Hi Lukasz and all,

thanks for your insight.


I understand that

> it is an expected behaviour that TBOOT is unable to read

my LCP policy with an MLE element.


But I don't see the reason why, on a Supermicro platform, TBOOT logs are:

TBOOT: bios_data (@0x77f00008, 0x2c):
TBOOT:      version: 3
TBOOT:      bios_sinit_size: 0x40000 (262144)

TBOOT:      lcp_pd_base: 0x0
TBOOT:      lcp_pd_size: 0x0 (0)
TBOOT:      lcp_pd_base: 0x0
TBOOT:      lcp_pd_size: 0x0 (0)
...
TBOOT: v2 LCP policy data found
TBOOT:      lcp_po_base: 0x77f0014c
TBOOT:      lcp_po_size: 0x5e (94)
TBOOT:      lcp_pd_base: 0x0
TBOOT:      lcp_pd_size: 0x0 (0)
TBOOT:      lcp_pd_base: 0x0
TBOOT:      lcp_pd_size: 0x0 (0)
...
TBOOT:      lcp_po_base: 0x77f0014c
TBOOT:      lcp_po_size: 0x5e (94)
TBOOT:      lcp_policy_hash:
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TBOOT:      lcp_policy_control: 0x00000000
...
TBOOT: v2 LCP policy data found
TBOOT: no LCP module found


whereas on a Getac platform, the same policy outputs the following TBOOT logs:

reading Launch Control Policy from TPM NV...
TBOOT:     :70 bytes read
TBOOT: in unwrap_lcp_policy
TBOOT: no LCP module found
TBOOT:     :reading failed
TBOOT: failed to read policy from TPM NV, using default
TBOOT: policy:



Kind regards,

Olivier le Roy (contractor)

HW – SW development engineer
Thales LAS France
Tel.: +33 1 64 91 66 43
Mobile : +33 6 26 56 44 99
________________________________
From: Lukasz Hawrylko <lukasz.hawry...@linux.intel.com>
Sent: Monday 7 September 2020 14:25:58
To: LE ROY Olivier - Contractor; tboot-devel@lists.sourceforge.net
Subject: Re: [tboot-devel] "no LCP module found" on Getac X500 G3

Hi Olivier

On Fri, 2020-09-04 at 09:28 +0000, LE ROY Olivier - Contractor wrote:

> I tried to implement a LCP @ 0x01400001 and a VLP @ 0x01200001. These 2 
> policies were known to work on same OS but different platform (Supermicro).
> For LCP, I have the following error:
>
> reading Launch Control Policy from TPM NV...
> TBOOT:     :70 bytes read
> TBOOT: in unwrap_lcp_policy
> TBOOT: no LCP module found
> TBOOT:     :reading failed
> TBOOT: failed to read policy from TPM NV, using default
> TBOOT: policy:

[snip]

> My LCP is created the following manner:
>
>         tpm2_nvdefine -x 0x01400001 -a 0x40000001 -s 70 -t 0x204000a -P 
> $TPM_OWNER_PASSWORD
>         lcp2_mlehash --create --alg sha256 --cmdline "extpol=sha256 
> logging=serial,memory" /boot/tboot.gz > mle_hash
>         lcp2_crtpolelt --create --type mle --alg sha256 --ctrl 0x00 --minver 
> 0 --out mle.elt mle_hash
>         lcp2_crtpollist --create --out list_unsig.lst mle.elt
>         lcp2_crtpol --create --type list --pol list.pol --alg sha256 --sign 
> 0x0A --ctrl 0x00 --data list.data list_unsig.lst
>         tpm2_nvwrite -x 0x01400001 -a 0x40000001 -P $TPM_OWNER_PASSWORD 
> list.pol
>         cp -f list.data /boot/
>
> Any idea why this LCP, which consists in just an mle element, could be 
> functional on a platform and not on another?

With these commands you create LCP with MLE element that is consumed by
SINIT. It is an expected behaviour that TBOOT is unable to read it.

To create policy for TBOOT (VLP) you have to use tb_polgen tool, ex.:

    tb_polgen --create --ctrl 0x00 --type continue vl.pol
    tb_polgen --add --num 0 --pcr 19 --hash image \
              --cmdline "intel_iommu=on console=ttyS0,115200n8" \
              --image /boot/bzImage vl.pol

Then you have two options how to provision it to TPM:
 * provision as standalone policy
 * add it to LCP as custom element

If you already use LCP, easier way is to add custom element with TBOOT's
policy.

    lcp2_crtpolelt --create --ctrl 0x00 --type custom --out vl.elt \
                   --uuid tboot vl.pol

Then build LCP list with all elements that you want to have, provision
it to TPM and copy .data file to /boot (and add entry to grub.cfg).

If anything is unclear, please ask. It would be helpful if you can
describe what is your goal, what behaviour you want to achieve.

Thanks,
Lukasz
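
The full procedure Lukasz outlines (MLE element for SINIT, a tb_polgen VLP wrapped as a custom element, one list holding both, provisioning to TPM NV, data file and grub entry), collected into one script as an added example. This is not code from the thread or from the tboot project; the tool names and flags are the ones used in the two messages above, while the working directory, kernel and initrd paths, the menuentry layout and the rule that the NV index size equals the policy file size are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the tboot project or the thread above.
# Builds an LCP that carries an MLE element and a TBOOT custom element (VLP),
# provisions it to TPM NV and emits the grub entry that loads the data file.
set -eu

LCP_INDEX=0x01400001            # NV index from the thread
OWNER_HIERARCHY=0x40000001      # owner hierarchy, as in the thread's tpm2 calls
WORK=${WORK:-/tmp/lcp-build}    # assumed scratch directory
TBOOT=/boot/tboot.gz
TBOOT_CMDLINE="extpol=sha256 logging=serial,memory"       # from Olivier's lcp2_mlehash call
KERNEL=/boot/bzImage                                      # assumed
KERNEL_CMDLINE="intel_iommu=on console=ttyS0,115200n8"    # from Lukasz's tb_polgen call
INITRD=/boot/initrd.img                                   # assumed

# Size of a file in bytes (wc output is trimmed for BSD-style leading blanks).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Assumed rule: the NV index defined with tpm2_nvdefine -s must be exactly as
# large as the policy blob written into it, since TBOOT reads the whole index.
# Returns 0 when the sizes agree, 1 otherwise.
check_nv_size() {
    [ "$(file_size "$1")" -eq "$2" ]
}

# Step 1-3: MLE element (consumed by SINIT), VLP as custom element (consumed
# by TBOOT), one list with both, then policy (NV part) and data file.
build_lcp() {
    mkdir -p "$WORK" && cd "$WORK"
    lcp2_mlehash --create --alg sha256 --cmdline "$TBOOT_CMDLINE" "$TBOOT" > mle_hash
    lcp2_crtpolelt --create --type mle --alg sha256 --ctrl 0x00 --minver 0 \
                   --out mle.elt mle_hash

    tb_polgen --create --ctrl 0x00 --type continue vl.pol
    tb_polgen --add --num 0 --pcr 19 --hash image \
              --cmdline "$KERNEL_CMDLINE" --image "$KERNEL" vl.pol
    lcp2_crtpolelt --create --ctrl 0x00 --type custom --out vl.elt \
                   --uuid tboot vl.pol

    lcp2_crtpollist --create --out list_unsig.lst mle.elt vl.elt
    lcp2_crtpol --create --type list --pol list.pol --alg sha256 --sign 0x0A \
                --ctrl 0x00 --data list.data list_unsig.lst
}

# Step 4: define the index with the real policy size, write it, stage the
# data file where the grub entry below expects it.
provision_lcp() {
    pol_size=$(file_size "$WORK/list.pol")
    tpm2_nvdefine -x "$LCP_INDEX" -a "$OWNER_HIERARCHY" -s "$pol_size" \
                  -t 0x204000a -P "$TPM_OWNER_PASSWORD"
    tpm2_nvwrite -x "$LCP_INDEX" -a "$OWNER_HIERARCHY" -P "$TPM_OWNER_PASSWORD" \
                 "$WORK/list.pol"
    check_nv_size "$WORK/list.pol" "$pol_size"
    cp -f "$WORK/list.data" /boot/
}

# Step 5: grub.cfg entry (assumed layout) with the LCP data file as a module,
# using the same command lines that were hashed into the MLE and VL policies.
grub_entry() {
    cat <<EOF
menuentry 'tboot with LCP' {
    multiboot2 $TBOOT $TBOOT_CMDLINE
    module2 $KERNEL $KERNEL_CMDLINE
    module2 $INITRD
    module2 /boot/list.data
}
EOF
}

# Only run the real tool chain when asked to, so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    build_lcp
    provision_lcp
    grub_entry
fi
```

Run with `sh provision_lcp.sh run` on the target box (needs the lcptools-v2, tb_polgen and tpm2-tools binaries and `TPM_OWNER_PASSWORD` in the environment); the printed menuentry is then pasted into grub.cfg. Because the MLE hash covers the tboot command line and the VLP covers the kernel command line, both strings are taken from one place so the grub entry cannot drift from what was hashed.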

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel