Intel TXT Validation Test Suite
This Golang utility tests whether the platform supports Intel TXT and FIT, TPM
boot chain has been configured correctly.
The suite is work in progress.
Usage
The test suite runs on GNU/Linux. The /dev/mem
device must allow access to the
full physical memory. You may have to add the following to the kernel command line:
iomem=relaxed strict-devmem=0 mem.devmem=1
Prepare the environment:
Load the msr kernel module:
modprobe msr
If /dev/tpm0 doesn't exist, load the TPM kernel module:
modprobe tpm_tis
Stop the tpm2-abrmd.service if running:
systemctl stop tpm2-abrmd.service
The only dependency is a working Go toolchain and the dep
tool. After cloning
the repository, fetch the dependencies:
dep ensure
Then, run the test suite as root.
go run cmd/txt-suite/main.go
Commandline arguments
-l : Lists all tests
-i : Enforces testing, so they won't stop at the first error
-t=<n,m,o> : Choose tests, seperated by comma
-t=<n-m> or -t=<n-m,o-p> : Choose ranges of tests, can be seperated by comma
-v : Gives information about Licence, Copyright and Version
-h : Shows this information
Tests
The test suite implements the following tests.
# |
Test |
Implementation status |
1 |
Check CPUID for Intel CPU |
✅ |
2 |
Check CPUID for CPU generation |
✅ |
3 |
Check if CPU supports TXT |
✅ |
4 |
Check if chipset supports TXT |
Unimplementable ❌ |
5 |
Check if TXT registers supports TXT |
✅ |
6 |
Check CPUID SMX support |
✅ |
7 |
Check CPUID VMX support |
✅ |
8 |
Check IA_32FEATURE_CONTROL bits |
✅ |
9 |
Check SMX is enabled |
✅ |
10 |
Check supported GetSec leaves |
Unimplementable ❌ |
11 |
Check TXT not disabled |
✅ |
12 |
Check IBB measured |
✅ |
13 |
Check firmware trusted |
✅ |
14 |
TXT registers are locked |
✅ |
15 |
BIOS ACM had no startup error |
✅ |
16 |
TPM is present |
✅ |
17 |
TPM is locked |
Only TPM 1.2 🕐 |
18 |
TPM PS index set |
Only TPM 1.2 🕐 |
19 |
TPM AUX index set |
Only TPM 1.2 🕐 |
20 |
TPM LCP_POLICY has set |
Only TPM 1.2 🕐 |
21 |
TPM PCR0 has been extended |
Only TPM 1.2 🕐 |
22 |
FIT exists |
✅ |
23 |
FIT contains BIOSACM entry |
✅ |
24 |
FIT contains IBB entry |
✅ |
25 |
FIT contains BIOS POLICY |
✅ |
26 |
FIT IBB covers reset vector |
✅ |
27 |
FIT IBB doesn’t overlap IBB |
✅ |
28 |
FIT IBBs doesn’t overlap BIOSACM |
✅ |
29 |
FIT IBBs and BIOSACM are in 32bit address space |
✅ |
30 |
FIT TXT_DISABLE_POLICY does not disable TXT |
✅ |
31 |
BIOSACM header is valid |
✅ |
32 |
BIOSACM size check |
✅ |
33 |
BIOSACM alignment check |
✅ |
34 |
BIOSACM matches chipset |
✅ |
35 |
BIOSACM matches processor |
✅ |
36 |
TXT memory is reserved in e820 map |
✅ |
37 |
TXT DPR protectes TXT memory |
✅ |
38 |
CPU DMA protected range equals hostbridge DPR |
✅ |
39 |
TXT SINIT in TXT region |
✅ |
40 |
TXT SINIT matches chipset |
✅ |
41 |
TXT SINIT matches processor |
✅ |
42 |
SINIT ACM startup errors |
✅ |
43 |
BIOSDATAREGION is present in TXT regions |
✅ |
44 |
Check CPUID MTRR support |
✅ |
45 |
Check MTRRcap for SMRR support |
✅ |
46 |
Get SMM/TSEG region |
✅ |
47 |
SMRRs are active |
✅ |
48 |
IOMMU/Vt-d is active |
Todo 🕐 |
49 |
TBOOT is active |
Todo 🕐 |
50 |
Servermode TXT |
Todo 🕐 |
51 |
FSB Interface is release fused |
Todo 🕐 |
52 |
Memory controller is release fused |
Todo 🕐 |