On Tue, 2020-02-04 at 14:59 +0000, LE ROY Olivier - Contractor wrote:
> Hi,
> 
> thanks for this checklist, but unfortunately, I already observed
> these manipulations, without success.
> 
> I must say the same attempt was done on two Supermicro platforms
> (Broadwell based and Cascade Lake based) with the same result:
> 
> TBOOT:     :70 bytes read
> TBOOT:     :reading failed

I'm sorry to hear that didn't help.  Unfortunately the tboot code that
reads the LCP doesn't provide a lot of detailed information by default;
you may need to instrument the tboot code to debug this further.

If you haven't found it already, a good starting point is the
tboot/common/policy.c:set_policy() function.

> From: Paul Moore (pmoore2) <pmoo...@cisco.com>
> Sent: Tuesday, 4 February 2020 15:44
> To: LE ROY Olivier - Contractor; tboot-devel@lists.sourceforge.net
> Subject: Re: [tboot-devel] Intel TXT + TBOOT + TPM 2.0: can't get
> LCP_ANY policy working on Supermicro X11SPM-TF
> 
> On Tue, 2020-02-04 at 13:50 +0000, LE ROY Olivier - Contractor wrote:
> > These two policies fail with following tboot error:
> > TBOOT: no SINIT provided by bootloader; using BIOS SINIT
> > ...
> > TBOOT: reading Verified Launch Policy from TPM NV...
> > TBOOT: TPM: fail to get public data of 0x01C10131 in TPM NV
> > TBOOT:     :reading failed
> > TBOOT: reading Launch Control Policy from TPM NV...
> > TBOOT:     :70 bytes read
> > TBOOT:     :reading failed
> > TBOOT: failed to read policy from TPM NV, using default
> > TBOOT: policy:
> > 
> > The point is the SINIT ACM reads my LCP_ANY policy from TPM2 NVram but
> > doesn't seem to understand it.
> > 
> > There is no reason indicated in the TBOOT log.
> > 
> > One reason I think of could be that the NVram index 0x01C10106 wasn't
> > defined with proper attributes.
> > I define it with:
> > 
> > tpm2_nvdefine -x 0x01c10106 -a 0x40000001 -s 70 -t 0x0204000a -P
> > password
> > 
> > Hoping someone will help me solve this problem,
> 
> Hi,
> 
> I'm not sure if this would help, but here is the process I typically
> follow when first getting TXT working on a TPM2 system.
> 
> 1. Reset / Clear the TPM and Take Ownership
> 
> This may not be strictly necessary if you can guarantee the TPM is in a
> known good state, but if you aren't certain and you don't have anything
> stored in the TPM I think a full TPM reset/clear is a smart idea.  You
> typically need to do the TPM clear via the BIOS menu system, and on some
> systems you need an admin/supervisor password set before you can access
> the TPM clear option.  Once the TPM is cleared you can take ownership
> with the following command:
> 
>   # tpm2_takeownership -o <password> -e <password> -l <password>
> 
> 2. Define the LCP Index
> 
> You already know how to do this, but after you clear the TPM you will
> need to redefine the NVRAM index on the TPM.
> 
>   # tpm2_nvdefine -x 0x1c10106 -a 0x40000001 -P <password> \
>                   -s 70 -t 0x204000A
> 
> 3. Write the TPM's Portion of the LCP into the TPM
> 
> The LCP is too large to fit into the TPM so we split into *.data and
> *.pol files when generating it via the lcp2_crtpol tool.  You'll want to
> pass the *.data file to tboot during boot and the *.pol file (lists.pol
> in the example below) you'll want to write to the TPM using the
> following command:
> 
>   # tpm2_nvwrite -x 0x1c10106 -a 0x40000001 -P <password> lists.pol
> 
> Hopefully that gets you closer to a working system.  I'm in the process
> of writing up some better notes, I'll send a note to the list when they
> are available.
> 
> Good luck!
> 
> -Paul
> 
> _______________________________________________
> tboot-devel mailing list
> tboot-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tboot-devel
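The two numeric arguments to tpm2_nvdefine in Paul's checklist above, decoded, plus a size check for the *.pol file handed to tpm2_nvwrite. This is an added example, not code from the tboot project, from tpm2-tools or from anyone in this thread; the function names are its own. The TPMA_NV bit positions and the TPM_RH_* handle constants are taken from the TPM 2.0 Library Specification, Part 2. With the 3.x tpm2-tools used in the thread, -a to tpm2_nvdefine is the authorising hierarchy handle and -t is the attribute word, which is why the script decodes the two separately. The 70-byte policy file it checks is constructed on the spot.

```shell
#!/bin/sh
# Added example (not from tboot, tpm2-tools or the thread's authors):
# decode what an LCP index definition actually asks the TPM for, so the
# attributes can be checked offline before debugging the SINIT/tboot read.
# Bit positions follow TPMA_NV in the TPM 2.0 Library Spec, Part 2.

# Print the TPMA_NV attribute names set in a 32-bit attribute word
# (the value given to tpm2_nvdefine -t), in ascending bit order.
decode_tpma_nv() {
    attrs=$(( $1 ))
    out=""
    # bit:name pairs; bits 4-7 hold the TPM_NT index type, handled below
    set -- 0:PPWRITE 1:OWNERWRITE 2:AUTHWRITE 3:POLICYWRITE \
           10:POLICY_DELETE 11:WRITELOCKED 12:WRITEALL 13:WRITEDEFINE \
           14:WRITE_STCLEAR 15:GLOBALLOCK 16:PPREAD 17:OWNERREAD \
           18:AUTHREAD 19:POLICYREAD 25:NO_DA 26:ORDERLY 27:CLEAR_STCLEAR \
           28:READLOCKED 29:WRITTEN 30:PLATFORMCREATE 31:READ_STCLEAR
    for entry in "$@"; do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( (attrs >> bit) & 1 )) -ne 0 ]; then
            out="$out $name"
        fi
    done
    nt=$(( (attrs >> 4) & 0xF ))
    if [ "$nt" -ne 0 ]; then
        out="$out TPM_NT=$nt"   # 0 is an ordinary index; anything else is a special type
    fi
    printf '%s\n' "${out# }"
}

# Name a permanent hierarchy handle (the value given to tpm2_nvdefine -a
# in the 3.x tools). It selects the authorising hierarchy; it is not an
# attribute word, even though it looks like one.
name_handle() {
    h=$(( $1 ))
    if   [ "$h" -eq $(( 0x40000001 )) ]; then echo TPM_RH_OWNER
    elif [ "$h" -eq $(( 0x4000000C )) ]; then echo TPM_RH_PLATFORM
    elif [ "$h" -eq $(( 0x4000000B )) ]; then echo TPM_RH_ENDORSEMENT
    elif [ "$h" -eq $(( 0x4000000A )) ]; then echo TPM_RH_LOCKOUT
    else echo UNKNOWN
    fi
}

# Compare the size of the *.pol file with the -s size the index was defined
# with. TPM2_NV_Write rejects data that runs past the end of the index
# (TPM_RC_NV_RANGE), so a file larger than the index cannot be written.
check_pol_size() {
    pol=$1
    size=$(( $2 ))
    actual=$(( $(wc -c < "$pol") ))
    if [ "$actual" -le "$size" ]; then
        echo "ok: $pol is $actual bytes, index size is $size"
        return 0
    fi
    echo "too large: $pol is $actual bytes, index defined with -s $size" >&2
    return 1
}

# Demo with the values from the checklist (constructed 70-byte policy file).
decode_tpma_nv 0x204000A
name_handle 0x40000001
demo_pol=$(mktemp)
printf '%070d' 0 > "$demo_pol"
check_pol_size "$demo_pol" 70
rm -f "$demo_pol"
```

Run as-is it reports that 0x204000A requests OWNERWRITE, POLICYWRITE, AUTHREAD and NO_DA, and that 0x40000001 is TPM_RH_OWNER; point check_pol_size at your own lists.pol to confirm it fits the 70 bytes the index was defined with (the tboot log in the thread shows 70 bytes being read, so the size itself matches there).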

