intel ® trusted execution technology (intel txt) sinit acm … · intel® ® trusted execution...
TRANSCRIPT
Intel® Trusted Execution Technology (Intel® TXT) SINIT ACM Revocation Tools Guide For Microsoft Windows*, WinPE*, DOS, Linux*, and EFI*
July 1, 2013
Rev 1.0
For Public Release *Other names and brands may be claimed as the property of others.
Legal Disclaimer
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL® PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. INTEL PRODUCTS ARE NOT INTENDED FOR USE IN MEDICAL, LIFE SAVING, OR LIFE SUSTAINING APPLICATIONS.
Intel may make changes to specifications and product descriptions at any time, without notice.
All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.
Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.
Intel, and Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
*Other names and brands may be claimed as the property of others.
Copyright © 2013 Intel Corporation.
3
Introduction 1. Problem Statement
• Intel® Trusted Execution Technology SINIT modules for 3rd Generation Intel® i5 and i7 vPro and Intel® Xeon® E3-1200 and E3-1200V2 Series Processors are susceptible to a privilege escalation issue. This issue also affects Intel 2nd Generation vPro Core i5 and i7 (SNB) based product family that are using the backwards compatible 3rd Generation vPro Core i5 and i7 (IVB) SINIT ACM. To mitigate this issue, Intel is providing new SINIT ACMs.
• This document (“Guide”) describes tools and steps needed to perform revocation of impacted SINIT ACM.
2. Revocation Overview
• Intel® TXT uses TPM NV AUX index for inter ACM communication. Specially allocated area of this index –
revocation structure consisting of two bytes at offset 0x60 is dedicated to performing of SINIT revocation.
Revocation structure is read-only for SINIT and other ACMs and can be written only by specially designed
Revocation ACM (RACM).
3. Revocation Procedure
• Platforms actively using Intel® TXT must install updated SINIT ACM 1.2 or newer version before
revocation. Not following this step, will result in Intel® TXT to fail at launch.
• For Intel® Xeon® E3 workstations carrying SINIT ACM in BIOS, SINIT ACM must be updated in the BIOS image.
• After updating SINIT ACM on platforms actively using Intel® TXT, user/VMM must perform secrets migration to
avoid secret access failure after applying revocation procedure.
– Platforms not actively using Intel® TXT don’t have to perform this step since the revocation procedure will not have any
impact on their functionality.
• Finally revocation procedure as described in the following pages has to be applied.
• To revoke SINIT, Revocation ACM (RACM) has to be run on impacted platform using one of the Wrapper Tools
described in further sections.
• Wrapper Tool launches RACM via GETSEC [ENTERACCS] CPU instruction.
4
Disable Intel® TXT & Verify TPM is Enabled/Activated
Mandatory before any tools can be used
5
Step # What?
How? Support
1 Disable Intel® TXT Enter BIOS and Disable Intel® TXT. First go to the “Advanced” tab. Then go to “CPU Configuration”. If Intel® TXT is already disabled move on to step 2.
Now select Intel® Trusted Execution Technology and Disable Intel® TXT. Save Settings and Reboot then enter BIOS for Step 2
2 TPM Enabled and Activated
Enter BIOS and verify that TPM is Enabled and Activated. Go to the “Advanced” tab and scroll down to “TPM”. Select “TPM” and make sure that it is “Enabled/Activated” (TPM must be enabled and activated for RACM to be able to write into TPM NV.)
6
Microsoft Windows Based Revocation Tool
Only for use with Microsoft Windows* 7*
*Other names and brands may be claimed as the property of others.
7
Step # What?
How? Support
1 Boot into Windows and Run Provided Tools
Now that Intel® TXT has been disabled and TPM is verified to be Enabled and Activated we can run the Windows tool. Boot to windows and run “Execute.exe” as Administrator.
You will be asked by Windows User Account Control (UAC) to allow Execute.exe to make changes to your PC, select “Yes”. Program will run script and reboot system for the first time. OS will now be in “onecpu” mode(only CPU Core 0 is used)
2 Revocation of SINIT in TPM AUX Index
On Second Boot “ProcessTxtRevocation.exe” will be automatically run and you will need to once again select “Yes”(UAC). System will now run the second script and reboot for the second time. Note: This step will do the Revocation and put OS back into normal mode .
8
Step # What?
How? Support
3
Check to see if Revocation Worked.
Check to see if revocation worked by Reviewing Log file in Tool Root Directory. Should Read, “Success: Revocation completed.”
9
WinPE Based Revocation Tool Only for use with WinPE* Ver. 3.5 (Windows 7)
*Other names and brands may be claimed as the property of others.
10
Step # What?
How? Support
1 Boot to WinPE and put OS into “onecpu” mode.
Now that Intel® TXT has been disabled and TPM is verified to be Enabled and Activated we can run the WinPE tool. Boot to WinPE and run “cmd.exe”. Once in Command Prompt run the following command. “bcdedit –store d:\EFI\Microsoft\Boot\BCD \set onecpu on”
There are two BCD files present on UFD. The first one (located in D:\Boot) is for legacy BIOS booting and the second one (located in D:\EFI\Microsoft\Boot) is for EFI booting. Please navigate to the correct BCD file for your setup.
2 Reboot system and then run RACM tools.
Reboot system to apply the change made above and then proceed to run the Revocation tool. The command for this tools is, “racm_util.exe IVB_REVOCATION_20130211_PRODUCTION” this will run the revocation and let you know if it was successfully completed.
11
Step # What?
How? Support
3 OS back into Normal mode.
Run “cmd.exe”. Once in Command Prompt run the following command. “bcdedit –store d:\EFI\Microsoft\Boot\BCD \set onecpu off”
12
DOS Based Revocation Tool
13
Step # What?
How? Support
1 Create DOS Bootable Drive
You can find several websites explaining the process on how to create a DOS bootable drive
Example: http://www.sevenforums.com/tutorials/46707-ms-dos-bootable-flash-drive-create.html
2 Copy over Required Files for Revocation
Download the Revocation Tool and extract the DOS files to the root of the DOS Drive.
3 Boot to DOS and Run Revocation Script
Boot to the DOS Drive and run the “revoate.bat” file. This will complete the revocation process. You may now turn on TXT and proceed with the latest SINIT safely.
NOTE: If revocation is already complete you will see this message.
14
Linux Based Revocation Tool
TXT Tboot LiveImage using Fedora*
*Other names and brands may be claimed as the property of others.
15
Step # What?
How? Support
1 Platforms running Citrix XenClient* XT or other Intel® TXT solutions
Unseal and save secrets
This process will typically be handled by ISV VMM.
2 Make Tboot LiveUSB Drive
-To make a Tboot LiveUSB drive, download the Live Image Creator* from Fedora which is located here. -To prepare LiveUSB for the live image creator the drive has to be renamed to “LIVE”. Once the drive is renamed we can move on to using the tool.
Once you have installed the tool run it as administrator. Make sure that the “LIVE” USB drive letter (E:, G:, etc) is selected and then select “Browse” to select the Tboot LiveImage. Once the image has been selected Select “Create Live USB”, You may be asked to confirm by selecting “Create LiveUSB” again and the Tboot LiveImage will be created.
*Other names and brands may be claimed as the property of others.
16
Step # What?
How? Support
3 Boot to Linux Tboot LiveUSB drive and Run RACM Utility
Now that Intel® TXT has been disabled and TPM is verified to be Enabled and Activated we can run the Tboot LiveUSB. Boot to USB(Tboot LiveUSB) and select “Run RACM with Tboot” entry of startup menu. This will do revocation and reset platform automatically.
4 Check for Successful Revocation
System will reboot and once again boot to Tboot LiveUSB. Select "Check RACM Result with Tboot” entry of startup menu.
5 Restore System to Original Settings
Restore secrets and reseal them to new PCR values.
This process will typically be handled by ISV VMM.
17
EFI* Based Revocation Tool
*Other names and brands may be claimed as the property of others.
18
Step # What?
How? Support
1 Build EFI Bootable Drive
Use “USB Image Tool” and DUET_EFI64_USBIT_IVB_RACM_REL_SINIT_SVN.IMG and DUET_EFI64_USBIT_IVB_RACM_REL_SINIT_SVN.IMG.md5 to create bootable USB drive
Download and save the USB Image Tool and the included files to your computer. Boot to Windows *7(This is only for creating EFI USB and can be run on any PC with Windows* 7) and run USB Image Tool and select the correct USB device on the right. After selecting correct USB device, click on “Restore”.
*Other names and brands may be claimed as the property of others.
19
Step # What?
How? Support
1 Build EFI Bootable Drive
Once selecting “Restore” a window will open and ask you to select a file to restore to. Navigate to “DUET_EFI64_USBIT_IVB_RACM_REL_SINIT_SVN.IMG” and select it then select “Open”
You will now be asked if you want to restore to the selected USB device. Please verify if it is the correct device and then select “Yes”. The restore will begin and then you will be ready to use the EFI revocation tool.
20
Step # What?
How? Support
2 BOOT to EFI USB Reboot the system and go into system BIOS and make sure that “boot to USB” is enabled. Then boot to the EFI bootable device that you have created.
3 Revocate TPM AUX Index using EFI Revocation Tool
Once you have booted to the EFI Bootable device type “fs0:” then return. This will select the USB drive. Then type “REVACM64.EFI IVB_REVOCATION_20130211_PRODUCTION.bin” and then press return. This will run the revocation tool and patch will be return “Success: Revocation completed”.
