On Fr, 2016-04-29 at 12:27 +0200, Jan Schermer wrote:
> Hello,
> can someone confirm my understanding and clarify my questions, please?
>
> 1) Launch control policy
> - protects tboot integrity (MLE)
> - can limit boot to certain PCRs
> - can I have multiple generations of LCPs i
Hi Jan,
> So I want to use a signed policy, and use multiple policy data files for
> lifecycle management (e.g. when I need to upgrade to MLE but want to be able
> to "rollback" to a previous version if needed).
> Using a signed policy means I don't have to touch the NVRAM (which might
> break
t?
Did you maybe use PCR 18 in your VLP? Check the --pcr option of your
tb_polgen command line.
Otherwise I don't know. You could check your tboot log for the detailed
PCR logs, and try to find out the difference.
Martin
>
> Jan
>
>
> > On 09 May 2016, at 11:01, martin
On Mo, 2016-05-09 at 11:56 +0200, Jan Schermer wrote:
> I don't know what actual use a policy of type "nonfatal" is outside of testing
Neither do I. It's kind of unfortunate that most docs are using this
policy.
Martin
> I sort_of_assumed that PCR-18 would only be present if the policy
> verification passed, and would be different different (or all 0s) when the
> verification failed.
> This is a bit dangerous if anyone uses it.
You need to use "halt" policy.
> I think something simple like hashing "1" into it
