On Wed, Jul 12, 2017 at 06:01:02PM -0700, Xiao Li wrote: > Hi, > > Wish everyone has a good day.
Hi Xiao, I hope this note finds you day and week going well. > I have been trying to use tpm2-tools and tboot to setup LCP policy > for my platform using TPM 2.0. I have successfully done it with > tboot provided nvdef and nvwrite with a TPM 1.2 chip on the same > host. However when it comes to TPM2.0 my setup never succeeds. Launch Control Policies on TXT/TPM2 are a bit of a problem. We have poured a ton of time into resolving functionality issues with only limited success. First of all it would be helpful to know what hardware platform you are using as different platforms have different issues associated with them. Depending on what the platform OEM has decided to do it may not even be possible to use TXT/TBOOT even if the processor and chipset technically support it. I'm assuming since you are using 0x204000A for the NVram attributes that this is a post-Broadwell platform? In addition what version of tboot are you using? I see that they have the 1.9.6 up on Sourceforge. If you are experimenting with TPM2 based systems you will want to be running that since earlier versions had no hope of working on TPM2 based hardware. > I have tried to use nvindex: > #0x01C10131 > #0x01C10106 > #0x01400001 > they all behaved a bit different from each other, but all seem like tboot > failed to load launch control policy: The NVram index locations which should be used are defined by the ACM module you are using, which is in turn defined by your hardware platform. After you get the most recent release of the tboot package run the 'acminfo' command on your ACM module and look for the following in the output: TPM info list: TPM capability: ext_policy: 0x3 tpm_family : 0x3 tpm_nv_index_set : 0x0 The 'tpm_nv_index_set' value specifies the NVram index locations which will be used. If it is 0x0 you will need to use the 'old' values, ie the 0x1400001 for the PO policy. We have not personally seen any hardware in the wild which is using the 'new' values. > My first attempt was using the following commands: > > tpm2_takeownership -o new -e new -l new > tpm2_nvdefine -x 0x01C10106 -a 0x40000001 -s 70 -t 0x204000A -P new > lcp2_mlehash --verbose --create --alg sha256 --cmdline > "logging=serial,memory,vga extpol=sha256" /boot/tboot.gz > mle_hash > lcp2_crtpolelt --verbose --create --type mle --alg sha256 --ctrl 0x00 > --minver 0 --out tbootmle.elt mle_hash > lcp2_crtpollist --verbose --create --out list_unsig.lst tbootmle.elt > lcp2_crtpol --verbose --create --type list --pol list.pol --alg sha256 > --data list.data list_unsig.lst > tpm2_nvwrite -x 0x01C10106 -a 0x40000001 -f list.pol -P new The lcp2_* tools will not create valid policies for TPM2 systems. At a minimum they are not encoding valid hash function selector attributes into the policy files. I believe that the python based tools in the lcp-gen2 directory are the only hope for getting valid policy files. Those are cumbersom so we are fiddling in our spare time trying to get the C based utilities to work properly. > Thanks in advance, > Xiao Li Hopefully the above information will get you started. If you report back to the list answer the questions above on what hardware you are using since that will be important in making further progress. Good luck wih your efforts and have a good remainder of the week. Greg As always, Dr. G.W. Wettstein, Ph.D. Enjellic Systems Development, LLC. 4206 N. 19th Ave. Specializing in information infra-structure Fargo, ND 58102 development. PH: 701-281-1686 FAX: 701-281-3949 EMAIL: g...@enjellic.com ------------------------------------------------------------------------------ "... remember that innovation is saying 'no' to 1000 things." -- Moxie Marlinspike ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel