBX). The AC module based fields used for initializing the processor state are checked for consistency and any failure results in a shutdown condition.

§



# Appendix B SMX Interaction with Platform

# B.1 Intel<sup>®</sup> Trusted Execution Technology Configuration Registers

Intel TXT configuration registers are a subset of chipset registers. These registers are mapped into two regions of memory, representing the public and private configuration spaces. Registers in the private space can only be accessed after a measured environment has been established and before the TXT.CMD.CLOSE-PRIVATE command has been issued. The private space registers are mapped to the address range starting at FED20000H. The public space registers are mapped to the address range starting at FED30000H and are available before, during and after a measured environment launch. All registers are defined as 64 bits and return 0's for the unimplemented bits. The offsets in the table are from the start of either the public or private spaces (all registers are available within both spaces, though with different permissions). See Table 9.

| Offset | Name          | Description                                                                                                                                                                                                          |
|--------|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 000H   | TXT.STS       | This is the general status register. This<br>read-only register is used by AC modules<br>and the MLE to get the status of various<br>Intel TXT features.                                                             |
|        |               | Public: RO                                                                                                                                                                                                           |
|        |               | Private: RO                                                                                                                                                                                                          |
| 008H   | TXT.ESTS      | This is the error status register which<br>contains status information associated<br>with various error conditions. The contents<br>of this register are preserved across soft<br>resets.                            |
|        |               | Public: RO                                                                                                                                                                                                           |
|        |               | Private: RW                                                                                                                                                                                                          |
| 030Н   | TXT.ERRORCODE | Holds the Intel TXT shutdown error code.<br>The encoding for this is documented in<br>Table 14. A system reset does not clear<br>the contents of this register. This was<br>formerly labeled the TXT.CRASH register. |
|        |               | Public: RO                                                                                                                                                                                                           |
|        |               | Private: RW                                                                                                                                                                                                          |

#### Table 9. Configuration Registers Relevant to MLE



| Offset | Name                      | Description                                                                                                                                                                                                                                                                                               |
|--------|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 038H   | TXT.CMD.RESET             | A write to this register causes a system<br>reset. This is performed by the processor<br>as part of an Intel TXT shutdown, after<br>writing to the TXT.ERRORCODE register.                                                                                                                                |
|        |                           | Public: -                                                                                                                                                                                                                                                                                                 |
|        |                           | Private: WO                                                                                                                                                                                                                                                                                               |
| 048H   | TXT.CMD.CLOSE-PRIVATE     | A write to this register causes the Intel<br>TXT-capable chipset private configuration<br>space to be locked. Once locked,<br>conventional memory read/write<br>operations can no longer be used to<br>access these registers.                                                                            |
|        |                           | Public: -                                                                                                                                                                                                                                                                                                 |
|        |                           | Private: WO <sup>1</sup>                                                                                                                                                                                                                                                                                  |
| 100H   | TXT.VER.FSBIF             | This register identifies whether the chipset<br>is debug or release fused. See Table 12<br>below for the format.                                                                                                                                                                                          |
|        |                           | Public: RO                                                                                                                                                                                                                                                                                                |
|        |                           | Private: RO                                                                                                                                                                                                                                                                                               |
| 110H   | TXT.DIDVID                | This register contains the vendor, device,<br>and revision IDs for the chipset. See<br>Table 13 below for the format.                                                                                                                                                                                     |
|        |                           | Public: RO <sup>2</sup>                                                                                                                                                                                                                                                                                   |
|        |                           | Private: WO                                                                                                                                                                                                                                                                                               |
| 218H   | TXT.CMD.UNLOCK-MEM-CONFIG | When this command is invoked, the chipset unlocks all memory configuration registers.                                                                                                                                                                                                                     |
|        |                           | Public: -                                                                                                                                                                                                                                                                                                 |
|        |                           | Private: WO <sup>1</sup>                                                                                                                                                                                                                                                                                  |
| 270H   | TXT.SINIT.BASE            | This register contains the physical base<br>address of the memory region set aside by<br>the BIOS for loading an SINIT AC module.<br>The system software reads this register to<br>locate the SINIT module (which may have<br>been loaded by the BIOS) or to find a<br>location to load the SINIT module. |
|        |                           | Public: RW                                                                                                                                                                                                                                                                                                |
|        |                           | Private: RW                                                                                                                                                                                                                                                                                               |

<sup>&</sup>lt;sup>1</sup> A serializing operation, such as a read of the register, is required after the write to ensure that any future chipset <sup>o</sup>perations see the write. <sup>2</sup> This register is writable from the indicated configuration space until the configuration is locked,



| Offset | Name                    | Description                                                                                                                                                                                                                                           |
|--------|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 278H   | TXT.SINIT.SIZE          | This register contains the size in bytes of<br>the memory region set aside by the BIOS<br>for loading an SINIT AC module. This<br>register is initialized by the BIOS. The<br>system software may read this register<br>when loading an SINIT module. |
|        |                         | Public: RW                                                                                                                                                                                                                                            |
|        |                         | Private: RW                                                                                                                                                                                                                                           |
| 290H   | TXT.MLE.JOIN            | Holds a physical address pointer to the<br>base of the join data structure referenced<br>by RLPs in response to a<br>GETSEC[WAKEUP] while operating<br>between SENTER and SEXIT.                                                                      |
|        |                         | Public: RW                                                                                                                                                                                                                                            |
|        |                         | Private: RW                                                                                                                                                                                                                                           |
| 300H   | TXT.HEAP.BASE           | This register contains the physical base<br>address of the Intel TXT Heap memory<br>region. The BIOS initializes this register.<br>The system software and MLE read this<br>register to locate the Intel TXT Heap.                                    |
|        |                         | Public: RW                                                                                                                                                                                                                                            |
|        |                         | Private: RW                                                                                                                                                                                                                                           |
| 308H   | TXT.HEAP.SIZE           | This register contains the size in bytes of<br>the Intel TXT Heap memory region. The<br>BIOS initializes this register. The system<br>software and the MLE read this register to<br>determine the Intel TXT Heap size.                                |
|        |                         | Public: RW                                                                                                                                                                                                                                            |
|        |                         | Private: RW                                                                                                                                                                                                                                           |
| 380H   | TXT.CMD.OPEN.LOCALITY1  | Writing to this register "opens" the TPM<br>locality 1 address range, enabling<br>decoding by the chipset and thus access<br>to the TPM. Note: opening private space<br>does not open this locality and it must be<br>opened explicitly.              |
|        |                         | Public: -                                                                                                                                                                                                                                             |
|        |                         | Private: WO <sup>2</sup>                                                                                                                                                                                                                              |
| 388H   | TXT.CMD.CLOSE.LOCALITY1 | Writing to this register "closes" the TPM locality 1 address range, disabling decoding by the chipset and thus access to the TPM. Note: closing the private space will not close this locality.                                                       |
|        |                         | Public: -                                                                                                                                                                                                                                             |
|        |                         | Private: WO <sup>2</sup>                                                                                                                                                                                                                              |



| 390H | TXT.CMD.OPEN.LOCALITY2  | Writing to this register "opens" the TPM<br>locality 2 address range, enabling<br>decoding by the chipset and thus access<br>to the TPM. Note: locality 2 is opened<br>automatically when private space is<br>opened.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|------|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|      |                         | Public: -                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
|      |                         | Private: WO <sup>2</sup>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| 398H | TXT.CMD.CLOSE.LOCALITY2 | Writing to this register "closes" the TPM<br>locality 2 address range, disabling<br>decoding by the chipset and thus access<br>to the TPM. Note: when private space is<br>closed it will automatically close this<br>locality.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|      |                         | Public: -                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
|      |                         | Private: WO <sup>2</sup>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| 8EOH | TXT.CMD.SECRETS         | Writing to this register indicates to the<br>chipset that there are secrets in memory.<br>The chipset tracks this fact with a sticky<br>bit. If the platform reboots with this sticky<br>bit set the SCLEAN AC module will scrub<br>memory. The chipset also uses this bit to<br>detect invalid sleep state transitions. If<br>software tries to transition to S3, S4, or<br>S5 while secrets are in memory then the<br>chipset will reset the system. The MLE<br>issues the TXT.CMD.SECRETS command<br>prior to placing secrets in memory for the<br>first time. After issuing this command,<br>software should read the TXT.E2STS<br>register and wait for the SECRETS.STS bit<br>to be cleared before proceeding.                                                                                                                                                                                                                                                                                                                                                                                          |
|      |                         | Public: -                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
|      |                         | Private: WO                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| 8E8H | TXT.CMD.NO-SECRETS      | Writing to this register indicates there are<br>no secrets in memory. The MLE will write<br>to this register after removing all secrets<br>from memory as part of the Intel TXT<br>teardown process. After issuing this<br>command, software should read the<br>TXT.E2STS register and wait for the<br>SECRETS.STS bit to be cleared before<br>proceeding.<br>Public: -                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|      |                         | i dono:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|      |                         | Writing to this register indicates to the<br>chipset that there are secrets in memory.<br>The chipset tracks this fact with a sticky<br>bit. If the platform reboots with this stick<br>bit set the SCLEAN AC module will scrub<br>memory. The chipset also uses this bit to<br>detect invalid sleep state transitions. If<br>software tries to transition to S3, S4, or<br>S5 while secrets are in memory then the<br>chipset will reset the system. The MLE<br>issues the TXT.CMD.SECRETS command<br>prior to placing secrets in memory for the<br>first time. After issuing this command,<br>software should read the TXT.E2STS<br>register and wait for the SECRETS.STS bit<br>to be cleared before proceeding.<br>Public: -<br>Private: WO<br>Writing to this register indicates there are<br>no secrets in memory. The MLE will write<br>to this register after removing all secrets<br>from memory as part of the Intel TXT<br>teardown process. After issuing this<br>command, software should read the<br>TXT.E2STS register and wait for the<br>SECRETS.STS bit to be cleared before<br>proceeding. |



| Offset | Name      | Description                                                                                                                                                              |
|--------|-----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 8FOH   | TXT.E2STS | This register is used to read the status<br>associated with various errors that might<br>be detected. The contents of this register<br>are preserved across soft resets. |
|        |           | Public: RO                                                                                                                                                               |
|        |           | Private: RW                                                                                                                                                              |

#### Table 10. TXT.STS Bit Definitions

| Bit<br>position | Name                    | Comment                                                                                                                                                                                                                                                              |
|-----------------|-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0               | SENTER.DONE.<br>STS     | The chipset sets this bit when it sees all of the threads have done an TXT.CYC.SENTER-ACK.                                                                                                                                                                           |
|                 |                         | When any of the threads does the TXT.CYC.SEXIT-<br>ACK the TXT.THREADS.JOIN and<br>TXT.THREADS.EXISTS registers will not be equal, so<br>the chipset will clear this bit.                                                                                            |
| 1               | SEXIT.DONE.<br>STS      | This bit is set when all of the bits in the<br>TXT.THREADS.JOIN register are clear. Thus, this bit<br>will be set immediately after reset (since the bits are<br>all 0).                                                                                             |
|                 |                         | Once all threads have done an TXT.CYC.SEXIT-ACK, the TXT.THREAD.JOIN register will be 0, so the chipset will set this bit.                                                                                                                                           |
| 3:2             | Reserved                | Reserved                                                                                                                                                                                                                                                             |
| 4               | MEM.<br>UNLOCK.STS      | This bit will be set to 1 when the memory has been<br>unlocked using the TXT.CMD.UNLOCK-MEMORY<br>command or after a normal reset when no measured<br>environment was in place prior to the reset. When<br>this bit is '1', memory may be accessed by CPU<br>cycles. |
|                 |                         | This bit will be cleared after a reset when there might have been secrets in memory before the reset.                                                                                                                                                                |
|                 |                         | This bit must be set if a read to 0xFED4_0000 returns a '1' in bit 0.                                                                                                                                                                                                |
| 5               | BASE.LOCKED.S<br>TS     | This bit will be set to 1 when the TXT.CMD.LOCK.BASE command is issued.                                                                                                                                                                                              |
|                 |                         | This bit is cleared by TXT.CMD.UNLOCK.BASE or by a system reset.                                                                                                                                                                                                     |
| 6               | MEM-CONFIG-<br>LOCK.STS | This bit will be set to 1 when the memory configuration has been locked.                                                                                                                                                                                             |
|                 |                         | Cleared by TXT.CMD.UNLOCK.MEMCONFIG or by a system reset.                                                                                                                                                                                                            |



| Bit<br>position | Name                  | Comment                                                                                                                                                                                                                                                                                                                                                                                                                                         |  |
|-----------------|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| 7               | PRIVATE-<br>OPEN.STS  | This bit will be set to 1 when TXT.CMD.OPEN-<br>PRIVATE is performed.                                                                                                                                                                                                                                                                                                                                                                           |  |
|                 |                       | Cleared by TXT.CMD.CLOSE-PRIVATE or by a system reset.                                                                                                                                                                                                                                                                                                                                                                                          |  |
| 10:8            | Reserved              | Reserved                                                                                                                                                                                                                                                                                                                                                                                                                                        |  |
| 11              | MEM-CONFIG-<br>OK.STS | PC       This bit indicates whether the chipset has received and accepted the TXT.CMD.MEM-CONFIG-CHECKED command. This bit is cleared by reset or by the TXT.CMD.UNLOCK-MEM-CONFIG command.         0: Indicates that memory configuration checking has not been performed.         1: Indicates that memory configuration checking has been performed. This bit is set to one when the chipset accepts the TXT.CMD.MEM-CONFIG-CHECKED command. |  |

#### Table 11. TXT.ESTS Bit Definitions

| Bit<br>position | Name               | Comment                                                                                                                                                                                                                                                                                                                                                                                 |
|-----------------|--------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0               | TXT_RESET.<br>STS  | The chipset sets this bit to '1' to indicate that the<br>platform experienced a TXT reset. To maintain TXT<br>integrity, while this bit is set, a TXT measured<br>environment cannot be established; consequently<br>Safer Mode Extension (SMX) instructions<br>GETSEC[ENTERACCS] and GETSEC [SENTER] will<br>fail.<br>This bit is sticky and will only be cleared on a power<br>cycle. |
| 5:1             | Reserved           | Reserved                                                                                                                                                                                                                                                                                                                                                                                |
| 6               | WAKE-<br>ERROR.STS | The chipset sets this bit when it detects that there might have been secrets in memory and a reset or power failure occurred.                                                                                                                                                                                                                                                           |
| 7               | Reserved           | Reserved                                                                                                                                                                                                                                                                                                                                                                                |

### Table 12. TXT.VER.FSBIF Bit Definitions

| Bit<br>position | Name     | Comment  |
|-----------------|----------|----------|
| 30:0            | Reserved | Reserved |



| Bit<br>position | Name       | Comment                         |
|-----------------|------------|---------------------------------|
| 31              | DEBUG.FUSE | 0 = Chipset is debug fused      |
|                 |            | 1 = Chipset is production fused |

#### Table 13. TXT.DIDVID Bit Definitions

| Bit<br>position | Name   | Comment                                           |
|-----------------|--------|---------------------------------------------------|
| 15:0            | VID    | Vendor ID: 8086 for Intel <sup>®</sup> components |
| 31:16           | DID    | Device ID: specific to the chipset/platform       |
| 47:32           | RID    | Revision ID: specific to the chipset/platform     |
| 63:48           | ID-EXT | Extended ID: specific to the chipset/platform     |

## Table 14. TXT.ERRORCODE Register Bit Format

| Bit<br>position | Name               | Description                                                                            |
|-----------------|--------------------|----------------------------------------------------------------------------------------|
| 29:0            | Туре               | This is implementation and source specific. Provides details on the failure condition. |
| 30              | Processor/External | 0 = Error condition reported by processor.                                             |
|                 |                    | 1 = Error condition reported by external software.                                     |
| 31              | Valid/Invalid      | 0 = Register content invalid.                                                          |
|                 |                    | 1 = Valid error.                                                                       |

## Table 15. Type Field Encodings for Processor-Initiated Intel<sup>®</sup> TXT Shutdowns

| Туре | Error condition                                                | Mnemonic          |
|------|----------------------------------------------------------------|-------------------|
| 0    | Legacy shutdown                                                | #LegacyShutdown   |
| 1-4  | Reserved                                                       | Reserved          |
| 5    | Load memory type error in<br>Authenticated Code Execution Area | #BadACMMType      |
| 6    | Unrecognized AC module format                                  | #UnsupportedACM   |
| 7    | Failure to authenticate                                        | #AuthenticateFail |
| 8    | Invalid AC module format                                       | #BadACMFormat     |
| 9    | Unexpected snoop hit detected                                  | #UnexpectedHITM   |
| 10   | Invalid event                                                  | #InvalidEvent     |



| Туре       | Error condition                              | Mnemonic          |
|------------|----------------------------------------------|-------------------|
| 11         | Invalid MLE JOIN format                      | #BadJOINFormat    |
| 12         | Unrecoverable machine check condition        | #UnrecovMCError   |
| 13         | VMX abort                                    | #VMXAbort         |
| 14         | Authenticated code execution area corruption | #ACMCorrupt       |
| 15         | Invalid voltage/bus ratio                    | #InvalidVIDBRatio |
| 16 – 65535 | Reserved                                     | Reserved          |

## Table 16. TXT.E2STS Register Bit Format

| Bit<br>Position | Name        | Description                                                                       |
|-----------------|-------------|-----------------------------------------------------------------------------------|
| 0               | Reserved    | Reserved                                                                          |
| 1               | SECRETS.STS | 0 = Chipset acknowledges that no secrets are in memory                            |
|                 |             | 1 = Chipset believes that secrets are in memory and will provide reset protection |
| 63:2            | Reserved    | Reserved                                                                          |



# **B.2 TPM Platform Configuration Registers**

The TPM contains Platform Configuration Registers (PCRs). The purpose of a PCR is to contain measurements. From a TPM standpoint, the TPM does not care what entity uses a PCR to store a measurement.

The TPM provides two types of PCRs: static and dynamic. Static PCRs only reset on system reset; dynamic PCRs reset upon request. Static PCRs are written by the static root of trust for measurement (SRTM). In the PC, the SRTM begins with the BIOS boot block. The dynamic PCRs are written by the dynamic root of trust for measurement (DRTM). In the PC, the DRTM is the process initiated by GETSEC[SENTER].

A PC TPM requires a minimum of 24 PCRs. The first 16 are designated the static Root of Trust and the next eight are designated the dynamic Root of Trust. Intel TXT uses PCRs 17 and 18 within the dynamic Root of Trust to measure the MLE.

All PCRs, static or dynamic, have the same size and same updating mechanism. The size is 160 bits. This size allows the PCRs to contain a SHA-1 hash digest value. Storing a measurement value in the PCRs involves a TPM\_Extend operation, which is itself a hash operation.

# B.3 Intel<sup>®</sup> Trusted Execution Technology Device Space

There are several memory ranges within Intel TXT address space provided to access Intel TXT related devices. The first range is 0xFED4\_xxxx which is divided up into 16 pages. Each page in the FED4 range has specific access attributes. A page in this region may be accessed by Intel TXT cycles only, by Intel TXT cycles and via private space, or by Intel TXT cycles, private and public space.

| Address Range | TPM Locality                                   |  |
|---------------|------------------------------------------------|--|
| FED4 0xxxH    | Locality 0 (fully public)                      |  |
| FED4 1xxxH    | Locality 1 (trusted OS)                        |  |
| FED4 2xxxH    | Locality 2 (MLE access only)                   |  |
| FED4 3xxxH    | Locality 3 (AC modules access only)            |  |
| FED4 4xxxH    | Locality 4 (Hardware or microcode access only) |  |
| All others    | Reserved                                       |  |

#### Table 17. TPM Locality Address Mapping

The first five pages of the 0xFED4\_xxxx region are used for TPM access. Each page represents a different locality to the TPM. Locality is an attribute used by the TPM to define how it treats certain transactions. Locality is defined by the address range used for commands sent to the TPM. All Intel TXT chipsets must support all localities. Localities 0 and 6 are considered public and accesses to these localities are accepted



by the chipset under all circumstances. Accesses to locality 0 and 6 are sent to the ICH even if Intel TXT is disabled, there has been no SENTER, or private space is closed. Localities 4 and 5 are never open, but may only be accessed with Intel TXT cycles. Localities 7 through 15 are always open from a locality perspective, but are in private space so that TXT.CMD.OPEN-PRIVATE must have been done for the cycles to be sent to ICH as Intel TXT cycles. There are Intel TXT commands that will open localities 1 through 3. Localities 2-3 and 7-F require that both LocalityX.OPEN (localities 7-F are always open) and TXT.CMD.OPEN-PRIVATE be done before allowing accesses in that range to be accepted. At reset, localities 1 through 3 are closed.

No status read check of the TPM is performed by the processor GETSEC[SENTER] instruction ahead of the TPM.HASH write sequence. If the TPM is not in acquiesced state at this time, then the PCRs 17-20 reset and hash registration to PCR 17 may not succeed. To insure reliable system software functionality for TPM support, it is recommended that the GETSEC[SENTER] instruction only be executed once the TPM has acquiesced and ownership has been established in the context of the SENTER initiating process.

§



# Appendix C Intel<sup>®</sup> TXT Heap Memory

Intel TXT Heap memory is a region of physically contiguous memory which is set aside by BIOS for the use of Intel TXT hardware and software. The system software that launches the measured environment passes data to both the SINIT AC module and the MLE using Intel TXT Heap memory. The system software is responsible for filling in the table contents prior to executing the SENTER instruction. An incorrect format or incorrect content of this table or tables described by this table will result in failure to launch the protected environment.

### Table 18. Intel<sup>®</sup> Trusted Execution Technology Heap

| Offset                          | Length<br>(bytes)     | Name            | Description                                                                                                                                                                                                                                                     |
|---------------------------------|-----------------------|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0                               | 8                     | BiosDataSize    | Size in bytes of the Intel TXT<br>specific data passed from the<br>BIOS to system software for<br>the purposes of launching the<br>MLE. This size includes the<br>number of bytes for this field,<br>so this field cannot be less<br>than a value of 8. Note 1. |
| 8                               | BiosDataSize<br>- 8   | BiosData        | BIOS specific data. The format<br>of this data is described below<br>in Table 19.                                                                                                                                                                               |
| BiosDataSize                    | 8                     | OsMleDataSize   | Size in bytes of the data<br>passed from the launching<br>system software to the MLE.<br>This size includes the number<br>of bytes for this field, so this<br>field cannot be less than a<br>value of 8. Note 1.                                                |
| BiosDataSize + 8                | OsMleDataSiz<br>e – 8 | OsMleData       | System software -specific<br>data. Format of data in this<br>field is considered specific to<br>the system software vendor.                                                                                                                                     |
| BiosDataSize +<br>OsMleDataSize | 8                     | OsSinitDataSize | Size in bytes of the data<br>passed from the launching<br>system software to the SINIT<br>AC module. This size includes<br>the number of bytes for this<br>field, so this field cannot be<br>less than a value of 8. Note 1.                                    |



| Offset                                                      | Length<br>(bytes)        | Name             | Description                                                                                                                                                                                                     |
|-------------------------------------------------------------|--------------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| BiosDataSize +<br>OsMLEDataSize +<br>8                      | OsSinitDataSi<br>ze - 8  | OsSinitData      | System software data passed<br>to the SINIT AC module. The<br>format of this data is<br>described below in Table 20.                                                                                            |
| BiosDataSize +<br>OsMleDataSize +<br>OsSinitDataSize        | 8                        | SinitMleDataSize | Size in bytes of the data<br>passed from the launched<br>SINIT AC module to the MLE.<br>This size includes the number<br>of bytes for this field, so this<br>field cannot be less than a<br>value of 8. Note 1. |
| BiosDataSize +<br>OsMleDataSize +<br>OsSinitDataSize +<br>8 | SinitMleDataS<br>ize - 8 | SinitMleData     | SINIT data passed to the MLE.<br>The format of this data is<br>described below in Table 21.                                                                                                                     |

#### NOTES:

1. For proper data alignment on 64bit processor architectures this field must be a multiple of 8 bytes. OsMleDataSize + OsSinitDataSize + SinitMleDataSize must be less than or equal to TXT.HEAP.SIZE.

# C.1 BIOS Data Format

The format of the data passed from the BIOS to the system software for the purposes of launching the measured environment is shown in Table 19.

| Table | 19. | BIOS | Data | Table |
|-------|-----|------|------|-------|
|-------|-----|------|------|-------|

| Offset | Length<br>(bytes) | Name          | Description                                                                                                                                                                                                                                                                                                                           |
|--------|-------------------|---------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0      | 4                 | Version       | Version number of the BiosData. The BiosData is always backwards compatible with previous versions. The current value is 3.                                                                                                                                                                                                           |
| 4      | 4                 | BiosSinitSize | This field indicates the size of the SINIT AC<br>module provided by system BIOS. A value of 0<br>indicates the BIOS is not providing a SINIT AC<br>module for system software use. A non-0 value<br>indicates that the AC module will be at the<br>location specified by the TXT.SINIT.BASE register<br>and be of the specified size. |
| 8      | 8                 | LcpPdBase     | Physical base address of the Platform Default<br>Launch Control Policy, LCP_POLICY_DATA<br>structure. Ignored if Platform Default Policy does<br>not require additional data or does not exist.                                                                                                                                       |
| 16     | 8                 | LcpPdSize     | Size of the Launch Control Policy Platform<br>Default Policy Data. Ignored if Platform Default<br>Policy does not require additional data or does<br>not exist.                                                                                                                                                                       |



| 24 | 4 | NumLogProcs | This is the total number of logical processors in the system. The minimum value in this register must be at least 1.                 |
|----|---|-------------|--------------------------------------------------------------------------------------------------------------------------------------|
| 28 | 8 | Flags       | BIOS-provided information for SINIT AC module<br>consumption. Bit definition will be dependent on<br>the chipset.<br>Version 3 only. |

# C.2 OS to MLE Data Format

Each system software vendor may have a different format for this data, and any MLE being launched by system software must understand the format of that software's handoff data.

# C.3 OS to SINIT Data Format

Table 20 defines the format of the data passed from the launching system software to the SINIT AC module in the OsSinitData field.

Table 20. OS to SINIT Data Table

| Offset | Length<br>(bytes) | Name              | Description                                                                                                                                                                                                                         |
|--------|-------------------|-------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0      | 4                 | Version           | Version number of the OS to SINIT data.<br>Current value is 0x03. This field is<br>incremented for any change to the definition<br>of the OsSinitData. The OsSinitData is<br>always backwards compatible with previous<br>versions. |
| 4      | 4                 | Reserved          | Reserved for future use                                                                                                                                                                                                             |
| 8      | 8                 | MLE PageTableBase | Physical address of MLE page table (the MLE page directory pointer table address)                                                                                                                                                   |
| 16     | 8                 | MLE Size          | Size in bytes of the MLE image                                                                                                                                                                                                      |
| 24     | 8                 | MLE HeaderBase    | Linear address of MLE header (linear address within the MLE page tables)                                                                                                                                                            |
| 32     | 8                 | PMR Low Base      | Physical base address of the PMR Low region<br>(must be 2MB aligned). Can be set to zero<br>if not desired to be enabled by SINIT. The<br>MVMM must be loaded in one of the DPR,<br>PRM low, or the PMR high regions.               |
| 40     | 8                 | PMR Low Size      | Size of the PMR Low Region (must be 2MB granular). Set to zero if not desired to be enabled by SINIT.                                                                                                                               |

Intel® Trusted Execution Technology



| 48 | 8 | PMR High Base | Physical base address of the PMR High region (must be 2MB aligned). Can be set to zero if not desired to be enabled by SINIT. |
|----|---|---------------|-------------------------------------------------------------------------------------------------------------------------------|
| 56 | 8 | PMR High Size | Size of the PMR HIGH Region (must be 2MB granular). Set to zero if not desired to be enabled by SINIT.                        |
| 64 | 8 | LCP PO Base   | Physical base address of the Platform<br>Owner's Launch Control Policy,<br>LCP_POLICY_DATA structure.                         |
| 72 | 8 | LCP PO Size   | Size of the Launch Control Policy Platform<br>Owner's Policy Data.                                                            |
| 80 | 4 | Capabilities  | Bit vector of capabilities that SINIT is requested to use. This must be a subset of the ones SINIT supports.                  |

# C.4 SINIT to MLE Data Format

Table 21 defines the format of the SINIT data presented to the MLE.

 Table 21. SINIT to MLE Data Table

| Offset | Length<br>(bytes) | Name           | Description                                                                                                                                  |
|--------|-------------------|----------------|----------------------------------------------------------------------------------------------------------------------------------------------|
| 0      | 4                 | Version        | Version number of the SINIT to MLE<br>data. Current value is 5. The<br>SinitMleData is always backwards<br>compatible with previous versions |
| 4      | 20                | BiosAcmID      | ID of the BIOS AC module in the system                                                                                                       |
| 24     | 4                 | EdxSenterFlags | Value of EDX SENTER control flags                                                                                                            |
| 28     | 8                 | MsegValid      | MSEG MSR (Valid bit only)                                                                                                                    |
| 36     | 20                | SinitHash      | SHA-1 hash of the SINIT AC module                                                                                                            |
| 56     | 20                | MleHash        | SHA-1 hash of the MLE                                                                                                                        |
| 76     | 20                | StmHash        | SHA-1 hash of STM. This is only valid if<br>MsegValid = 1, else will contain zero                                                            |
| 96     | 20                | LcpPolicyHash  | SHA-1 Hash of the LCP policy that was<br>enforced; if no hash is needed based on<br>the LCP policy control field this will<br>contain zero   |
| 116    | 4                 | PolicyControl  | Taken from the LCP policy used                                                                                                               |
| 120    | 4                 | RlpWakeupAddr  | MONITOR address used for waking up RLPs (write <b>32bit</b> non-0 value)                                                                     |
| 124    | 4                 | Reserved       | Reserved for future use                                                                                                                      |



| Offset | Length<br>(bytes) | Name                    | Description                                                                                                                                                                                                                                                                    |
|--------|-------------------|-------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 128    | 4                 | NumberOfSinitMdrs       | Number of SINIT Memory Descriptor<br>Records                                                                                                                                                                                                                                   |
| 132    | 4                 | SinitMdrTableOffset     | Pointer to the start of an array of SINIT<br>Memory Descriptor Records as defined<br>below. Each record describes a memory<br>region as defined by the SINIT AC<br>module (see Table 22). This field is an<br>offset in bytes from the start of the<br>SinitMleDataSize field. |
| 136    | 4                 | SinitVtdDmarTableSize   | Length of the Intel® Virtualization<br>Technology (Intel® VT) for Directed I/O<br>(Intel® VT-d) DMAR table pointed to by<br>the SinitVtdDmarTable field                                                                                                                        |
| 140    | 4                 | SinitVtdDmarTableOffset | Pointer to the start of the SINIT provided<br>DMAR table dump for the MLE. This field<br>is an offset in bytes from the start of the<br>SinitMleDataSize field.                                                                                                                |



| Table 22. | SINIT | Memory | Descriptor | Record |
|-----------|-------|--------|------------|--------|
|-----------|-------|--------|------------|--------|

| Offset | Length<br>(bytes) | Name     | Description                                                                                                                                                         |
|--------|-------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0      | 8                 | Address  | Physical address of the memory range described in this record.                                                                                                      |
| 8      | 8                 | Length   | Length of the memory range.                                                                                                                                         |
| 16     | 1                 | Туре     | Memory range type. Valid values:<br>0 Usable, good memory<br>1 SMRAM– Overlayed<br>2 SMRAM– Non-Overlayed<br>3 PCIe*- PCIe Extended Config Region<br>4–255 Reserved |
| 17     | 7                 | Reserved | Reserved for future use                                                                                                                                             |

The array of Memory Descriptor Records (MDRs) is not necessarily ordered and some MDRs may be of 0 length, in which case they should be ignored.

Memory of type 0 is usable for the MLE and any code or data that it may load. SINIT will verify that the MLE and its page table are located in memory of this type.

Memory types 1 and 2 indicate regions that contain System Management Mode (SMM) code.

Memory of type 3 is the PCI Express extended configuration region. The MLE may use this to verify that the PCIE configuration specified in the ACPI tables is using the appropriate address space.

§



# **Appendix DLCP Data Structures**

# D.1 LCP\_POLICY

Both the Platform Owner and Platform Default SINIT policy structures are of the same type, i.e. *LCP\_POLICY*. These objects are stored in the TPM. The required fields for *LCP\_POLICY* are as follows:

| #define POLHALG_SHA                                                                                   | A1                                                                                                                                    | 0                                          |
|-------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------|
| #define POLTYPE_HAS<br>#define POLTYPE_UNS<br>#define POLTYPE_ANS<br>#define POLTYPE_FOF              | SIGNED<br>Z                                                                                                                           | 0<br>1<br>3                                |
| typedef struct {<br>UINT8<br>} LCP_HASH;                                                              | Sha1[20];                                                                                                                             |                                            |
| typedef struct {<br>UINT8<br>UINT8<br>UINT8<br>UINT8<br>UINT32<br>UINT16<br>LCP_HASH<br>} LCP_POLICY; | <pre>Version;<br/>HashAlg;<br/>PolicyType;<br/>SINITRevocationCounter;<br/>PolicyControlField;<br/>Reserved[3];<br/>PolicyHash;</pre> | // one of POLHALG_*<br>// one of POLTYPE_* |
|                                                                                                       | latformOwnerLCPPolicy;<br>latformDefaultLCPPolicy;                                                                                    |                                            |

HashAlg not only determines the algorithm and size of the hash used for *PolicyHash* but all other values used with the LCP structures. If the algorithm type is not supported by SINIT ACM then LCP shall cause an Intel TXT shutdown condition with the value LCP\_WRONG\_HASH\_ALG in the TXT.ERRORCODE register.

If the type specified in the *PolicyType* field is not supported by SINIT then LCP shall cause an Intel TXT shutdown condition with the value LCP\_UNKNOWN\_POLICY\_TYPE in the TXT.ERRORCODE register.

The *SINITRevocationCounter* field provides a mechanism for determining whether the loaded version of SINIT ACM should be used. This value must be less than or equal to a corresponding value, AcmVersion, in the SINIT Image to determine whether SINIT can be used.

The *PolicyControlField* provides a way for the policy authority to control some of the logic in the LCP Policy Engine. The field is defined as:

• Bits31:3 Reserved and should set to zero



- Bit 2 Identifies whether the OsSinitData.Capabilities field will be extended into PCR 17 (1).
- Bit 1 Identifies whether the platform will allow Authenticated Code Modules which have been marked as pre-production can be used to launch the MLE.
   Note: Setting the bit to 1 will require a pre-production SINIT ACM and will result in PCRs 17 and 18 being capped with a random
- Bit 0 Identifies whether a hash of an unsigned policy is extended into PCR 17

The *PolicyControlField* must always be reported into PCR 17.

The version of the LCP\_POLICY structure defined here is OH.

# D.2 LCP\_POLICY\_DATA

value.

For each policy on the platform there must exist a block of data which the SINIT policy engine will process. Where this data resides on the platform is platform dependent, but it must provisioned into the Intel TXT heap data structures (see Appendices C.1 and C.3) by the pre-GETSEC[SENTER] environment.

```
typedef struct {
                              Uuid;
   UUID
    LCP_UNSIGNED_POLICY_DATA UnsignedData;
} LCP_POLICY_DATA
Where:
   typedef struct {
       UINT32 data1;
       UINT16
                 data2;
       UINT16
                data3;
                data4;
      UINT16
                 data5[6];
       UINT8
   } UUID;
```

```
The UUID value for LCP will be:
    AB0D1925-EEE7-48eb-A9FC-0BAC5A262D0E or
    { 0xab0d1925, 0xeee7, 0x48eb, 0xa9fc { 0xb, 0xac, 0x5a,
    0x26, 0x2d, 0xe }
```

# D.3 LCP\_UNSIGNED\_POLICY\_DATA

Unsigned policy data is a table of elements which are lists of policy values (all of the same type), LCP\_POLICY\_LIST. The version of the LCP\_UNSIGNED\_POLICY\_DATA defined here is OH.



```
typedef struct {
    UINT8 Version;
    UINT8 PolicyTableSize;
    LCP_POLICY_LIST PolicyTable[PolicyTableSize];
} LCP_UNSIGNED_POLICY_DATA
```

# D.3.1 LCP\_POLICY\_LIST

The least significant 15 bits identifies the type of list.

#define POLDESC\_MLE\_UNSIGNED 0x0001
#define POLDESC\_PConf\_UNSIGNED 0x0002
typedef struct {
 UINT16 ListType; // One o
 LCP\_UNSIGNED\_LIST UnsignedList;
} LCP POLICY RECORD

// One of POLDESC\_\*

# D.3.2 LCP\_UNSIGNED\_LIST

Unsigned lists are either a list of the environments which may be launched or a list of the allowable platform configurations.

```
typedef struct {
    UINT8 Version;
    UINT8 ListSize;
    choice {
        LCP_HASH HashList[ListSize];
        TPM_PCR_INFO_SHORT PCRInfoList[ListSize]];
    };
} LCP_UNSIGNED_LIST;
```

*HashAlg* identifies the hashing algorithm and hence the size of each hash; *ListSize* identifies either the number of hashes, or the number of TPM\_PCR\_INFO\_SHORT structures (see the TPM Main Specification Version 1.2 for its full definition), in the list. *Version* is 0H for the structure defined here.

The various TPM\_\* structures have been copied below to facilitate understanding of the list structure.

| typedef struct tdTPM_PCR_INF(     | D_SHORT{                           |
|-----------------------------------|------------------------------------|
| TPM_PCR_SELECTION                 | pcrSelection;                      |
| TPM_LOCALITY_SELECTION            | localityAtRelease;                 |
| TPM_COMPOSITE_HASH                | digestAtRelease;                   |
| } TPM_PCR_INFO_SHORT;             |                                    |
| typedef struct tdTPM_PCR_SEL      | -                                  |
| UINT16<br>[size_is(sizeOfSelect)] | sizeOfSelect;<br>BYTE pcrSelect[]; |



} TPM\_PCR\_SELECTION; #define TPM LOCALITY SELECTION BYTE // each bit is the // corresponding locality typedef struct tdTPM\_PCR\_COMPOSITE { select; TPM\_PCR\_SELECTION valueSize; UINT32 [size is(valueSize)] TPM PCRVALUE pcrValue[]; } TPM PCR COMPOSITE; typedef struct tdTPM DIGEST{ BYTE digest[digestSize]; TPM\_DIGEST; typedef TPM\_DIGEST TPM\_COMPOSITE\_HASH; // hash of // TPM\_PCR\_COMPOSITE // object typedef TPM\_DIGEST TPM\_PCRVALUE;

# D.4 Structure Endianness

Endianness deals with the sequencing order of stored bytes. There are two common sequencing orders; Little Endian (format used by Intel) and Big Endian (in this case, TPM NVRAM). In order to successfully compare the values of these two formats, we need to convert TPM NVRAM data to Little Endian when comparing within Intel code as well as converting data into Big Endian format when writing to TPM NVRAM space.

Example 36 bit value: 0x12345678

Little Endian (from least significant byte to most significant byte):

0x78, 0x56, 0x34, 0x12

Big Endian (from least significant byte to most significant byte):

0x12, 0x34, 0x56, 0x78

# **D.5 Errorcode Values**

Table 23 outlines the possible error values, and their meanings that may be used by the SINIT Launch Control Policy Engine.

#### Table 23. LCP Error Values

| Mnemonic          | Description                                                           | TXT<br>Error<br>Value |
|-------------------|-----------------------------------------------------------------------|-----------------------|
| LCP_SINIT_REVOKED | The version of SINIT being used has been revoked by the policy owner. | 0x01                  |



| Mnemonic                     | Description                                                                                                                                                       | TXT<br>Error<br>Value |
|------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
| LCP_INCOMPATIBLE_SINIT       | The authenticated code module<br>SINIT cannot be used on this<br>platform, or the version number of<br>the LCP_POLICY,<br>LCP_POLICY_DATA cannot be<br>processed. | 0x02                  |
| LCP_PD_INTEGRITY_FAIL        | The integrity link between the<br>Platform Default policy and its<br>corresponding LCP_POLICY_DATA<br>structure failed.                                           | 0x03                  |
| LCP_PO_INTEGRITY_FAIL        | The integrity link between the<br>Platform Owner's policy and its<br>corresponding LCP_POLICY_DATA<br>structure failed.                                           | 0x04                  |
| LCP_NO_PD_POLICY_DATA        | There exists a Platform Default<br>LCP Policy but no corresponding<br>LCP_POLICY_DATA was placed in<br>memory.                                                    | 0x05                  |
| LCP_NO_PO_POLICY_DATA        | There exists a Platform Owner's<br>LCP Policy but no corresponding<br>LCP_POLICY_DATA was placed in<br>memory.                                                    | 0x06                  |
| LCP_UNKNOWN_POLICY_TYPE      | LCP does not support the<br>PolicyType specified in the Launch<br>Control Policy.                                                                                 | 0x07                  |
| LCP_WRONG_HASH_ALG           | LCP does not support the hash<br>algorithm identified in the Launch<br>Control Policy                                                                             | 0x08                  |
| LCP_ MLE_MISMATCH            | LCP could not find the measured environment in the list given                                                                                                     | 0x09                  |
| LCP_PLATFORM_CONFIG_MISMATCH | The current platform configuration did not match any of those listed.                                                                                             | OxOA                  |
| LCP_POLICY_REVOKED           | The policy data being used is older than allowed by the platform                                                                                                  | 0x0B                  |