Hi Miguel

On Fri, 2022-10-07 at 14:30 +0000, Miguel Mota wrote:
> If I change either the kernel or the initrd the system still boots as
> expected (since I have a policy of continue instead of halt) and the
> PCR will have different values (as expected) but the TBOOT tool says
> the "TXT Measured Launch: True" when I expected it to be false. Am
> I misinterpreting the normal behaviour of TXT here? Also, is this
> VLP (without the LCP) enough for remote attestation? I'd say yes
> since PCR 17-20 have all the required information and they can't be
> altered by a bad actor due to their locality requirements.


"TXT Measured Launch: True" means that the system was successfully booted
with TXT. Measured launch is a process where measures of boot
components are collected and stored to TPM PCRs, but not verified. This
is the standard behaviour of TXT.

For remote attestation you don't have to provision LCP or VLP, because
default policies already collect measurements. You can use LCP or VLP
to configure what PCRs will be extended with particular boot
components, but in general this is not required.

To sum up, you are right, your system is ready to enable remote
attestation.

Thanks,
Lukasz


_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
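
The measure-but-not-verify behaviour discussed in this thread, as an added example that is not part of the original e-mail or of tboot's code. It models one SHA-256 PCR in software; the component names, the zero starting value and the helper functions are assumptions made for illustration, and a real verifier would take the PCR value from a signed TPM quote rather than from a function call.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one PCR in a SHA-256 bank (assumption for this model)

def measure(blob: bytes) -> bytes:
    """Digest of a boot component, as recorded during a measured launch."""
    return hashlib.sha256(blob).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new PCR value = H(old PCR value || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(components) -> bytes:
    """Fold the components, in boot order, into a PCR that starts at zero."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, measure(blob))
    return pcr

def measured_launch(components):
    """Launch side: measurements are stored and never compared to anything,
    so the launch reports success whatever was measured."""
    return True, replay(components)

def verifier_accepts(reported_pcr: bytes, golden_components) -> bool:
    """Remote verifier side: recompute the expected PCR from known-good
    components and compare it with the reported value."""
    return hmac.compare_digest(reported_pcr, replay(golden_components))

# Constructed sample data, not real kernel or initrd images.
GOLDEN = [b"kernel-v1", b"initrd-v1"]
MODIFIED = [b"kernel-v1", b"initrd-v1-modified"]

if __name__ == "__main__":
    for name, boot in (("golden", GOLDEN), ("modified", MODIFIED)):
        launched, pcr = measured_launch(boot)
        print(name, "launch:", launched,
              "verifier accepts:", verifier_accepts(pcr, GOLDEN),
              "pcr:", pcr.hex()[:16])
```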
