For TPM 2.0 LCP generation there is a Python tool, lcp-gen2, that is included in tboot's source code. To be honest I didn't try to generate an LCP with tboot's VLP inside, but it should work. If not, this is a bug and needs to be fixed.
lcptools-v2 is not maintained; any new features like new signing algorithms will not be included there, so I suggest not using it for new designs. We are actively improving lcp-gen2; if there is something that is missing in your opinion, please let me know.

Thanks,
Lukasz

On Thu, 2019-11-07 at 21:09 +0000, Paul Moore (pmoore2) via tboot-devel wrote:
> On Wed, 2019-11-06 at 20:12 +0000, travis.gilb...@dell.com wrote:
> > > -----Original Message-----
> > > From: Paul Moore (pmoore2) <pmoo...@cisco.com>
> > > Sent: Tuesday, November 5, 2019 19:28
> > > To: Gilbert, Travis
> > > Cc: tboot-devel@lists.sourceforge.net
> > > Subject: Re: Creating a TXT/tboot policy suitable for a modern system with TXT+TPM2
> > >
> > > On Tue, 2019-11-05 at 23:02 +0000, travis.gilb...@dell.com wrote:
> > > > > -----Original Message-----
> > > > > From: Paul Moore (pmoore2) via tboot-devel <tboot-de...@lists.sourceforge.net>
> > > > > Sent: Tuesday, November 5, 2019 16:50
> > > > > To: lukasz.hawry...@linux.intel.com; tboot-devel@lists.sourceforge.net
> > > > > Subject: [tboot-devel] Creating a TXT/tboot policy suitable for a modern system with TXT+TPM2
> > > > >
> > > > > Hi Lukasz, others,
> > > > >
> > > > > I'm in the process of working on the TXT/sig extensions to the LCP
> > > > > but I'm running into problems using the tboot tools to create a
> > > > > working LCP as a baseline. Simply put, the instructions I've been
> > > > > able to find either in the sources, the mailing list archives, or
> > > > > through Google searches do not produce a working LCP on my test
> > > > > system. The tools/arguments are either wrong, or the resulting LCP
> > > > > is bogus.
> > > >
> > > > I had to patch lcptools-v2 because I found the same problem. Nothing
> > > > would produce a good LCP.
> > > >
> > > > > Before I start hacking away at the tools to get them to create a
> > > > > functional LCP that tboot understands, does anyone have a working
> > > > > how-to for creating a LCP using the current sources?
> > > >
> > > > When I patched lcptools-v2, I added a simple how-to for an MLE LCP;
> > > > it's in the mailing list archives at the link below. If you need more,
> > > > I have a few other examples.
> > > >
> > > > https://sourceforge.net/p/tboot/mailman/message/35976955/
> > >
> > > Thanks Travis, that got me going in the right direction; I needed to add a
> > > tboot policy element to make my system happy, but that was a trivial
> > > addition to your instructions above.
> > >
> > > If you're willing to share your other examples, I'd love to see them, and I'm
> > > sure others would as well.
> > >
> > > Thanks again.
> >
> > I've got about 20, some of which are negative test cases. They're bash
> > scripts. I've stripped out the beginning shell line to make it more
> > email handler friendly. #9 is actually split into 5 different tests
> > signing various other policies that were previously unsigned. They
> > were designed to be run in order, as some later tests rely on the
> > outputs of previous tests. I've included #3 and one of #9. Let me know
> > if you have interest in any of the others. You don't have to take
> > ownership or define the index every time, but keeping it in the script
> > didn't cause us any issues. We could just copy some of the
> > intermediate files and keep things simple when running tests out of
> > order on multiple machines.
> >
> > TXT - Scenario#1, Single MLE element and Unsigned Policy
> > TXT - Scenario#2, Three MLE elements and Unsigned LCP
> > TXT - Scenario#3, One PCONF element and Unsigned LCP
> > TXT - Scenario#4, Two PCONF elements and Unsigned LCP
> > TXT - Scenario#5, MLE, PCONF list Unsigned
> > TXT - Scenario#6, SINIT Revocation (Negative Testing)
> > TXT - Scenario#7, MLE Mismatch 1 - wrong hash file (Negative Testing)
> > TXT - Scenario#8, PCONF mismatch (Negative Testing)
> > TXT - Scenario#9, Signed policies with 2048 keys
> > TXT - Scenario#10, Signed policy with 1024 key
> > TXT - Scenario#11, Signed policy with 3072 key
> > TXT - Scenario#12, Signed policy with invalid key size (2000)
> > TXT - Scenario#13, Input Validation, signed policy with invalid key size (512)
> > TXT - Scenario#14, Signed policy with invalid key size (4096)
> > TXT - Scenario#15, MLE Mismatch - change in boot parameters (Negative Testing)
> >
> > <3>
> > cd /boot
> > tpm2_takeownership -o new -e new -l new
> > tpm2_nvdefine -x 0x1c10106 -a 0x40000001 -P new -s 70 -t 0x204000A
> >
> > #TXT - Scenario#3, One PCONF element and Unsigned LCP
> > tpm2_listpcrs -g 0x0B -o 1pcrs
> > truncate -s 32 1pcrs #only select PCR0 for the policy
> > lcp2_crtpolelt --create --type pconf --out 1pconf.elt 1pcrs
> > lcp2_crtpollist --create --out lists3_unsig.lst 1pconf.elt
> > lcp2_crtpol --create --type list --pol lists3.pol --alg sha256 --sign 0x0A --data lists3.data lists3_unsig.lst
> > tpm2_nvwrite -x 0x1c10106 -a 0x40000001 -P new -f lists3.pol
> > echo GRUB_TBOOT_POLICY_DATA="lists3.data" > /etc/default/grub-tboot
> > grub2-mkconfig -o /boot/grub2/grub.cfg
> > </3>
> >
> > <9>
> > cd /boot
> > tpm2_takeownership -o new -e new -l new
> > tpm2_nvdefine -x 0x1c10106 -a 0x40000001 -P new -s 70 -t 0x204000A
> >
> > #TXT - Scenario#9, Signed policies with 2048 keys
> > openssl genrsa -out privkey.pem 2048
> > openssl rsa -pubout -in privkey.pem -out pubkey.pem
> > cp lists1_unsig.lst lists1_sig.lst
> > lcp2_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out lists1_sig.lst
> > lcp2_crtpol --create --type list --alg sha256 --sign 0x0A --pol lists9a.pol --data lists9a.data lists1_sig.lst
> > tpm2_nvwrite -x 0x1c10106 -a 0x40000001 -P new -f lists9a.pol
> > echo GRUB_TBOOT_POLICY_DATA="lists9a.data" > /etc/default/grub-tboot
> > grub2-mkconfig -o /boot/grub2/grub.cfg
> > </9>
>
> Thanks Travis!
>
> _______________________________________________
> tboot-devel mailing list
> tboot-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tboot-devel

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
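The scripts above write a policy file (lists3.pol, lists9a.pol) into an NV index defined with `tpm2_nvdefine ... -s 70`, and nothing in the thread says where that 70 comes from. The decoder below is an added example, not code from tboot or from any of the posters: it unpacks the fixed LCP_POLICY2 header and shows that 70 bytes is exactly the 38-byte fixed part plus a 32-byte SHA-256 policy hash, so a policy built with `--alg sha384` would need an 86-byte index instead. The field layout follows lcp_policy_t2 from tboot's lcp3.h as recalled by the author of this example and is an assumption to verify against your tree; the hash algorithm IDs are the TPM 2.0 TPM_ALG values (the same 0x0B the scripts pass to `tpm2_listpcrs -g`), the policy version 0x0300 and the POLICY_TYPE encoding are likewise assumptions, and the sample blob is constructed here rather than produced by lcp2_crtpol.

```python
#!/usr/bin/env python3
"""Decode an LCP_POLICY2 blob (what lcp2_crtpol --pol writes and tpm2_nvwrite
stores) and check it against the NV index size given to tpm2_nvdefine -s.

Added example, not tboot code.  ASSUMPTION: the fixed-header layout below is
lcp_policy_t2 from tboot's lcp3.h as recalled; verify the field order against
your source tree before relying on the field names.
"""
import hashlib
import struct

# lcp_policy_t2 fixed part (packed, little-endian):
#   u16 version, u16 hash_alg, u8 policy_type, u8 sinit_min_version,
#   u16 data_revocation_counters[8], u32 policy_control,
#   u8 max_sinit_min_ver, u8 max_biosac_min_ver, u16 lcp_hash_alg_mask,
#   u32 lcp_sign_alg_mask, u16 aux_hash_alg_mask, u16 reserved2
# followed by policy_hash, whose length is the digest size of hash_alg.
_HDR = struct.Struct("<HHBB8HIBBHIHH")      # 38 bytes
LCP_MAX_LISTS = 8

# TPM 2.0 algorithm IDs; 0x0B is the value the scripts use for SHA-256 PCRs.
TPM_ALG = {0x04: "sha1", 0x0B: "sha256", 0x0C: "sha384", 0x0D: "sha512"}
POLICY_TYPE = {0: "list", 1: "any"}         # ASSUMPTION: LCP_POLTYPE_LIST / _ANY
LCP_POLICY_VERSION = 0x0300                 # ASSUMPTION: LCP policy 3.0


def expected_nv_size(hash_alg_id):
    """Bytes an NV index must hold for a policy hashed with hash_alg_id."""
    return _HDR.size + hashlib.new(TPM_ALG[hash_alg_id]).digest_size


def parse_lcp_policy2(blob):
    """Return the policy fields as a dict; raise ValueError on a malformed blob."""
    if len(blob) < _HDR.size:
        raise ValueError("blob shorter than the %d-byte fixed header" % _HDR.size)
    f = _HDR.unpack_from(blob)
    version, hash_alg_id, policy_type, sinit_min_version = f[0:4]
    revocation = f[4:4 + LCP_MAX_LISTS]
    (policy_control, max_sinit_min_ver, max_biosac_min_ver,
     lcp_hash_alg_mask, lcp_sign_alg_mask, aux_hash_alg_mask, _reserved) = f[12:]
    if hash_alg_id not in TPM_ALG:
        raise ValueError("unknown hash_alg 0x%04x" % hash_alg_id)
    want = expected_nv_size(hash_alg_id)
    if len(blob) != want:
        raise ValueError("policy is %d bytes; a %s policy is exactly %d"
                         % (len(blob), TPM_ALG[hash_alg_id], want))
    return {
        "version": version,
        "hash_alg_id": hash_alg_id,
        "hash_alg": TPM_ALG[hash_alg_id],
        "policy_type": POLICY_TYPE.get(policy_type, "unknown(%d)" % policy_type),
        "sinit_min_version": sinit_min_version,
        "data_revocation_counters": list(revocation),
        "policy_control": policy_control,
        "max_sinit_min_ver": max_sinit_min_ver,
        "max_biosac_min_ver": max_biosac_min_ver,
        "lcp_hash_alg_mask": lcp_hash_alg_mask,
        "lcp_sign_alg_mask": lcp_sign_alg_mask,
        "aux_hash_alg_mask": aux_hash_alg_mask,
        "policy_hash": blob[_HDR.size:].hex(),
    }


def is_well_formed(blob):
    """True when the blob parses and its length matches its hash algorithm."""
    try:
        parse_lcp_policy2(blob)
        return True
    except ValueError:
        return False


def nv_size_matches(blob, nv_size):
    """True when `tpm2_nvdefine -s nv_size` is exactly the size this policy needs."""
    return is_well_formed(blob) and nv_size == len(blob)


def build_lcp_policy2(policy_hash, hash_alg_id=0x0B, policy_type=0,
                      sign_alg_mask=0x0A, hash_alg_mask=0, policy_control=0):
    """Assemble a policy blob from field values (used here only to make a
    constructed sample; lcp2_crtpol / lcp-gen2 produce the real thing)."""
    if len(policy_hash) != hashlib.new(TPM_ALG[hash_alg_id]).digest_size:
        raise ValueError("policy_hash length does not match hash_alg")
    hdr = _HDR.pack(LCP_POLICY_VERSION, hash_alg_id, policy_type, 0,
                    *([0] * LCP_MAX_LISTS), policy_control, 0, 0,
                    hash_alg_mask, sign_alg_mask, hash_alg_mask, 0)
    return hdr + policy_hash


# Constructed sample standing in for lists3.pol: the hash is not a real list hash.
CONSTRUCTED_POLICY = build_lcp_policy2(
    hashlib.sha256(b"constructed stand-in for the hash of lists3_unsig.lst").digest())


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONSTRUCTED_POLICY
    for key, value in parse_lcp_policy2(blob).items():
        print("%-26s %s" % (key, value))
    print("tpm2_nvdefine -s must be   %d" % len(blob))
```

Run it as `python3 lcp_inspect.py lists3.pol` after `lcp2_crtpol` to see the header fields and the index size the file needs; with no argument it decodes the constructed sample. The length check is the one to keep in a test harness: an index defined with `-s 70` only fits a SHA-256 policy, and the script that changes `--alg` without changing `-s` is the first thing to suspect when `tpm2_nvwrite` fails.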