On Wed, Feb 5, 2020 at 12:58 PM Paul Moore (pmoore2) via tboot-devel
wrote:
> ... I do have some interest in pursuing this on my own time, but considering
> all of the other demands on my time I'm not certain how much I will be able
> to contribute.
On a somewhat related top
Hello all,
I wanted to provide a quick update on the TXT/sig project and point you
at its new location on GitHub:
* https://github.com/anuvu/tboot
... the TXT/sig changes can be found in the master branch. In addition
to the code changes, I've included a README.md with a lot of information
on
the tboot code to debug this further.
If you haven't found it already, a good starting point is the
tboot/common/policy.c:set_policy() function.
> De : Paul Moore (pmoore2)
> Envoyé : mardi 4 février 2020 15:44
> À : LE ROY Olivier - Contractor; tboot-devel@lists.sourceforge.net
> Ob
On Tue, 2020-02-04 at 13:50 +, LE ROY Olivier - Contractor wrote:
> These two policies fail with following tboot error:
> TBOOT: no SINIT provided by bootloader; using BIOS SINIT
> ...
> TBOOT: reading Verified Launch Policy from TPM NV...
> TBOOT: TPM: fail to get public data of 0x01C10131 in
On Sat, Dec 21, 2019 at 12:00 PM Paul Moore (pmoore2) via tboot-devel
wrote:
> On Fri, 2019-12-20 at 10:51 +0100, Lukasz Hawrylko wrote:
> > On Tue, 2019-12-17 at 20:12 +0000, Paul Moore (pmoore2) wrote:
> > > On Fri, 2019-12-06 at 11:37 +0100, Lukasz Hawrylko wrote:
> > >
if (handle2048 != 0)
> goto out;
You might be able to skip the patch by simply specifying an 'extpol'
parameter on the tboot command line, for example: "extpol=sha256".
The patch linked below also adds support for "extpol=acm" which checks
the
On Wed, 2020-01-15 at 15:25 +0100, Lukasz Hawrylko wrote:
> On Tue, 2020-01-14 at 11:47 -0500, Paul Moore wrote:
> > On Tue, Jan 14, 2020 at 10:31 AM Lukasz Hawrylko
> > <
> > lukasz.hawry...@linux.intel.com
> > > wrote:
> > > On Tue, 2020-01-14
On Tue, Jan 14, 2020 at 10:31 AM Lukasz Hawrylko
wrote:
> On Tue, 2020-01-14 at 00:18 +0000, Paul Moore (pmoore2) wrote:
> > On Mon, 2020-01-13 at 20:33 +0000, Paul Moore (pmoore2) via tboot-devel
> > wrote:
> > > On Thu, 2020-01-09 at 14:59 +, Hawrylko, Lukasz wrote:
On Mon, 2020-01-13 at 20:33 +, Paul Moore (pmoore2) via tboot-devel wrote:
On Thu, 2020-01-09 at 14:59 +, Hawrylko, Lukasz wrote:
On Fri, 2020-01-03 at 20:26 +, Paul Moore (pmoore2) via tboot-devel
wrote:
On Fri, 2020-01-03 at 20:07 +, Paul Moore (pmoore2) via tboot-devel
wrote
On Thu, 2020-01-09 at 14:59 +, Hawrylko, Lukasz wrote:
On Fri, 2020-01-03 at 20:26 +, Paul Moore (pmoore2) via tboot-devel
wrote:
On Fri, 2020-01-03 at 20:07 +, Paul Moore (pmoore2) via tboot-devel
wrote:
On Thu, 2020-01-02 at 22:27 +, Paul Moore (pmoore2) via tboot-
devel
On Mon, 2019-12-23 at 21:20 +, Paul Moore (pmoore2) via tboot-devel
wrote:
> It appears that lcptools-v2 doesn't understand the "pconf" type ...
I just added a new "pconf2" policy element type to lcptools-v2 so you
can generate a LCP_PCONF_ELEMENT2 without havin
On Fri, 2020-01-03 at 20:07 +, Paul Moore (pmoore2) via tboot-devel
wrote:
> On Thu, 2020-01-02 at 22:27 +0000, Paul Moore (pmoore2) via tboot-
> devel
> wrote:
> > I hope everyone had a nice holiday and is enjoying the new year thus
> > far.
> >
> > As you
On Thu, 2020-01-02 at 22:27 +, Paul Moore (pmoore2) via tboot-devel
wrote:
> I hope everyone had a nice holiday and is enjoying the new year thus
> far.
>
> As you've seen in the other thread, I'm playing around with different
> tboot/TXT policies and I have a que
I hope everyone had a nice holiday and is enjoying the new year thus
far.
As you've seen in the other thread, I'm playing around with different
tboot/TXT policies and I have a question regarding tboot/VLP policies
that can extend PCRs using something other than SHA1: at present
tb_polgen seems lim
On Wed, 2019-11-06 at 20:12 +, travis.gilb...@dell.com wrote:
> > -Original Message-
> > From: Paul Moore (pmoore2)
> > Sent: Tuesday, November 5, 2019 19:28
> > To: Gilbert, Travis
> > Cc: tboot-devel@lists.sourceforge.net
> > Subject: Re: Creati
On Fri, 2019-12-20 at 10:51 +0100, Lukasz Hawrylko wrote:
> On Tue, 2019-12-17 at 20:12 +0000, Paul Moore (pmoore2) wrote:
> > On Fri, 2019-12-06 at 11:37 +0100, Lukasz Hawrylko wrote:
> > > On Thu, 2019-12-05 at 17:20 +, Paul Moore (pmoore2) wrote:
> > > > A q
On Fri, 2019-12-06 at 11:37 +0100, Lukasz Hawrylko wrote:
> On Thu, 2019-12-05 at 17:20 +0000, Paul Moore (pmoore2) wrote:
> > A question for discussion: if the VLP is loaded from its own
> > nvindex,
> > and there is also a VLP present inside the LCP, which VLP do we
On Fri, 2019-12-06 at 21:28 +, Paul Moore (pmoore2) via tboot-devel
wrote:
> On Fri, 2019-12-06 at 11:37 +0100, Lukasz Hawrylko wrote:
> > On Wed, 2019-12-04 at 14:33 +0000, Paul Moore (pmoore2) wrote:
> > > Can you elaborate a bit more on what you mean by "the ro
On Mon, 2019-12-09 at 15:23 +0100, Lukasz Hawrylko wrote:
> On Fri, 2019-12-06 at 21:28 +0000, Paul Moore (pmoore2) wrote:
> > I know I've said this before, but please consider all of this code
> > still
> > a very rough prototype. Normally I wouldn't share code of
On Fri, 2019-12-06 at 11:37 +0100, Lukasz Hawrylko wrote:
> On Wed, 2019-12-04 at 14:33 +0000, Paul Moore (pmoore2) wrote:
> > Can you elaborate a bit more on what you mean by "the root of
> > certificate"? Alternatively, could you upload the kernel and
> > sign
On Wed, 2019-12-04 at 14:33 +, Paul Moore (pmoore2) via tboot-devel
wrote:
> On Mon, 2019-12-02 at 14:09 +0100, Lukasz Hawrylko wrote:
> > If VLP is present under its own index (for TPM 2.0 it is
> > 0x01C10131),
> > tboot will not read LCP at all, so certificate will
On Mon, 2019-12-02 at 14:09 +0100, Lukasz Hawrylko wrote:
> Hi Paul
>
> I went through all steps and I was able to create LCP with
> certificated,
> VLP with TB_HTYPE_PECOFF and finally got platform booted with PCR 20
> extended by certificate hash (to be honest I didn't check if it is
> correct).
On Fri, 2019-10-18 at 13:27 +, Paul Moore (pmoore2) via tboot-devel
wrote:
> On Thu, 2019-09-19 at 15:39 +0000, Paul Moore (pmoore2) via
> tboot-devel wrote:
> > Hello,
> >
> > I've been working on adding PECOFF/kernel signature verification to
> > tboot
GUI to CLI application,
> > > that's why I
> > > decided to go with lcp-gen2.
> >
> > We're very happy to work with Intel to get a solution that meets all
> > our needs. We want TXT to be a robust solution for everyone.
> >
On Wed, 2019-11-13 at 17:17 +, travis.gilb...@dell.com wrote:
> > -Original Message-
> > From: Paul Moore (pmoore2)
> > Sent: Wednesday, November 13, 2019 09:51
> > To: lukasz.hawry...@linux.intel.com; Gilbert, Travis
> > Cc: tboot-devel@lists.sourcefor
migration if that
> will
> be less than month I will wait for that to release new version.
>
> Lukasz
>
> On Fri, 2019-11-08 at 18:34 +, travis.gilb...@dell.com wrote:
> > > -Original Message-
> > > From: Paul Moore (pmoore2) <
> > > pmoo
On Fri, 2019-11-08 at 12:47 +0100, Lukasz Hawrylko wrote:
> For TPM2.0 LCP generation there is a Python tool lcp-gen2 that is
> included in tboot's source code. To be honest I didn't try to generate
> LCP with tboot's VLP inside but it should work. If not - this is a bug
> and needs to be fixed.
>
On Wed, 2019-11-06 at 20:12 +, travis.gilb...@dell.com wrote:
> > -Original Message-
> > From: Paul Moore (pmoore2)
> > Sent: Tuesday, November 5, 2019 19:28
> > To: Gilbert, Travis
> > Cc: tboot-devel@lists.sourceforge.net
> > Subject: Re: Creati
On Tue, 2019-11-05 at 23:02 +, travis.gilb...@dell.com wrote:
> > -Original Message-
> > From: Paul Moore (pmoore2) via tboot-devel > de...@lists.sourceforge.net>
> > Sent: Tuesday, November 5, 2019 16:50
> > To: lukasz.hawry...@linux.intel.com;
> >
Hi Lukasz, others,
I'm in the process of working on the TXT/sig extensions to the LCP but
I'm running into problems using the tboot tools to create a working LCP
as a baseline. Simply put, the instructions I've been able to find
either in the sources, the mailing list archives, or through Google
Hi Lukasz,
That's great news, I'll look forward to meeting with you next week! I'll
follow up with you off-list with some contact information.
--
paul moore
www.paul-moore.com
On October 24, 2019 9:19:52 AM Lukasz Hawrylko
wrote:
> Hi
>
> I will be on LSS EU, I w
On Thu, 2019-09-19 at 15:39 +, Paul Moore (pmoore2) via tboot-devel
wrote:
> Hello,
>
> I've been working on adding PECOFF/kernel signature verification to
> tboot and now that I have a rough working prototype I wanted to bring
> it to the list to see if this is something
of that file, so TBOOT will be able to verify if certificate is
> valid. Storing another hash in VLP is not a problem. What do you think
> about that? Hardcoding certificate in TBOOT should be avoided at all
> costs.
>
> Thanks,
> Lukasz
>
> On Fri, 2019-09-27 at 15:35 +, P
ture and extend PCRs with signature's public key hash, am I
> right?
> In this approach tboot is not able to verify if kernel is signed by
> proper authority, this needs to be done by local/remote attestation in
> further boot process.
>
> Thanks,
> Lukasz
>
> On
Hello,
I've been working on adding PECOFF/kernel signature verification to
tboot and now that I have a rough working prototype I wanted to bring
it to the list to see if this is something the tboot community would
be interested in eventually merging (once the work is more complete
and polished).