On Wed, Jul 12, 2017 at 06:01:02PM -0700, Xiao Li wrote:
> Hi,
>
> Wish everyone has a good day.
Hi Xiao, I hope this note finds you day and week going well.
> I have been trying to use tpm2-tools and tboot to setup LCP policy
> for my platform using TPM 2.0. I have successfully done it with
> tboot provided nvdef and nvwrite with a TPM 1.2 chip on the same
> host. However when it comes to TPM2.0 my setup never succeeds.
Launch Control Policies on TXT/TPM2 are a bit of a problem. We have
poured a ton of time into resolving functionality issues with only
limited success.
First of all it would be helpful to know what hardware platform you
are using as different platforms have different issues associated with
them. Depending on what the platform OEM has decided to do it may not
even be possible to use TXT/TBOOT even if the processor and chipset
technically support it.
I'm assuming since you are using 0x204000A for the NVram attributes
that this is a post-Broadwell platform?
In addition what version of tboot are you using? I see that they have
the 1.9.6 up on Sourceforge. If you are experimenting with TPM2 based
systems you will want to be running that since earlier versions had no
hope of working on TPM2 based hardware.
> I have tried to use nvindex:
> #0x01C10131
> #0x01C10106
> #0x01400001
> they all behaved a bit different from each other, but all seem like tboot
> failed to load launch control policy:
The NVram index locations which should be used are defined by the ACM
module you are using, which is in turn defined by your hardware
platform.
After you get the most recent release of the tboot package run the
'acminfo' command on your ACM module and look for the following in the
output:
TPM info list:
TPM capability:
ext_policy: 0x3
tpm_family : 0x3
tpm_nv_index_set : 0x0
The 'tpm_nv_index_set' value specifies the NVram index locations which
will be used. If it is 0x0 you will need to use the 'old' values, ie
the 0x1400001 for the PO policy.
We have not personally seen any hardware in the wild which is using
the 'new' values.
> My first attempt was using the following commands:
>
> tpm2_takeownership -o new -e new -l new
> tpm2_nvdefine -x 0x01C10106 -a 0x40000001 -s 70 -t 0x204000A -P new
> lcp2_mlehash --verbose --create --alg sha256 --cmdline
> "logging=serial,memory,vga extpol=sha256" /boot/tboot.gz > mle_hash
> lcp2_crtpolelt --verbose --create --type mle --alg sha256 --ctrl 0x00
> --minver 0 --out tbootmle.elt mle_hash
> lcp2_crtpollist --verbose --create --out list_unsig.lst tbootmle.elt
> lcp2_crtpol --verbose --create --type list --pol list.pol --alg sha256
> --data list.data list_unsig.lst
> tpm2_nvwrite -x 0x01C10106 -a 0x40000001 -f list.pol -P new
The lcp2_* tools will not create valid policies for TPM2 systems. At
a minimum they are not encoding valid hash function selector
attributes into the policy files.
I believe that the python based tools in the lcp-gen2 directory are
the only hope for getting valid policy files. Those are cumbersom so
we are fiddling in our spare time trying to get the C based utilities
to work properly.
> Thanks in advance,
> Xiao Li
Hopefully the above information will get you started.
If you report back to the list answer the questions above on what
hardware you are using since that will be important in making further
progress.
Good luck wih your efforts and have a good remainder of the week.
Greg
As always,
Dr. G.W. Wettstein, Ph.D. Enjellic Systems Development, LLC.
4206 N. 19th Ave. Specializing in information infra-structure
Fargo, ND 58102 development.
PH: 701-281-1686
FAX: 701-281-3949 EMAIL: g...@enjellic.com
------------------------------------------------------------------------------
"... remember that innovation is saying 'no' to 1000 things."
-- Moxie Marlinspike
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
