To further improve AEM, we are introducing enhancements aimed at better usability, performance, and security. One planned improvement is adding descriptions for all TPM event log entries. All components are already measured and the PCR values remain unchanged; this addition only makes the event log readable without requiring knowledge of the underlying code. This enhancement applies to both the legacy and UEFI boot paths, across supported CPU vendors. Additionally, we are optimizing performance, particularly on Intel platforms, to ensure a smoother and more efficient experience.

Additional issues from other repositories:
- https://github.com/TrenchBoot/xen/issues/16
- https://github.com/TrenchBoot/xen/issues/18
No due date • 0/7 issues closed

This milestone will implement support for performing DRTM between coreboot and its payload, in this case edk2. While the implementation of dynamic launch will be in coreboot, the payload must be able to handle the unusual state after the hand-off. It also has to carefully manage access to memory, as well as control when and how other cores are allowed to be started. Finally, the payload binary must contain information that tells coreboot that it can be started through dynamic launch.

Components marked in green will be added or modified as part of this milestone. The implementation will be done with Dasharo, with the coreboot part of the implementation sent to the upstream coreboot repository for review.

Platforms chosen for initial implementation:
- PC Engines apu2 (or a later one), with TPM 2.0
- Protectli VP66xx with TPM 2.0
No due date • 0/7 issues closed

To ensure proper implementation across a wider set of newer platforms, we plan to introduce two new platforms to our test matrix: MSI PRO B650M-A WIFI with AMD Ryzen 5 8600G, and ASRock NUC BOX-125H/EU/AI with an Intel 125H processor. In case of availability problems or lack of support for required features in the firmware, the platforms may be changed to other, similar ones, so they are referenced just as "AMD platform" and "Intel platform" in the tasks. The tests will be performed on OEM firmware.
No due date • 0/5 issues closed

The code implementing support for the TrenchBoot UEFI boot mode shall be upstreamed to the official Xen and GRUB2 repositories. This benefits the open-source community and enables other projects to access and use the TrenchBoot UEFI boot mode support. Submitting patch sets to the Xen and GRUB2 mailing lists simultaneously ensures cohesive integration and community benefit.

Project plan: https://docs.dasharo.com/projects/trenchboot-aem-v2/
Project page: https://nlnet.nl/project/TrenchBoot-AEM-UEFI/
No due date • 0/2 issues closed

The more sophisticated test case involves the end-to-end validation of the TrenchBoot AEM solution. Due to the complex nature of the hardware features required here (such as Intel TXT), it cannot be tested in emulation. The goal of this task is to automate the validation process as shown in the blog post, so we can ensure that the entire solution works as expected on different hardware units without being overloaded with manual testing. In order to implement functional testing on hardware, the hardware must first be integrated into the testing lab. The goal of this integration is to perform the setup and document it, so it can be replicated by the community.

Project plan: https://docs.dasharo.com/projects/trenchboot-aem-v2/
Project page: https://nlnet.nl/project/TrenchBoot-AEM-UEFI/
No due date • 5/5 issues closed

The first set of messages to both projects' mailing lists should be sent concurrently in order to allow maintainers to test the solution as a whole. This includes any necessary rebasing, patch preparation, and initial communication with maintainers.
No due date • 1/3 issues closed

TrenchBoot for AMD platform in Linux kernel / 5. Secure Launch documentation and specification update
The task aims to fill the gap in Linux kernel documentation for AMD DRTM technology; the documentation will be sent along with the patches implementing AMD DRTM support in the Linux kernel. Changes to the SL specification shall also be done as part of this task.
No due date • 2/3 issues closed