Hi All!

After reading a lot of documentation [*], I think I figured out the answers
to some of the questions. I would like to confirm if what I think is
correct.

TBOOT sets up an environment and executes GETSEC[SENTER], which hands
control over to the SINIT ACM. The SINIT ACM will measure the MLE and
execute the policy engine, which validates the LCPs. The ACM will extend
the MLE hash to PCR17 among other things. After that, the ACM will hand
control back to TBOOT, which will execute the post_launch mechanism. There,
it will look for VLCPs, first in a special NV Index (0x01200001 or
0x01c10131), or as a LCP_CUSTOM_ELEMENT in the policy data file, and then
validate them.

For remote attestation, you would want to get PCR17 and PCR18, maybe PCR0
to make sure that BIOS is still the same? What I find unclear is how one
should handle updates, BIOS, Kernel and TBOOT. It seems like the best way
is to have a replicated setup for testing the updates and do all the
measurements there.

---------------------------

The problem with the NV Indices that I had (index 0x1400001 was being
deleted on every reboot) was a BIOS issue. I contacted the platform
supplier and asked for a BIOS update.

The way to check which set of indices is used by your ACM is by checking
the *tpm_nv_index_set* under the TPM capabilities in the loaded SINIT ACM
(tables A-8 and A-9 from the Intel TXT guide, in Appendix A). The NVRAM
indices and attributes can be found in Table J-2 (Appendix J TPM NV).
For example, it says that the LCP PO index is 0x1400001 or 0x1c10106
(depending on the tpm_nv_index_set).

I have more questions, but I will try to write another email for them, as
they are not related to this problem.

Thank you all for your time :)

Best Regards,
Marco

[*]:
Intel TXT Software Development Guide: http://www.intel.com/content/www/us/en/software-developers/intel-txt-software-development-guide.html
TPM 2.0 Spec: https://trustedcomputinggroup.org/tpm-library-specification/
A practical guide to TPM 2.0: http://www.apress.com/us/book/9781430265832
Intel Trusted Execution for Server Platforms: http://www.apress.com/us/book/9781430261483
TPM 2.0 registry of reserved handles: https://trustedcomputinggroup.org/registry-reserved-tpm-2-0-handles-localities/

On Thu, May 4, 2017 at 7:19 PM, Marco Vanotti <mvano...@google.com> wrote:

> Hi All!
>
> I hope you are having a wonderful day today :). I am trying to get tboot
> to work on my machine. My computer has a TPM 2.0 and I am trying to
> understand some of the available features.
>
> The Intel TXT Software Development Guide defines Launch Control Policies.
> Given that I have TPM 2.0, I believe I should use version 3.0 or 3.1, there
> seem to be some utilities to write these files in the lcp-gen2 folder.
>
> Looking at the source code, I found that there's also TBOOT Control
> Policies, which seem to be referred to as Verified Launch Control Policies.
> What is the difference between them? When should I use each of them? Are
> they also executed by the ACM? If not, when?
>
> It seems that VLCPs don't support policy data files, is that so?
>
> Regarding LCPs, where should I define them in NVRAM? I've tried using
> 0x1400001, but that index gets deleted every time I reboot the system,
> regardless of using TXT. I'm defining the space with attr 0xF00F, and size
> 102 bytes, which is the size of the lcp_policy_2 struct. There's another
> index to use that doesn't get deleted: 0x01c10106, but I am not sure how to
> tell TXT to use it.
>
> My original goal was to install a policy with POLTYPE_ANY, just to test,
> but I can't see anything related to it in txt-stat, should it be logged
> somehow?
>
> Any help with these issues would be really appreciated :)
>
> Best Regards,
> Marco
>
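
Added example (not part of the original message and not tboot code): a verifier-side sketch of the idea above of taking measurements on a replicated test setup, so that a host reporting PCR0, PCR17 and PCR18 is accepted if it matches either the current baseline or a staged update baseline. It assumes the reported PCR values come from a TPM quote whose signature and nonce were already verified; the measurement blobs, baseline names and zero starting value are constructed placeholders.

```python
import hashlib
import hmac

ZERO_PCR = bytes(32)  # assumed starting value of each PCR in this sketch


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation for a SHA-256 bank: new = H(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def build_baseline(measured: dict) -> dict:
    """Replay blobs recorded on the test machine into expected PCR values."""
    baseline = {}
    for index, blobs in measured.items():
        pcr = ZERO_PCR
        for blob in blobs:
            pcr = extend(pcr, hashlib.sha256(blob).digest())
        baseline[index] = pcr
    return baseline


def check_report(reported: dict, baselines: dict):
    """Return (name of matching baseline or None, {name: mismatching PCRs})."""
    diffs = {}
    for name, golden in baselines.items():
        bad = sorted(i for i, want in golden.items()
                     if not hmac.compare_digest(reported.get(i, b""), want))
        if not bad:
            return name, {}
        diffs[name] = bad
    return None, diffs


# Constructed placeholder measurements, not real TXT event data.
CURRENT = {0: [b"bios-A"], 17: [b"acm-events", b"mle:tboot-A"], 18: [b"pcr18-A"]}
STAGED = {**CURRENT, 17: [b"acm-events", b"mle:tboot-B"]}  # TBOOT update under test
BASELINES = {"current": build_baseline(CURRENT), "staged": build_baseline(STAGED)}

if __name__ == "__main__":
    updated_host = build_baseline(STAGED)
    unknown_bios = build_baseline({**CURRENT, 0: [b"bios-X"]})
    print(check_report(updated_host, BASELINES))
    print(check_report(unknown_bios, BASELINES))
```

The per-baseline list of mismatching PCRs shows which measurement chain moved, for example only PCR17 after a TBOOT update or PCR0 after a BIOS change.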