1# Intel Authenticated Code Modules 2 3The Authenticated Code Modules (ACMs) are Intel digitally signed modules 4that contain code to be run before the traditional x86 CPU reset vector. 5The ACMs can be invoked at runtime through the GETSEC instruction, too. 6 7A platform that wants to use Intel TXT must use two ACMs: 81. BIOS ACM 9 * The BIOS ACM must be present in the boot flash. 10 * The BIOS ACM must be referenced by the [FIT]. 112. SINIT ACM 12 * The SINIT ACM isn't referenced by the [FIT]. 13 * The SINIT ACM should be provided by the boot firmware, but bootloaders 14 like [TBOOT] are able to load them from the filesystem as well. 15 16## Retrieving ACMs 17 18The ACMs can be downloaded on Intel's website: 19[Intel Trusted Execution Technology](https://software.intel.com/en-us/articles/intel-trusted-execution-technology) 20 21If you want to extract the BLOB from vendor firmware you can search for the 22string ``LCP_POLICY_DATA`` or ``TXT``. 23 24## Header 25 26Every ACM has a fixed size header: 27 28```c 29/* 30 * ACM Header v0.0 without dynamic part 31 * Chapter A.1 32 * Intel TXT Software Development Guide (Document: 315168-015) 33 */ 34struct acm_header_v0 { 35 uint16_t module_type; 36 uint16_t module_sub_type; 37 uint32_t header_len; 38 uint16_t header_version[2]; 39 uint16_t chipset_id; 40 uint16_t flags; 41 uint32_t module_vendor; 42 uint32_t date; 43 uint32_t size; 44 uint16_t txt_svn; 45 uint16_t se_svn; 46 uint32_t code_control; 47 uint32_t error_entry_point; 48 uint32_t gdt_limit; 49 uint32_t gdt_ptr; 50 uint32_t seg_sel; 51 uint32_t entry_point; 52 uint8_t reserved2[63]; 53} __packed; 54``` 55 56[FIT]: ../../soc/intel/fit.md 57[TBOOT]: https://sourceforge.net/p/tboot/wiki/Home/ 58