Re: [tboot-devel] txt-acminfo report incorrect data if msr module is not loaded

2020-05-18 Thread Lukasz Hawrylko
On Sat, 2020-05-16 at 16:03 +0300, Timo Lindfors wrote:
> Hi,
> 
> while testing latest tboot with latest Debian unstable I noticed that 
> txt-acminfo reports "ACM does not match platform" for all ACM modules. It 
> seems that this happens since /dev/cpu/0/msr does not exist by default in 
> Debian. There is an error "Error: failed to open /dev/cpu/0/msr" but since 
> txt-acminfo reports so much information this can easily be missed by a 
> user. After I run "modprobe msr" txt-acminfo behaves normally again.
> 
> Could we make missing /dev/cpu/0/msr a fatal error that should suggest that 
> the user run "modprobe msr"? In any case txt-acminfo should not report 
> "ACM does not match platform" for a valid ACM file. It should report 
> "Could not determine if ACM matches platform (maybe you need to modprobe 
> msr)?" or something.
> 
> -Timo
> 
> 

Hi Timo

That sounds reasonable. Could you please send a patch with that change?

Thanks,
Lukasz



___
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
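
The failure mode discussed in the message above, as an added example that is not part of the thread and is not tboot code: a platform check that returns a third "unknown" result when the MSR device cannot be read, instead of folding that case into "does not match". The function names, the enum, the mask/expected pair and the use of IA32_PLATFORM_ID (0x17) as the register being read are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for pread() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define MSR_IA32_PLATFORM_ID 0x17  /* stand-in for whatever the check reads */
/* Hypothetical names throughout; this is not tboot's own code. */
enum acm_check { ACM_MATCH, ACM_MISMATCH, ACM_UNKNOWN };

/* Linux msr driver: the file offset selects the register, reads are 8 bytes.
 * Returns 0 on success or a negative errno value. */
static int read_msr(const char *dev, uint32_t msr, uint64_t *val)
{
    int fd = open(dev, O_RDONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = pread(fd, val, sizeof(*val), (off_t)msr);
    int err = (n == (ssize_t)sizeof(*val)) ? 0 : (n < 0 ? -errno : -EIO);
    close(fd);
    return err;
}

/* mask/expected model an ID entry taken from the ACM (constructed values). */
enum acm_check check_platform(const char *dev, uint64_t mask, uint64_t expected)
{
    uint64_t id = 0;
    int err = read_msr(dev, MSR_IA32_PLATFORM_ID, &id);
    if (err) {
        /* A failed read says nothing about the ACM: report "unknown". */
        fprintf(stderr, "Error: cannot read %s (%s); maybe you need to "
                "modprobe msr\n", dev, strerror(-err));
        return ACM_UNKNOWN;
    }
    return ((id & mask) == expected) ? ACM_MATCH : ACM_MISMATCH;
}

int main(void)
{
    static const char *const text[] = {
        "ACM matches platform", "ACM does not match platform",
        "Could not determine if ACM matches platform" };
    enum acm_check r = check_platform("/dev/cpu/0/msr", 0xff, 0x00);
    puts(text[r]);
    return r == ACM_UNKNOWN ? 2 : 0;
}
```

The non-zero exit status for the unknown case lets a script notice the problem even when the error line is buried in other output.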


Re: [tboot-devel] rename parse_err?

2020-05-18 Thread Lukasz Hawrylko
On Fri, 2020-05-15 at 18:13 +0300, Timo Lindfors wrote:
> Hi,
> 
> On Fri, 15 May 2020, Lukasz Hawrylko wrote:
> > Done.
> 
> Thanks, I'll do some testing and ask for further feedback. Would it be 
> possible to release a new version after some time with all these
> changes so that they would be part of the eventual Debian upload?

1.9.12 was released recently, so right now I don't have plans for a new
release timeline. There are a few more changes that I am working on right
now and I want to include them in the next release.

> 
> Btw, can you recommend some tool for defining an NVRAM region that would 
> allow me to specify the DRTM PCR values that need to match before it can 
> be accessed? tpm_nvdefine -f works only with PCRs <= 15. I sent a patch
> last summer to fix this but the project does not seem to be very active
> and the patch appears to have been forgotten:
> 
> https://www.mail-archive.com/trousers-tech@lists.sourceforge.net/msg00684.html
> 
> 
> As far as I understand, the defindex tool in tboot does not let me specify 
> PCR values either. I need this for forward-sealing of data across 
> updates.
> 

As you are using trousers, I guess that you have TPM 1.2, am I right? It
is EOL now, that's why nobody cares about the trousers project. Is it
possible on your platform to use TPM 2.0? I highly recommend upgrading,
then you can use tpm2-tools.

Thanks,
Lukasz


