Hi Lukasz and all,
thanks for your insight. I understand that it is an expected behaviour that TBOOT is unable to read my LCP policy with an MLE element. But I don't see the reason why, on a Supermicro platform, the TBOOT logs are:

TBOOT: bios_data (@0x77f00008, 0x2c):
TBOOT: version: 3
TBOOT: bios_sinit_size: 0x40000 (262144)
TBOOT: lcp_pd_base: 0x0
TBOOT: lcp_pd_size: 0x0 (0)
TBOOT: lcp_pd_base: 0x0
TBOOT: lcp_pd_size: 0x0 (0)
...
TBOOT: v2 LCP policy data found
TBOOT: lcp_po_base: 0x77f0014c
TBOOT: lcp_po_size: 0x5e (94)
TBOOT: lcp_pd_base: 0x0
TBOOT: lcp_pd_size: 0x0 (0)
TBOOT: lcp_pd_base: 0x0
TBOOT: lcp_pd_size: 0x0 (0)
...
TBOOT: lcp_po_base: 0x77f0014c
TBOOT: lcp_po_size: 0x5e (94)
TBOOT: lcp_policy_hash: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TBOOT: lcp_policy_control: 0x00000000
...
TBOOT: v2 LCP policy data found
TBOOT: no LCP module found

whereas on a Getac platform, the same policy outputs the following TBOOT logs:

reading Launch Control Policy from TPM NV...
TBOOT: :70 bytes read
TBOOT: in unwrap_lcp_policy
TBOOT: no LCP module found
TBOOT: :reading failed
TBOOT: failed to read policy from TPM NV, using default
TBOOT: policy:

Cordialement / regards,

Olivier le Roy (contractor)
HW – SW development engineer
Thales LAS France
Tel.: +33 1 64 91 66 43
Mobile : +33 6 26 56 44 99

________________________________
From: Lukasz Hawrylko <lukasz.hawry...@linux.intel.com>
Sent: Monday, 7 September 2020 14:25:58
To: LE ROY Olivier - Contractor; tboot-devel@lists.sourceforge.net
Subject: Re: [tboot-devel] "no LCP module found" on Getac X500 G3

Hi Olivier

On Fri, 2020-09-04 at 09:28 +0000, LE ROY Olivier - Contractor wrote:
> I tried to implement a LCP @ 0x01400001 and a VLP @ 0x01200001. These 2
> policies were known to work on the same OS but a different platform (Supermicro).
> For LCP, I have the following error:
>
> reading Launch Control Policy from TPM NV...
> TBOOT: :70 bytes read
> TBOOT: in unwrap_lcp_policy
> TBOOT: no LCP module found
> TBOOT: :reading failed
> TBOOT: failed to read policy from TPM NV, using default
> TBOOT: policy:
[snip]
> My LCP is created in the following manner:
>
> tpm2_nvdefine -x 0x01400001 -a 0x40000001 -s 70 -t 0x204000a -P $TPM_OWNER_PASSWORD
> lcp2_mlehash --create --alg sha256 --cmdline "extpol=sha256 logging=serial,memory" /boot/tboot.gz > mle_hash
> lcp2_crtpolelt --create --type mle --alg sha256 --ctrl 0x00 --minver 0 --out mle.elt mle_hash
> lcp2_crtpollist --create --out list_unsig.lst mle.elt
> lcp2_crtpol --create --type list --pol list.pol --alg sha256 --sign 0x0A --ctrl 0x00 --data list.data list_unsig.lst
> tpm2_nvwrite -x 0x01400001 -a 0x40000001 -P $TPM_OWNER_PASSWORD list.pol
> cp -f list.data /boot/
>
> Any idea why this LCP, which consists of just an MLE element, could be
> functional on one platform and not on another?

With these commands you create an LCP with an MLE element that is consumed by SINIT. It is expected behaviour that TBOOT is unable to read it.

To create a policy for TBOOT (VLP) you have to use the tb_polgen tool, e.g.:

tb_polgen --create --ctrl 0x00 --type continue vl.pol
tb_polgen --add --num 0 --pcr 19 --hash image \
    --cmdline "intel_iommu=on console=ttyS0,115200n8" \
    --image /boot/bzImage vl.pol

Then you have two options for how to provision it to the TPM:
* provision it as a standalone policy
* add it to the LCP as a custom element

If you already use an LCP, the easier way is to add a custom element with TBOOT's policy:

lcp2_crtpolelt --create --ctrl 0x00 --type custom --out vl.elt \
    --uuid tboot vl.pol

Then build an LCP list with all the elements that you want to have, provision it to the TPM and copy the .data file to /boot (and add an entry to grub.cfg).

If anything is unclear, please ask. It would be helpful if you could describe what your goal is, what behaviour you want to achieve.

Thanks,
Lukasz
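As an added example (not code from this thread or from the tboot project), here is a small Python triage script for the kind of serial-log comparison made above. It parses the "TBOOT:" lines tboot prints while locating the Launch Control Policy, re-typed here from the two excerpts as constructed input, and reports where the policy was found (BIOS data vs. TPM NV), its size, whether tboot found its own element, and whether it fell back to the default policy. Reading "no LCP module found" as "the LCP carries no TBOOT (VLP) element" follows Lukasz's explanation; the source and verdict labels are my own naming, not tboot's.

```python
"""Triage tboot LCP log lines: where was the policy found, and did tboot use it?"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed samples: the two excerpts from the mail, re-typed as test input.
SUPERMICRO_LOG = """\
TBOOT: bios_data (@0x77f00008, 0x2c):
TBOOT: lcp_pd_base: 0x0
TBOOT: lcp_pd_size: 0x0 (0)
TBOOT: v2 LCP policy data found
TBOOT: lcp_po_base: 0x77f0014c
TBOOT: lcp_po_size: 0x5e (94)
TBOOT: lcp_policy_hash: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TBOOT: lcp_policy_control: 0x00000000
TBOOT: no LCP module found
"""
GETAC_LOG = """\
reading Launch Control Policy from TPM NV...
TBOOT: :70 bytes read
TBOOT: in unwrap_lcp_policy
TBOOT: no LCP module found
TBOOT: :reading failed
TBOOT: failed to read policy from TPM NV, using default
TBOOT: policy:
"""

_HEX = r"0x([0-9a-fA-F]+)"
# lcp_po_base/size, lcp_pd_base/size and lcp_policy_control, as printed by tboot.
_FIELD_RE = re.compile(r"^TBOOT:\s*(lcp_p[od]_(?:base|size)|lcp_policy_control):\s*" + _HEX)
_NV_BYTES_RE = re.compile(r"^TBOOT:\s*:(\d+) bytes read")
_HASH_RE = re.compile(r"^TBOOT:\s*lcp_policy_hash:\s*((?:[0-9a-fA-F]{2}\s*)+)$")


@dataclass
class LcpTriage:
    fields: dict = field(default_factory=dict)  # last value seen per hex field
    policy_hash: bytes = b""
    nv_bytes_read: Optional[int] = None
    v2_policy_data: bool = False
    no_lcp_module: bool = False
    nv_read_failed: bool = False
    using_default: bool = False

    def source(self) -> str:
        """Where tboot got a policy from ("tpm_nv", "bios_data" or "none")."""
        if self.nv_bytes_read:
            return "tpm_nv"
        if self.v2_policy_data and self.fields.get("lcp_po_base", 0):
            return "bios_data"
        return "none"

    def summary(self) -> dict:
        return {
            "source": self.source(),
            "policy_size": self.nv_bytes_read or self.fields.get("lcp_po_size", 0),
            # Interpretation from the thread: "no LCP module found" means the
            # LCP has no element that tboot itself consumes.
            "tboot_element_found": not self.no_lcp_module,
            "fell_back_to_default": self.using_default,
            "policy_hash_all_zero": bool(self.policy_hash) and not any(self.policy_hash),
        }


def parse_tboot_lcp_log(text: str) -> LcpTriage:
    t = LcpTriage()
    for raw in text.splitlines():
        line = raw.strip()
        if m := _FIELD_RE.match(line):
            t.fields[m.group(1)] = int(m.group(2), 16)
        elif m := _NV_BYTES_RE.match(line):
            t.nv_bytes_read = int(m.group(1))
        elif m := _HASH_RE.match(line):
            t.policy_hash = bytes.fromhex(m.group(1).replace(" ", ""))
        elif "v2 LCP policy data found" in line:
            t.v2_policy_data = True
        elif "no LCP module found" in line:
            t.no_lcp_module = True
        elif ":reading failed" in line:
            t.nv_read_failed = True
        elif "failed to read policy from TPM NV, using default" in line:
            t.using_default = True
    return t


def diagnose(t: LcpTriage) -> str:
    """One-line verdict; the remedy wording follows Lukasz's reply above."""
    s = t.summary()
    if s["source"] == "none":
        return "no LCP located in BIOS data or TPM NV"
    msg = f"LCP located via {s['source']} ({s['policy_size']} bytes)"
    if not s["tboot_element_found"]:
        msg += ("; it carries no TBOOT (VLP) element: add one as an LCP custom element "
                "(lcp2_crtpolelt --type custom --uuid tboot) or provision a standalone VLP")
    if s["fell_back_to_default"]:
        msg += "; tboot is running its default policy"
    if s["policy_hash_all_zero"]:
        msg += "; lcp_policy_hash reported from BIOS data is all zeros"
    return msg


if __name__ == "__main__":
    for name, log in (("Supermicro", SUPERMICRO_LOG), ("Getac", GETAC_LOG)):
        print(f"{name}: {diagnose(parse_tboot_lcp_log(log))}")
```

Run it against a captured serial log (`logging=serial` in the tboot command line) to see at a glance whether the platform handed tboot a policy object from BIOS data or from the TPM NV index, and whether that policy actually contained anything for tboot to enforce.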
_______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel