This Golang utility tests whether the platform supports Intel TXT and FIT, TPM boot chain has been configured correctly.
The suite is work in progress.
The test suite runs on GNU/Linux. The /dev/mem device must allow access to the
full physical memory. You may have to add the following to the kernel command line:
iomem=relaxed strict-devmem=0 mem.devmem=1The only dependency is a working Go toolchain and the dep tool. After cloning
the repository, fetch the dependencies:
dep ensureThen, run the test suite as root.
go run cmd/txt-suite/main.goThe test suite implements the following tests.
| # | Test | Implementation status |
|---|---|---|
| 1 | Check CPUID for Intel CPU | ✅ |
| 2 | Check CPUID for CPU generation | ✅ |
| 3 | Check if CPU supports TXT | ✅ |
| 4 | Check if chipset supports TXT | Unimplementable ❌ |
| 5 | Check if TXT registers supports TXT | ✅ |
| 6 | Check CPUID SMX support | ✅ |
| 7 | Check CPUID VMX support | ✅ |
| 8 | Check IA_32FEATURE_CONTROL bits | ✅ |
| 9 | Check SMX is enabled | ✅ |
| 10 | Check supported GetSec leaves | Unimplementable ❌ |
| 11 | Check TXT not disabled | ✅ |
| 12 | Check IBB measured | ✅ |
| 13 | Check firmware trusted | ✅ |
| 14 | TXT registers are locked | ✅ |
| 15 | BIOS ACM had no startup error | ✅ |
| 16 | TPM is present | ✅ |
| 17 | TPM is locked | Only TPM 1.2 🕐 |
| 18 | TPM PS index set | Only TPM 1.2 🕐 |
| 19 | TPM AUX index set | Only TPM 1.2 🕐 |
| 20 | TPM LCP_POLICY has set | Only TPM 1.2 🕐 |
| 21 | TPM PCR0 has been extended | Only TPM 1.2 🕐 |
| 22 | FIT exists | ✅ |
| 23 | FIT contains BIOSACM entry | ✅ |
| 24 | FIT contains IBB entry | ✅ |
| 25 | FIT contains BIOS POLICY | ✅ |
| 26 | FIT IBB covers reset vector | ✅ |
| 27 | FIT IBB doesn’t overlap IBB | ✅ |
| 28 | FIT IBBs doesn’t overlap BIOSACM | ✅ |
| 29 | FIT IBBs and BIOSACM are in 32bit address space | ✅ |
| 30 | FIT TXT_DISABLE_POLICY does not disable TXT | ✅ |
| 31 | BIOSACM header is valid | ✅ |
| 32 | BIOSACM size check | ✅ |
| 33 | BIOSACM alignment check | ✅ |
| 34 | BIOSACM matches chipset | ✅ |
| 35 | BIOSACM matches processor | ✅ |
| 36 | TXT memory is reserved in e820 map | ✅ |
| 37 | TXT DPR protectes TXT memory | ✅ |
| 38 | CPU DMA protected range equals hostbridge DPR | ✅ |
| 39 | TXT SINIT in TXT region | ✅ |
| 40 | TXT SINIT matches chipset | ✅ |
| 41 | TXT SINIT matches processor | ✅ |
| 42 | SINIT ACM startup errors | ✅ |
| 43 | BIOSDATAREGION is present in TXT regions | ✅ |
| 44 | Check CPUID MTRR support | ✅ |
| 45 | Check MTRRcap for SMRR support | ✅ |
| 46 | Get SMM/TSEG region | ✅ |
| 47 | SMRRs are active | ✅ |
| 48 | IOMMU/Vt-d is active | Todo 🕐 |
| 49 | TBOOT is active | Todo 🕐 |
| 50 | Servermode TXT | Todo 🕐 |
| 51 | FSB Interface is release fused | Todo 🕐 |
| 52 | Memory controller is release fused | Todo 🕐 |