Hi Olivier,
Is your system hanging or resetting after "TBOOT: executing GETSEC[SENTER]..."? I've experienced very similar issues with a large quantity of Getac laptops, TBOOT, and RHEL. I don't see it in your log output, but check your TXT.ERRORCODE register value, and use Intel's error code mappings to gain more information. I believe these are provided in the zips from their website when downloading a SINIT ACM. In my case, I consistently saw errors related to an invalid Boot Guard profile. After much debugging and communication with Getac, the issue turned out to be in firmware/hardware, and all laptops needed to be shipped back and repaired by Getac.

Also, I don't see it mentioned often online and in various resources, but it should be noted that LCP and VLP are optional features. The errors in txt-stat output relating to failure to read the VLP/LCP from NVRAM are by no means fatal. In fact, even in your log output, you can see "failed to read policy from TPM NV, using default", and below that it probably says something like "policy_type: TB_POLTYPE_CONT_NON_FATAL". That of course isn't to say LCP/VLP are not useful features, but they are optional, and if you are, for instance, only intending to do remote attestation you may not even need them, depending on how your system is designed. You can still TBOOT, create attestation keys, generate quotes, attest remotely to a verifier, and do other things without ever using LCP/VLP. My point here is that I think it is unlikely that the LCP is the source of your issue.

Kevin

From: LE ROY Olivier - Contractor <olivier.le...@external.thalesgroup.com>
Sent: Friday, September 4, 2020 5:29 AM
To: tboot-devel@lists.sourceforge.net
Subject: EXTERNAL: [tboot-devel] "no LCP module found" on Getac X500 G3

I have a Getac X500 G3 that I am trying to get TBOOT working on under a CentOS 7.7 OS with TBOOT 1.9.11.
The TBOOT startup, without any policy, looks as follows:

    TBOOT: IA32_FEATURE_CONTROL_MSR: 0000ff07
    TBOOT: CPU is SMX-capable
    TBOOT: SMX is enabled
    TBOOT: TXT chipset and all needed capabilities present
    TBOOT: *********************** TBOOT ***********************
    TBOOT: 2019-11-25 16:00 +0200 1.9.11
    TBOOT: *****************************************************
    TBOOT: command line: extpol=sha256 logging=serial,memory
    ...
    TBOOT: TXT chipset and all needed capabilities present
    ...
    TBOOT: checking if module is an SINIT for this platform...
    TBOOT: ACM info_table version mismatch (6)
    TBOOT: chipset production fused: 1
    TBOOT: chipset ids: vendor: 0x8086, device: 0xb006, revision: 0x1
    TBOOT: processor family/model/stepping: 0x906e9
    TBOOT: platform id: 0x14000000000000
    TBOOT: 1 ACM chipset id entries:
    TBOOT:     vendor: 0x8086, device: 0xb006, flags: 0x1, revision: 0x1, extended: 0x0
    TBOOT: 4 ACM processor id entries:
    TBOOT:     fms: 0x406e0, fms_mask: 0xfff3ff0, platform_id: 0x0, platform_mask: 0x0
    TBOOT:     fms: 0x506e0, fms_mask: 0xfff3ff0, platform_id: 0x0, platform_mask: 0x0
    TBOOT:     fms: 0x806e0, fms_mask: 0xfff3ff0, platform_id: 0x0, platform_mask: 0x0
    TBOOT:     fms: 0x906e0, fms_mask: 0xfff3ff0, platform_id: 0x0, platform_mask: 0x0
    ...
    TBOOT: SINIT matches platform
    ...
    TBOOT: AC mod base alignment OK
    TBOOT: AC mod size OK
    ...
    TBOOT: reading Verified Launch Policy from TPM NV...
    TBOOT: TPM: fail to get public data of 0x01200001 in TPM NV
    TBOOT: :reading failed
    TBOOT: reading Launch Control Policy from TPM NV...
    TBOOT: TPM: fail to get public data of 0x01400001 in TPM NV
    TBOOT: :reading failed
    TBOOT: failed to read policy from TPM NV, using default
    TBOOT: policy:
    ...
    TBOOT: executing GETSEC[SENTER]...

I tried to implement an LCP @ 0x01400001 and a VLP @ 0x01200001. These two policies were known to work on the same OS but a different platform (Supermicro). For the LCP, I get the following error:

    TBOOT: reading Launch Control Policy from TPM NV...
    TBOOT: :70 bytes read
    TBOOT: in unwrap_lcp_policy
    TBOOT: no LCP module found
    TBOOT: :reading failed
    TBOOT: failed to read policy from TPM NV, using default
    TBOOT: policy:

I tried to implement the LCP @ 0x01800001, but without success, for this index is locked. I.e.:

    tpm2_nvlist
    0x1800001:
      hash algorithm:
        friendly: sha256
        value: 0xB
      attributes:
        friendly: authwrite|policydelete|writelocked|writedefine|authread|no_da|written|platformcreate
        value: 0x42C0462
      size: 70
      authorization policy: 1169A46A813A8CCDD0F3066785207BB9B67AFD3A6CD6DFE5C5AEE120867A96DF
    0x1800003:
      hash algorithm:
        friendly: sha256
        value: 0xB
      attributes:
        friendly: policywrite|policydelete|write_stclear|authread|no_da|written|platformcreate
        value: 0x8440462
      size: 104
      authorization policy: EF9A26FC22D1AE8CECFF59E9481AC1EC533DBE228BEC6D17930F4CB2CC5B9724
    0x1800004:
      hash algorithm:
        friendly: sha256
        value: 0xB
      attributes:
        friendly: authwrite|policydelete|authread|no_da|written|platformcreate
        value: 0x4040462
      size: 8
      authorization policy: 1169A46A813A8CCDD0F3066785207BB9B67AFD3A6CD6DFE5C5AEE120867A96DF
    0x1c00002:
      hash algorithm:
        friendly: sha256
        value: 0xB
      attributes:
        friendly: ppwrite|writeall|ppread|ownerread|authread|policyread|no_da|written|platformcreate
        value: 0x1100F62
      size: 991
    0x1c0000a:
      hash algorithm:
        friendly: sha256
        value: 0xB
      attributes:
        friendly: ppwrite|writeall|ppread|ownerread|authread|policyread|no_da|written|platformcreate
        value: 0x1100F62
      size: 788

My LCP is created in the following manner:

    tpm2_nvdefine -x 0x01400001 -a 0x40000001 -s 70 -t 0x204000a -P $TPM_OWNER_PASSWORD
    lcp2_mlehash --create --alg sha256 --cmdline "extpol=sha256 logging=serial,memory" /boot/tboot.gz > mle_hash
    lcp2_crtpolelt --create --type mle --alg sha256 --ctrl 0x00 --minver 0 --out mle.elt mle_hash
    lcp2_crtpollist --create --out list_unsig.lst mle.elt
    lcp2_crtpol --create --type list --pol list.pol --alg sha256 --sign 0x0A --ctrl 0x00 --data list.data list_unsig.lst
    tpm2_nvwrite -x 0x01400001 -a 0x40000001 -P $TPM_OWNER_PASSWORD list.pol
    cp -f list.data /boot/

Any idea why this LCP, which consists of just an MLE element, could be functional on one platform and not on another?

Regards,
Olivier le Roy (contractor)
HW - SW development engineer
Thales LAS France
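Kevin's suggestion to read TXT.ERRORCODE and decode it against Intel's mappings, worked through as an added example (this is not code from the thread or from the tboot project): a Python decoder for the register's documented top-level fields, plus a helper that reads the live register through /dev/mem. Assumptions: the public config space base (0xFED30000) and the TXT.ERRORCODE offset (0x30) and the bit layout (Valid, External, Src, ACM type, progress, error) are taken from the Intel TXT Software Development Guide as tboot's txt-stat uses them; what a particular progress/error pair means depends on the SINIT ACM and has to be looked up in the error-code document that ships with that ACM, so the script reports the fields and does not guess their meaning. The sample values in the usage below are constructed, not taken from Olivier's log.

```python
"""Decode the Intel TXT.ERRORCODE register into its documented fields.

Added example, not code from the tboot list thread or from the tboot project.
Layout follows the Intel TXT Software Development Guide and what tboot's
txt-stat prints: bit 31 = Valid, bit 30 = External (0 = processor-generated,
1 = software-generated), bits 29:0 = Type.  For software-generated errors,
bit 15 = Src (0 = ACM, 1 = MLE); for ACM errors bits 3:0 = ACM type
(0 = BIOS ACM, 1 = SINIT), bits 9:4 = progress code, bits 14:10 = error code.
The meaning of a given progress/error pair is ACM-specific and comes from the
error-code document shipped with the SINIT ACM; this script does not guess it.
"""
import mmap
import os
import struct
import sys

TXT_PUB_CONFIG_BASE = 0xFED30000  # TXT public configuration register space
TXTCR_ERRORCODE = 0x0030          # offset of TXT.ERRORCODE in that space

ACM_TYPES = {0: "BIOS ACM", 1: "SINIT"}


def decode_txt_errorcode(raw):
    """Return a dict of the register's fields plus a one-line summary."""
    raw &= 0xFFFFFFFF  # upper 32 bits of the 64-bit register are reserved
    out = {
        "raw": raw,
        "valid": bool((raw >> 31) & 1),
        "external": bool((raw >> 30) & 1),
        "type": raw & 0x3FFFFFFF,
    }
    if not out["valid"]:
        out["summary"] = "no error recorded (Valid bit clear)"
        return out
    if not out["external"]:
        out["summary"] = "processor-generated error, type=0x%x" % out["type"]
        return out
    if (raw >> 15) & 1:
        out["src"] = "MLE"
        out["mle_error"] = raw & 0x7FFF
        out["summary"] = "MLE-generated error 0x%x" % out["mle_error"]
        return out
    out["src"] = "ACM"
    out["acm_type"] = raw & 0xF
    out["progress"] = (raw >> 4) & 0x3F
    out["error"] = (raw >> 10) & 0x1F
    # ACM-defined detail (e.g. a TPM return code); meaning is in the ACM's error document
    out["minor"] = (raw >> 16) & 0x3FFF
    out["summary"] = (
        "AC module error: acm_type=0x%x (%s), progress=0x%02x, error=0x%x, minor=0x%x"
        % (out["acm_type"], ACM_TYPES.get(out["acm_type"], "reserved"),
           out["progress"], out["error"], out["minor"])
    )
    return out


def read_txt_errorcode(devmem="/dev/mem"):
    """Read TXT.ERRORCODE through /dev/mem.

    Needs root and a kernel that does not restrict this range
    (CONFIG_STRICT_DEVMEM); tboot's txt-stat prints the same register and is
    the usual alternative."""
    fd = os.open(devmem, os.O_RDONLY | os.O_SYNC)
    try:
        page = mmap.PAGESIZE
        base = TXT_PUB_CONFIG_BASE - (TXT_PUB_CONFIG_BASE % page)
        m = mmap.mmap(fd, page, mmap.MAP_SHARED, mmap.PROT_READ, offset=base)
        try:
            off = (TXT_PUB_CONFIG_BASE - base) + TXTCR_ERRORCODE
            return struct.unpack_from("<Q", m, off)[0]
        finally:
            m.close()
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Usage: pass a hex value copied from txt-stat or the serial log
    # (e.g. a constructed 0xC0000CB1), or run as root to read the live register.
    value = int(sys.argv[1], 16) if len(sys.argv) > 1 else read_txt_errorcode()
    for key, val in decode_txt_errorcode(value).items():
        shown = hex(val) if isinstance(val, int) and not isinstance(val, bool) else val
        print("%-10s %s" % (key + ":", shown))
```

Once the decoder says "AC module error" with acm_type 1, the progress and error fields are what to look up in the SINIT ACM's error document; a processor-generated error (External clear) or an MLE-generated one (Src set) points elsewhere, so checking these bits first avoids reading the wrong table.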
_______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel