On Dec 8, 10:22pm, <travis.gilb...@dell.com> wrote: } Subject: [tboot-devel] TPM 2.0 + TXT + EFI tboot
Good morning, I hope this note finds the end of the week going well for everyone.

> I am trying to perform a simple trusted boot on SLES 12 SP2 with TPM
> 2.0 and EFI mode. I can verify that TXT works using getsec64.efi and
> performing SENTER, setting the secrets flag, rebooting and doing
> SENTER then SEXIT. When I select the "tboot 1.9.4" entry in grub2, my
> server pauses for a bit after the loading initial RAM disk step and
> then reboots. I then get an SINIT error notification from BIOS that
> points to a log error (ERR_BAD_LOG_POINTER_PTR2_MATCH).
>
> I am working with a freshly provisioned TPM and a new install of
> SLES 12 SP2. I added the tboot and tpm2.0-tools packages to that
> install and modified grub2 to give me a tboot prompt (I think I added
> a file grub-tboot to /etc/default/ to accomplish this).
>
> Am I missing anything?

We've been working for almost 10 months, albeit intermittently, attempting to get a TPM2/TXT environment operational for our security platforms without complete success. I see that Brian Luckau from SGI commented downthread and it appears they are still struggling to get something working as well. So you folks at Dell are probably not missing anything as much as the fact that we are not convinced that anyone has worked out all of the issues with Trusted Boot on modern Intel hardware, i.e. TPM2-based systems.

If possible, could you provide some feedback on the hardware platform you are working on. I'm assuming it is a Dell box of some sort... :-)

I'm also assuming it is vPro compliant, with a hardware TPM2, and that you are able to successfully access the TPM2 hardware from a standard Linux boot and read NVram, dump PCRs, etc.?

For your reference purposes, I see that you are attempting an EFI-based boot; have you tried to demonstrate a successful measured launch environment (MLE) with legacy boot enabled?
We are currently able to demonstrate a successful, but minimal, MLE with legacy boot on our Broadwell NUC5i5MYBE development platforms. We are currently avoiding EFI due to complexity and firmware vagary issues.

I see that Ning Sun from Intel replied downthread as well and recommended that you restrict algorithm agility to SHA256 with the extpol=sha256 command-line directive to tboot. We have been using that for months in our minimal boot environment, but that doesn't get us past where we are currently blocked on more advanced MLE configurations.

Secondly, do you have a Platform Owner Launch Control Policy (PO/LCP) defined? You can check this by seeing whether or not the NVram index location 0x1400001 has been defined. I'm assuming your hardware/ACM environment is not so new that it would be using the newer 0x1c10106 index location. The tpm2-tools package should have a utility for dumping out NVram index locations.

We wrote our own TPM2 tooling from scratch based on Ken Goldman's TSS2 reference library, which comes out of IBM's TJ Watson labs and which is rock solid from a standards-conformance perspective. I can send you a Linux statically linked diagnostic binary if you have problems looking for the PO policy indexes. Provided, of course, that you have basic userspace control of the TPM2 chip in hand. I'm assuming your hardware is implementing a TIS/MSFT0101 ACPI interface? ACPI/CRB support seems to be a bit dodgy unless you are using custom-rolled Linux kernels.

Hopefully the above information is helpful in moving your work forward. We would be interested in any feedback you might have on our questions above.

Have a good day.

Greg

}-- End of excerpt from <travis.gilb...@dell.com>

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND 58102             development.
PH: 701-281-1686            FAX: 701-281-3949
EMAIL: g...@enjellic.com
------------------------------------------------------------------------------
"If you get to thinkin' you're a person of some influence, try orderin'
 somebody else's dog around."
                                -- Cowboy Wisdom
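The PO/LCP check Greg describes above (is NV index 0x1400001, or on newer ACMs 0x1c10106, defined?), worked as an added example that is not part of the thread or of the tboot project. It assumes the listing comes from tpm2-tools' `tpm2_nvreadpublic` (tpm2-tools 4.x and later; 3.x shipped the equivalent `tpm2_nvlist`), whose output is assumed to start each defined index on its own line as "0xHANDLE:", or from `tpm2_getcap handles-nv-index`, which prints "- 0xHANDLE". The embedded listing is constructed, not captured from real hardware; the helper names are mine.

```shell
#!/bin/sh
# Added diagnostic helper (not from the tboot-devel thread): report which
# TXT Platform Owner LCP NV index, if any, is defined on the TPM.
#   0x1400001  legacy PO/LCP index named in the thread
#   0x1c10106  newer PO/LCP index named in the thread
# Listing format assumed: tpm2_nvreadpublic ("0xHANDLE:" at line start) or
# tpm2_getcap handles-nv-index ("- 0xHANDLE").

PO_LCP_LEGACY_INDEX=0x1400001
PO_LCP_NEW_INDEX=0x1c10106

# normalize_handle HANDLE: lower-case, drop the 0x prefix and leading zeros,
# so 0x01400001 and 0x1400001 compare equal.
normalize_handle() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | sed -e 's/^0x//' -e 's/^0*//'
}

# list_nv_handles: read a listing on stdin, emit one normalized handle per
# line.  Only lines that consist of a handle (optionally "- " prefixed and
# ":" suffixed) count; "value: 0xB" style attribute lines are ignored.
list_nv_handles() {
    sed -n -e 's/^[- ]*\(0[xX][0-9a-fA-F]\{1,8\}\):\{0,1\}[[:space:]]*$/\1/p' |
    while read -r h; do normalize_handle "$h"; echo; done |
    sed -e '/^$/d'
}

# nv_index_defined INDEX < listing: exit 0 if INDEX appears in the listing.
nv_index_defined() {
    want=$(normalize_handle "$1")
    list_nv_handles | grep -qx "$want"
}

# po_lcp_status < listing: prints "legacy", "new" or "none".
po_lcp_status() {
    listing=$(cat)
    if printf '%s\n' "$listing" | nv_index_defined "$PO_LCP_LEGACY_INDEX"; then
        echo "legacy"
    elif printf '%s\n' "$listing" | nv_index_defined "$PO_LCP_NEW_INDEX"; then
        echo "new"
    else
        echo "none"
    fi
}

# Constructed sample (NOT captured from real hardware) imitating
# tpm2_nvreadpublic output for a TPM with the legacy PO index defined.
SAMPLE_LISTING='0x1400001:
  name: 000b0123
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ownerwrite|ownerread|policywrite|authread
    value: 0x4002C00A
  size: 54
0x1c00002:
  name: 000b4567
  size: 1200
'

if [ "${1:-}" = "--live" ]; then
    # On a real system, feed the tool's output instead of the sample.
    tpm2_nvreadpublic | po_lcp_status
else
    printf '%s' "$SAMPLE_LISTING" | po_lcp_status
fi
```

Run it with `--live` on the target box (as a user with access to /dev/tpmrm0 or /dev/tpm0) to query the real TPM; without arguments it runs against the constructed sample and prints `legacy`. A result of `none` means no PO policy is defined at either index, which is worth knowing before chasing SINIT error codes.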