During a launch using Intel(r) Trusted Execution Technology (Intel(r) TXT), TXT
provides memory integrity until Xen installs page tables, VT-d mappings, etc.
However, in order to put the system into S3 the TXT environment must be torn
down (and protections lost). On resume, the TXT environment will be
re-launched. During resume, code that was not measured and is not trusted may
execute prior to the re-establishment of the TXT environment. This would
include BIOS code and DMA from devices (possibly with malicious/corrupted
firmware). Importantly, the BIOS code used during S3 resume is typically the
RAM copy and thus it could also have been modified by any code that ran during
the initial boot before TXT (e.g. option ROMs, bootloader).
In order to ensure that nothing has altered the memory image during this
window, memory integrity checks must be made on all of the hypervisor, domain,
and heap pages. The initial integrity values (MACs = message authentication
codes) are calculated prior to entering S3 when protections are still in place.
tboot uses the TPM to seal these (encrypt and bind to PCRs). On resume, after
the TXT environment has been restored, they are unsealed (which will only
succeed if the environment is the same as it was during seal). Then MACs are
re-calculated and compared to the saved values.
This MAC'ing is done in Xen in order to provide the per-domain support as well
as because tboot runs in protected mode and so wouldn't have access to memory
>4GB. tboot already MACs the hypervisor/bitmap/etc.
Unofficial timing shows that the MAC algorithm used (VMAC; see the code for
references) takes ~900ms to MAC 2GB memory. While this is very good, we made
the choice of MAC'ing a domain configurable (default to 'yes') for those usage
models that want faster S3 and have other methods of domain protection (e.g.
introspection, agentry, etc.). Domain 0 is always MAC'ed.
As with other TXT code, the MACs are only performed when Xen is booted using
These patches are against the current xen-unstable tip, c/s 19238. They work
for 32b and 64b, debug and ndebug builds.
Joe & Shane
Xen-devel mailing list