Hi,

thanks Lukasz for your hints and advice on this mailing list,

thanks Paul for your comprehensive README.md at https://github.com/anuvu/tboot,


I was able to set up an LCP policy that checks the integrity of tboot + cmdline and a 
VLP policy that checks the integrity of kernel + cmdline and initramfs on my 
Supermicro X11SPM-TF server.


Regards,

Olivier
________________________________
From: Lukasz Hawrylko <lukasz.hawry...@linux.intel.com>
Sent: Thursday 6 February 2020 10:22:49
To: LE ROY Olivier - Contractor; tboot-devel@lists.sourceforge.net
Subject: Re: [tboot-devel] Intel TXT + TBOOT + TPM 2.0: can't get LCP_ANY policy working on Supermicro X11SPM-TF

On Wed, 2020-02-05 at 14:41 +0000, LE ROY Olivier - Contractor wrote:
> Hi Lukasz,
>
> > What exactly did you add to that policy in lcp-gen2 tool? LCP is a
> > policy dedicated for SINIT, not for TBOOT.
> > Another approach is to create a separate index for VLP (0x01C10131)
> > and put VLP there.
>
> I understand better why there weren't any log for the LCP_ANY policy and why 
> tboot expects a VLP.
> Thanks for the comprehensive answer.
> I am still learning to implement policies in TPM2.0, trying to transpose what 
> was done in a previous TPM1.2 based project.
>
> > What do you mean "doesn't seem to understand it"? With LCP_ANY SINIT will
> > allow any MLE to be executed.
>
> I was following the recommendation to start with something simple, i.e. 
> LCP_ANY.
> Presently, I am trying a list policy, with an MLE element whose hash is the 
> tboot.gz hash, to implement a VLP at 0x01c10131.
>
> TBOOT logs are as follows:
> TBOOT: reading Verified Launch Policy from TPM NV...
> TBOOT:     :70 bytes read
> TBOOT: policy:
> TBOOT: unsupported version (1)
> TBOOT:     :reading failed
> TBOOT: reading Launch Control Policy from TPM NV...
> TBOOT:     :70 bytes read
> TBOOT:     :reading failed
> TBOOT: failed to read policy from TPM NV, using default
> TBOOT: policy:
> TBOOT:      version: 2
>
> The policy was created using lcp-gen2 from tboot-1.9.9 python tools 
> (tboot-1.9.11 has the same results).
> Do you have a hint why the generated policy has "version (1)" while tboot 
> expects a version: 2?
>
> Regards,
>
> Olivier
>

MLE element goes to LCP and is consumed by SINIT, not TBOOT. You can't
provision the VLP index with LCP.

To create a VLP you have to use the tb_polgen tool. Here is an example:

  # create policy (the policy file name is the last argument of every command)
  tb_polgen --create --ctrl 0x00 --type continue vl.pol

  # add kernel and its cmdline hash, extend PCR19
  tb_polgen --add --num 0 --pcr 19 --hash image --cmdline "..." \
            --image bzImage vl.pol

  # add initrd hash, extend PCR20
  tb_polgen --add --num 1 --pcr 20 --hash image --cmdline "" \
            --image initrd.img vl.pol

If you want to create a policy with an MLE element you have to use the lcp-gen2
tool and provision it to the LCP index. But as I said, TBOOT has nothing to
do with it, you should not expect that TBOOT will measure itself :)

Thanks,
Lukasz
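The tb_polgen steps from the reply above, wrapped in a script that checks its inputs before any policy is written. This is an added example, not code from the thread or from the tboot project; it assumes the tb_polgen binary is on PATH, and the kernel/initrd paths, the command line and the policy file name are placeholders. The NV index is the VLP index named earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from tboot): build a Verified Launch
# Policy with tb_polgen, validating the inputs first. Assumes tb_polgen is on
# PATH; KERNEL, INITRD and CMDLINE are placeholders and must match exactly
# what the bootloader loads and passes, or the measured hashes will not match.
set -eu

POLICY=${POLICY:-vl.pol}
KERNEL=${KERNEL:-/boot/bzImage}                 # placeholder path
INITRD=${INITRD:-/boot/initrd.img}              # placeholder path
CMDLINE=${CMDLINE:-"root=/dev/sda1 ro quiet"}   # placeholder command line
VLP_INDEX=0x01c10131                             # VLP NV index from the thread

# tboot measures launched modules into the DRTM PCRs (17-22); reject anything
# else so a typo cannot produce a policy that silently never matches.
valid_pcr() {
    case "$1" in
        17|18|19|20|21|22) return 0 ;;
        *) return 1 ;;
    esac
}

# Refuse to hash a module that is missing or empty; tb_polgen would otherwise
# record a hash that can never match the module tboot actually measures.
check_module() {
    [ -s "$1" ] || { echo "module '$1' missing or empty" >&2; return 1; }
}

build_vlp() {
    check_module "$KERNEL"
    check_module "$INITRD"
    valid_pcr 19 && valid_pcr 20

    # 1. create an empty policy; 'continue' keeps the thread's choice of a
    #    non-fatal verification failure, 'halt' would stop the boot instead
    tb_polgen --create --ctrl 0x00 --type continue "$POLICY"

    # 2. module 0: kernel plus its command line, extended into PCR 19
    tb_polgen --add --num 0 --pcr 19 --hash image \
              --cmdline "$CMDLINE" --image "$KERNEL" "$POLICY"

    # 3. module 1: initrd with an empty command line, extended into PCR 20
    tb_polgen --add --num 1 --pcr 20 --hash image \
              --cmdline "" --image "$INITRD" "$POLICY"

    # 4. print the recorded hashes so they can be reviewed before the file
    #    is written to the VLP NV index
    tb_polgen --show "$POLICY"
    echo "policy $POLICY ready to be written to NV index $VLP_INDEX"
}

# Only run the tb_polgen steps when invoked with 'build', so the helper
# functions can be sourced or checked without the tool installed.
if [ "${1:-}" = "build" ]; then
    build_vlp
fi
```

Run it as `sh build_vlp.sh build` with KERNEL, INITRD and CMDLINE exported to the real values; the policy file it produces is the one that goes into the VLP index, separately from the LCP that SINIT consumes.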


_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel