
Taking advantage of a quieter period: having left my previous company, I now have some time to write up the know-how from work.

-----------------------------------------------------------------------------------------------

In the BIOS, under the CPU Function page, there is an Intel TXT option; it is used for secure-boot-related functionality.

The official RHEL description of the tboot package: The tboot package provides Trusted Boot (tboot), an open source pre-kernel/VMM module that uses Intel Trusted Execution Technology (Intel TXT) to initialize the launch of operating system kernels and virtual machines.

Its main use is to protect the security records (measurements) relating to the BIOS and the OS kernel.

Intel TXT uses a Trusted Platform Module (TPM) and cryptographic techniques to provide measurements of software and platform components so that system software as well as local and remote management applications may use those measurements to make trust decisions. It complements Intel Management Engine. This technology is based on an industry initiative by the Trusted Computing Group (TCG) to promote safer computing. It defends against software-based attacks aimed at stealing sensitive information by corrupting system or BIOS code, or modifying the platform's configuration.

Ref: http://en.wikipedia.org/wiki/Trusted_Execution_Technology

In short, Intel® Trusted Execution Technology (Intel® TXT) mainly protects the BIOS, the kernel and the VMM (virtual machine monitor).

Verification method: used together with a TPM (Trusted Platform Module).

 

Trusted Boot package: tboot, https://sourceforge.net/projects/tboot/

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

RHEL-related information:

Is Trusted Execution Technology (TXT) supported in Red Hat Enterprise Linux? Ref: https://access.redhat.com/articles/186583

Trusted Execution Technology (TXT) and tboot are supported in RHEL 6 when using legacy BIOS. TXT and tboot will not work with UEFI mode enabled. With UEFI and tboot enabled the server will not boot.

 

On RHEL installed with UEFI, tboot must be uninstalled before enabling TPM/TXT hardware Ref: https://access.redhat.com/articles/2464721

tboot on UEFI is specifically disabled by the grub2-efi maintainers, because the grub2-efi modules required to make tboot work may compromise security. There is a way to fix this, but business justification has not reached the critical mass necessary to foster such an effort. See Advisory https://access.redhat.com/articles/2217041 for details.

If tboot is installed on a UEFI-based RHEL platform, and TPM/TXT is enabled in the firmware, the boot will stop at the grub prompt.

If that happens, type "reboot" at the grub prompt and invoke the firmware management console, usually by pressing the F2, F9 or Delete key. In the firmware management console, disable TPM/TXT. Exit the firmware management console and reboot.

After the system is rebooted, type "yum erase -y tboot".

Once tboot is uninstalled, you can enable the TPM/TXT hardware.

 

tboot not supported in RHEL installed with UEFI Ref: https://access.redhat.com/articles/2217041

(PS: but the installation method I have found so far points at files under the efi path.)

tboot not supported in RHEL installed with UEFI
Updated April 15 2016 at 8:39 PM - English 
Why is tboot not supported on RHEL installed with UEFI?
In order for tboot to work with RHEL installed with UEFI, the grub2-efi (RHEL7) and grub.efi (RHEL6) boot loaders must be able to launch more than one image. In such a scenario, tboot could unknowingly load a blacklisted image whose keys are in the platform vendor's Secure Boot blacklisted keys database.

What will happen if I install tboot on a UEFI system?
On RHEL7 with UEFI
tboot-1.8.3-2.el7.x86_64.rpm, and newer, will install tboot, but will print the following message to the screen.
WARNING: tboot is not supported on RHEL installed with UEFI.

The install is allowed to complete without error to prevent aborting a provision. However, when the users try to boot the tboot menu item in grub, they will be presented with an error message and a grub prompt. At that point, the user can press the 'ESC' key, whereupon the other grub options will appear. The user can then boot from one of those other options.

On RHEL6 with UEFI
tboot will install, but when the users try to boot the tboot menu item in grub, they will be presented with an error message and a grub prompt. At that point, the user can press the ESC key, whereupon the other grub options will appear. The user can then boot from one of those other options.

What is the supported security protocol for RHEL7 installed with UEFI?
Secure Boot is the recommended boot protocol for RHEL7 installed with UEFI.

Is tboot still supported in RHEL7 installed with legacy BIOS?
Yes.

Is Secure Boot available for RHEL7 installed with legacy BIOS?
No. tboot is the recommended secure launch mechanism for RHEL7 installed with legacy BIOS on Intel-based systems.

Is Secure Boot available for RHEL6 installed with UEFI?
No. For secure launches on Intel platforms provisioned with RHEL6, it is recommended to install with legacy BIOS and use tboot.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Tboot Installation in Linux Distributions  
RHEL/CentOS 7.x - UEFI boot
# yum install grub2-efi-modules
# grub2-mkimage -O x86_64-efi -o /boot/efi/EFI/redhat/grubx64.efi -p /EFI/redhat "all_video boot btrfs cat chain configfile echo efifwsetup efinet ext2 fat font gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg loadenv lvm mdraid09 mdraid1x minicmd normal part_apple part_msdos part_gpt password_pbkdf2 png reboot search search_fs_uuid search_fs_file search_label sleep syslinuxcfg test tftp regexp video xfs linuxefi multiboot multiboot2"
# yum install tboot
# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Ref: https://sourceforge.net/p/tboot/wiki/Tboot%20Installation%20in%20Linux%20Distributions/

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Judging from the issue reported in Red Hat Bugzilla – Bug 1654202, the RHEL 7.x way of setting up tboot no longer applies from Fedora 29 and RHEL 8.0 onward.

Used to use the script below to create a customized grubx64.efi:
GRUB_MODULES="all_video boot btrfs cat chain configfile echo efifwsetup \
efinet ext2 fat font gfxmenu gfxterm gzio halt hfsplus iso9660 \
jpeg loadenv lvm mdraid09 mdraid1x minicmd normal part_apple \
part_msdos part_gpt password_pbkdf2 png reboot search \
search_fs_uuid search_fs_file search_label sleep syslinuxcfg \
test tftp regexp video xfs linuxefi multiboot multiboot2"
grub2-mkimage -O x86_64-efi -o grubx64.efi.new -p /EFI/fedora $GRUB_MODULES

With grub2-efi-x64-modules installed, this script works for Fedora 28 & RHEL7.x, but it does not work anymore on Fedora 29 & RHEL8.0; the errors say it is not able to find modules like linuxefi.mod/multiboot2.mod/multiboot.mod under /usr/lib/grub/x86_64-efi/.

Grub2-efi-x64-modules for Fedora 28 is at version 2.02-34, while it’s currently at 2.02-62 for Fedora 29.

Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1654202

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

CentOS 8.0, 8.1 and 8.2 and RHEL 8.0, 8.1 and 8.2 have a problem using the tboot package in UEFI mode that leaves the system unable to boot into the OS. It appears to have been fixed in 8.3.

As for tboot not being usable under UEFI, judging from the messages in Red Hat Bugzilla – Bug 1654202,

it seems the intent is for legacy BIOS to use tboot and for UEFI to use tboot.efi:

"Just for the record: Intel will eventually move from tboot to tboot.efi in 2019, then tboot will not rely on grub."

The problem has been fixed in RHEL-8.3.0, which has grub2 2.02-84.

Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1654202

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

From what I have found so far, CentOS (RHEL) 8.2 can boot through tboot once the newer packages are installed (but in my own test, choosing tboot did not get me into the OS... so I used Ubuntu to verify this feature).
For example: first go into the BIOS and set the TXT, VT-d and VT-x features to Enabled, then boot into the OS.
1. # yum install grub2-efi-x64-modules   (or: dnf install grub2-efi-x64-modules)
2. # mkdir /boot/efi/EFI/centos/x86_64-efi/   (on RHEL the vendor directory is redhat instead of centos; the same applies to the paths below)
3. # cp /usr/lib/grub/x86_64-efi/multiboot2.mod /boot/efi/EFI/centos/x86_64-efi/
4. # cp /usr/lib/grub/x86_64-efi/relocator.mod /boot/efi/EFI/centos/x86_64-efi/
PS: if choosing tboot in the grub menu reports that some file is missing, boot the normal entry, copy that file in as well and run grub2-mkconfig again; I have also tried copying the whole directory over, which works.
5. # yum install tboot   (or: dnf install tboot)
6. # grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
7. # reboot
8. Choose tboot on the GRUB menu.
# txt-stat
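The RHEL/CentOS 7 grub2-mkimage recipe and the RHEL/CentOS 8 copy-the-modules steps fail the same way when a GRUB module the tboot entry pulls in is not where GRUB looks for it, and the steps above discover that by trial and error at the GRUB prompt (GRUB resolves module dependencies itself when the entry's multiboot2 command loads, so a missing dependency only surfaces there). The script below is an added example, not code from the original post, the tboot project or Red Hat: it resolves the dependency closure of multiboot2 and relocator from GRUB's own moddep.lst, reports anything missing before touching the ESP, and copies the closure into the vendor directory. The directory paths and the module list are parameters, and the function names are my own.

```shell
#!/bin/sh
# Added example: stage the GRUB EFI modules the tboot menu entry needs.
# Not from the original post, the tboot project or Red Hat. Paths and the
# module list are parameters so the functions can be tried on a scratch
# directory; on a real box SRC is /usr/lib/grub/x86_64-efi and DST is
# /boot/efi/EFI/redhat/x86_64-efi (or /boot/efi/EFI/centos/x86_64-efi).

# Print the transitive dependency closure of the modules named after the
# first argument, resolved from moddep.lst lines of the form
# "name: dep dep ...", one module per line, sorted.
resolve_grub_deps() {
    moddep=$1; shift
    seen=""
    queue="$*"
    while :; do
        set -- $queue                     # re-split the work queue
        [ $# -gt 0 ] || break
        mod=$1; shift
        queue="$*"
        case " $seen " in *" $mod "*) continue ;; esac
        seen="$seen $mod"
        queue="$queue $(sed -n "s/^$mod:[[:space:]]*//p" "$moddep")"
    done
    for m in $seen; do printf '%s\n' "$m"; done | sort
}

# Print the modules (from the list given) that have no .mod file under SRC;
# returns 1 if any is missing, 0 otherwise.
missing_grub_modules() {
    src=$1; shift
    rc=0
    for m in "$@"; do
        [ -f "$src/$m.mod" ] || { printf '%s\n' "$m"; rc=1; }
    done
    return $rc
}

# Copy the closure of MODULES (default: multiboot2 relocator, which the tboot
# entry's multiboot2 command pulls in) from SRC to DST. Refuses to copy
# anything if part of the closure is absent from SRC, which is the
# Fedora 29 / RHEL 8.0 situation above where grub2-mkimage could not find
# modules under /usr/lib/grub/x86_64-efi/.
stage_tboot_modules() {
    src=$1; dst=$2; shift 2
    [ $# -gt 0 ] || set -- multiboot2 relocator
    mods=$(resolve_grub_deps "$src/moddep.lst" "$@")
    missing=$(missing_grub_modules "$src" $mods || true)
    if [ -n "$missing" ]; then
        printf 'missing under %s:%s\n' "$src" "$(printf ' %s' $missing)" >&2
        return 1
    fi
    mkdir -p "$dst"
    for m in $mods; do cp "$src/$m.mod" "$dst/"; done
    printf '%s\n' $mods                   # list what was staged
}

# Real-system usage (as root), followed by grub2-mkconfig as in step 6:
#   stage_tboot_modules /usr/lib/grub/x86_64-efi /boot/efi/EFI/redhat/x86_64-efi
```

The stage function prints the full list it copied, which is the list to compare against whatever the GRUB prompt complains about if the tboot entry still fails; step 6 (grub2-mkconfig) still has to be run afterwards so the tboot entry is generated.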

Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1654202
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1896848
Ref: https://access.redhat.com/articles/2464721 (On RHEL installed with UEFI, tboot must be uninstalled before enabling TPM/TXT hardware )

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

By the way, about GRUB2 on the RHEL 8 series: from my earlier experience setting nomodeset and configuring serial ports (the physical COM port and the BMC COM port) on RHEL 8.0 / 8.1 / 8.2,
editing the defaults file (/etc/default/grub) and then running grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg had no effect; a different method is needed.
The new method: https://www.golinuxcloud.com/update-grub2-grubby-grub2-editenv-rhel-8/
Or edit /boot/grub2/grubenv directly (# vi /boot/grub2/grubenv); once edited, a reboot is enough.
To display the current GRUB settings: grub2-editenv list

But CentOS 8.1 / 8.2 does not have this new method; the RHEL 7 / CentOS 7 way of editing and regenerating the file still applies. That RHEL 8 and CentOS 8 differ here strikes me as a bit odd XD
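For the RHEL 8 grubenv route, the shell functions below are an added example, not from the original post, Red Hat or the GRUB project. They make the same edit to the kernelopts variable that grub2-editenv would, without leaving the file in a shape GRUB cannot read: the "# GRUB Environment Block" header line, one NAME=value line per variable and the '#' padding to exactly 1024 bytes are preserved, and an argument is appended only once. The file path is a parameter so the functions can be tried on a scratch copy; the block size constant, the function names and the sample variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: append a kernel argument (nomodeset, console=ttyS0,115200, ...)
# to kernelopts in a RHEL 8 style grubenv. Not from the original post, Red Hat
# or GRUB. Rebuilds the file the way grub2-editenv writes it: header line,
# NAME=value lines, then '#' padding up to exactly 1024 bytes.
# On a live system prefer:  grub2-editenv - set kernelopts="..."

ENVBLK_SIZE=1024                         # size grub2-editenv writes
ENVBLK_HEADER='# GRUB Environment Block'

# Print the value of variable NAME from grubenv FILE (empty if absent).
grubenv_get() {
    sed -n "s/^$2=//p" "$1" | head -n1
}

# Rewrite FILE from the NAME=value lines given on stdin, padding to 1024 bytes.
# Fails (and leaves FILE untouched) if the variables do not fit in the block.
grubenv_write() {
    file=$1
    body=$(cat)
    { printf '%s\n' "$ENVBLK_HEADER"; [ -z "$body" ] || printf '%s\n' "$body"; } > "$file.tmp"
    size=$(($(wc -c < "$file.tmp")))
    if [ "$size" -gt "$ENVBLK_SIZE" ]; then
        rm -f "$file.tmp"
        echo "grubenv content exceeds $ENVBLK_SIZE bytes" >&2
        return 1
    fi
    head -c $((ENVBLK_SIZE - size)) /dev/zero | tr '\0' '#' >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Add ARG to kernelopts in FILE unless it is already there; every other
# variable in the block is kept as-is.
grubenv_add_kernelopt() {
    file=$1; arg=$2
    cur=$(grubenv_get "$file" kernelopts)
    [ -n "$cur" ] || { echo "no kernelopts= line in $file" >&2; return 1; }
    case " $cur " in *" $arg "*) return 0 ;; esac   # already present: no-op
    grep -v '^#' "$file" | while IFS= read -r line; do   # drops header + padding
        case "$line" in
            kernelopts=*) printf '%s\n' "kernelopts=$cur $arg" ;;
            ?*)           printf '%s\n' "$line" ;;
        esac
    done | grubenv_write "$file"
}

# Usage on a scratch copy:
#   cp /boot/grub2/grubenv /tmp/grubenv && grubenv_add_kernelopt /tmp/grubenv nomodeset
```

Hand-editing the file with vi, as the note above suggests, works as long as the result still starts with the header line and keeps its fixed size; the write function above makes that invariant explicit instead of relying on the editor.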

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

EFI-TBOOT Project: https://github.com/rossphilipson/efi-tboot

efi-tboot installing steps (from github)

                       --- Install EFI TBOOT ---

Build and install EFI TBOOT and needed support files:

$ cd efi-tboot/tboot
$ make
$ sudo mkdir /boot/efi/EFI/TBOOT
$ sudo cp tboot.efi /boot/efi/EFI/TBOOT
$ sudo cp tboot.cfg /boot/efi/EFI/TBOOT

Create new EFI boot target:

$ efibootmgr -w -L TBOOT -l "\EFI\TBOOT\tboot.efi" -c

EFI TBOOT needs a number of platform support files used with TXT (called
Authenticated Code Modules or ACMs). For convenience the packages can be
gotten from the OpenXT mirror:

http://mirror.openxt.org/

Download:

5-i7-sinit-67.zip
4th-gen-i5-i7-sinit-75.zip
5th-gen-i5-i7-sinit_79.zip
5th_gen_i5_i7-SINIT_79.zip
6th_gen_i5_i7-SINIT_71.zip
7th_gen_i5_i7-SINIT_74.zip
GM45_GS45_PM45-SINIT_51.zip
Q35-SINIT_51.zip
Q45_Q43-SINIT_51.zip
Xeon-5600-3500-SINIT-v1.1.zip
Xeon-E7-8800-4800-2800-SINIT-v1.1.zip
i5_i7_DUAL-SINIT_51.zip
i7_QUAD-SINIT_51.zip

Each package must be unzipped and the .bin or .BIN file in the package needs
to be copied to /boot/efi/EFI/TBOOT

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Go to BIOS Setup and enable the TXT, VT-d and VT-x features.
Fresh-install the Linux OS on the server with tboot selected.
Power on the server and boot it (via tboot) into the Linux OS.
Run the txt-stat command to check for "TXT measured launch: SUCCESS".
# txt-stat | grep "TXT measured launch"

@ Take Ubuntu Server 18.04.x as a sample:
! Please make sure VT-x, VT-d, TPM and TXT are enabled in the BIOS setup menu, and that EFI boot mode is enabled there as well; save and exit.

1. Fresh-install Ubuntu Server 18.04.x
2. Install tboot on Ubuntu Server 18.04.x
# apt-get update
# apt-get install tboot
3. Reboot, and choose the tboot option at the GRUB menu.
# reboot
4. # txt-stat | grep "TXT measured launch"

 

@ Take Ubuntu Server 18.04 with make / make install of tboot from the tboot source code:
Set up the environment for tboot:
! Please make sure VT-x, VT-d, TPM and TXT are enabled in the BIOS setup menu, and that EFI boot mode is enabled there as well; save and exit.
# apt-get update
# apt-get install tpm-tools
# apt-get install mercurial
# hg clone http://hg.code.sf.net/p/tboot/code tboot-code
# cd tboot-code/tboot
# make install
# cd ../utils
# make install
copy your /sbin/init to /boot     (I don't think this was necessary)
# grub-mkconfig -o /boot/grub/grub.cfg
# reboot
select tboot from the grub boot menu
login as root
After booting into Ubuntu, run the command txt-stat:
# txt-stat | grep "TXT measured launch"

In my tests the SINIT .bin file for the same platform was not needed; the status could be confirmed without it.
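Every procedure on this page ends with eyeballing txt-stat for the measured-launch line. The script below is an added example, not from the original post or from the tboot project, that turns that into a pass/fail check usable from a provisioning script: it reads saved txt-stat output, requires the summary line to report a launch and the TXT ERRORCODE register to be all zeros, and prints the reason otherwise. The sample dumps are constructed, trimmed versions of txt-stat output, and the exact summary wording is an assumption (tboot's txt-stat prints "TXT measured launch: TRUE" or "FALSE", while the procedure above quotes "SUCCESS"), so both spellings are accepted. Function and variable names are my own.

```shell
#!/bin/sh
# Added example: a pass/fail check over txt-stat output. Not from the original
# post or from the tboot project. The samples are constructed and trimmed;
# the wording of the summary line is an assumption (tboot's txt-stat prints
# "TXT measured launch: TRUE"/"FALSE", the procedure above quotes "SUCCESS"),
# so both are accepted.

# Reads txt-stat output on stdin. Returns 0 when a measured launch is reported
# and the TXT ERRORCODE register is zero; otherwise prints the reason and
# returns 1.
txt_launch_ok() {
    out=$(cat)
    launch=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*TXT measured launch:[[:space:]]*//p' | head -n1)
    errcode=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*ERRORCODE:[[:space:]]*//p' | head -n1)
    case "$launch" in
        TRUE|SUCCESS) ;;
        "") echo "no 'TXT measured launch' line: tboot did not run (plain kernel entry booted?)"; return 1 ;;
        *)  echo "TXT measured launch: $launch"; return 1 ;;
    esac
    # ERRORCODE is the TXT.ERRORCODE register in hex; anything but all zeros
    # means the SINIT ACM or tboot recorded an error during the launch.
    case "${errcode#0x}" in
        "")     echo "no ERRORCODE line in txt-stat output"; return 1 ;;
        *[!0]*) echo "TXT ERRORCODE is non-zero: $errcode"; return 1 ;;
    esac
    return 0
}

# On a live system (as root, with the tboot utils installed).
check_txt_now() {
    txt-stat | txt_launch_ok
}

# Constructed sample: tboot ran and the SINIT ACM launched the kernel.
SAMPLE_TXT_OK='Intel(r) TXT Configuration Registers:
    STS: 0x0001c091
        senter_done: TRUE
    ERRORCODE: 0x00000000
***********************************************************
     TXT measured launch: TRUE
     secrets flag set: TRUE
***********************************************************'

# Constructed sample: the tboot entry was chosen but the launch failed
# (for instance the wrong SINIT ACM for the platform).
SAMPLE_TXT_FAIL='Intel(r) TXT Configuration Registers:
    STS: 0x00000000
        senter_done: FALSE
    ERRORCODE: 0x00000001
***********************************************************
     TXT measured launch: FALSE
     secrets flag set: FALSE
***********************************************************'
```

The check deliberately fails when the summary line is absent altogether: that is what txt-stat output looks like when the normal (non-tboot) GRUB entry was booted, which a grep for a single line would report as "nothing found" rather than as a failed launch.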

PS: With the newer source code for the Intel Whitley platform, tboot 1.9.11 is needed before txt-stat verifies OK;
(but if you are forced to add a SINIT.bin, and specifically the SINIT.bin for the same platform, the only option is to extract that .bin from the BIOS code and then run grub-mkconfig again;
in my own testing, though, it is not needed when installing through the package manager (apt)).

On Ubuntu Server 18.04 you can manually download the tboot package provided for Ubuntu Server 21.04 and install it
(wget http://archive.ubuntu.com/ubuntu/pool/universe/t/tboot/tboot_1.9.12+hg20200718-1_amd64.deb),
or just use Ubuntu Server 21.04 and install and verify through the apt-get package-management commands.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

System hangs when Intel tboot is used to boot the operating system

Description
In legacy BIOS boot mode, system hangs when tboot version 1.9.12-2 is used to boot the operating system. The issue is observed with both TPM v2.0 and v1.2.
Workaround
Use tboot version 1.9.10-1 from RHEL 8.2 GA. For more information, see Red Hat Enterprise Linux Knowledge Base article 6013091.
Solution
The issue is resolved in Red Hat Enterprise Linux 8.5.
Systems affected
All Dell EMC PowerEdge systems.
Applies to
Red Hat Enterprise Linux 8.3 and later.
Tracking number
197339

Posted by 吾給力 on PIXNET (痞客邦)