Re: [tboot-devel] "Invalid RSDP" TXT Error

2017-05-25 Thread Marco Vanotti
Hi All,

I still couldn't fix the issue. However, there was a problem with the
policies I used (the ones I created myself). I created another policy, with
the lcp-gen2 tools and tried them in another machine with the same MLE.

I was able to get a successful boot in the other machine, but not in the
NUC. I still get the same error "Invalid RSDP".

Reading the tboot source code, tboot/txt/txt.c is where the RSDP is set up:

http://hg.code.sf.net/p/tboot/code/file/f1d2d60eda9f/tboot/txt/txt.c#l557

    /* capabilities : require MLE pagetable in ECX on launch */
    /* TODO: when SINIT ready
     * os_sinit_data->capabilities.ecx_pgtbl = 1;
     */
    os_sinit_data->capabilities.ecx_pgtbl = 0;
    if (is_loader_launch_efi(lctx)){
        /* we were launched EFI, set efi_rsdt_ptr */
        struct acpi_rsdp *rsdp = get_rsdp(lctx);
        if (rsdp != NULL){
            if (version < 6){
                /* rsdt */
                /* NOTE: Winston Wang says this doesn't work for v5 */
                os_sinit_data->efi_rsdt_ptr = (uint64_t) rsdp->rsdp1.rsdt;
            } else {
                /* rsdp */
                memcpy((void *)_rsdp, rsdp, sizeof(struct acpi_rsdp));
                os_sinit_data->efi_rsdt_ptr = (uint64_t)((uint32_t)_rsdp);
            }
        } else {
            /* per discussions--if we don't have an ACPI pointer, die */
            printk(TBOOT_ERR"Failed to find RSDP for EFI launch\n");
            return NULL;
        }
    }


It says that "this doesn't work for v5", and my SINIT is v5. So maybe it is
related? Do I need a newer SINIT?


---

Here are the policies I am using:


$ xxd mle.pol
: 0003 0b00        
0010:    0800   0800 0800  
0020:  0800  7505 ed2f c309 bd31 fc8e  ..u../...1..
0030: 544c ec55 1030 4e88 8457 2460 11e4 394f  TL.U.0N..W$`..9O
0040: b612 bc3a fbec   ...:..

$ xxd mle.data
: 496e 7465 6c28 5229 2054 5854 204c 4350  Intel(R) TXT LCP
0010: 5f50 4f4c 4943 595f 4441 5441    _POLICY_DATA
0020:  0001 0002 1000 3200  3200   2...2...
0030: 1000     0b00 0100 abc0  
0040: 5dd2 0aae d8bc ab2f 3dc1 7512 e9b5 f3b7  ]../=.u.
0050: 55da 3ab0 e62c 553d 45c8 4cd3 44f0   U.:..,U=E.L.D.


On Tue, May 23, 2017 at 9:59 PM, Marco Vanotti  wrote:

> Hi All!
>
> I am trying to get TXT working. I was able to get it to run with
> POLTYPE_ANY, however, as soon as I added a policy data file, I started
> getting *TXT error 0xC00020C1*, which for my SINIT ACM means "*Invalid
> RSDP*". (Note that this error doesn't happen if I don't add the policy
> data module in grub2.)
>
> Specific details about my setup:
>
> * Intel NUC NUC5i5MYHE
> * TPM 2.0
> * PO NV Index: 0x141, with attributes 0x4000A:
> - TPMA_NV_OWNERWRITE
> - TPMA_NV_POLICYWRITE
> - TPMA_NV_AUTHREAD
> * "5th_gen_i5_i7_SINIT_79.BIN" SINIT ACM, downloaded from intel website.
> It seems to be "version 5"
> * Latest BIOS Update (couple of weeks old).
>
>
> This issue seems to have been discussed in this list previously (
> https://sourceforge.net/p/tboot/mailman/message/35623784/ is one message
> of that mailing thread), but it seems that they couldn't find a solution.
>
> Any help debugging this problem would be really appreciated :)
>
> Best Regards,
> Marco
>
> --
> --
>
> (details about Grub2 and Policies that I am using)
>
> This is my grub2 config related to tboot:
>
> menuentry 'CentOS Linux GNU/Linux, with tboot 1.9.4 and Linux 3.10.0-514.16.1.el7.x86_64' --class centos --class gnu-linux --class gnu --class os --class tboot {
>     insmod multiboot2
>     insmod part_gpt
>     insmod xfs
>     set root='hd0,gpt2'
>     if [ x$feature_platform_search_hint = xy ]; then
>         search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 dd1f25a9-de82-4943-8ba9-f3a5035678a2
>     else
>         search --no-floppy --fs-uuid --set=root dd1f25a9-de82-4943-8ba9-f3a5035678a2
>     fi
>     echo 'Loading tboot 1.9.4 ...'
>     multiboot2 /tboot.gz logging=serial,memory extpol=sha256
>     echo 'Loading Linux 3.10.0-514.16.1.el7.x86_64 ...'
>     module2 /vmlinuz-3.10.0-514.16.1.el7.x86_64 root=/dev/mapper/cl_txtnuc-root ro crashkernel=auto rd.lvm.lv=cl_txtnuc/root rd.lvm.lv=cl_txtnuc/swap rhgb quiet intel_iommu=on noefi
>     echo 'Loading initial ramdisk ...'
>     module2 /initramfs-3.10.0-514.16.1.el7.x86_64.img
>     echo 'Loading sinit 5th_gen_i5_i7_SINIT_79.BIN ...'
>     module2 /5th_gen_i5_i7_SINIT_79.BIN
>     echo 'Loading tboot policy data file lcp.data ...'
>     module2 /lcp.data
> }
>
> I have tried creating a Policy with the lcp-gen2 files, as well as
> creating my 
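The txt.c excerpt quoted in this message hands the SINIT ACM either the RSDT pointer or a copy of the whole RSDP, and "Invalid RSDP" is the ACM rejecting what it was given. As an added example (not tboot code, and not from the thread), here is a stand-alone C validator for an ACPI RSDP: signature, the 20-byte v1 checksum, and for revision 2+ the length and extended checksum, run over a constructed sample. The addresses, the OEM id and the function names are made up for the example.

```c
#include <stdint.h>
#include <string.h>

/* ACPI RSDP as firmware lays it out in memory (ACPI spec, RSDP structure). */
struct __attribute__((packed)) acpi_rsdp {
    char     signature[8];   /* "RSD PTR " */
    uint8_t  checksum;       /* bytes 0..19 must sum to 0 mod 256 */
    char     oem_id[6];
    uint8_t  revision;       /* 0 = ACPI 1.0 layout, 2 = ACPI 2.0+ layout */
    uint32_t rsdt_address;
    uint32_t length;         /* revision 2+: whole structure, 36 bytes */
    uint64_t xsdt_address;
    uint8_t  ext_checksum;   /* revision 2+: all 36 bytes sum to 0 mod 256 */
    uint8_t  reserved[3];
};

static uint8_t sum_bytes(const void *p, size_t n) {
    uint8_t s = 0;
    for (const uint8_t *b = p; n--; b++) s += *b;
    return s;
}

/* Checks a launch environment should make before passing the RSDP on: returns 0
 * and the table pointer to hand over, or a negative code saying why it is rejected. */
int rsdp_validate(const struct acpi_rsdp *r, uint64_t *table) {
    if (memcmp(r->signature, "RSD PTR ", 8) != 0) return -1;
    if (sum_bytes(r, 20) != 0) return -2;             /* v1 checksum */
    if (r->revision < 2) { *table = r->rsdt_address; return 0; }
    if (r->length < sizeof(*r)) return -3;
    if (sum_bytes(r, sizeof(*r)) != 0) return -4;     /* extended checksum */
    *table = r->xsdt_address ? r->xsdt_address : r->rsdt_address;
    return 0;
}

/* Builds a constructed sample RSDP (made-up addresses) with both checksums fixed
 * up, optionally flips one OEM byte (corrupt != 0), and validates it; returns the
 * chosen table pointer or the negative rejection code. */
int64_t sample_result(uint8_t revision, int corrupt) {
    struct acpi_rsdp r;
    uint64_t table = 0;
    memset(&r, 0, sizeof r);
    memcpy(r.signature, "RSD PTR ", 8);
    memcpy(r.oem_id, "INTEL ", 6);
    r.revision = revision;
    r.rsdt_address = 0x7ff0e000u;
    r.length = sizeof r;
    r.xsdt_address = 0x7ff0e080ull;
    r.checksum = (uint8_t)(0 - sum_bytes(&r, 20));
    r.ext_checksum = (uint8_t)(0 - sum_bytes(&r, sizeof r));
    if (corrupt) r.oem_id[0] ^= 1;
    int rc = rsdp_validate(&r, &table);
    return rc < 0 ? rc : (int64_t)table;
}
```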

Re: [tboot-devel] Questions about Launch Control Policies

2017-05-25 Thread Marco Vanotti
Hi Ning,

Thank you for your answer.

1) I can't read the index, I believe it's because of the attributes (I
would need the owner_read flag). I'm doing:

# tpm2_nvread -x 0x141 -a 0x4001 -s 10
Failed to read NVRAM area at index 0x141 (20971521).Error:0x149

# tpm2_rc_decode 0x149
error layer
  hex: 0x0
  identifier: TSS2_TPM_ERROR_LEVEL
  description: Error produced by the TPM
format 0 error code
  hex: 0x49
  name: TPM_RC_NV_AUTHORIZATION
  description: NV access authorization fails in command actions (this
failure does not affect lockout.action)

This issue occurs in an Intel NUC NUC5i5MYHE, with "5th_gen_i5_i7_SINIT_79.BIN"
(downloaded from the Intel website). The BIOS is up to date.

I was able to test this on a different server and it doesn't give me the
error (same policy).

2) Ok. Thanks! I was trying to see whether I could see things changing with
a POLTYPE_ANY. I couldn't find anything on the Intel TXT Guide saying that
the capabilities won't be extended on TPM 2.0 (I might have missed it too
:)).

Thank you for your reply!

Best Regards,
Marco



On Thu, May 25, 2017 at 6:58 AM, Sun, Ning  wrote:

> For question1: PO NV Index attribute definition is correct, did you see
> this issue when reading from the index? What was the platform and SINIT ACM
> used in finding this issue?
>
>
>
> For question2: this is correct by design, OsSinitData_Capabilities bit in
> PolicyControl works only with TPM1.2 and legacy PCR mapping.
>
> For details/authorities PCR mapping, OsSinitData.Capabilities are always
> extended into PCR17 and have special event for it.
>
>
>
> -Ning
>
>
>
>
>
> *From:* Marco Vanotti [mailto:mvano...@google.com]
> *Sent:* Tuesday, May 23, 2017 10:15 PM
> *To:* Sun, Ning 
> *Cc:* tboot-devel@lists.sourceforge.net
>
> *Subject:* Re: [tboot-devel] Questions about Launch Control Policies
>
>
>
> Thanks for your answer, Ning.
>
>
>
> I have been using tpm2.0-tools and tpm2.0-TSS to work with the TPM. They
> have been very useful so far :).
>
>
>
> I have a couple more questions regarding the Intel TXT Guide:
>
>
>
> The Intel TXT Guide (Appendix J "TPM NV") says that the NVRAM PO Index
> should have the following attributes:
>
> - TPMA_NV_OWNERWRITE
>
> - TPMA_NV_POLICYWRITE
>
> - TPMA_NV_AUTHREAD
>
> - TPMA_NV_NO_DA
>
>
>
> That set of attributes translates to 0x204000A, but that results in a
> 0xc0081c41 TXT Error (ERR_TPM_NV_INDEX_INVALID_PO_ATTR). I removed the
> TPMA_NV_NO_DA flag and it ended up working. What would the correct solution
> for this issue be?
>
>
>
> The Policy Control field in the LCP has a field that specifies whether
> the OS INIT DATA Capabilities should be extended or not. I tried changing
> that field in my PO LCP, but that didn't make a difference: the capabilities
> are always extended, regardless of the value in the field. I can see that
> my Policy is being read by checking the TPM Event log (type 0x414 tells me
> that my index is being read, and type 0x40c shows that my policy control is
> being loaded). I was playing with this to see the effect of changing things
> in the policy.
>
>
>
> These are minor issues that are not blocking me, but I would like to get
> an answer to better understand how TXT works.
>
>
>
> Best Regards,
> Marco
>
>
>
> On Tue, May 23, 2017 at 5:12 PM, Sun, Ning  wrote:
>
> Hi Marco,
>
>
>
> Thanks for the write-up, you got most of the answers correct for your
> questions.
>
>
>
> Both lcptools and lcptools-v2 folders (in tboot source package) are for
> LCP V2 on TPM 1.2 platforms
>
>
>
> Folder lcp-gen2 is for LCP V3 creation on TPM 2.0 platform, so far tboot
> does not provide tpm 2.0 tools to write the LCP to TPM nv index, there are
> TPM 2.0 TSS and tools from Intel as well, see below.
>
>
>
> For tboot VLP, there is a default VLP in tboot source code, if there is no
> VLP found from TPM NV index, tboot will apply the default VLCP.
>
>
>
> For TPM 2.0 TSS and tools, here are the website for your reference:
>
>
>
> https://github.com/01org/TPM2.0-TSS
>
>
>
> https://github.com/01org/tpm2.0-tools
>
>
>
> -Ning
>
>
>
> *From:* Marco Vanotti [mailto:mvano...@google.com]
> *Sent:* Tuesday, May 23, 2017 1:32 PM
> *To:* tboot-devel@lists.sourceforge.net
> *Subject:* Re: [tboot-devel] Questions about Launch Control Policies
>
>
>
> Hi All!
>
>
>
> After reading a lot of documentation [*], I think I figured out the
> answers to some of the questions. I would like to confirm if what I think
> is correct.
>
>
>
> TBOOT sets up an environment and executes GETSEC[SENTER], which hands
> control over to the SINIT ACM. The SINIT ACM will measure the MLE and
> execute the policy engine, which validates the LCPs. The ACM will extend
> the MLE hash to PCR17 among other things. After that, the ACM will hand
> control back to TBOOT, which will execute the post_launch mechanism. There,
> it will look for VLCPs, first in a special NV Index (0x0121 or
>
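The attribute values discussed in the quoted exchange (0x204000A with TPMA_NV_NO_DA, 0x4000A without it) and the TPM_RC_NV_AUTHORIZATION read failure at the top of this message both come down to TPMA_NV bits. As an added example that is not part of the thread, this C snippet converts between TPMA_NV_* names and the attribute word using the bit positions from the TPM 2.0 Library specification, and checks whether an NV read authorised by the owner hierarchy is permitted for a given attribute word; the function names are my own.

```c
#include <stdint.h>
#include <string.h>

/* TPMA_NV bit positions from the TPM 2.0 Library, Part 2 (Structures), TPMA_NV. */
static const struct { uint32_t bit; const char *name; } tpma_nv_bits[] = {
    { 1u << 0,  "TPMA_NV_PPWRITE" },       { 1u << 1,  "TPMA_NV_OWNERWRITE" },
    { 1u << 2,  "TPMA_NV_AUTHWRITE" },     { 1u << 3,  "TPMA_NV_POLICYWRITE" },
    { 1u << 10, "TPMA_NV_POLICY_DELETE" }, { 1u << 11, "TPMA_NV_WRITELOCKED" },
    { 1u << 12, "TPMA_NV_WRITEALL" },      { 1u << 13, "TPMA_NV_WRITEDEFINE" },
    { 1u << 14, "TPMA_NV_WRITE_STCLEAR" }, { 1u << 15, "TPMA_NV_GLOBALLOCK" },
    { 1u << 16, "TPMA_NV_PPREAD" },        { 1u << 17, "TPMA_NV_OWNERREAD" },
    { 1u << 18, "TPMA_NV_AUTHREAD" },      { 1u << 19, "TPMA_NV_POLICYREAD" },
    { 1u << 25, "TPMA_NV_NO_DA" },         { 1u << 26, "TPMA_NV_ORDERLY" },
    { 1u << 27, "TPMA_NV_CLEAR_STCLEAR" }, { 1u << 28, "TPMA_NV_READLOCKED" },
    { 1u << 29, "TPMA_NV_WRITTEN" },       { 1u << 30, "TPMA_NV_PLATFORMCREATE" },
    { 1u << 31, "TPMA_NV_READ_STCLEAR" },
};
#define TPMA_NV_COUNT (sizeof tpma_nv_bits / sizeof tpma_nv_bits[0])

/* Attribute word for a '|'-separated list of TPMA_NV_* names (0 if a name is unknown). */
uint32_t tpma_nv_from_names(const char *list) {
    char copy[256];
    uint32_t attrs = 0;
    strncpy(copy, list, sizeof copy - 1);
    copy[sizeof copy - 1] = '\0';
    for (char *tok = strtok(copy, "|"); tok; tok = strtok(NULL, "|")) {
        size_t i = 0;
        while (i < TPMA_NV_COUNT && strcmp(tok, tpma_nv_bits[i].name) != 0) i++;
        if (i == TPMA_NV_COUNT) return 0;
        attrs |= tpma_nv_bits[i].bit;
    }
    return attrs;
}

/* Names of the bits set in attrs, written as "A|B|C" into buf; returns the count. */
int tpma_nv_to_names(uint32_t attrs, char *buf, size_t len) {
    int n = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < TPMA_NV_COUNT; i++) {
        if (!(attrs & tpma_nv_bits[i].bit)) continue;
        if (n++) strncat(buf, "|", len - strlen(buf) - 1);
        strncat(buf, tpma_nv_bits[i].name, len - strlen(buf) - 1);
    }
    return n;
}

/* TPM2_NV_Read authorised with the owner hierarchy requires OWNERREAD; an index
 * with only AUTHREAD must be read with its own auth value, otherwise the TPM
 * answers TPM_RC_NV_AUTHORIZATION, as in the tpm2_nvread output in this thread. */
int owner_read_allowed(uint32_t attrs) { return (attrs & (1u << 17)) != 0; }
```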