Intel Authenticated Code Modules

The Authenticated Code Modules (ACMs) are Intel digitally signed modules that contain code to be run before the traditional x86 CPU reset vector. The ACMs can be invoked at runtime through the GETSEC instruction, too.

A platform that wants to use Intel TXT must use two ACMs:

    • The BIOS ACM must be present in the boot flash.
    • The BIOS ACM must be referenced by the FIT.
    • The SINIT ACM isn’t referenced by the FIT.
    • The SINIT ACM should be provided by the boot firmware, but bootloaders like TBOOT are able to load them from the filesystem as well.

Retrieving ACMs

The ACMs can be downloaded on Intel’s website: Intel Trusted Execution Technology

If you want to extract the BLOB from vendor firmware you can search for the string LCP_POLICY_DATA or TXT.