On Tue, 2020-02-04 at 13:50 +0000, LE ROY Olivier - Contractor wrote: > These two policies fail with following tboot error: > TBOOT: no SINIT provided by bootloader; using BIOS SINIT > ... > TBOOT: reading Verified Launch Policy from TPM NV... > TBOOT: TPM: fail to get public data of 0x01C10131 in TPM NV > TBOOT: :reading failed > TBOOT: reading Launch Control Policy from TPM NV... > TBOOT: :70 bytes read > TBOOT: :reading failed > TBOOT: failed to read policy from TPM NV, using default > TBOOT: policy: > > The point is the SINIT ACM reads my LCP_ANY policy from TPM2 NVram but > doesn't seem to understand it. > > There are no reason indicated in the TBOOT log. > > One reason I think of could be that the NVram index 0x01C10106 wasn't > defined with proper attributes. > I define it with: > > tpm2_nvdefine -x 0x01c10106 -a 0x40000001 -s 70 -t 0x0204000a -P > password > > Hoping someone will help me solve this problem,
Hi, I'm not sure if this would help, but here is the process I typically follow when first getting TXT working on a TPM2 system. 1. Reset / Clear the TPM and Take Ownership This may not be strictly necessary if you can guarantee the TPM is in a known good state, but if you aren't certain and you don't have anything stored in the TPM I think a full TPM reset/clear is a smart idea. You typically need to do the TPM clear via the BIOS menu system, and on some systems you need an admin/supervisor password set before you can access the TPM clear option. Once the TPM is cleared you can take ownership with the following command: # tpm2_takeownership -o <password> -e <password> -l <password> 2. Define the LCP Index You already know how to do this, but after you clear the TPM you will need to redefine the NVRAM index on the TPM. # tpm2_nvdefine -x 0x1c10106 -a 0x40000001 -P <password> \ -s 70 -t 0x204000A 3. Write the TPM's Portion of the LCP into the TPM The LCP is too large to fit into the TPM so we split into *.data and *.pol files when generating it via the lcp2_crtpol tool. You'll want to pass the *.data file to tboot during boot and the *.pol file (lists.pol in the example below) you'll want to write to the TPM using the following command: # tpm2_nvwrite -x 0x1c10106 -a 0x40000001 -P <password> lists.pol Hopefully that gets you closer to a working system. I'm in the process of writing up some better notes, I'll send a note to the list when they are available. Good luck! -Paul _______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel