You are right, the verified launch policy is tboot specific; that is why it is 
not documented in the TXT MLE DG. Sorry for the poor documentation of the VL policy, I 
would like to list it as a near-future enhancement for tboot.

The PS policy is always there for any TPM that can be used on a shipped TXT-capable 
system. Users don't need to define it.

To fully take advantage of TXT/tboot for local verification, the PO (LCP policy) 
and VLP (tboot VL policy) indices should be defined and provisioned with correct 
contents. But even if PO and VLP are not defined, TXT/tboot can still work 
properly to get the current boot environment measured and the measurements recorded 
in TPM PCRs. We can take advantage of local attestation such as seal/unseal or 
remote attestation such as quote-based attestation (e.g. OpenAttestation, OAT).

Thanks
Jimmy
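The reply above makes the point that even without a PO or VL policy, a TXT launch still records measurements in PCRs, and a seal/unseal operation bound to those PCRs can then tell a changed boot environment apart from the expected one. The following is an added illustration, not code from the thread or from tboot: a stand-alone Python simulation of TPM 1.2 style PCR extend, a measured launch, and a seal/unseal bound to a PCR composite. It talks to no real TPM; the PCR numbers, the SRK stand-in secret and the keystream construction are constructed assumptions for the example, not tboot's actual PCR map or the TPM's real sealing format.

```python
import hashlib
from typing import Dict, Iterable, Optional, Tuple

# Constructed simulation (assumption): no real TPM is involved. PCR indices and the
# storage-key stand-in below are illustrative, not tboot's real PCR assignment.
PCR_RESET = bytes(20)  # a TXT launch resets the dynamic PCRs to all zeros (20-byte SHA-1)
SRK_SECRET = b"constructed-srk-stand-in-not-a-real-key"  # stands in for the TPM's storage key

SealedBlob = Tuple[bytes, bytes, Tuple[int, ...]]  # (expected composite, ciphertext, PCR selection)


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM 1.2 extend: new_pcr = SHA-1(old_pcr || SHA-1(data))."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()


def measured_launch(mle: bytes, kernel: bytes, initrd: bytes) -> Dict[int, bytes]:
    """Simulate the measurements a launch records: the MLE (tboot) into one PCR,
    the kernel and initrd into another. The 17/18 mapping is an assumption for
    illustration only."""
    pcrs = {17: PCR_RESET, 18: PCR_RESET}
    pcrs[17] = pcr_extend(pcrs[17], mle)
    pcrs[18] = pcr_extend(pcrs[18], kernel)
    pcrs[18] = pcr_extend(pcrs[18], initrd)
    return pcrs


def pcr_composite(pcrs: Dict[int, bytes], selection: Iterable[int]) -> bytes:
    """Digest over the selected PCR values in index order (a simplified
    stand-in for a TPM composite hash)."""
    h = hashlib.sha1()
    for idx in sorted(selection):
        h.update(idx.to_bytes(2, "big") + pcrs[idx])
    return h.digest()


def _keystream(composite: bytes, length: int) -> bytes:
    """Derive a keystream from the storage secret and the PCR composite, so the
    secret can only be recovered when the same composite is presented."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(SRK_SECRET + composite + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, pcrs: Dict[int, bytes], selection: Iterable[int]) -> SealedBlob:
    """Bind a secret to the current values of the selected PCRs."""
    sel = tuple(sorted(selection))
    composite = pcr_composite(pcrs, sel)
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(composite, len(secret))))
    return composite, ciphertext, sel


def unseal(blob: SealedBlob, pcrs: Dict[int, bytes]) -> Optional[bytes]:
    """Release the secret only if the current PCRs reproduce the sealed composite;
    a TPM refuses the unseal otherwise, modelled here by returning None."""
    composite, ciphertext, sel = blob
    if pcr_composite(pcrs, sel) != composite:
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(composite, len(ciphertext))))


def verify_against_vl_policy(kernel: bytes, allowed_sha1_hashes: Iterable[bytes]) -> bool:
    """Simplified picture of what a VL policy adds: the launched image's hash must
    match one of the hashes provisioned in the policy (assumption: a plain allowlist)."""
    return hashlib.sha1(kernel).digest() in set(allowed_sha1_hashes)


if __name__ == "__main__":
    good = measured_launch(b"tboot-mle", b"vmlinuz-known-good", b"initrd-known-good")
    blob = seal(b"disk-encryption-key", good, [17, 18])
    print("expected environment unseals:", unseal(blob, good))
    altered = measured_launch(b"tboot-mle", b"vmlinuz-modified", b"initrd-known-good")
    print("altered kernel unseals:", unseal(blob, altered))
```

Without a VL policy the altered kernel still launches and is measured, which is the behaviour the reply describes; the sealed secret simply stays locked because PCR 18 no longer reproduces the composite, so a full-disk key or similar sealed value is never released to the unexpected environment. With a VL policy provisioned, tboot additionally compares the image hashes against the policy before handing over control, which `verify_against_vl_policy` sketches in its simplest form.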

From: Ahmed, Safayet (GE Global Research) [mailto:safayet.ah...@ge.com]
Sent: Tuesday, July 15, 2014 11:25 PM
To: tboot-devel@lists.sourceforge.net
Subject: [tboot-devel] Verified Launch Policies

From what I understood from the documentation in tboot, policy_v2.txt, you 
need three indexes defined in the TPM NVRAM:

1) The Platform Supplier (PS) policy in 0x50000001
2) The Platform Owner (PO) policy in 0x40000001
3) The verified launch policy in 0x20000001

The PS policy and PO policy formats are well documented in "Intel Trusted 
Execution Technology, Software Development Guide". However, I did not see a 
mention of the "verified launch policy" anywhere. It was not mentioned in the 
book, "Intel Trusted Execution Technology for Server Platforms", for example.

I understand that it can be generated with the tool tb_polgen and I have looked 
at the man pages, but I was wondering if there is more detailed documentation 
on the verified launch policy.

Is the verified launch policy something tboot specific?

Can I set up a TXT-enabled system with a Platform Owner policy and without a 
verified launch policy?

Thank you,

Safayet Ahmed,
Computer Engineer
GE Global Research
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel