Also,
To just get things working, I would skip creating the policy elements
for the pcrs and custom, and just go with the mle element. After you get
things working, then is the time to add additional stuff.
Charles
From: Charles Bushong [mailto:[email protected]]
Sent: Wednesday, March
You haven't mentioned which processor you are using. From the commands
you are using, it appears that you are trying to do a version 2 lcp,
which is for processors designed after 2008. Also, did you copy the
list.data file to the /boot directory, and add the line module
/list.data to your grub con
There appear to be a couple of things that I don't understand. It
appears that while you have written your VL policy, you haven't written a
Launch Control Policy (which goes in the owner NV index). What your LCP
will be depends on the processor, which you didn't mention in your post.
That is the plac
It appears that you do not have an SINIT module in the grub.cfg file. As I
understand it, the BIOS ACM is handling things like measuring the BIOS stuff
and extending PCRs 0-5. I believe that tboot is unhappy because there is no
SINIT module in the grub file. Determine which SINIT module you need
Jay,
Basically the instructions for using the grub.conf file apply. The steps
are pretty much as outlined in the LCP_v2.txt document.
1) Create the LCP - this results in the list.data file
2) Create the VL
3) Take ownership of the TPM
4) Define the error index (if not already done)
5) Define the
Hi,
Does anyone have an idea of when the SINIT modules for the new Haswell
processors will be released?
Thanks
Charles
All,
While doing a routine update of a security review of the tboot code, I
found a couple of minor problems - two potential (but very unlikely)
buffer overrun problems, and one minor memory leak - although the
program is going to terminate almost immediately, so the memory comes
back anyway.
Patch [2/2]
Signed-off-by: Charles Fisher
#include
#include
+#include
+#include
#include
+#include
#include
#include
#include
+#include
#include
#include
#include
@@ -553,6 +557,118 @@ bool e820_reserve_ram(uint64_t base, uin
return true;
}
+/* Define the
Patch {1/2]
Signed-off-by: Charles Fisher wakeup_vector);
acpi_printk("wakeup_vector_value = %llxx\n", resume_vector);
+}
+
+void disable_smis(void)
+{
+printk("disabling legacy USB SMIs\n");
+uint32_t pmbase = pcireg_cfgread(0, 31, 0, 0x40, 4) & ~1;
+uint32_t
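Review bot: In disable_smis(), the read `pcireg_cfgread(0, 31, 0, 0x40, 4) & ~1` hard-codes bus 0, device 31, function 0 and offset 0x40, and the lines shown here do not check that the device at that address is the expected one or that the read returned a sane value (not all ones) before pmbase is used. Consider validating the device and the returned value before acting on it, and replacing the literals with named constants so the register being read is documented. The declaration also follows the printk() statement and the added lines carry no indentation, which is worth checking against the style of the surrounding file.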
Patch {1/2]
Signed-off-by: Charles Fisher wakeup_vector);
acpi_printk("wakeup_vector_value = %llxx\n", resume_vector);
+}
+
+void disable_smis(void)
+{
+printk("disabling legacy USB SMIs\n");
+uint32_t pmbase = pcireg_cfgread(0, 31, 0, 0x40, 4) & ~1;
+uint32_t
Here is the real patch 2/2.
Patch [2/2]
Signed-off-by: Charles Fisher
#include
#include
+#include
+#include
#include
+#include
#include
#include
#include
+#include
#include
#include
#include
@@ -553,6 +557,118 @@ bool e820_reserve_ram(uint64_t base, uin
ret
Patch [1/2]
Signed-off-by: Charles Fisher wakeup_vector);
acpi_printk("wakeup_vector_value = %llxx\n", resume_vector);
+}
+
+void disable_smis(void)
+{
+printk("disabling legacy USB SMIs\n");
+uint32_t pmbase = pcireg_cfgread(0, 31, 0, 0x40, 4) & ~1;
+uint32_t
It appears from looking at the code that there was an original intent to
classify the messages displayed using printk into one of 3 levels (info,
warn, and error), although it does not appear that any of the existing
printk's utilize this feature.
Are there any plans to do so in the future? We
We have a mixed environment of Sandy Bridge and Ivy Bridge machines. We
want to use a standard image for installation, and in the past, have
just loaded all of the sinit modules in the grub.conf file, allowing
tboot to figure out which was the correct sinit to use.
We have run into a problem wi
I have a question about the Sandy Bridge SINIT module
(2nd_gen_i5_i7_SINIT_51.BIN).
The developers kit has a set of programs for defining the default policy
(NVRAM index 0x5001) and aux2 (NVRAM index 0x5003).
All of the Sandy Bridge Machines that we currently have, have aux
predefi
Joe,
Version two of the patch:
Signed-off-by: Charles Fisher
diff -up tboot-1.7.0/tb_polgen/param.c.orig
tboot-1.7.0/tb_polgen/param.c
--- tboot-1.7.0/tb_polgen/param.c.orig2012-04-26 08:33:58.631208000
-0700
+++ tboot-1.7.0/tb_polgen/param.c 2012-04-26 10:10:49.931844000 -0700
@
Joe,
Please put this patch on hold. I am going to make the change suggested
earlier and use a common definition for both tboot, and tb_polgen, as
well as add a check in tb_polgen for the cmdline length being larger
than the buffer so, and put out an error message to that effect so that
the cond
All,
I have found the problem - If you forget to include the list.data file
in the grub.cfg file, this is the result. A rather silly error true, but
the error code was somewhat less than helpful. Perhaps this might be
improved in the next version of the error list.
Charles
From: Fisher,
All,
There is a problem with tb_polgen. When it is parsing the kernel
cmdline, it uses the first 256 characters of the cmdline, and discards
the rest. Tboot itself, uses the first 1024 characters of the command
line received from grub2. This means that the hash generated by
tb_polgen will NOT m
All,
I am trying to use tboot on a DELL 64020 laptop, running FC16. This is a
Sandy Bridge machine, so it takes a v2 LCP.
I am taking an error during the SINIT processing that results in error
code 0xc00041d01, which is translated to
AC module error : acm_type=0x1, progress=0x10, error=0x
Jimmy,
I found it. The problem was that lcp_crtpol sets a default version of 0
in the policy structure. Apparently, you actually have to have a version
of 1, so the command lcp_crtpol -m mle_hash -v 1 -t hashonly -o lcp.pol
is what works.
Thanks for your help.
Charles
From: Wei, Gan
I am attempting to get tboot operating on a Dell Optiplex 960 (requires
the Q45_Q43_SINIT_51.BIN ACM), using FC16.
Following the instructions for creating the LCP and VL policies for a v1
LCP.
The only difference between the examples and what I wrote was to specify
a type of halt for the tb_po
Sure have. Works like a charm. First line of the grub file is the kernel
tboot.gz, second line is the module linux… with all of the options, third line
is the initrd and the fourth and subsequent lines are the SINIT and lcp data
(if required for version 2) . Requires a 2.6.20 or later kernel, un
The MLE Developers guide is on the Intel site. It is located at:
http://www.intel.com/content/www/us/en/software-developers/intel-txt-software-development-guide.html
The trick is to search for Measured Launch Environment (not MLE)
Developers Guide.
Hope this helps.
Charles
--
Hi,
I am attempting to get tboot running on a Dell 640 laptop - Sandy Bridge
chip set, so it requires a version 2 policy. My problem is that when I
attempt to follow the steps for generating the LCP listed in
lcptools2.txt, I get an error on the next to last step this is:
Lcp_crtpollist -ad
25 matches