Hi Jimmy,

thanks a lot for your suggestions!

As soon as the new tboot 1.8.1 showed up I tried it out (incl. creating new 
policies), no change in behavior :-(
Just removed the owner index (0x40000001) as you suggested, basically with the 
same results.

Regarding the BIOS, I fear it's the latest version I have (I also tried the 
BIOS built-in SINIT).
I'm currently discussing the same issue within Intel developer.

e.g. whether 4th_gen_i5_i7_SINIT_75.BIN is the correct SINIT
        - i.e. it seems not to be meant for server boards
        - basically tboot doesn't complain
        - the other way around, tboot states
                - "checking if module /4th_gen_i5_i7_SINIT_75.BIN is an SINIT for this platform..."
                - "SINIT matches platform"
                - "BIOS-provided SINIT is older: date=20130612"

I guess the error is raised by the SINIT?
If so, I think the key question is, what circumstance can force SINIT to raise 
this kind of error?
Could you imagine any other than a missing index?
I mean the error is about the index as such, not the content, but maybe I'm wrong 
with that assumption ...

Attached you find the policy data files (generated with tboot version 1.8.1) 
and the script how I set them up.

Thanks,
Dieter


-----Original Message-----
From: Wei, Gang [mailto:gang....@intel.com] 
Sent: Monday, May 26, 2014 04:06
To: dknueppel; Ross Philipson; tboot-devel@lists.sourceforge.net
Subject: RE: [tboot-devel] getting txt errorcode 0xc0001c41

Hi, Dieter,

Can you send out the lcp policy files (.pol & .data)? tboot 1.8.0 lcptools has 
a bug and is not able to create a working lcp policy.

You can try two ways to check whether this is related to the lcptools bug:
Way1: remove the owner index and reboot. Or
Way2: regenerate the policy with lcptools in 1.8.1, and try again.

One more alternative, you might try to ask for a bios update from the board 
vendor.

Thanks
Jimmy

-----Original Message-----
From: dknueppel [mailto:dknuep...@online.de]
Sent: Thursday, May 08, 2014 12:41 AM
To: Ross Philipson; dknueppel; tboot-devel@lists.sourceforge.net
Subject: Re: [tboot-devel] getting txt errorcode 0xc0001c41

Hi Ross,

I tried (removing the 4th_gen_i5_i7_SINIT_75.BIN ) using the SINIT within the 
BIOS.
Ending up with the same error condition.

I also checked for an updated version of SINIT, current one seems to be the 
latest one.
But good point! 
Actually I haven't found any SINIT for the Xeon E3 v3 (Haswell) on Intel web 
pages, just the given one.

I'm a bit puzzled, don't think I'm the only one using an S1200RPx board with 
tboot?!
Don't know, maybe I'm doing something wrong in between ...

Anyway, next thing I'll do is to follow your suggestion and analyze the SINIT 
binary.

Thanks,
Dieter



-----Original Message-----
From: Ross Philipson [mailto:ross.philip...@citrix.com]
Sent: Tuesday, May 6, 2014 16:33
To: dknueppel; tboot-devel@lists.sourceforge.net
Subject: RE: [tboot-devel] getting txt errorcode 0xc0001c41

> -----Original Message-----
> From: dknueppel [mailto:dknuep...@online.de]
> Sent: Monday, May 05, 2014 12:41 PM
> To: Ross Philipson; dknueppel; tboot-devel@lists.sourceforge.net
> Subject: AW: [tboot-devel] getting txt errorcode 0xc0001c41
> 
> Hi Ross,
> 
> Sorry for the delay, got an issue with my email server ...
> 
> thanks for your hint.
> Agree, basically I have the same indexes. Even one more ...
> 
>       # tpmnv_getcap
>       The response data is:
>       10 00 00 01 10 00 f0 00 50 00 00 03 50 00 00 01
> 
>       4 indices have been defined
>       list of indices for defined NV storage areas:
>       0x10000001 0x1000f000 0x50000003 0x50000001
> 
> Guess those are created already by the BIOS when enabling the TPM.

Those indexes look right. They were put there by the OEM per instructions given 
to them for TXT configuration.

> 
> Do you know further details on how to debug tboot in order to find the 
> missing (?) index?

The error is being set during the execution of the ACM. The best you could do 
there for debugging in my experience is static analysis of the code in the 
SINIT module.

Someone else suggested you were using an SINIT that would not work on a server 
platform. It was suggested you remove the module and use the one in firmware - 
did that lead anywhere? If not, is there a newer SINIT module for your server 
platform you could download and try?

> 
> Thanks a lot,
> Dieter
> 
> 
> -----Original Message-----
> From: Ross Philipson [mailto:ross.philip...@citrix.com]
> Sent: Monday, April 28, 2014 20:38
> To: dknueppel; tboot-devel@lists.sourceforge.net
> Subject: Re: [tboot-devel] getting txt errorcode 0xc0001c41
> 
> On 04/26/2014 02:09 AM, dknueppel wrote:
> > Hi,
> >
> > I'm getting txt error code 0xc0001c41 with rebooting the system afterwards.
> >
> > Mainboard   Intel S1200RPL
> > CPU                 XEON E3-1265L
> > TPM                 AXXTPME5
> > Boot                BIOS (i.e. no EFI, EFI boot shows identical behavior)
> > Distribution        Ubuntu 14.04 w/ tboot 1.8
> > SINIT               4th_gen_i5_i7_SINIT_75.BIN
> >
> > Attached below how the TPM is set up and the tboot dump.
> >
> > I don't have any clue why I'm still getting the error.
> > According to SINIT_Errors.pdf error indicates  "Invalid TPM NV index"
> 
> You may be missing some NV indexes that the OEM is supposed to put 
> there. For example on my Dell 6430 where I am using the TXT/TPM I have:
> 
> # tpmnv_getcap
> The response data is:
> 10 00 00 01 50 00 00 01 50 00 00 03
> 
> 3 indices have been defined
> list of indices for defined NV storage areas:
> 0x10000001 0x50000001 0x50000003
> 
> The second two need to be there - they are LCP related indexes
> (0x50000001 is LCP supplier and 0x50000003 is AUX2 IIRC). These are 
> supposed to be created by the OEM then locked in NV RAM to prevent 
> removal.
> 
> >
> > Help pretty much appreciated.
> >
> > Thanks,
> > Dieter
> >
> >
> > + tpm_takeownership -z
> > Enter owner password:
> > Confirm password:
> > + tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p password
> > Tspi_NV_DefineSpace failed failed: NVRAM area already exists (0x08313b)
> >
> > Command DefIndex failed:
> >          TSS API failed
> > + tpmnv_defindex -i owner -s 0x36 -p password
> > Haven't input permission value, use default value 0x2
> >
> > Successfully defined index 0x40000001 as permission 0x2, data size is 54
> > + tpmnv_defindex -i 0x20000001 -s 512 -pv 0x02 -p password
> >
> > Successfully defined index 0x20000001 as permission 0x2, data size is 512
> > + rm -r tmp
> > + mkdir tmp
> > + cd tmp
> > + lcp_mlehash -c logging=serial,vga,memory /boot/tboot.gz
> > + lcp_crtpolelt --create --type mle --ctrl 0x00 --minver 0 --out tboot_mle.elt tboot_hash
> > + lcp_crtpollist --create --out list_unsig.lst tboot_mle.elt
> > + lcp_crtpol2 --create --type list --ctrl 0x02 --pol owner_list.pol --data owner_list.data list_unsig.lst
> > + lcp_writepol -i owner -f owner_list.pol -p password
> >
> > Successfully write policy into index 0x40000001
> > + cp owner_list.data /boot
> > + tb_polgen --create --type nonfatal tcb.pol
> > + tb_polgen --add --num 0 --pcr 18 --hash image --cmdline 'root=/dev/mapper/test--node--vg-root ro   intel_iommu=on' --image /boot/vmlinuz-3.13.0-24-generic tcb.pol
> > + tb_polgen --add --num 1 --pcr 19 --hash image --cmdline '' --image /boot/initrd.img-3.13.0-24-generic tcb.pol
> > + lcp_writepol -i 0x20000001 -f tcb.pol -p password
> >
> > Successfully write policy into index 0x20000001
> >
> >
> >
> >
> > TBOOT: ******************* TBOOT *******************
> > TBOOT:    2014-01-30 12:00 +0800 1.8.0
> > TBOOT: *********************************************
> > TBOOT: command line: logging=serial,vga,memory
> > TBOOT: BSP is cpu 0
> > TBOOT: original e820 map:
> > TBOOT:  0000000000000000 - 000000000009bc00  (1)
> > TBOOT:  000000000009bc00 - 00000000000a0000  (2)
> > TBOOT:  00000000000e0000 - 0000000000100000  (2)
> > TBOOT:  0000000000100000 - 00000000bbdc7000  (1)
> > TBOOT:  00000000bbdc7000 - 00000000be782000  (2)
> > TBOOT:  00000000be782000 - 00000000be788000  (4)
> > TBOOT:  00000000be788000 - 00000000be8be000  (2)
> > TBOOT:  00000000be8be000 - 00000000be8c2000  (4)
> > TBOOT:  00000000be8c2000 - 00000000be8e3000  (2)
> > TBOOT:  00000000be8e3000 - 00000000be8e4000  (4)
> > TBOOT:  00000000be8e4000 - 00000000be905000  (2)
> > TBOOT:  00000000be905000 - 00000000be915000  (4)
> > TBOOT:  00000000be915000 - 00000000be925000  (2)
> > TBOOT:  00000000be925000 - 00000000beb2f000  (4)
> > TBOOT:  00000000beb2f000 - 00000000bebf0000  (3)
> > TBOOT:  00000000bebf0000 - 00000000bec00000  (1)
> > TBOOT:  00000000bec00000 - 00000000c0000000  (2)
> > TBOOT:  00000000f8000000 - 00000000fc000000  (2)
> > TBOOT:  00000000fec00000 - 00000000fec01000  (2)
> > TBOOT:  00000000fed19000 - 00000000fed1a000  (2)
> > TBOOT:  00000000fed1c000 - 00000000fed20000  (2)
> > TBOOT:  00000000fee00000 - 00000000fee01000  (2)
> > TBOOT:  00000000ff400000 - 0000000100000000  (2)
> > TBOOT:  0000000100000000 - 0000000440000000  (1)
> > TBOOT: TPM: TPM Family 0x3
> > TBOOT: TPM is ready
> > TBOOT: TPM nv_locked: TRUE
> > TBOOT: TPM timeout values: A: 750, B: 750, C: 750, D: 750
> > TBOOT: Wrong timeout B, fallback to 2000
> > TBOOT: Wrong timeout C, fallback to 75000
> > TBOOT: reading Verified Launch Policy from TPM NV...
> > TBOOT:  :512 bytes read
> > TBOOT: policy:
> > TBOOT:   version: 2
> > TBOOT:   policy_type: TB_POLTYPE_CONT_NON_FATAL
> > TBOOT:   hash_alg: TB_HALG_SHA1
> > TBOOT:   policy_control: 00000001 (EXTEND_PCR17)
> > TBOOT:   num_entries: 2
> > TBOOT:   policy entry[0]:
> > TBOOT:           mod_num: 0
> > TBOOT:           pcr: 18
> > TBOOT:           hash_type: TB_HTYPE_IMAGE
> > TBOOT:           num_hashes: 1
> > TBOOT:           hashes[0]: d4 63 4c 11 a3 0f a3 ee a1 dc 4d 34 98 f8 99 f6 46 51 ca da
> > TBOOT:   policy entry[1]:
> > TBOOT:           mod_num: 1
> > TBOOT:           pcr: 19
> > TBOOT:           hash_type: TB_HTYPE_IMAGE
> > TBOOT:           num_hashes: 1
> > TBOOT:           hashes[0]: 00 ee 09 19 c8 57 c2 12 ce 23 0a 20 02 b8 10 8f 74 18 0f 60
> > TBOOT: IA32_FEATURE_CONTROL_MSR: 0000ff07
> > TBOOT: CPU is SMX-capable
> > TBOOT: CPU is VMX-capable
> > TBOOT: SMX is enabled
> > TBOOT: TXT chipset and all needed capabilities present
> > TBOOT: TXT.ERRORCODE: 0xc0001c41
> > TBOOT: AC module error : acm_type=0x1, progress=0x04, error=0x7
> > TBOOT: TXT.ESTS: 0x0
> > TBOOT: TXT.E2STS: 0xc
> > TBOOT: IA32_FEATURE_CONTROL_MSR: 0000ff07
> > TBOOT: CPU is SMX-capable
> > TBOOT: CPU is VMX-capable
> > TBOOT: SMX is enabled
> > TBOOT: TXT chipset and all needed capabilities present
> > TBOOT: TXT.HEAP.BASE: 0xbef20000
> > TBOOT: TXT.HEAP.SIZE: 0xe0000 (917504)
> > TBOOT: bios_data (@0xbef20008, 0x56):
> > TBOOT:   version: 4
> > TBOOT:   bios_sinit_size: 0xce40 (52800)
> > TBOOT:   lcp_pd_base: 0x0
> > TBOOT:   lcp_pd_size: 0x0 (0)
> > TBOOT:   num_logical_procs: 8
> > TBOOT:   flags: 0x00000000
> > TBOOT:   ext_data_elts[]:
> > TBOOT:           BIOS_SPEC_VER:
> > TBOOT:               major: 0x2
> > TBOOT:               minor: 0x1
> > TBOOT:               rev: 0x0
> > TBOOT:           ACM:
> > TBOOT:               num_acms: 1
> > TBOOT:               acm_addrs[0]: 0xfff7d000
> > TBOOT: CR0 and EFLAGS OK
> > TBOOT: supports preserving machine check errors
> > TBOOT: CPU is ready for SENTER
> > TBOOT: checking previous errors on the last boot.
> >          last boot has error.
> > TBOOT: checking if module /4th_gen_i5_i7_SINIT_75.BIN is an SINIT for this platform...
> > TBOOT: chipset production fused: 1
> > TBOOT: chipset ids: vendor: 0x8086, device: 0xb002, revision: 0x1
> > TBOOT: processor family/model/stepping: 0x306c3
> > TBOOT: platform id: 0x4000000000000
> > TBOOT:   1 ACM chipset id entries:
> > TBOOT:       vendor: 0x8086, device: 0xb002, flags: 0x1, revision: 0x1, extended: 0x0
> > TBOOT:   3 ACM processor id entries:
> > TBOOT:       fms: 0x306c0, fms_mask: 0xfff3ff0, platform_id: 0x0, platform_mask: 0x0
> > TBOOT: SINIT matches platform
> > TBOOT: TXT.SINIT.BASE: 0xbef00000
> > TBOOT: TXT.SINIT.SIZE: 0x20000 (131072)
> > TBOOT: BIOS has already loaded an SINIT module
> > TBOOT:   1 ACM chipset id entries:
> > TBOOT:       vendor: 0x8086, device: 0xb002, flags: 0x1, revision: 0x1, extended: 0x0
> > TBOOT:   3 ACM processor id entries:
> > TBOOT:       fms: 0x306c0, fms_mask: 0xfff3ff0, platform_id: 0x0, platform_mask: 0x0
> > TBOOT: BIOS-provided SINIT is older: date=20130612
> > TBOOT: copied SINIT (size=ce40) to 0xbef00000
> > TBOOT: AC mod base alignment OK
> > TBOOT: AC mod size OK
> > TBOOT: AC module header dump for SINIT:
> > TBOOT:   type: 0x2 (ACM_TYPE_CHIPSET)
> > TBOOT:   subtype: 0x0
> > TBOOT:   length: 0xa1 (161)
> > TBOOT:   version: 0
> > TBOOT:   chipset_id: 0xb002
> > TBOOT:   flags: 0x0
> > TBOOT:           pre_production: 0
> > TBOOT:           debug_signed: 0
> > TBOOT:   vendor: 0x8086
> > TBOOT:   date: 0x20130712
> > TBOOT:   size*4: 0xce40 (52800)
> > TBOOT:   code_control: 0x0
> > TBOOT:   entry point: 0x00000008:000062dc
> > TBOOT:   scratch_size: 0x8f (143)
> > TBOOT:   info_table:
> > TBOOT:           uuid: {0x7fc03aaa, 0x46a7, 0x18db, 0xac2e,
> >                  {0x69, 0x8f, 0x8d, 0x41, 0x7f, 0x5a}}
> > TBOOT:               ACM_UUID_V3
> > TBOOT:           chipset_acm_type: 0x1 (SINIT)
> > TBOOT:           version: 4
> > TBOOT:           length: 0x2c (44)
> > TBOOT:           chipset_id_list: 0x4ec
> > TBOOT:           os_sinit_data_ver: 0x6
> > TBOOT:           min_mle_hdr_ver: 0x00020000
> > TBOOT:           capabilities: 0x0000002e
> > TBOOT:               rlp_wake_getsec: 0
> > TBOOT:               rlp_wake_monitor: 1
> > TBOOT:               ecx_pgtbl: 1
> > TBOOT:               stm: 1
> > TBOOT:               pcr_map_no_legacy: 0
> > TBOOT:               pcr_map_da: 1
> > TBOOT:               platform_type: 0
> > TBOOT:               max_phy_addr: 0
> > TBOOT:           acm_ver: 75
> > TBOOT:   chipset list:
> > TBOOT:           count: 1
> > TBOOT:           entry 0:
> > TBOOT:               flags: 0x1
> > TBOOT:               vendor_id: 0x8086
> > TBOOT:               device_id: 0xb002
> > TBOOT:               revision_id: 0x1
> > TBOOT:               extended_id: 0x0
> > TBOOT:   processor list:
> > TBOOT:           count: 3
> > TBOOT:           entry 0:
> > TBOOT:               fms: 0x306c0
> > TBOOT:               fms_mask: 0xfff3ff0
> > TBOOT:               platform_id: 0x0
> > TBOOT:               platform_mask: 0x0
> > TBOOT:           entry 1:
> > TBOOT:               fms: 0x40660
> > TBOOT:               fms_mask: 0xfff3ff0
> > TBOOT:               platform_id: 0x0
> > TBOOT:               platform_mask: 0x0
> > TBOOT:           entry 2:
> > TBOOT:               fms: 0x40650
> > TBOOT:               fms_mask: 0xfff3ff0
> > TBOOT:               platform_id: 0x0
> > TBOOT:               platform_mask: 0x0
> > TBOOT: file addresses:
> > TBOOT:   &_start=0x804000
> > TBOOT:   &_end=0xac6460
> > TBOOT:   &_mle_start=0x804000
> > TBOOT:   &_mle_end=0x834000
> > TBOOT:   &_post_launch_entry=0x804010
> > TBOOT:   &_txt_wakeup=0x8041f0
> > TBOOT:   &g_mle_hdr=0x81b5a0
> > TBOOT: MLE header:
> > TBOOT:   uuid={0x9082ac5a, 0x476f, 0x74a7, 0x5c0f,
> >                  {0x55, 0xa2, 0xcb, 0x51, 0xb6, 0x42}}
> > TBOOT:   length=34
> > TBOOT:   version=00020001
> > TBOOT:   entry_point=00000010
> > TBOOT:   first_valid_page=00000000
> > TBOOT:   mle_start_off=4000
> > TBOOT:   mle_end_off=34000
> > TBOOT:   capabilities: 0x00000027
> > TBOOT:       rlp_wake_getsec: 1
> > TBOOT:       rlp_wake_monitor: 1
> > TBOOT:       ecx_pgtbl: 1
> > TBOOT:       stm: 0
> > TBOOT:       pcr_map_no_legacy: 0
> > TBOOT:       pcr_map_da: 1
> > TBOOT:       platform_type: 0
> > TBOOT:       max_phy_addr: 0
> > TBOOT: MLE start=804000, end=834000, size=30000
> > TBOOT: ptab_size=3000, ptab_base=0x801000
> > TBOOT: TXT.HEAP.BASE: 0xbef20000
> > TBOOT: TXT.HEAP.SIZE: 0xe0000 (917504)
> > TBOOT: bios_data (@0xbef20008, 0x56):
> > TBOOT:   version: 4
> > TBOOT:   bios_sinit_size: 0xce40 (52800)
> > TBOOT:   lcp_pd_base: 0x0
> > TBOOT:   lcp_pd_size: 0x0 (0)
> > TBOOT:   num_logical_procs: 8
> > TBOOT:   flags: 0x00000000
> > TBOOT:   ext_data_elts[]:
> > TBOOT:           BIOS_SPEC_VER:
> > TBOOT:               major: 0x2
> > TBOOT:               minor: 0x1
> > TBOOT:               rev: 0x0
> > TBOOT:           ACM:
> > TBOOT:               num_acms: 1
> > TBOOT:               acm_addrs[0]: 0xfff7d000
> > TBOOT: discarding RAM above reserved regions: 0xbebf0000 - 0xbec00000
> > TBOOT: min_lo_ram: 0x0, max_lo_ram: 0xbbdc7000
> > TBOOT: min_hi_ram: 0x100000000, max_hi_ram: 0x440000000
> > TBOOT: no LCP module found
> > TBOOT: os_sinit_data (@0xbef3517e, 0x7c):
> > TBOOT:   version: 6
> > TBOOT:   flags: 0
> > TBOOT:   mle_ptab: 0x801000
> > TBOOT:   mle_size: 0x30000 (196608)
> > TBOOT:   mle_hdr_base: 0x175a0
> > TBOOT:   vtd_pmr_lo_base: 0x0
> > TBOOT:   vtd_pmr_lo_size: 0xbbc00000
> > TBOOT:   vtd_pmr_hi_base: 0x100000000
> > TBOOT:   vtd_pmr_hi_size: 0x340000000
> > TBOOT:   lcp_po_base: 0x0
> > TBOOT:   lcp_po_size: 0x0 (0)
> > TBOOT:   capabilities: 0x00000002
> > TBOOT:       rlp_wake_getsec: 0
> > TBOOT:       rlp_wake_monitor: 1
> > TBOOT:       ecx_pgtbl: 0
> > TBOOT:       stm: 0
> > TBOOT:       pcr_map_no_legacy: 0
> > TBOOT:       pcr_map_da: 0
> > TBOOT:       platform_type: 0
> > TBOOT:       max_phy_addr: 0
> > TBOOT:   efi_rsdt_ptr: 0x0
> > TBOOT:   ext_data_elts[]:
> > TBOOT:           EVENT_LOG_POINTER:
> > TBOOT:                 size: 16
> > TBOOT:            elog_addr: 0xbef30176
> > TBOOT:                   Event Log Container:
> > TBOOT:                       Signature: TXT Event Container
> > TBOOT:                    ContainerVer: 1.0
> > TBOOT:                     PCREventVer: 1.0
> > TBOOT:                            Size: 20480
> > TBOOT:                    EventsOffset: [48,48)
> > TBOOT: setting MTRRs for acmod: base=0xbef00000, size=0xce40, num_pages=13
> > TBOOT: executing GETSEC[SENTER]...
> >
> >
> >
> >
> > _______________________________________________
> > tboot-devel mailing list
> > tboot-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/tboot-devel
> >
> 
> 
> --
> Ross Philipson




Attachment: lcp.tgz
Description: Binary data
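
The two checks discussed in this thread, as an added example that is not part of the original messages or of tboot: it parses `tpmnv_getcap` output into NV indices, reports which of the two LCP indexes named above (0x50000001, 0x50000003) are absent, and splits a TXT.ERRORCODE into the fields tboot prints. The bit positions are an assumption modelled on tboot's ACM error layout; they reproduce the `acm_type=0x1, progress=0x04, error=0x7` line in the log. Sample inputs are copied from the thread except `GETCAP_MISSING`, which is constructed.

```python
import re

# LCP-related indexes named in the thread (labels as given there).
REQUIRED_LCP = {0x50000001: "LCP supplier", 0x50000003: "AUX2"}
QUOTE = re.compile(r"^(?:>\s?)+")  # mail quote markers such as "> > "

def unquote(text):
    """Strip quote markers so excerpts pasted from a mail thread parse."""
    return [QUOTE.sub("", ln).strip() for ln in text.splitlines()]

def parse_getcap(text):
    """Return the NV indices encoded in tpmnv_getcap's response data."""
    data, grab = [], False
    for ln in unquote(text):
        if ln.startswith("The response data is"):
            grab = True
        elif grab and re.fullmatch(r"(?:[0-9a-fA-F]{2}\s*)+", ln):
            data += [int(b, 16) for b in ln.split()]
        elif grab and ln:
            break  # first non-hex, non-blank line ends the dump
    if not data or len(data) % 4:
        raise ValueError("response data is not a list of 32-bit indices")
    return [int.from_bytes(bytes(data[i:i + 4]), "big")
            for i in range(0, len(data), 4)]

def missing_lcp_indices(text):
    """Indexes from REQUIRED_LCP that the TPM does not report."""
    have = set(parse_getcap(text))
    return sorted(i for i in REQUIRED_LCP if i not in have)

def decode_acm_error(raw):
    """Split TXT.ERRORCODE into fields (bit positions are an assumption
    modelled on tboot's ACM error layout; they match the log in the thread)."""
    return {"valid": (raw >> 31) & 1, "external": (raw >> 30) & 1,
            "src": (raw >> 15) & 1,            # 0 = ACM
            "error": (raw >> 10) & 0x1F, "progress": (raw >> 4) & 0x3F,
            "acm_type": raw & 0xF}             # 1 = SINIT

def errorcode_from_log(text):
    """First TXT.ERRORCODE value in a (possibly quoted) tboot log."""
    for ln in unquote(text):
        m = re.search(r"TXT\.ERRORCODE:\s*(0x[0-9a-fA-F]+)", ln)
        if m:
            return int(m.group(1), 16)
    return None

# Copied from the thread (quote markers left in on purpose).
GETCAP_THREAD = """> # tpmnv_getcap
> The response data is:
> 10 00 00 01 10 00 f0 00 50 00 00 03 50 00 00 01
>
> 4 indices have been defined"""
# Constructed: the same kind of output with index 0x50000003 absent.
GETCAP_MISSING = "The response data is:\n10 00 00 01 50 00 00 01\n"
LOG_THREAD = "> > TBOOT: TXT.ERRORCODE: 0xc0001c41\n"

if __name__ == "__main__":
    print([hex(i) for i in parse_getcap(GETCAP_THREAD)])
    print([hex(i) for i in missing_lcp_indices(GETCAP_MISSING)])
    print(decode_acm_error(errorcode_from_log(LOG_THREAD)))
```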
