> I created the VL policy with type "nonfatal" first. With pcr_map=da, PCR-18 > was the same with different kernels/modules, as expected. > (btw it would be nice if a policy violation was visible in some PCR, even > with "nonfatal")
PCR 17 and possibly 19 (depending on your PCR settings for VLP) will depend on your actual kernel and initrd. > Then I changed the VL policy to "halt", and now PCR-18 is different from > before - but I have not even touched NVRAM, so the authorities measurement in > PCR-18 should be the same, am I right? Did you maybe use PCR 18 in your VLP? Check the --pcr option of your tb_polgen command line. Otherwise I don't know. You could check your tboot log for the detailed PCR logs, and try to find out the difference. Martin > > Jan > > > > On 09 May 2016, at 11:01, martin.wi...@ts.fujitsu.com wrote: > > > > Hi Jan, > > > >> So I want to use a signed policy, and use multiple policy data files for > >> lifecycle management (e.g. when I need to upgrade to MLE but want to be > >> able to "rollback" to a previous version if needed). > >> Using a signed policy means I don't have to touch the NVRAM (which might > >> break something, making rollback impossible). > >> > >> Sounds right? > > > > Yes. > > > >>> There are two ways to install the VLP - either in NVRAM (in which case > >>> you're right) or by simply adding it to the LCP as a "custom" element. > >>> If you do the latter, and use signed LCP, you don't need to update the > >>> NVRAM after a kernel update. You would just update the VLP element > >>> integrated in the LCP, and sign the updated LCP. > >> > >> Is it simply something like: > >> > >> lcp_crtpolelt --create --type custom --uuid tboot --out vlp.elt vlp.dat > >> and then add it vlp.elt to lcp_crtpollist when creating the LCP? > > > > Assuming that you created vlp.dat with tb_polgen before, yes. > > > > Regards > > Martin > > > ------------------------------------------------------------------------------ Find and fix application performance issues faster with Applications Manager Applications Manager provides deep performance insights into multiple tiers of your business applications. It resolves application problems quickly and reduces your MTTR. Get your free trial! https://ad.doubleclick.net/ddm/clk/302982198;130105516;z _______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel
