I am new to the forums, and I hope I am posting this to the appropriate forum.
I have a NUC5i5MYHE and I am trying to use tboot on Ubuntu 16.04 LTS. I enabled Intel TXT and VT from the BIOS. Then I installed tboot and obtained the 5th generation SINIT ACM (Authenticated Code Module) from the Intel website (Intel® Trusted Execution Technology (TXT) | Intel® Software: https://software.intel.com/en-us/articles/intel-trusted-execution-technology). I updated grub and selected tboot for booting. The system rebooted after trying to load the SINIT module (5th_gen_i5_i7-SINIT_79.bin). Then I did some more investigation and found that the SINIT module corresponds to TXT.DIDVID.DeviceID: 0xb002. Running the command txt-stat to obtain the TXT register on my NUC yielded the device_id as 0xb005. There were no ACMs for this particular device ID. So I tried the 6th generation ACM (deviceID: 0xb003) and 7th generation ACM (deviceID: 0xb006) with the same result. Where can I find the appropriate ACM corresponding to device ID: 0xb005 for my NUC?
Thanks a lot
Thank you for joining this Intel Community.
Intel does not test and validate Intel® NUC on Linux. Also, questions about Intel® Trusted Execution Technology (TXT) are usually supported on the Intel Business Client Developer Forum (https://software.intel.com/en-us/forums/intel-vpro-software-development/). However, since Intel® NUC Kit NUC5i5MYHE supports this technology, I would like to do further research to determine which SINIT ACM is needed to address this issue.
We will get back to you soon.
Intel Customer Support Technician
Under Contract to Intel Corporation
I found the solution to my question. Posting it here so that it would be useful to someone in the future.
I was using tboot 1.8.3 which came from the Ubuntu distribution. When I downloaded tboot (1.9.8) and built it, I was able to use the SINIT ACM (5th_gen_i5_i7-SINIT_79.bin) successfully.
Well, there was one more twist to the story: I was seeing only a mouse cursor even after 10 minutes and the kernel login prompt wouldn't show up. Looking at the kernel logs indicated a GPU hang to be the problem.
Some searching suggested that I needed to turn off intel_iommu. But setting it to off wasn't helpful because tboot turned it on. I found that using the parameter intel_iommu=tboot_noforce for the kernel helped me to boot to the kernel.
This option lowers the security provided by tboot because it makes the system vulnerable to DMA attacks.
Thanks again for all the help.