On Tue, 2020-02-04 at 13:50 +0000, LE ROY Olivier - Contractor wrote:
> These two policies fail with following tboot error:
> TBOOT: no SINIT provided by bootloader; using BIOS SINIT
> ...
> TBOOT: reading Verified Launch Policy from TPM NV...
> TBOOT: TPM: fail to get public data of 0x01C10131 in TPM NV
> TBOOT:     :reading failed
> TBOOT: reading Launch Control Policy from TPM NV...
> TBOOT:     :70 bytes read
> TBOOT:     :reading failed
> TBOOT: failed to read policy from TPM NV, using default
> TBOOT: policy:
> 
> The point is the SINIT ACM reads my LCP_ANY policy from TPM2 NVRAM but
> doesn't seem to understand it.
> 
> There is no reason indicated in the TBOOT log.
> 
> One reason I can think of could be that the NVRAM index 0x01C10106 wasn't
> defined with the proper attributes.
> I define it with:
> 
> tpm2_nvdefine -x 0x01c10106 -a 0x40000001 -s 70 -t 0x0204000a -P password
> 
> Hoping someone will help me solve this problem,

Hi,

I'm not sure if this would help, but here is the process I typically
follow when first getting TXT working on a TPM2 system.

1. Reset / Clear the TPM and Take Ownership

This may not be strictly necessary if you can guarantee the TPM is in a
known good state, but if you aren't certain and you don't have anything
stored in the TPM I think a full TPM reset/clear is a smart idea.  You
typically need to do the TPM clear via the BIOS menu system, and on some
systems you need an admin/supervisor password set before you can access
the TPM clear option.  Once the TPM is cleared you can take ownership
with the following command:

  # tpm2_takeownership -o <password> -e <password> -l <password>

2. Define the LCP Index

You already know how to do this, but after you clear the TPM you will
need to redefine the NVRAM index on the TPM.

  # tpm2_nvdefine -x 0x1c10106 -a 0x40000001 -P <password> \
                  -s 70 -t 0x204000A

3. Write the TPM's Portion of the LCP into the TPM

The LCP is too large to fit into the TPM, so we split it into *.data and
*.pol files when generating it via the lcp2_crtpol tool.  You'll want to
pass the *.data file to tboot during boot and write the *.pol file
(lists.pol in the example below) to the TPM using the following command:

  # tpm2_nvwrite -x 0x1c10106 -a 0x40000001 -P <password> lists.pol

Hopefully that gets you closer to a working system.  I'm in the process
of writing up some better notes; I'll send a note to the list when they
are available.

Good luck!

-Paul

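Since the question above turns on whether the index attributes were right,
here is an added example (not code from the tboot project or from either
poster) that decodes a TPMA_NV attribute word, such as the 0x0204000A
passed to tpm2_nvdefine -t in both messages, and runs the sanity checks a
practitioner would want before trusting an NV index definition. The bit
layout follows TPMA_NV and TPM_NT in TPM 2.0 Library Part 2; the index
0x01C10106 and the attribute value are the ones from the thread, the
has_policy flag (whether tpm2_nvdefine was given an authPolicy digest)
and the warning wording are assumptions of this example.

```python
"""Decode and sanity-check a TPMA_NV attribute word for an NV index.

Added example, not code from tboot or from the posters.  Bit positions
are from TPM 2.0 Library Part 2 (TPMA_NV, TPM_NT).  Sample values are
the 0x01C10106 / 0x0204000A pair from the mailing-list thread.
"""

# TPMA_NV single-bit attributes (bit position -> name).  Bits 7:4 hold
# TPM_NT; bits 9:8 and 24:20 are reserved and must be zero.
TPMA_NV_BITS = {
    0: "PPWRITE", 1: "OWNERWRITE", 2: "AUTHWRITE", 3: "POLICYWRITE",
    10: "POLICY_DELETE", 11: "WRITELOCKED", 12: "WRITEALL",
    13: "WRITEDEFINE", 14: "WRITE_STCLEAR", 15: "GLOBALLOCK",
    16: "PPREAD", 17: "OWNERREAD", 18: "AUTHREAD", 19: "POLICYREAD",
    25: "NO_DA", 26: "ORDERLY", 27: "CLEAR_STCLEAR", 28: "READLOCKED",
    29: "WRITTEN", 30: "PLATFORMCREATE", 31: "READ_STCLEAR",
}

# TPM_NT index types, stored in bits 7:4 of TPMA_NV.
TPM_NT = {0x0: "ORDINARY", 0x1: "COUNTER", 0x2: "BITS", 0x4: "EXTEND",
          0x8: "PIN_FAIL", 0x9: "PIN_PASS"}

WRITE_ATTRS = {"PPWRITE", "OWNERWRITE", "AUTHWRITE", "POLICYWRITE"}
READ_ATTRS = {"PPREAD", "OWNERREAD", "AUTHREAD", "POLICYREAD"}


def decode_tpma_nv(attrs):
    """Return (set of attribute names, TPM_NT name, set of reserved bits set)."""
    names = {name for bit, name in TPMA_NV_BITS.items() if attrs >> bit & 1}
    nt_code = attrs >> 4 & 0xF
    nt = TPM_NT.get(nt_code, "RESERVED(0x%x)" % nt_code)
    known = sum(1 << b for b in TPMA_NV_BITS) | 0xF0      # named bits + TPM_NT
    reserved = {b for b in range(32) if attrs >> b & 1 and not known >> b & 1}
    return names, nt, reserved


def check_nv_index(index, attrs, has_policy=False):
    """Return a list of warnings for an NV index definition (empty = clean).

    index      - NV index handle, e.g. 0x01C10106
    attrs      - TPMA_NV word as given to tpm2_nvdefine -t
    has_policy - True if an authPolicy digest was supplied at define time
                 (assumption of this example: maps to tpm2_nvdefine -L)
    """
    names, nt, reserved = decode_tpma_nv(attrs)
    warnings = []
    # NV index handles live in the 0x01xxxxxx range (MSO 0x01).
    if not 0x01000000 <= index <= 0x01FFFFFF:
        warnings.append("0x%08X is not an NV index handle (MSO 0x01)" % index)
    if reserved:
        warnings.append("reserved TPMA_NV bits set: %s" % sorted(reserved))
    # NV_DefineSpace requires at least one write and one read attribute.
    if not names & WRITE_ATTRS:
        warnings.append("no write attribute set; NV_DefineSpace rejects this")
    if not names & READ_ATTRS:
        warnings.append("no read attribute set; NV_DefineSpace rejects this")
    # With an empty authPolicy no policy session can ever satisfy the index,
    # so POLICYWRITE/POLICYREAD without a policy digest are dead weight.
    if "POLICYWRITE" in names and not has_policy:
        warnings.append("POLICYWRITE set but no authPolicy; policy writes "
                        "are impossible (owner auth is the only write path)")
    if "POLICYREAD" in names and not has_policy:
        warnings.append("POLICYREAD set but no authPolicy; policy reads impossible")
    # An arbitrary policy blob (70 bytes in the thread) needs an ORDINARY index.
    if nt != "ORDINARY":
        warnings.append("TPM_NT is %s; a policy blob needs an ORDINARY index" % nt)
    return warnings


if __name__ == "__main__":
    idx, attrs = 0x01C10106, 0x0204000A          # values from the thread
    names, nt, reserved = decode_tpma_nv(attrs)
    print("0x%08X: %s, TPM_NT=%s" % (attrs, " | ".join(sorted(names)), nt))
    for w in check_nv_index(idx, attrs, has_policy=False):
        print("warning:", w)
```

For the thread's value the decoder reports OWNERWRITE | POLICYWRITE |
AUTHREAD | NO_DA on an ORDINARY index, i.e. writable with the owner
password (the -P argument) and readable with the index's own auth value,
which is empty since no index password was given. The only warning is that
POLICYWRITE is inert without a policy digest; nothing in the attribute word
itself explains the read failure in the log.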

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
