On Wed, 2019-11-06 at 20:12 +0000, travis.gilb...@dell.com wrote:
> > -----Original Message-----
> > From: Paul Moore (pmoore2) <pmoo...@cisco.com>
> > Sent: Tuesday, November 5, 2019 19:28
> > To: Gilbert, Travis
> > Cc: tboot-devel@lists.sourceforge.net
> > Subject: Re: Creating a TXT/tboot policy suitable for a modern system with TXT+TPM2
> > 
> > On Tue, 2019-11-05 at 23:02 +0000, travis.gilb...@dell.com wrote:
> > > > -----Original Message-----
> > > > From: Paul Moore (pmoore2) via tboot-devel <tboot-de...@lists.sourceforge.net>
> > > > Sent: Tuesday, November 5, 2019 16:50
> > > > To: lukasz.hawry...@linux.intel.com; tboot-devel@lists.sourceforge.net
> > > > Subject: [tboot-devel] Creating a TXT/tboot policy suitable for a modern system with TXT+TPM2
> > > > 
> > > > Hi Lukasz, others,
> > > > 
> > > > I'm in the process of working on the TXT/sig extensions to the LCP
> > > > but I'm running into problems using the tboot tools to create a
> > > > working LCP as a baseline.  Simply put, the instructions I've been
> > > > able to find either in the sources, the mailing list archives, or
> > > > through Google searches do not produce a working LCP on my test
> > > > system.  The tools/arguments are either wrong, or the resulting LCP
> > > > is bogus.
> > > 
> > > I had to patch lcptools-v2 because I found the same problem. Nothing
> > > would produce a good LCP.
> > > 
> > > > Before I start hacking away at the tools to get them to create a
> > > > functional LCP that tboot understands, does anyone have a working
> > > > how-to for creating a LCP using the current sources?
> > > 
> > > When I patched lcptools-v2, I added a simple how-to for an MLE LCP,
> > > it's in the mailing list archives at the link below. If you need more,
> > > I have a few other examples.
> > > 
> > > https://sourceforge.net/p/tboot/mailman/message/35976955/
> > 
> > Thanks Travis, that got me going in the right direction; I needed to
> > add a tboot policy element to make my system happy, but that was a
> > trivial addition to your instructions above.
> > 
> > If you're willing to share your other examples, I'd love to see them,
> > and I'm sure others would as well.
> > 
> > Thanks again.
> 
> I've got about 20 some of which are negative test cases. They're bash
> scripts. I've stripped out the beginning shell line to make it more
> email handler friendly. #9 is actually split into 5 different tests
> signing various other policies that were previously unsigned. They
> were designed to be run in order as some later tests rely on the
> outputs of previous tests. I've included #3 and one of #9. Let me know
> if you have interest in any of the others. You don't have to take
> ownership or define the index every time, but keeping it in the script
> didn't cause us any issues. We could just copy some of the
> intermediate files and keep things simple when running tests out of
> order on multiple machines.
> 
> TXT - Scenario#1, Single MLE element and Unsigned Policy
> TXT - Scenario#2, Three MLE elements and Unsigned LCP
> TXT - Scenario#3, One PCONF element and Unsigned LCP
> TXT - Scenario#4, Two PCONF elements and Unsigned LCP
> TXT - Scenario#5, MLE, PCONF list Unsigned
> TXT - Scenario#6, SINIT Revocation (Negative Testing)
> TXT - Scenario#7, MLE Mismatch 1 - wrong hash file (Negative Testing)
> TXT - Scenario#8, PCONF mismatch (Negative Testing)
> TXT - Scenario#9, Signed policies with 2048 keys
> TXT - Scenario#10, Signed policy with 1024 key
> TXT - Scenario#11, Signed policy with 3072 key
> TXT - Scenario#12: signed policy with invalid key size (2000)
> TXT - Scenario#13, Input Validation, signed policy with invalid key size (512)
> TXT - Scenario#14, signed policy with invalid key size (4096)
> TXT - Scenario#15, MLE Mismatch - change in boot parameters (Negative Testing)
> 
> <3>
> cd /boot
> tpm2_takeownership -o new -e new -l new
> tpm2_nvdefine -x 0x1c10106 -a 0x40000001 -P new -s 70 -t 0x204000A
> 
> #TXT - Scenario#3, One PCONF element and Unsigned LCP
> tpm2_listpcrs -g 0x0B -o 1pcrs
> truncate -s 32 1pcrs #only select PCR0 for the policy
> lcp2_crtpolelt --create --type pconf --out 1pconf.elt 1pcrs
> lcp2_crtpollist --create --out lists3_unsig.lst 1pconf.elt
> lcp2_crtpol --create --type list --pol lists3.pol --alg sha256 --sign 0x0A --data lists3.data lists3_unsig.lst
> tpm2_nvwrite -x 0x1c10106 -a 0x40000001 -P new -f lists3.pol
> echo TBOOT_POLICY_DATA_FILE="lists3.data" > /etc/default/grub-tboot
> grub2-mkconfig -o /boot/grub2/grub.cfg
> </3>
> 
> <9>
> cd /boot
> tpm2_takeownership -o new -e new -l new
> tpm2_nvdefine -x 0x1c10106 -a 0x40000001 -P new -s 70 -t 0x204000A
> 
> #TXT - Scenario#9, Signed policies with 2048 keys
> openssl genrsa -out privkey.pem 2048
> openssl rsa -pubout -in privkey.pem -out pubkey.pem
> cp lists1_unsig.lst lists1_sig.lst
> lcp2_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out lists1_sig.lst
> lcp2_crtpol --create --type list --alg sha256 --sign 0x0A --pol lists9a.pol --data lists9a.data lists1_sig.lst
> tpm2_nvwrite -x 0x1c10106 -a 0x40000001 -P new -f lists9a.pol
> echo GRUB_TBOOT_POLICY_DATA="lists9a.data" > /etc/default/grub-tboot
> grub2-mkconfig -o /boot/grub2/grub.cfg
> </9>

Thanks Travis!
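A post-provisioning check script for the workflow in Travis's scripts above, added here and not part of the thread: it confirms a policy fits the 70-byte NV index before the write, compares the index contents read back from the TPM with the policy on disk, and confirms /etc/default/grub-tboot points at a data file that exists in /boot. It assumes the index, auth handle and size from those scripts, tpm2-tools 3.x flag style (the `-f` output flag of `tpm2_nvread` is an assumption), and the `GRUB_TBOOT_POLICY_DATA` name used in script #9; script #3 writes `TBOOT_POLICY_DATA_FILE` instead, which this check reports as missing, so confirm which name your tboot grub hook reads.

```shell
#!/bin/bash
# Added example (not from the thread): post-provisioning checks for an LCP
# written with the scripts above. Assumes the NV index, auth handle and
# 70-byte size from those scripts and tpm2-tools 3.x flag style.
NV_INDEX=0x1c10106
NV_AUTH=0x40000001
NV_SIZE=70

# 0 if the policy file is non-empty and fits the NV index defined above
# (an oversized file would make tpm2_nvwrite fail after the index was created).
policy_fits_nv() {
    local pol="$1" size
    size=$(wc -c < "$pol" | tr -d ' ') || return 1
    [ "$size" -gt 0 ] && [ "$size" -le "$NV_SIZE" ]
}

# Read the whole index back into a file. Assumption: tpm2_nvread 3.x takes
# -f for the output file; adjust for your tpm2-tools version.
readback_nv() {
    tpm2_nvread -x "$NV_INDEX" -a "$NV_AUTH" -P new -s "$NV_SIZE" -f "$1"
}

# 0 if the first <policy size> bytes of the NV read-back equal the policy file;
# the read-back is always NV_SIZE bytes, so only the policy's own length is compared.
nv_matches_policy() {
    local pol="$1" nv="$2" size
    size=$(wc -c < "$pol" | tr -d ' ') || return 1
    dd if="$nv" bs=1 count="$size" 2>/dev/null | cmp -s "$pol" -
}

# 0 if the grub-tboot config names a policy data file (GRUB_TBOOT_POLICY_DATA,
# with or without quotes: `echo X="y"` writes it unquoted) that exists in $2.
grub_tboot_data_ok() {
    local conf="$1" bootdir="$2" data
    data=$(sed -n 's/^GRUB_TBOOT_POLICY_DATA="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$conf")
    [ -n "$data" ] && [ -f "$bootdir/$data" ]
}

# Usage on a provisioned host (scenario #9 file names): run the checks in order.
if [ "${1:-}" = "--run" ]; then
    policy_fits_nv /boot/lists9a.pol || { echo "policy does not fit NV index"; exit 1; }
    readback_nv /tmp/lcp_readback.bin || { echo "tpm2_nvread failed"; exit 1; }
    nv_matches_policy /boot/lists9a.pol /tmp/lcp_readback.bin || { echo "NV contents differ from lists9a.pol"; exit 1; }
    grub_tboot_data_ok /etc/default/grub-tboot /boot || { echo "grub-tboot does not name an existing data file"; exit 1; }
    echo "LCP provisioning checks passed"
fi
```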
