> > According to the latest spec > (https://www.intel.com/content/www/us/en/software-developers/intel-txt-software-development-guide.html) > from Intel (and at least since version 013 from August 2016), you have to > use 0x01C10106 for LCP Platform Owner. See Appendix J, the statement > beginning with "TXT ACMs will support only 0x1C1_xxxx index set." > > You should be able to provision that index with tpm2_tools' tpm2_nvdefine > command.
That was indeed a problem. After changing the index it works. Thank you Travis! I still get the 'reading failed' errors in Tboot logs. But from my tests, the MLE works fine, and the boot halts if there are changes detected. So I wouldn't bother about the error messages now. Also, are the "tb_polgen" generated policies still valid? I was attempting a verified launch (mostly following the guidelines here : https://wiki.gentoo.org/wiki/Trusted_Boot#Setting_the_Launch_Control_Policy and using lcp2_* tools instead of lcp). The VLP doesn't seem to have any effect. tb_polgen "--show" can't be used with new policy files, hence the question. Is there a way to generate VLP with lcp2_* tools ? ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel
