On Dec 8, 5:04pm, Brian E Luckau wrote: } Subject: Re: [tboot-devel] TPM 2.0 + TXT + EFI tboot
Hi Brian, good morning to the list as well.

> On 12/08/2016 05:00 PM, Sun, Ning wrote:
> >
> > In grub.cfg, find the line "multiboot2 /boot/tboot.gz logging=serial,memory", add extpol=sha256 at end of the line.
>
> Is that likely to also help an issue I am having where it reboots after getsec[SENTER] every time I have EFI enabled? We are on a BIOS that has the AC Init module built into the BIOS.

As I indicated in my response to Travis, that may help, but it is currently not addressing similar issues we are seeing in more advanced measured launch configurations on TPM2/TXT systems.

I'm assuming, based on your comment above, that you are able to demonstrate a basic MLE with legacy boot enabled? We have that rock solid on our development platforms. As I noted in my previous e-mail, EFI is its own can of worms.

We are currently blocked, in our development efforts, with trying to get a successful MLE boot with any type of Platform Owner Launch Control Policy (PO/LCP) defined. Hence my question to Travis, and to you, as to whether or not you have PO NVRAM index locations defined on your development machines. If not, I suspect you have an EFI-related problem which is probably going to require involvement from whoever is doing the BIOS/firmware for these systems.

The LCPv2 tool in the tboot package (lcp2_crtpol), according to our read of the Intel TXT Software Development Manual, is not capable of generating valid Launch Control Policies for TPM2-based systems. The tools do have command-line options which make it look like they can take algorithm agility into account, but the generated policy appears to be invalid. We have patched the tools to generate what we believe is a valid PO ANY policy, but we are still seeing immediate resets after GETSEC[SENTER] invocation of the ACM when any type of policy is loaded into the PO NVRAM index. After the system reset the TXT.ERRCODE hardware register is zeroed out, so there is no indication as to what the ACM is running into.

Again, with legacy boot, we are able to get a successful launch with only the Platform Supplier (PS) index present. That index should be provisioned by the Intel EFI-based TXT provisioning utilities, which I assume both you and Travis used to provision the TPM2 hardware on your development systems.

We need to implement PCONF, or on TPM2-based systems PCONF2, based launch control policies, but we currently cannot get systems to boot when the most basic ANY policy is loaded.

Just as an aside, the PCONF-based policies on TPM 1.2-based systems are based on the simple model of an extension measurement over a set of PCR registers. The PCONF2-based policy depends on the generation and inclusion of a tpms_quote (PCR quotation) value out of the TPM2 for a given set of registers. I'm not sure that this even exists outside of a description in the documentation; we would be really interested in knowing if anyone has even attempted to get this working.

On that note: the e-mail address which this is coming from is my 20+ year INTERNET address, which is from the company which owns the company that I do TPM/TXT/SGX hardware security engineering for. I'm pretty confident that I could get that company to spring for a conference call to get engineers from companies who are interested in getting these TPM2/TBOOT issues resolved together, to coordinate getting a handle on some of these issues. As it stands now I think we have a lot of frustrated people working on an inherently undebuggable platform. This is limiting everyone's productivity with respect to creating whatever security systems are the ultimate objects of this work on basic infrastructure.

Anyone interested can reply to me privately if they want to take it off list. Put tboot somewhere in the subject so my mail filters will pick it out. I get 10,000+ e-mails a week to this account... :-)

Have a good weekend.

Greg

As always,
Dr. G.W. Wettstein, Ph.D.       Enjellic Systems Development, LLC.
4206 N. 19th Ave.               Specializing in information infra-structure
Fargo, ND  58102                development.
PH: 701-281-1686
FAX: 701-281-3949
EMAIL: g...@enjellic.com

------------------------------------------------------------------------------
"OK, f***ing mess with us. We're taking our fibre-channel switch and we're going home."
-- SAN administrator
   Resurrection