On Wed, 2019-11-06 at 20:12 +0000, travis.gilb...@dell.com wrote:
> > -----Original Message-----
> > From: Paul Moore (pmoore2) <pmoo...@cisco.com>
> > Sent: Tuesday, November 5, 2019 19:28
> > To: Gilbert, Travis
> > Cc: tboot-devel@lists.sourceforge.net
> > Subject: Re: Creating a TXT/tboot policy suitable for a modern
> > system with TXT+TPM2

...

> > If you're willing to share your other examples, I'd love to see
> > them, and I'm sure others would as well.
> > 
> > Thanks again.
> 
> I've got about 20, some of which are negative test cases. They're bash
> scripts. I've stripped out the beginning shell line to make it more
> email handler friendly. #9 is actually split into 5 different tests
> signing various other policies that were previously unsigned. They
> were designed to be run in order as some later tests rely on the
> outputs of previous tests. I've included #3 and one of #9. Let me know
> if you have interest in any of the others.

Hi Travis,

I'm sorry it took me a while to get back to this and try out the
scripts, but if you are still willing to share I'd love to see all of
them.

Another question below ...

> TXT - Scenario#1, Single MLE element and Unsigned Policy
> TXT - Scenario#2, Three MLE elements and Unsigned LCP
> TXT - Scenario#3, One PCONF element and Unsigned LCP
> TXT - Scenario#4, Two PCONF elements and Unsigned LCP
> TXT - Scenario#5, MLE, PCONF list Unsigned
> TXT - Scenario#6, SINIT Revocation (Negative Testing)
> TXT - Scenario#7, MLE Mismatch 1 - wrong hash file (Negative Testing)
> TXT - Scenario#8, PCONF mismatch (Negative Testing)
> TXT - Scenario#9, Signed policies with 2048 keys
> TXT - Scenario#10, Signed policy with 1024 key
> TXT - Scenario#11, Signed policy with 3072 key
> TXT - Scenario#12: signed policy with invalid key size (2000)
> TXT - Scenario#13 Input Validation, signed policy with invalid key
> size (512)
> TXT - Scenario#14, signed policy with invalid key size (4096)
> TXT - Scenario#15, MLE Mismatch - change in boot parameters (Negative
> Testing)
> 
> <3>
> cd /boot
> tpm2_takeownership -o new -e new -l new
> tpm2_nvdefine -x 0x1c10106 -a 0x40000001 -P new -s 70 -t 0x204000A
> 
> #TXT - Scenario#3, One PCONF element and Unsigned LCP
> tpm2_listpcrs -g 0x0B -o 1pcrs
> truncate -s 32 1pcrs #only select PCR0 for the policy
> lcp2_crtpolelt --create --type pconf --out 1pconf.elt 1pcrs

It appears that lcptools-v2 doesn't understand the "pconf" type, do you
have a patch/branch/etc. that I could take a look at?  I see that
lcptools seems to have some basic support, and I'm sure if I dug into
Intel's specs I could add it, but I'm guessing you've already done the
hard work :)

Thanks,
-Paul


_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
