Hi tboot devs,

I am trying to get tboot to work with TPM2.0 on an Intel NUC5i5MYHE on Ubuntu 16.04. I am able to boot with tboot using the default policy. However, when I try to define my own policy, it fails to read the policy from the NV and uses the default policy. I have looked up the different posts on this list, but couldn't figure out the process exactly. I would appreciate any help to understand tboot and get it working. My end goal is to replicate a policy for TPM2.0 similar to the one suggested in https://wiki.gentoo.org/wiki/Trusted_Boot
These are the commands I used:

  tpm2_takeownership -o new -e new -l new
  tpm2_nvdefine -x 0x1400001 -a 0x40000001 -s 70 -t 0x004000A -P new
    (attribute of 0x204000A gave error 'Invalid PO Attr')
  lcp2_mlehash --create --alg sha256 --cmdline "logging=serial,memory extpol=sha256" /boot/tboot.gz > tboot_hash
  lcp2_crtpolelt --create --type mle --alg sha256 --ctrl 0x00 --minver 0 --out tbootmle.elt tboot_hash
  lcp2_crtpollist --create --out list_unsig.lst tbootmle.elt
  cp list_unsig.lst list_sig.lst
  openssl genrsa -out privkey.pem 2048
  openssl rsa -pubout -in privkey.pem -out pubkey.pem
  lcp2_crtpollist --sign 0x8 --sigalg rsa --pub pubkey.pem --priv privkey.pem --out list_sig.lst
  lcp2_crtpol --create --type list --pol list.pol --alg sha256 --sign 0x8 --data list.data list_sig.lst
  sudo cp list.data /boot
  tpm2_nvwrite -x 0x1400001 -a 0x40000001 -P new -f list.pol

My grub settings are:

  insmod multiboot2
  insmod part_gpt
  insmod ext2
  set root='hd0,gpt2'
  if [ x$feature_platform_search_hint = xy ]; then
    search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 57da2c3c-2c6d-49e1-ac1a-e36155bbe884
  else
    search --no-floppy --fs-uuid --set=root 57da2c3c-2c6d-49e1-ac1a-e36155bbe884
  fi
  echo 'Loading tboot 1.9.8 ...'
  multiboot2 /boot/tboot.gz logging=serial,memory extpol=sha256
  echo 'Loading Linux 4.15.0-39-generic ...'
  module2 /boot/vmlinuz-4.15.0-39-generic root=UUID=57da2c3c-2c6d-49e1-ac1a-e36155bbe884 ro quiet intel_iommu=tboot_noforce noefi
  echo 'Loading initial ramdisk ...'
  module2 /boot/initrd.img-4.15.0-39-generic
  echo 'Loading sinit 5th_gen_i5_i7_SINIT_79.BIN ...'
  module2 /boot/5th_gen_i5_i7_SINIT_79.BIN
  module2 /boot/list.data

(sudo update-grub doesn't add the list.data, so I added it manually - not sure if this is the expected way. Also I had to use tboot_noforce for the iommu setting since setting it to 'on' caused the system to behave very slowly and inconsistently.)
The txt-stat logs indicate the following:

  TBOOT: reading Verified Launch Policy from TPM NV...
  TBOOT: TPM: fail to get public data of 0x01200001 in TPM NV
  TBOOT: :reading failed
  TBOOT: reading Launch Control Policy from TPM NV...
  TBOOT: rayees:01400001
  TBOOT: :70 bytes read
  TBOOT: in unwrap_lcp_policy
  TBOOT: rayees: in LCP_POLICY_DATA_FILE_SIGNATURE match
  TBOOT: rayees: poldata->num_lists: 1
  TBOOT: rayees: [0] pollist->version: 00000200
  TBOOT: rayees: in LCP_TPM20_POLICY_LIST_VERSION
  TBOOT: :reading failed
  TBOOT: failed to read policy from TPM NV, using default

(Entire logs are here: https://pastebin.com/R0SCz0Uc)

By looking at the code, it expects to read the verified launch policy from 0x1200001 and then, from the location 0x1400001, it expects to read only a custom element. If it is anything other than a custom element, the read fails and it uses the default policy. I tried the address 0x1C10106, which was also mentioned in some posts - but that didn't work either. If I build a modified version of tboot and then copy it to the boot directory and use the same policy, the boot fails. This would indicate that my policy is being used.
Policy files are attached; output from the show option is below:

  $ lcp2_crtpol --show list.pol list.data
  policy file: list.pol
    version: 0x300
    hash_alg: sha256
    policy_type: list
    sinit_min_version: 0x0
    data_revocation_counters: 0, 0, 0, 0, 0, 0, 0, 0,
    policy_control: 0x0
    max_sinit_min_ver: 0x0
    max_biosac_min_ver: 0x0
    lcp_hash_alg_mask: 0x8
    lcp_sign_alg_mask: 0x8
    aux_hash_alg_mask: 0x8
    policy_hash: 01 44 2e f1 27 b3 4e a0 7b 86 8c e2 65 0c 9b 41 1a 0d bf aa 9c d0 22 87 48 36 3e 3a db ea 4a 9d
  policy data file: list.data
    file_signature: Intel(R) TXT LCP_POLICY_DATA
    num_lists: 1
    list 0:
      version: 0x200
      sig_alg: rsa
      policy_elements_size: 0x32 (50)
      policy_element[0]:
        size: 0x32 (50)
        type: 'mle' (16)
        policy_elt_control: 0x00000000
        data:
          sinit_min_version: 0x0
          hash_alg: sha256
          num_hashes: 1
          hashes[0]: ef 8f 4e 0c d7 fe f6 56 18 11 55 4f 14 7b 8f 82 5a 6c 07 f8 e7 68 fd 71 aa c8 09 be af 7b 7f 1f
      signature:
        revocation_counter: 0x0 (0)
        pubkey_size: 0x100 (256)
        pubkey_value: 8f ff 60 c6 0e a6 61 6a b1 4d cc c1 96 4f 6e 01 9a 1d 45 3d 56 60 9a af fb e4 11 f5 88 ad 51 12 6b c1 e5 26 32 3c 86 3a 5c 22 87 27 61 b1 22 0a d8 b6 ba 11 ae 79 5e af 37 b6 a1 dc 22 14 30 27 17 f0 a6 1e a9 24 b6 90 49 5d 1e f1 82 fe d2 2f 7a b2 93 8a 17 47 17 fb 4f 6f d0 19 bf 61 48 e4 a5 69 8f 9c 50 a9 73 77 13 77 25 86 fe d7 b1 64 a9 59 97 b3 88 a1 d2 60 22 08 ce 49 95 52 44 ed 93 94 13 13 7b 9d 3c 37 71 51 b0 26 6f 68 b1 59 e6 71 0b fe 4d c4 04 e5 1f e5 19 b7 9b 09 ec 26 ba c7 61 03 48 9d 96 ee 5b 49 e3 ba 5c 90 3b bc 92 c3 7c d8 e6 a2 d0 2d 73 9e 30 c7 8a e3 bb e7 42 2b cd 75 c8 81 64 06 08 c3 16 2e 4e e6 d9 86 cb 06 5a 72 c0 01 2a be 39 91 19 1a 71 be 30 14 51 31 67 bf 93 c7 62 28 18 98 2c d8 6f 56 f2 49 9d 95 f3 6c b5 2d bb 76 93 09 ec 30 a4 25 ff a9
        sig_block: e0 c9 97 30 6e ed 37 62 62 ab 9a 53 a0 e8 5b af 1a 89 5f 65 2a 43 7d 05 bf 5c 79 9c 37 3e 02 bf b5 ff 4f 36 2d e2 cc 7b e1 dc 5a 65 1a 24 9a 5d f8 25 b4 61 af 68 e2 97 09 a7 86 ee d9 f0 7e 86 1f 9b 41 4f f6 52 34 c9 34 da 6d a2 e7 05 96 50 74 42 6b 1e b3 2a b7 b1 d4 5a 5c 52 99 06 f9 4d 77 87 23 c3 00 a5 6a 58 cd be 2f 8d 33 c8 3c d7 09 eb 36 0d 7e e5 8b b5 26 f2 3e 09 48 b0 c3 21 b7 9f 8b 33 d1 fd ba 7d 0f 1c 2a b5 5d db de 2f b6 6f fe a3 e2 4c 36 39 b8 30 9f 09 bb 8a 1c 7b dd 72 1f 00 1d 45 39 65 80 66 e3 b7 b4 bb b7 57 10 8c 48 7e c8 0a 63 38 9a 32 ef 6f 15 f2 70 b1 f6 f3 80 1f 74 c9 a9 e6 68 e9 37 9f 83 b1 03 14 5e 4b 33 df 4f 19 0d 37 45 83 d9 f7 85 72 d7 2f d2 63 b8 a6 6e 07 f1 4e 3f 4f c0 89 43 c3 8d 38 ed 15 13 3f 90 38 59 44 a2 e3 f8 09 9a 30 14 20
        signature verifies
  01 44 2e f1 27 b3 4e a0 7b 86 8c e2 65 0c 9b 41 1a 0d bf aa 9c d0 22 87 48 36 3e 3a db ea 4a 9d
  policy data hash matches policy hash

I would appreciate help from the tboot devs to understand tboot better and get it to work with LCP and VLP on TPM 2.0.

Also, I haven't been able to get the serial debug output with the NUC after attaching the cable: https://www.microsatacables.com/serial-db9-to-2-0mm-10-pin-header-cable-672 If someone has any experience working with the Intel NUC and was able to get serial output, I would appreciate the help.

Thanks a lot
Rayees Shamsuddin
Attachments: list.pol, list.data
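For readers following the txt-stat log above, here is a small walker, added here and not tboot's own code, that parses a policy-data blob (the list.data layout that lcp2_crtpol --show prints) and fails at the same points tboot logs: file signature, num_lists, per-list version, element sizes, and the trailing RSA signature block. The struct layouts and the TPM_ALG_* values are assumptions from my reading of tboot's lcp3.h, and the sample blob is constructed from the MLE hash in the show output.

```python
# Walk an Intel TXT LCP policy-data blob, applying the checks the txt-stat log
# shows tboot making in unwrap_lcp_policy. Added example, not tboot code; the
# struct layouts below are assumptions from my reading of tboot's lcp3.h.
import struct

FILE_SIGNATURE = b"Intel(R) TXT LCP_POLICY_DATA\0\0\0\0"  # 32 bytes (assumed)
LCP_TPM20_POLICY_LIST_VERSION = 0x0200   # the 00000200 in the txt-stat log
LCP_POLELT_TYPE_MLE2 = 0x10              # 'mle' (16) in the show output
TPM_ALG_NULL, TPM_ALG_RSASSA, TPM_ALG_SHA256 = 0x0010, 0x0014, 0x000B

def parse_mle2(data):
    # lcp_mle_element_t2: sinit_min_ver(1) reserved(1) hash_alg(2) num_hashes(2) hashes[]
    minver, _, alg, n = struct.unpack_from("<BBHH", data, 0)
    hlen = 32 if alg == TPM_ALG_SHA256 else 20
    return {"sinit_min_version": minver, "hash_alg": alg,
            "hashes": [data[6 + i * hlen:6 + (i + 1) * hlen].hex() for i in range(n)]}

def parse_policy_data(blob):
    # Returns the parsed lists; raises ValueError where tboot prints ':reading failed'.
    if len(blob) < 36 or blob[:32] != FILE_SIGNATURE:
        raise ValueError("LCP_POLICY_DATA_FILE_SIGNATURE mismatch")
    num_lists, off, lists = blob[35], 36, []     # 3 reserved bytes, then the count
    for i in range(num_lists):
        version, sig_alg, elts_size = struct.unpack_from("<HHI", blob, off)
        if version != LCP_TPM20_POLICY_LIST_VERSION:
            raise ValueError(f"list {i}: version {version:#06x} is not a TPM 2.0 list")
        off += 8
        end, elements, sig = off + elts_size, [], None
        while off < end:                      # lcp_policy_element_t: size, type, control
            size, etype, ctrl = struct.unpack_from("<III", blob, off)
            if size < 12 or off + size > end:
                raise ValueError(f"list {i}: bad element size {size}")
            elt = {"type": etype, "control": ctrl, "size": size}
            if etype == LCP_POLELT_TYPE_MLE2:
                elt.update(parse_mle2(blob[off + 12:off + size]))
            elements.append(elt)
            off += size
        if sig_alg == TPM_ALG_RSASSA:         # lcp_rsa_signature_t follows the elements
            rev, klen = struct.unpack_from("<HH", blob, off)
            sig = {"revocation_counter": rev, "pubkey_size": klen}
            off += 4 + 2 * klen               # pubkey_value then sig_block, klen bytes each
        lists.append({"version": version, "sig_alg": sig_alg,
                      "elements": elements, "signature": sig})
    return lists

# Constructed sample: one unsigned TPM 2.0 list carrying the MLE hash from the show output
MLE_HASH = bytes.fromhex("ef8f4e0cd7fef6561811554f147b8f825a6c07f8e768fd71aac809beaf7b7f1f")
ELT = struct.pack("<IIIBBHH", 50, LCP_POLELT_TYPE_MLE2, 0, 0, 0, TPM_ALG_SHA256, 1) + MLE_HASH
LIST = struct.pack("<HHI", LCP_TPM20_POLICY_LIST_VERSION, TPM_ALG_NULL, len(ELT)) + ELT
SAMPLE = FILE_SIGNATURE + b"\0\0\0" + bytes([1]) + LIST
```

Running parse_policy_data over a real list.data, and over the bytes read back from the NV index, shows where the two diverge from each other and from what the unwrap path expects.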
_______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel