> -----Original Message-----
> From: Paul Moore (pmoore2) <pmoo...@cisco.com>
> Sent: Tuesday, November 5, 2019 19:28
> To: Gilbert, Travis
> Cc: tboot-devel@lists.sourceforge.net
> Subject: Re: Creating a TXT/tboot policy suitable for a modern system with
> TXT+TPM2
> 
> On Tue, 2019-11-05 at 23:02 +0000, travis.gilb...@dell.com wrote:
> > > -----Original Message-----
> > > From: Paul Moore (pmoore2) via tboot-devel <tboot-
> > > de...@lists.sourceforge.net>
> > > Sent: Tuesday, November 5, 2019 16:50
> > > To: lukasz.hawry...@linux.intel.com;
> > > tboot-devel@lists.sourceforge.net
> > > Subject: [tboot-devel] Creating a TXT/tboot policy suitable for a
> > > modern system with TXT+TPM2
> > >
> > >
> > >
> > > Hi Lukasz, others,
> > >
> > > I'm in the process of working on the TXT/sig extensions to the LCP
> > > but I'm running into problems using the tboot tools to create a
> > > working LCP as a baseline.  Simply put, the instructions I've been
> > > able to find either in the sources, the mailing list archives, or
> > > through Google searches do not produce a working LCP on my test
> > > system.  The tools/arguments are either wrong, or the resulting LCP
> > > is bogus.
> >
> > I had to patch lcptools-v2 because I found the same problem. Nothing
> > would produce a good LCP.
> >
> > > Before I start hacking away at the tools to get them to create a
> > > functional LCP that tboot understands, does anyone have a working
> > > how-to for creating a LCP using the current sources?
> >
> > When I patched lcptools-v2, I added a simple how-to for an MLE LCP,
> > it's in the mailing list archives at the link below. If you need more,
> > I have a few other examples.
> >
> > https://sourceforge.net/p/tboot/mailman/message/35976955/
> 
> Thanks Travis, that got me going in the right direction; I needed to add a
> tboot policy element to make my system happy, but that was a trivial
> addition to your instructions above.
> 
> If you're willing to share your other examples, I'd love to see them, and I'm
> sure others would as well.
> 
> Thanks again.

I've got about 20, some of which are negative test cases. They're bash scripts.
I've stripped out the beginning shell line to make it more email-handler
friendly. #9 is actually split into 5 different tests signing various other
policies that were previously unsigned. They were designed to be run in order,
as some later tests rely on the outputs of previous tests. I've included #3 and
one of #9. Let me know if you have interest in any of the others. You don't
have to take ownership or define the index every time, but keeping it in the
script didn't cause us any issues. We could just copy some of the intermediate
files and keep things simple when running tests out of order on multiple
machines.

TXT - Scenario#1, Single MLE element and Unsigned Policy
TXT - Scenario#2, Three MLE elements and Unsigned LCP
TXT - Scenario#3, One PCONF element and Unsigned LCP
TXT - Scenario#4, Two PCONF elements and Unsigned LCP
TXT - Scenario#5, MLE, PCONF list Unsigned
TXT - Scenario#6, SINIT Revocation (Negative Testing)
TXT - Scenario#7, MLE Mismatch 1 - wrong hash file (Negative Testing)
TXT - Scenario#8, PCONF mismatch (Negative Testing)
TXT - Scenario#9, Signed policies with 2048 keys
TXT - Scenario#10, Signed policy with 1024 key
TXT - Scenario#11, Signed policy with 3072 key
TXT - Scenario#12, Input Validation, signed policy with invalid key size (2000)
TXT - Scenario#13, Input Validation, signed policy with invalid key size (512)
TXT - Scenario#14, signed policy with invalid key size (4096)
TXT - Scenario#15, MLE Mismatch - change in boot parameters (Negative Testing)

<3>
cd /boot
# tpm2-tools 3.x syntax: owner, endorsement and lockout auth all set to "new";
# the -P new below is the owner auth
tpm2_takeownership -o new -e new -l new
# define the 70-byte LCP PO index (0x01C10106) under the owner hierarchy
# (0x40000001); harmless to repeat in every script, as noted above
tpm2_nvdefine -x 0x1c10106 -a 0x40000001 -P new -s 70 -t 0x204000A

#TXT - Scenario#3, One PCONF element and Unsigned LCP
# dump the SHA-256 bank (alg 0x0B) as raw bytes, PCR0 first, 32 bytes per PCR
tpm2_listpcrs -g 0x0B -o 1pcrs
truncate -s 32 1pcrs #only select PCR0 for the policy (first 32 bytes)
lcp2_crtpolelt --create --type pconf --out 1pconf.elt 1pcrs
lcp2_crtpollist --create --out lists3_unsig.lst 1pconf.elt
lcp2_crtpol --create --type list --pol lists3.pol --alg sha256 --sign 0x0A \
    --data lists3.data lists3_unsig.lst
# the policy blob goes into the NV index; the policy data file stays in /boot
tpm2_nvwrite -x 0x1c10106 -a 0x40000001 -P new -f lists3.pol
# 20_linux_tboot reads GRUB_TBOOT_POLICY_DATA from /etc/default/grub-tboot
# (same variable as in #9); note '>' replaces the whole file, so any
# GRUB_CMDLINE_TBOOT setting kept there is lost
echo GRUB_TBOOT_POLICY_DATA="lists3.data" > /etc/default/grub-tboot
grub2-mkconfig -o /boot/grub2/grub.cfg
</3>

<9>
cd /boot
tpm2_takeownership -o new -e new -l new
tpm2_nvdefine -x 0x1c10106 -a 0x40000001 -P new -s 70 -t 0x204000A

#TXT - Scenario#9, Signed policies with 2048 keys
# RSA-2048 signing key pair in PEM; this lands in /boot, which is fine for a
# test box but not where a production LCP signing key belongs
openssl genrsa -out privkey.pem 2048
openssl rsa -pubout -in privkey.pem -out pubkey.pem
# sign the unsigned MLE list produced by Scenario#1 (this is why the scripts
# are meant to run in order)
cp lists1_unsig.lst lists1_sig.lst
lcp2_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out lists1_sig.lst
lcp2_crtpol --create --type list --alg sha256 --sign 0x0A --pol lists9a.pol \
    --data lists9a.data lists1_sig.lst
tpm2_nvwrite -x 0x1c10106 -a 0x40000001 -P new -f lists9a.pol
echo GRUB_TBOOT_POLICY_DATA="lists9a.data" > /etc/default/grub-tboot
grub2-mkconfig -o /boot/grub2/grub.cfg
</9>

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel