| blob | b7dfacde8c7133c3765a4b6d4a3f62e800a827d3 |
1 # Intel Authenticated Code Modules
3 The Authenticated Code Modules (ACMs) are Intel digitally signed modules
4 that contain code to be run before the traditional x86 CPU reset vector.
5 The ACMs can be invoked at runtime through the GETSEC instruction, too.
7 A platform that wants to use Intel TXT must use two ACMs:
8 1. BIOS ACM
9 * The BIOS ACM must be present in the boot flash.
10 * The BIOS ACM must be referenced by the [FIT].
11 2. SINIT ACM
12 * The SINIT ACM isn't referenced by the [FIT].
13 * The SINIT ACM should be provided by the boot firmware, but bootloaders
14 like [TBOOT] are able to load them from the filesystem as well.
16 ## Retrieving ACMs
18 The ACMs can be downloaded on Intel's website:
19 [Intel Trusted Execution Technology](https://software.intel.com/en-us/articles/intel-trusted-execution-technology)
21 If you want to extract the BLOB from vendor firmware you can search for the
22 string ``LCP_POLICY_DATA`` or ``TXT``.
24 ## Header
26 Every ACM has a fixed size header:
28 ```c
29 /*
30 * ACM Header v0.0 without dynamic part
31 * Chapter A.1
32 * Intel TXT Software Development Guide (Document: 315168-015)
33 */
34 struct acm_header_v0 {
35 uint16_t module_type;
36 uint16_t module_sub_type;
37 uint32_t header_len;
38 uint16_t header_version[2];
39 uint16_t chipset_id;
40 uint16_t flags;
41 uint32_t module_vendor;
42 uint32_t date;
43 uint32_t size;
44 uint16_t txt_svn;
45 uint16_t se_svn;
46 uint32_t code_control;
47 uint32_t error_entry_point;
48 uint32_t gdt_limit;
49 uint32_t gdt_ptr;
50 uint32_t seg_sel;
51 uint32_t entry_point;
52 uint8_t reserved2[63];
53 } __packed;
54 ```
56 [FIT]: ../../soc/intel/fit.md
57 [TBOOT]: https://sourceforge.net/p/tboot/wiki/Home/