Hi Olivier,
Is your system hanging or resetting after:
TBOOT: executing GETSEC[SENTER]...
I've experienced very similar issues with a large quantity of Getac laptops,
TBOOT, and RHEL. I don't see it in your log output, but check your
TXT.ERRORCODE register value, and use Intel's error code mappings to gain
more information. I believe this is proved in the zips from their website
when downloading a SINIT ACM.
In my case, I consistently saw errors related to an invalid bootguard
profile. After much debugging and communications with Getac, the issue
turned out to be in firmware/hardware, and all laptops needed to be shipped
back and repaired by Getac.
Also, I don't see it mentioned often online and in various resources, but it
should be noted that LCP and VLP are optional features. The errors in
txt-stat output relating to failure to read VLP/LCP from NVRAM are by no
means fatal. In fact, even in your log output, you can see: ".failed to
read policy from TPM NV, using default.", and below that, it probably says
something like: "..policy_type: TB_POLTYPE_CONT_NON_FATAL".
That of course isn't to say LCP/VLP are not useful features, but they are
optional, and if you are for instance only intending to do remote
attestation you may not even need them depending on how your system is
designed. You can still TBOOT, create attestation keys, generate quotes,
attest remotely to a verifier, and other things without ever using LCP/VLP.
My point here is that I think it is unlikely that the LCP is the source of
your issue.
Kevin
From: LE ROY Olivier - Contractor <olivier.le...@external.thalesgroup.com>
Sent: Friday, September 4, 2020 5:29 AM
To: tboot-devel@lists.sourceforge.net
Subject: EXTERNAL: [tboot-devel] "no LCP module found" on Getac X500 G3
I have a Getac X500 G3 that I am trying to get TBOOT working on under a
CentOS 7.7 OS with TBOOT 1.9.11. The TBOOT startup, without any policy,
looks as follows:
TBOOT: IA32_FEATURE_CONTROL_MSR: 0000ff07
TBOOT: CPU is SMX-capable
TBOOT: SMX is enabled
TBOOT: TXT chipset and all needed capabilities present
TBOOT: *********************** TBOOT ***********************
TBOOT: 2019-11-25 16:00 +0200 1.9.11
TBOOT: *****************************************************
TBOOT: command line: extpol=sha256 logging=serial,memory
...
TBOOT: TXT chipset and all needed capabilities present
...
TBOOT: checking if module is an SINIT for this platform...
TBOOT: ACM info_table version mismatch (6)
TBOOT: chipset production fused: 1
TBOOT: chipset ids: vendor: 0x8086, device: 0xb006, revision: 0x1
TBOOT: processor family/model/stepping: 0x906e9
TBOOT: platform id: 0x14000000000000
TBOOT: 1 ACM chipset id entries:
TBOOT: vendor: 0x8086, device: 0xb006, flags: 0x1, revision: 0x1,
extended: 0x0
TBOOT: 4 ACM processor id entries:
TBOOT: fms: 0x406e0, fms_mask: 0xfff3ff0, platform_id: 0x0,
platform_mask: 0x0
TBOOT: fms: 0x506e0, fms_mask: 0xfff3ff0, platform_id: 0x0,
platform_mask: 0x0
TBOOT: fms: 0x806e0, fms_mask: 0xfff3ff0, platform_id: 0x0,
platform_mask: 0x0
TBOOT: fms: 0x906e0, fms_mask: 0xfff3ff0, platform_id: 0x0,
platform_mask: 0x0
...
TBOOT: SINIT matches platform
...
TBOOT: AC mod base alignment OK
TBOOT: AC mod size OK
...
TBOOT: reading Verified Launch Policy from TPM NV...
TBOOT: TPM: fail to get public data of 0x01200001 in TPM NV
TBOOT: :reading failed
TBOOT: reading Launch Control Policy from TPM NV...
TBOOT: TPM: fail to get public data of 0x01400001 in TPM NV
TBOOT: :reading failed
TBOOT: failed to read policy from TPM NV, using default
TBOOT: policy:
...
TBOOT: executing GETSEC[SENTER]...
I tried to implement a LCP @ 0x01400001 and a VLP @ 0x01200001. These 2
policies were known to work on same OS but different platform (Supermicro).
For LCP, I have the following error:
reading Launch Control Policy from TPM NV...
TBOOT: :70 bytes read
TBOOT: in unwrap_lcp_policy
TBOOT: no LCP module found
TBOOT: :reading failed
TBOOT: failed to read policy from TPM NV, using default
TBOOT: policy:
I tried to implement the LCP @ 0x01800001, but without success, for this
index is locked. I.e.: tpm2_nvlist
0x1800001:
hash algorithm:
friendly: sha256
value: 0xB
attributes:
friendly:
authwrite|policydelete|writelocked|writedefine|authread|no_da|written|platfo
rmcreate
value: 0x42C0462
size: 70
authorization policy:
1169A46A813A8CCDD0F3066785207BB9B67AFD3A6CD6DFE5C5AEE120867A96DF
0x1800003:
hash algorithm:
friendly: sha256
value: 0xB
attributes:
friendly:
policywrite|policydelete|write_stclear|authread|no_da|written|platformcreate
value: 0x8440462
size: 104
authorization policy:
EF9A26FC22D1AE8CECFF59E9481AC1EC533DBE228BEC6D17930F4CB2CC5B9724
0x1800004:
hash algorithm:
friendly: sha256
value: 0xB
attributes:
friendly: authwrite|policydelete|authread|no_da|written|platformcreate
value: 0x4040462
size: 8
authorization policy:
1169A46A813A8CCDD0F3066785207BB9B67AFD3A6CD6DFE5C5AEE120867A96DF
0x1c00002:
hash algorithm:
friendly: sha256
value: 0xB
attributes:
friendly:
ppwrite|writeall|ppread|ownerread|authread|policyread|no_da|written|platform
create
value: 0x1100F62
size: 991
0x1c0000a:
hash algorithm:
friendly: sha256
value: 0xB
attributes:
friendly:
ppwrite|writeall|ppread|ownerread|authread|policyread|no_da|written|platform
create
value: 0x1100F62
size: 788
My LCP is created the following manner:
tpm2_nvdefine -x 0x01400001 -a 0x40000001 -s 70 -t 0x204000a -P
$TPM_OWNER_PASSWORD
lcp2_mlehash --create --alg sha256 --cmdline "extpol=sha256
logging=serial,memory" /boot/tboot.gz > mle_hash
lcp2_crtpolelt --create --type mle --alg sha256 --ctrl 0x00 --minver
0 --out mle.elt mle_hash
lcp2_crtpollist --create --out list_unsig.lst mle.elt
lcp2_crtpol --create --type list --pol list.pol --alg sha256 --sign
0x0A --ctrl 0x00 --data list.data list_unsig.lst
tpm2_nvwrite -x 0x01400001 -a 0x40000001 -P $TPM_OWNER_PASSWORD
list.pol
cp -f list.data /boot/
Any idea why this LCP, which consists in just an mle element, could be
functional on a platform and not on another?
Cordialement / regards,
Olivier le Roy (contractor)
HW - SW development engineer
Thales LAS France
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel
