Lines Matching full:and
15 - Measurement and verification of launched environment
17 Intel TXT is part of the vPro(TM) brand and is also available some
19 based on the Q35, X38, Q45, and Q43 Express chipsets (e.g. Dell
20 Optiplex 755, HP dc7800, etc.) and mobile systems based on the GM45,
21 PM45, and GS45 Express chipsets.
47 uses Intel TXT to perform a measured and verified launch of an OS
55 w/ TXT support since v3.2), and now Linux kernels.
61 While there are many products and technologies that attempt to
64 Measurement Architecture (IMA) and Linux Integrity Module interface
69 starting at system reset and requires measurement of all code
73 bootloader and the boot config. In practice, this is a lot of
78 protection, memory configuration/alias checks and locks, crash
85 of platform configuration checks are performed and values locked,
87 shutdown, and there is support for policy-based execution/verification.
88 This provides a more stable measurement and a higher assurance of
89 system configuration and initial state than would be otherwise
91 almost all parts of the trust chain is available (excepting SMM and
100 platform supports Intel TXT and, if so, executes the GETSEC[SENTER]
108 terminal, serial port, and/or an in-memory log; the output
111 - The GETSEC[SENTER] instruction will return control to tboot and
115 instruction had put them in and place them into a wait-for-SIPI
122 VMEXITs, and then disable VT and jump to the SIPI vector. This
127 verify the kernel and initrd.
129 - This policy is rooted in TPM NV and is described in the tboot
131 create and provision the policy.
132 - Policies are completely under user control and if not present
134 - Policy action is flexible and can include halting on failures
135 or simply logging them and continuing.
142 in order to remove this blanket protection and use VT-d's
144 - Tboot will populate a shared page with some data about itself and
150 - The kernel will look for the tboot shared page address and, if it
153 of the VT-d DMARs in a DMA-protected region of memory and verifies
155 launched with tboot and use this copy instead of the one in the
157 - At this point, tboot and TXT are out of the picture until a
161 attempt to crash the system to gain control on reboot and steal
164 - The kernel will perform all of its sleep preparation and
169 - Tboot will clean up the environment and disable TXT, then use the
175 has been restored, it will restore the TPM PCRs and then
178 provides tboot with a set of memory ranges (RAM and RESERVED_KERN
181 authentication code) over and then seal with the TPM. On resume
182 and once the measured environment has been re-established, tboot
183 will re-calculate the MAC and verify it against the sealed value.
194 This code works with 32bit, 32bit PAE, and 64bit (x86_64) kernels.
197 allow these to be individually enabled/disabled and the screens in
211 Security top-level menu and is called "Enable Intel(R) Trusted
212 Execution Technology (TXT)". It is considered EXPERIMENTAL and
215 platform actually supports Intel TXT and thus whether any of the
220 system and can also be found on the Trusted Boot site. It is an
222 DRTM process to verify and configure the system. It is signed
224 any other macrocode and its correct operation is critical to the