> -----Original Message----- > From: Sant Y [mailto:satish.va...@gmail.com] > Sent: Monday, July 30, 2018 07:41 > To: Gilbert, Travis > Cc: tboot-devel@lists.sourceforge.net > Subject: Re: [tboot-devel] Fwd: TXT/TPM 2.0 and tboot Launch control > policy > > On Sat, Jul 21, 2018 at 6:54 PM, Sant Y <satish.va...@gmail.com> wrote: > > On Fri, Jul 20, 2018 at 6:06 PM, <travis.gilb...@dell.com> wrote: > >> > >> >From: Sant Y [mailto:satish.va...@gmail.com] > >> >Sent: Friday, July 20, 2018 05:03 > >> >To: tboot-devel@lists.sourceforge.net > >> >Subject: [tboot-devel] Fwd: TXT/TPM 2.0 and tboot Launch control > >> >policy > >> > > >> >Hello tboot devs! > >> > > >> >I wish to revive this old discussion, on generating LCP for TPM2. > There were at least 2 threads I found in this list, however none of them > seem to have anything conclusive. > >> > > >> >A tboot with the default policies are working, however, for a policy > with MLE it fails. > >> > > >> >For writing to the NV index I use the tpm2-tss tools. > >> >As for tboot, I use the current sources from the development > branch, > >> >compiled and installed. I follow the steps mostly like in this > >> >discussion : > >> >https://sourceforge.net/p/tboot/mailman/message/35942299/ > >> > >> Please post the exact commands you're using. > >> > > > > # Done once > > nv_index="0x1400001" > > tpm2_takeownership -o new -e new -l new tpm2_nvdefine -x > $nv_index -a > > 0x40000001 -s 70 -t 0x204000A -P new > > > > # Policy creation > > lcp2_mlehash --verbose --create --alg sha256 --cmdline > > "logging=serial,memory,vga extpol=sha256" /boot/tboot.gz >mle_hash > > lcp2_crtpolelt --verbose --create --type mle --alg sha256 --ctrl 0x00 > > --minver 0 --out tbootmle.elt mle_hash lcp2_crtpollist --verbose > > --create --out list_unsig.lst tbootmle.elt # The sign command "--out" > > option is a bit confusing, as it expects a policy list file here, > > which must be more like --in file. > > # and should output the signed file as a newly created file. > > lcp2_crtpollist --sign --sigalg rsa --pub pubkey.pem --priv > > privkey.pem --out list_unsig.lst lcp2_crtpol --verbose --create --type > > list --pol list.pol --alg sha256 --data list.data --sign 0x8 > > list_unsig.lst > > > > tpm2_nvwrite -x $nv_index -a 0x40000001 -P new list.pol cp -f > > list.data /boot grub2-mkconfig -o /boot/grub2/grub.cfg > > > > With both policy and data supplied, the show output now looks like > > this. Note that I had attempted both signed and unsigned policy > > before, the tboot behaved the same (read failed) # lcp2_crtpol --show > > list.pol list.data policy file: list.pol > > version: 0x300 > > hash_alg: sha256 > > policy_type: list > > sinit_min_version: 0x0 > > data_revocation_counters: 0, 0, 0, 0, 0, 0, 0, 0, > > policy_control: 0x0 > > max_sinit_min_ver: 0x0 > > max_biosac_min_ver: 0x0 > > lcp_hash_alg_mask: 0x8 > > lcp_sign_alg_mask: 0x8 > > aux_hash_alg_mask: 0x8 > > policy_hash: 56 d3 f7 95 14 3d 3b 6b 3a 63 f7 43 70 b1 f8 c5 85 > > 6a 97 34 ad 96 b8 a1 ef b5 86 67 7a f4 ac 19 > > > > policy data file: list.data > > file_signature: Intel(R) TXT LCP_POLICY_DATA > > num_lists: 1 > > list 0: > > version: 0x200 > > sig_alg: rsa > > policy_elements_size: 0x32 (50) > > policy_element[0]: > > size: 0x32 (50) > > type: 'mle' (16) > > policy_elt_control: 0x00000000 > > data: > > sinit_min_version: 0x0 > > hash_alg: sha256 > > num_hashes: 1 > > hashes[0]: f8 c0 05 ec 6c 32 53 48 54 52 47 25 3a 0d > > c6 4a 03 32 3c 13 > > 0e c1 86 ca 33 3b c1 f6 9d 48 04 b3 > > signature: > > revocation_counter: 0x0 (0) > > pubkey_size: 0x100 (256) > > pubkey_value: > > 37 72 de dd ca 4e cd f8 65 14 ab 21 2d b1 2b 36 8f e5 4a d1 > > b7 e7 89 76 ab a2 75 c4 ce 32 29 f6 5e a6 47 33 02 0b 2f 73 > > d0 12 34 3a ff c3 7f 65 f4 16 27 c1 cb 64 9a 4d 4b d9 10 5e > > 18 1a 23 09 18 44 b0 08 6d 97 96 cd 41 2e 13 e9 7f 32 4a 0a > > 54 73 79 9a 85 d1 15 73 5f 0f 9e 97 3f 37 41 0d 1b 36 16 8c > > b2 e4 e1 7c 67 c8 61 39 5b d9 5d b7 b3 f2 6b 42 3a 9b 7c 8c > > 52 01 57 d2 4c 6a 9d db c0 48 29 8b 5f 62 9d c5 88 4e 54 40 > > 88 26 cc 9b 51 57 7f 7a 86 ae 3b d7 cc 1f 4f a5 b5 aa 12 70 > > 09 d8 f0 0a 5e 35 e8 d9 5f 81 5e b2 b6 2e 90 a7 81 ca 73 81 > > 47 67 2f ce c2 2b d1 a9 4e d6 6e 05 d9 17 41 8a 92 d6 a6 5e > > 99 50 82 14 92 f1 ef c6 c7 02 2f bc eb bb 3f 75 ce 5d 76 5a > > 09 52 c6 73 ce 98 24 48 1f f0 9b 8e aa 54 2c 96 9e 98 6d bb > > ad e0 a5 ed 7e 84 12 b8 41 c8 77 3b 48 62 f1 d2 > > sig_block: > > b2 a2 0b b8 69 9e 55 d1 b7 48 bd e0 2d 98 f9 f3 06 05 74 70 > > 7e 29 49 de 9c 99 7c b1 64 4b 94 81 90 0e 32 5e 9c 20 13 d6 > > 1b 7f b9 3d 55 70 39 f0 f4 5a 66 24 c4 4b f3 ed e2 7d 17 49 > > 35 8e 93 f6 e9 09 c1 98 91 37 88 3c b8 d3 80 8c b5 ce 06 3e > > 4e 91 6a e0 a9 d7 fc 0e 6f 93 bc e1 2e af 68 82 9b 11 79 3d > > 08 f4 fe 75 ce 2c 2e 71 5d 85 d3 e7 3b d3 ca c6 20 8e 07 61 > > b8 53 e8 43 1a d2 e1 b7 d6 92 09 f0 27 fb 77 f7 05 60 84 5a > > c9 91 a8 c1 1d 86 16 e2 b0 43 3f f5 64 2c 30 1a 91 02 03 40 > > 73 49 b9 83 2f 22 36 b5 33 b2 3a 43 35 69 dc 08 f6 78 05 ba > > c2 b2 d7 a9 56 34 7b b0 58 2c 16 9c 0d ce 3f e1 cb 21 95 6c > > 31 d7 71 54 fe b3 f8 5d c0 7d 50 36 7d 28 16 55 11 61 ec db > > f0 d2 db 9c 77 ed f2 93 8a 58 d9 66 88 9f 62 c7 2f b3 78 10 > > db e0 de a9 93 54 a7 e1 48 af b5 e7 97 ed 40 b5 > > signature verifies > > 56 d3 f7 95 14 3d 3b 6b 3a 63 f7 43 70 b1 f8 c5 85 6a 97 34 ad 96 b8 > > a1 ef b5 86 67 7a f4 ac 19 > > > > policy data hash matches policy hash > > > > > >> Are you in a UEFI environment? > > No. > > > >> > >> You'll have to do something like the following: > >> #echo GRUB_TBOOT_POLICY_DATA="list.data" > /etc/default/grub- > tboot > >> > >> In order to have grub actually verify the LCP. You also need to modify > your grub-mkconfig file for the GRUB_CMDLINE_TBOOT option to add > "extpol=sha256". Then you have to run "grub2-mkconfig -o > /boot/grub2/grub.cfg" to re-generate your grub.cfg file with the > changes. > >> > >> My relevant line is the following: > >> # Command line for tboot itself > >> : ${GRUB_CMDLINE_TBOOT='logging=serial,memory extpol=sha256'} > >> > > > > Already have necessary grub configuration. > > > >> The vga/video logging option didn't work for me, but is sometimes in > the default options. The grub-mkconfig that I have will strip that option > out of a UEFI boot if it's there. > >> > >> >The current lcp2_crtpol requires the signing algorithm, for which I > >> >supply 0x8 (RSA 2048, SHA256). I get the following for listing the > >> >created policy file > >> > > >> ># lcp2_crtpol --show list.pol > >> >policy file: list.pol > >> > version: 0x300 > >> > hash_alg: sha256 > >> > policy_type: list > >> > sinit_min_version: 0x0 > >> > data_revocation_counters: 0, 0, 0, 0, 0, 0, 0, 0, > >> > policy_control: 0x0 > >> > max_sinit_min_ver: 0x0 > >> > max_biosac_min_ver: 0x0 > >> > lcp_hash_alg_mask: 0x8 > >> > lcp_sign_alg_mask: 0x8 > >> > aux_hash_alg_mask: 0x8 > >> > policy_hash: ff 0d 04 10 6d 45 3e e0 98 01 44 b3 65 f2 51 7e 1b > >> >41 1c 50 2c e3 9e d9 64 c4 8b 22 ff 66 fd c0 > >> > > >> >However, the parse of policy data file itself fails as seen below > >> > > >> ># lcp2_crtpol --show list.data > >> >Error: invalid policy version: 0x6e49 > >> > > >> >policy data file: list.data > >> > file_signature: Intel(R) TXT LCP_POLICY_DATA > >> > num_lists: 1 > >> > list 0: > >> > version: 0x200 > >> > sig_alg: unknown (16) > >> > policy_elements_size: 0x32 (50) > >> > policy_element[0]: > >> > size: 0x32 (50) > >> > type: 'mle' (16) > >> > policy_elt_control: 0x00000000 > >> > data: > >> > sinit_min_version: 0x0 > >> > hash_alg: sha256 > >> > num_hashes: 1 > >> > hashes[0]: f8 c0 05 ec 6c 32 53 48 54 52 47 25 3a > >> >0d c6 4a 03 32 3c 13 0e c1 86 ca 33 3b c1 f6 9d 48 04 b3 I also did > >> >the signing with a 2048 bit RSA key, however the lcp2_crtpol always > shows an invalid policy version. > >> > >> I've never used the --show option, but it appears it has user- > unfriendly output. You can pass a policy and policy data or just policy > data. If you pass just policy data, it can't distinguish between the two and > tries to process it as a policy first. This fails and gives your error. It > then > processes the file as policy data because processing it as a policy failed. > So your "invalid policy version" is a red herring. Try passing your policy > file > and your data file and see what the output is. > >> > >> If you can post at least the data file or both data and policy files, that > will help us troubleshoot. The main reason is the sig_alg output. The fact > that it's unknown type isn't surprising (see below about changes > needed), but that it's printed as decimal 16. That corresponds to > TPM_ALG_NULL (0x0010). This makes me suspect that you followed the > steps in the other thread exactly. That was an example of an unsigned > policy. This is the reason we need you to post the full list of commands > you're running to generate everything. > > > > Yes, I had tried both signed and unsigned policies. The results were > > the same. In txt-stat it complains about "read failed" and later > > "write TPM error: 0x18b" and "no policy in TPM NV". > > The current lcp data and policy are in attachment. > > I have the full txt-stat output here : https://pastebin.com/daVzY6VF > > > >> > >> Either way I wouldn't necessarily trust the --show option since I didn't > touch that code when I updated the lcptools-v2 code and it looks like > that whole code flow needs updating based on the LCPv3 changes. > >> > >> >The txt-stat results in this : > >> > > >> >TBOOT: timeout values: A: 750, B: 2000, C: 75000, D: 750 > >> >TBOOT: SGX:verify_IA32_se_svn_status is called > >> >TBOOT: SGX is not enabled, cpuid.ebx: 0x21cbfbb > >> >TBOOT: reading Verified Launch Policy from TPM NV... > >> >TBOOT: :70 bytes read > >> >TBOOT: :reading failed > >> >TBOOT: reading Launch Control Policy from TPM NV... > >> >TBOOT: :70 bytes read > >> >TBOOT: in unwrap_lcp_policy > >> >TBOOT: v2 LCP policy data found > >> >TBOOT: :reading failed > >> >TBOOT: failed to read policy from TPM NV, using default > >> >TBOOT: TPM: write NV 01200002, offset 00000000, 00000004 bytes, > >> >return value = 0000018B > >> >TBOOT: Error: write TPM error: 0x18b. > >> >The ':reading failed' is coming from tboot/common/policy.c where it > does a verify_policy() and it fails. So the problem is indeed with the > policy creation. I cannot troubleshoot it further, as the verify_policy() > logs itself are not available from txt-stat. > >> > > >> >Finally, I also tried the lcp-gen2 python tool to generate the policy > files. However, it's a bit confusing to use, the file pickup dialogs doesn't > work and there is no option to specify commandline for MLE hash etc. > >> > > >> >Can someone please help with the topic? I'm okay to experiment if > anyone has patches to deal with this. > >> > Some details on my TPM 2.0 is pasted here : > >> >https://pastebin.com/FEdf3ZTQ > >> > > >> >Regards, > >> >Sant > >> > > > Could someone help with this? If anyone has patches, I'll be happy to > experiment with.
Have you verified that the NV index is written as you expect? I have only used 0x01c10106. I wrote a parser to look at LCPs and LCP data and your files look fine. You'll have to put some debug prints in txt-stat or look at the code for what's going wrong. I used the tools with my patches that were merged and was able to get good results. I'll run the same scripts again with the current code and see what happens. I vaguely recall something wonky with the messages from txt-stat. I'll see if I can dig up my notes. I may have a patch I could generate with my own txt-stat debug messages. I know I did patch it just to figure out what was going on. ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel
