On Mon, 2019-12-02 at 14:09 +0100, Lukasz Hawrylko wrote:
> Hi Paul
>
> I went through all steps and I was able to create LCP with certificates,
> VLP with TB_HTYPE_PECOFF and finally got platform booted with PCR 20
> extended by certificate hash (to be honest I didn't check if it is
> correct). So everything works, however I have a few notes :)
No worries, thanks for giving it a test. The code is still pretty rough, so I expect there to be plenty of feedback :) I guess what I'm most concerned about at this point are the changes to the policy: both the new LCP certificate payload element as well as the VLP/TB_HTYPE_PECOFF changes. Do those seem reasonable?

> If VLP is present under its own index (for TPM 2.0 it is 0x01C10131),
> tboot will not read LCP at all, so certificate will not be available. I
> think that we should modify program flow, so even if VLP is present, LCP
> should be read to check if LCP_CUSTOM_ELEMENT_CERTS_UUID element is
> there.

That sounds reasonable, let me see what I can do.

> Still I can't verify signature of custom-built kernel signed by my own
> key, I am trying to figure out what is wrong, but without luck. One
> thing that I found is a problem in pkcs1_search_signer function
> (pkcs1.c:101), it is comparing certificate subject, but not from the
> root of certificate.

Can you elaborate a bit more on what you mean by "the root of certificate"? Alternatively, could you upload the kernel and signing certificate somewhere I could grab so I can play with it?

> I know that this is working fine with Fedora's certificate, but I don't
> know if this is valid for every case. With my simple certificate this
> was the first problem that I found. At least, you should check if the
> pointer to the next element in the chain is not NULL.

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
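The two robustness points raised in the thread (a signer search that walks the certificate list without guarding the next pointer, and a subject comparison that is not anchored at a trusted root) are illustrated below in a self-contained C sketch. This is an added example written for this page, not tboot's pkcs1_search_signer or any other tboot code: the struct cert / struct signer_id layouts, the function names and the three sample certificates are all constructed for illustration, the names and serials are plain strings instead of DER, and the per-link signature check that a real verifier performs is omitted so the chain logic stands out.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, simplified certificate record (constructed for this example).
 * Real code would carry DER-encoded names, a serial number and a public key. */
struct cert {
    const char *subject;
    const char *issuer;
    const char *serial;
    bool trusted_root;          /* true only for a root present in the trust store */
    const struct cert *next;    /* next certificate in the list, or NULL at the end */
};

/* Signer identity as carried in a PKCS#7 SignerInfo (issuerAndSerialNumber). */
struct signer_id {
    const char *issuer;
    const char *serial;
};

/* Bound on chain length so a malformed or cyclic list cannot loop forever. */
#define MAX_CHAIN_DEPTH 8

/* Locate the leaf certificate named by the SignerInfo. Every pointer is
 * checked before use: the list may be NULL, end early, or hold partial records. */
static const struct cert *find_signer_cert(const struct cert *chain,
                                           const struct signer_id *id)
{
    if (chain == NULL || id == NULL || id->issuer == NULL || id->serial == NULL)
        return NULL;
    for (const struct cert *c = chain; c != NULL; c = c->next) {
        if (c->issuer != NULL && c->serial != NULL &&
            strcmp(c->issuer, id->issuer) == 0 && strcmp(c->serial, id->serial) == 0)
            return c;
    }
    return NULL;
}

/* Find the certificate whose subject matches a given issuer name, or NULL. */
static const struct cert *find_by_subject(const struct cert *chain, const char *subject)
{
    if (subject == NULL)
        return NULL;
    for (const struct cert *c = chain; c != NULL; c = c->next)
        if (c->subject != NULL && strcmp(c->subject, subject) == 0)
            return c;
    return NULL;
}

/* Walk leaf -> issuer -> ... until a trusted self-signed root is reached.
 * Returns the chain depth (1 = leaf is itself a trusted root), or 0 when the
 * walk dangles, ends in an untrusted certificate, or exceeds the depth bound.
 * A real implementation also verifies each certificate's signature with its
 * issuer's key at every step of this loop. */
static int chain_to_root(const struct cert *chain, const struct cert *leaf)
{
    int depth = 0;
    for (const struct cert *cur = leaf; cur != NULL && depth < MAX_CHAIN_DEPTH;
         cur = find_by_subject(chain, cur->issuer)) {
        depth++;
        if (cur->trusted_root && cur->issuer != NULL && cur->subject != NULL &&
            strcmp(cur->issuer, cur->subject) == 0)
            return depth;
    }
    return 0;
}

/* Combined check: -1 if no certificate matches the SignerInfo, 0 if the
 * signer does not chain to a trusted root, otherwise the chain depth. */
int verify_depth(const struct cert *chain, const char *issuer, const char *serial)
{
    struct signer_id id = { issuer, serial };
    const struct cert *signer = find_signer_cert(chain, &id);
    if (signer == NULL)
        return -1;
    return chain_to_root(chain, signer);
}

/* Constructed sample data: a complete three-certificate chain, and a list
 * whose intermediate CA is missing so the leaf's issuer is never found. */
static const struct cert root_ca  = { "CN=Test Root CA", "CN=Test Root CA", "01", true, NULL };
static const struct cert inter_ca = { "CN=Test Signing CA", "CN=Test Root CA", "02", false, &root_ca };
static const struct cert leaf     = { "CN=Kernel Signer", "CN=Test Signing CA", "1a2b", false, &inter_ca };
static const struct cert orphan   = { "CN=Kernel Signer", "CN=Missing CA", "1a2b", false, &root_ca };

const struct cert *sample_chain(void) { return &leaf; }
const struct cert *orphan_chain(void) { return &orphan; }

int main(void)
{
    printf("full chain depth: %d\n", verify_depth(sample_chain(), "CN=Test Signing CA", "1a2b"));
    printf("orphan chain:     %d\n", verify_depth(orphan_chain(), "CN=Missing CA", "1a2b"));
    printf("unknown signer:   %d\n", verify_depth(sample_chain(), "CN=Test Signing CA", "ffff"));
    printf("empty list:       %d\n", verify_depth(NULL, "CN=Test Signing CA", "1a2b"));
    return 0;
}
```

The point of the two loops is that a match on the leaf alone says nothing about trust; only the walk that terminates at a certificate already in the trust store does, and each step of that walk has to tolerate a NULL next pointer and a missing issuer rather than dereferencing blindly.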