[tboot-devel] booting tboot directly as EFI STUB?

Hello, is it possible to add support for loading tboot directly instead of using GRUB, in the same way Linux kernel supports it? https://www.kernel.org/doc/Documentation/efi-stub.txt This would greatly simplify the setup of tboot and remove one unnecessary component (grub) which presents a quite

Re: [tboot-devel] booting tboot directly as EFI STUB?

h UEFI and > legacy platforms. > Meanwhile, we are working on a PoC of UEFI 64 bit tboot, which will support > multiple usages including what you mentioned in your email. > As this work is non-trivial, any suggestions/proposals are welcome! > > Thanks, > -Ning >

Re: [tboot-devel] booting tboot directly as EFI STUB?

ng there's any security in it, but it's cheap compliance proof for those that need that kind of thing. Jan > On 19 Apr 2016, at 00:58, Dr. Greg Wettstein wrote: > > On Apr 18, 8:55pm, Jan Schermer wrote: > } Subject: Re: [tboot-devel] booting tboot

[tboot-devel] Questions about LCP x VLP

Hello, can someone confirm my understanding and clarify my questions, please? 1) Launch control policy - protects tboot integrity (MLE) - can limit boot to certain PCRs - can I have multiple generations of LCPs if I need to upgrade tboot or change a PCR? >From my understa

Re: [tboot-devel] Questions about LCP x VLP

Thank you very much for answers! I re-read the development guide, but it's hard to swallow for the uninitiated... See replies below > On 03 May 2016, at 11:34, martin.wi...@ts.fujitsu.com wrote: > > On Fr, 2016-04-29 at 12:27 +0200, Jan Schermer wrote: >> Hello, >&

Re: [tboot-devel] Questions about LCP x VLP

I am testing this now and I've hit something odd I created the VL policy with type "nonfatal" first. With pcr_map=da, PCR-18 was the same with different kernels/modules, as expected. (btw it would be nice if a policy violation was visible in some PCR, even with "nonfatal") Then I changed the VL

Re: [tboot-devel] Questions about LCP x VLP

> On 09 May 2016, at 11:39, martin.wi...@ts.fujitsu.com wrote: > > >> I created the VL policy with type "nonfatal" first. With pcr_map=da, PCR-18 >> was the same with different kernels/modules, as expected. >> (btw it would be nice if a policy violation was visible in some PCR, even >> with "n

Re: [tboot-devel] Questions about LCP x VLP

ld make it useful (that should be simple to compute if anyone is using it on purpose). Jan > On 09 May 2016, at 11:59, martin.wi...@ts.fujitsu.com wrote: > > On Mo, 2016-05-09 at 11:56 +0200, Jan Schermer wrote: > >> I don't know what actual use a policy of type &qu

[tboot-devel] Slight OT: Sealing to PCR >15 possible?

I've hit another snag # tpm_nvdefine -i 1 -s 6 p -r 18 -w 18 --permissions="AUTHWRITE" -z Cannot seal NVRAM area to PCR > 15 Why? :( How to get around it? Do I have to use tpm_sealdata (for example) which does not have this limitation (but requires a blob and a SRK)? I'd like to avoid that if a

Re: [tboot-devel] Questions about LCP x VLP

> On 09 May 2016, at 12:50, martin.wi...@ts.fujitsu.com wrote: > >> I sort_of_assumed that PCR-18 would only be present if the policy >> verification passed, and would be different different (or all 0s) when the >> verification failed. >> This is a bit dangerous if anyone uses it. > > You need

[tboot-devel] OT: Most generic way to provision TXT on bare metal?

Hi, are there any tools available for provisioning/enabling Intel TXT on bare metal servers? I'd like to avoid vendor-specific tools as much as possible. What I'm looking for is either some toolkit able to enable TPM and TXT in BIOS of several vendors remotely (using BMC/IPMI), or some way to do

[tboot-devel] Calculating PCR 18 (Authorities)

Hi, I'd like to calculate PCR 18 before first reboot. I am using tboot with "pcr_map=da", signed policy and TB_POLCTL_EXTEND_PCR17 disabled docs say: PCR 18 (Authorities): It will be extended with the following values (in this order): - The values as documented in the MLE Developers Ma

[tboot-devel] Help interpreting this launch failure?

Hello, I am seeing this launch failure on a Lenovo T510 laptop (attached is the output of txt-stat with nonfatal policy). Can someone take a look and let me know what the problem could be? This looks suspect: TBOOT: verifying module 1 of mbi (b54000 - 6e691ff) in e820 table (range from

[tboot-devel] tboot corrupting cmdline when started form PXE?

Hi, I've seen this happen with both iPXE and GRUB now. For example if I load tboot+linux like this in GRUB: multiboot boot/tboot.gz logging=vga,serial,memory module boot/Ubuntu-TXT-16.04-x86_64-linux interface=auto url=http://something.somewhere ramdisk_size=10800 root=/dev/rd/0

Re: [tboot-devel] tboot corrupting cmdline when started form PXE?

ing) and tboot now works for me over PXE, e.g. cmdline is not corrupted anymore. I've only tested this on one machine. Is this patch correct? Or shoulld the target memory be NULL-ed beforehand? (I suspect this might cause problems with modules that have no parameters?) Jan > On 06 J

[tboot-devel] TPM provisioning (SuperMicro)

Hi, SuperMicro sells TPMs either unprovisioned, provisioned as "client txt" (workstation/desktop processors) or provisioned "server txt". I'm having a hard time getting the server provisioned type, so I'll probably have to provision them myself when they arrive. There are instructions (https://w

Re: [tboot-devel] Loading multiboot(2) images

I just wonder how it relates to this patch? https://sourceforge.net/p/tboot/mailman/message/28249969/ For what it's worth, I tested this patch on my system, boots fine using PXE GRUB2 multiboot. Jan > On 13 Jun 2016, at 16:52, Ahmed, Safayet (GE Global Research, US) > wrote: > > We have be

Re: [tboot-devel] Loading multiboot(2) images

ver, just moving > modules above the memory occupied by TBoot is not always enough for a > successful launch (especially when your kernel is large or you have a whole > bunch of modules). > > Safayet > > -Original Message- > From: Jan Schermer [mailto:j...@

[tboot-devel] Uniqueness of PCR-18 with pcr_map=da?

Hi, can someone please tell me from experience whether PCR-18 can be treated as non-changing between different servers or platforms when pcr_map=da is used and I use the same signing key? Can I safely assume that PCR-18 will be the same on different servers or different brands of servers even?

Re: [tboot-devel] Loading multiboot(2) images

The problem is you didn't attach it but pasted it inline (or so it appears). When I copy&pasted it, it lacked space indentations on some lines and patch complained. I had to copy&paste it in Textedit I think... Jan > On 16 Jun 2016, at 15:53, Ahmed, Safayet (GE Global Research, US) > wrote: >

Re: [tboot-devel] Crash/system reset with linux 4.4

Just FYI - I'm using tboot with 4.4 kernels (Ubuntu 16.04) and I haven't had this issue Jan > On 03 Aug 2016, at 05:35, Sun, Ning wrote: > > There is an explanation in README of tboot source code about 'min_ram' > parameter: https://sourceforge.net/p/tboot/code/ci/default/tree/. > To identify

Re: [tboot-devel] Crash/system reset with linux 4.4

> Which version of tboot are you using? > > > Chris > > > On 08/03/2016 11:28 AM, Jan Schermer wrote: >> Just FYI - I'm using tboot with 4.4 kernels (Ubuntu 16.04) and I haven't had >> this issue >> >> Jan >> >>> On 03

Re: [tboot-devel] PCR values?

Do you have the correct TPM driver loaded in kernel? Does /sys/class/misc/tpm0 exist? AFAIK you can TXT-launch a kernel that has no driver (as it is likely loaded in initramfs or later anyway), txt-stat will probably also work even without a working in the kernel... Jan > On 01 Sep 2016, at 1

Re: [tboot-devel] user-provided AC modules

I'd also like to know this - including all the ACMs in a distribution seems... hackish. This is most likely vendor-specific. Older machines that I tried didn't include it (old Thinkpads for example), the newest one that didn't include it that I've seen was of ~2014 vintage (pre-EFI methinks]. S

Re: [tboot-devel] garbage characters on the command line

We already solved this (unless it's come back). It was fixed by this commit: https://sourceforge.net/p/tboot/code/ci/356ad4b1d363c70d7b25907f812bd411a28eecd3/ However, this was after 1.9.4 was tagged and distrib

[tboot-devel] SINIT ACM not present on a Workstation-class computer?

Hi, I just got HP Z240 workstation (i7-6700 cpu) and it seems to lack SINIT ACM embedded in the BIOS I see this in one of the BIOS changelogs: • Updates Intel TXT BIOS ACM to v1.3. ^ shouldn't this mean it is there? tboot says: TBOOT: checking if module is an SINIT for this platform... TBOOT:

Re: [tboot-devel] SINIT ACM not present on a Workstation-class computer?

/register needs to be initialised isn't. Wouldn't be the first. > > On 18 November 2016 at 12:27, Jan Schermer <mailto:j...@schermer.cz>> wrote: > Hi, > I just got HP Z240 workstation (i7-6700 cpu) and it seems to lack SINIT ACM > embedded in the BIOS

Re: [tboot-devel] SINIT ACM not present on a Workstation-class computer?

reason why SINIT ACM is not embedded in BIOS for > their workstation SKU Z240 > > Regards, > -ning > > <>From: Jan Schermer [mailto:j...@schermer.cz <mailto:j...@schermer.cz>] > Sent: Friday, November 18, 2016 9:52 AM > To: Justin King-Lacroix <mailto:justin.

Re: [tboot-devel] TXT SINIT ACM failure on power-cycling node

My HP z240 workstation occassionaly refuses to boot at all if I yank out the power cable while in TXT mode. Solution: leave power disconnected for >5 minutes, then reset BIOS (yes, really). I had similiar issues with Lenovo system. I don’t think OEMs test anything... Jan > On 26 Feb 2018, at