XT/tboot policy suitable for a modern
> > system with TXT+TPM2
> >
> > On Fri, 2019-11-08 at 12:47 +0100, Lukasz Hawrylko wrote:
> > > For TPM2.0 LCP generation there is a Python tool lcp-gen2 that is
> > > included in tboot's source code. To be honest I
of developing new tool that nobody is going to use, continue
support for lcptools-v2.
On Wed, 2019-11-13 at 17:15 +, travis.gilb...@dell.com wrote:
> > -Original Message-
> > From: Lukasz Hawrylko <
> > lukasz.hawry...@linux.intel.com
> > >
> > Sent
For TPM2.0 LCP generation there is a Python tool lcp-gen2 that is
included in tboot's source code. To be honest I didn't try to generate
LCP with tboot's VLP inside but it should work. If not - this is a bug
and need to be fixed.
lcptools-v2 will is not maintained, any new features like new
On Fri, 2019-12-06 at 21:28 +, Paul Moore (pmoore2) wrote:
> I know I've said this before, but please consider all of this code still
> a very rough prototype. Normally I wouldn't share code of this quality,
> but since there are a large number of uncertainties surrounding this
> work (e.g.
On Wed, 2019-12-04 at 14:33 +, Paul Moore (pmoore2) wrote:
>
> Can you elaborate a bit more on what you mean by "the root of
> certificate"? Alternatively, could you upload the kernel and signing
> certificate somewhere I could grab so I can play with it?
>
Maybe I used wrong words, I am
Hi
I will be on LSS EU, I will catch you after your presentation for a
short (or not short) conversation.
Thanks,
Lukasz
On Fri, 2019-10-18 at 13:27 +, Paul Moore (pmoore2) via tboot-devel
wrote:
> On Thu, 2019-09-19 at 15:39 +, Paul Moore (pmoore2) via tboot-devel
> wrote:
> > Hello,
>
validated the kernel/etc. using PCR A. However, I am open to other
> ideas if you have suggestions - this effort is still in the early
> stages. This is one of the reasons I wanted to bring this effort to
> the
> list as soon as the basic idea (PECOFF signature verification in
> tboo
On Tue, 2019-12-17 at 20:06 +, Paul Moore (pmoore2) wrote:
> On Fri, 2019-12-06 at 21:28 +, Paul Moore (pmoore2) via tboot-devel
> wrote:
> > On Fri, 2019-12-06 at 11:37 +0100, Lukasz Hawrylko wrote:
> > > On Wed, 2019-12-04 at 14:33 +, Paul Moore (pmoore2) w
On Thu, 2020-01-23 at 14:41 -0300, Martin Galvan wrote:
> Hi all,
>
> I just ran txt-stat on a system which has an IceLake CPU and a 495
> Series PCH, and am seeing the following output:
>
> Intel(r) TXT Configuration Registers:
> STS: 0x0003
> senter_done: TRUE
>
On Fri, 2020-01-24 at 12:34 -0300, Martin Galvan wrote:
> The TXT.STS values make more sense now, though the PCH DID is still
> incorrect. Is there a way to check whether TXT is enabled other than
> looking at SINIT.BASE and HEAP.BASE?
Please look at txt_verify_platform() function in verify.c
On Fri, 2020-01-24 at 10:40 -0800, Christopher Clark wrote:
> Allow compilation with -Werror, which is enabled by default in OpenEmbedded.
>
> -Wunused-parameter fixes are macro related.
>
> -Wswitch-default fixes fall-throughs in format parsing that
> would be caught during compilation by
On Fri, 2020-01-24 at 10:40 -0800, Christopher Clark wrote:
> To simplify integration of tboot into build systems such as
> OpenEmbeddded, use softer assignments and appends to define
> the build tool and flag variables.
>
> Signed-off-by: Christopher Clark <
> christopher.w.cl...@gmail.com
> >
>
Hi Olivier
On Tue, 2020-02-04 at 13:50 +, LE ROY Olivier - Contractor wrote:
> Hi,
>
> I am trying to get a simple LCP_ANY launch control policy to work on a
> Supermicro X11SPM-TF server with AOM-TPM-9670V TPM 2.0 module, without
> success. I get the "read error" from SINIT ACM each time.
On Wed, 2020-02-05 at 14:41 +, LE ROY Olivier - Contractor wrote:
> Hi Lukasz,
>
> > What exactly did you add to that policy in lcp-gen2 tool? LCP is a
> policy dedicated for SINIT, not for TBOOT.
> > The another approach is to create separate index for VLP (0x01C10131)
> and put VLP there.
On Mon, 2020-02-10 at 12:07 -0500, Paul Moore wrote:
> On Wed, Feb 5, 2020 at 12:58 PM Paul Moore (pmoore2) via tboot-devel
> <
> tboot-devel@lists.sourceforge.net
> > wrote:
> > ... I do have some interest in pursuing this on my own time, but
> > considering all of the other demands on my time
On Tue, 2020-01-14 at 11:47 -0500, Paul Moore wrote:
> On Tue, Jan 14, 2020 at 10:31 AM Lukasz Hawrylko
> <
> lukasz.hawry...@linux.intel.com
> > wrote:
> > On Tue, 2020-01-14 at 00:18 +, Paul Moore (pmoore2) wrote:
> > > On Mon, 2020-01-13 at 20:33 +, Pau
On Tue, 2020-01-14 at 00:18 +, Paul Moore (pmoore2) wrote:
> On Mon, 2020-01-13 at 20:33 +, Paul Moore (pmoore2) via tboot-devel wrote:
> > On Thu, 2020-01-09 at 14:59 +, Hawrylko, Lukasz wrote:
> > > On Fri, 2020-01-03 at 20:26 +, Paul Moore (pmoore2) via tboot-devel
> > > wrote:
On Wed, 2020-01-15 at 18:36 -0800, Christopher Clark wrote:
> Hello
>
> I am trying to boot with tboot and TPM 2.0 on a Dell PowerEdge R730
> and encountering reboot at SENTER every time with the following:
>
> TBOOT: TXT.ERRORCODE: 0xc0033451
> TBOOT: AC module error : acm_type=0x1,
On Fri, 2020-01-03 at 20:26 +, Paul Moore (pmoore2) wrote:
> On Fri, 2020-01-03 at 20:07 +, Paul Moore (pmoore2) via tboot-devel
> wrote:
> > On Thu, 2020-01-02 at 22:27 +, Paul Moore (pmoore2) via tboot-
> > devel
> > wrote:
> > > I hope everyone had a nice holiday and is enjoying the
On Wed, 2020-04-08 at 17:12 +0300, Timo Lindfors wrote:
> On Tue, 7 Apr 2020, Lukasz Hawrylko wrote:
> > Unfortunately, this bug is not reported anywhere. In real life scenarios
> > I don't see any benefits of loading multiple SINITs. In most cases you
> > have one SI
On Thu, 2020-04-02 at 17:25 +0300, Timo Lindfors wrote:
> Hi,
>
> On Thu, 2 Apr 2020, Lukasz Hawrylko wrote:
> > There is a bug in TBOOT that may results in overlapping loaded SINITs by
> > TBOOT's logs. That problem occurs when you load multiple SINITs in GRUB
> > and
On Wed, 2020-04-08 at 18:34 +0300, Timo Lindfors wrote:
> On Wed, 8 Apr 2020, Lukasz Hawrylko wrote:
> > TBOOT has an algorithm that checks if SINIT matches platform. I can't
> > tell you right now what is wrong here, I need some logs. Please run it
> > once again, than
On Tue, 2020-03-31 at 23:27 +0300, Timo Lindfors wrote:
> Hi,
>
> if I have the following ACM modules in /boot
>
> 018c4c0bc64cad7c939061e111937849f61af395c9981a03ac4a10083058aa5d
> 4th_gen_i5_i7_SINIT_75.BIN
> 0848adfea4c9479b1cd096aeda1d4a3afe309dd45ca43a1e8d8b3cf972c9c14f
>
On Sat, 2020-05-09 at 00:55 +0300, Timo Lindfors wrote:
> Hi,
>
> I get the following build failure on debian unstable with GCC 9.3.0:
>
> tar xf tboot-1.9.12.tar.gz
> cd tboot-1.9.12/
> env CFLAGS="-g" make
> ...
> cc -z noexecstack -z relo -z now -c -o obj/mem_primitives_lib.o
>
On Sat, 2020-05-09 at 18:22 +0300, Timo Lindfors wrote:
> Hi,
>
> at the moment it seems that the links on
>
> https://software.intel.com/content/www/us/en/develop/articles/intel-trusted-execution-technology.html
>
> under the table "SINIT AC Modules" are all broken and redirect to just
>
>
On Sun, 2020-05-10 at 15:12 +0300, Timo Lindfors wrote:
> Hi,
>
> I'm planning to package tboot for Debian. As part of the process I went
> through all the copyright and license notices in tboot-1.9.12.tar.gz.gpg.
>
> Everything looks pretty smooth but I do have two concerns:
>
> 1)
On Sat, 2020-05-09 at 21:02 +0300, Timo Lindfors wrote:
> Hi,
>
> I made some spelling fixes. My mercurial skills are quite rusty but I
> think you should be able to access them by pulling the
> fix/spelling-fixes-1 branch from https://lindi.iki.fi/lindi/hg/tboot
>
> Should I prefer sending
On Fri, 2020-05-08 at 13:28 +0300, Timo Lindfors wrote:
> Hi,
>
> where could I get the GPG used for signing releases?
>
> $ gpg tboot-1.9.12.tar.gz.gpg
> gpg: WARNING: no command supplied. Trying to guess what you mean ...
> gpg: Signature made Wed 29 Apr 2020 04:29:59 PM EEST
> gpg:
On Sat, 2020-05-16 at 16:03 +0300, Timo Lindfors wrote:
> Hi,
>
> while testing latest tboot with latest debian unstable I noticed that
> txt-acminfo reports "ACM does not match platform" for all ACM modules. It
> seems that this happens since /dev/cpu/0/msr does not exist by default in
>
On Fri, 2020-05-15 at 18:13 +0300, Timo Lindfors wrote:
> Hi,
>
> On Fri, 15 May 2020, Lukasz Hawrylko wrote:
> > Done.
>
> Thanks, I'll do some testing and ask for further feedback. Would it be
> possible to release a new version after some time with all these
>
On Thu, 2020-05-14 at 16:42 +0300, Timo Lindfors wrote:
> Hi,
>
> On Thu, 14 May 2020, Lukasz Hawrylko wrote:
> > Agree, this should be changed. I have also renamed acminfo to txt-
> > acminfo, now all these tools has 'txt-' prefix.
>
> Great. I guess you also upd
On Tue, 2020-05-12 at 12:26 +0300, Timo Lindfors wrote:
> Hi
>
> On Tue, 12 May 2020, Lukasz Hawrylko wrote:
> > The base TBOOT licence is BSD-3-clause, however some files that comes
> > from other projects have different licenses (but all of them are
> > compatible wit
On Sun, 2020-05-10 at 16:08 +0300, Timo Lindfors wrote:
> Hi,
>
> currently tboot installs man pages for the following commands that are not
> installed:
>
> lcp_crtpconf lcp_crtpol lcp_crtpol2 lcp_crtpolelt lcp_crtpollist
> lcp_mlehash
>
> These tools were removed in
>
> commit
On Sun, 2020-05-10 at 23:43 +0300, Timo Lindfors wrote:
> Hi,
>
> many commands installed by tboot don't seem to have man pages. I did some
> detective work based on --help output and source code and wrote the
> missing pages. Can you please take a look that they are accurate?
>
> You can find
Hi Olivier
On Fri, 2020-09-04 at 09:28 +, LE ROY Olivier - Contractor wrote:
> I tried to implement a LCP @ 0x0141 and a VLP @ 0x0121. These 2
> policies were known to work on same OS but different platform (Supermicro).
> For LCP, I have the following error:
>
> reading Launch
gt;
> TBOOT: :70 bytes read
>
> TBOOT: in unwrap_lcp_policy
>
> TBOOT: no LCP module found
>
> TBOOT: :reading failed
>
> TBOOT: failed to read policy from TPM NV, using default
>
> TBOOT: policy:
>
>
>
>
>
>
>
>
>
>
&g
Hi Timo
On Sat, 2020-08-15 at 11:42 +0300, Timo Lindfors wrote:
> Hi,
>
> changeset: 603:e73d11a8a2d6
> user:Mateusz Mowka
> date:Wed Jul 01 09:08:25 2020 +0200
> summary: Update lcptools-v2 to meet requirements from MLE DG rev16.
>
> seems to re-introduce spelling errors
disk. By changing the
> DHCP configuration I can alternate between PXE booting an initrd that
> writes an image to disk and booting from local disk.
>
>
> Anyways, with the help of this I was able to run git bisect. It tells me
> that the first bad commit is
>
> chan
On Sat, 2020-05-23 at 21:00 +0300, Timo Juhani Lindfors wrote:
> # HG changeset patch
> # User Timo Juhani Lindfors
> # Date 1590255168 -10800
> # Sat May 23 20:32:48 2020 +0300
> # Branch fix/acminfo-without-msr
> # Node ID d4591fde44c08fb5a0f1d1531b6df02c7223c67e
> # Parent
On Sat, 2020-05-23 at 21:01 +0300, Timo Juhani Lindfors wrote:
> # HG changeset patch
> # User Timo Juhani Lindfors
> # Date 1590255451 -10800
> # Sat May 23 20:37:31 2020 +0300
> # Branch fix/manpage-syntax1
> # Node ID 21e7be142605955977ea1e36b781f313058da8c9
> # Parent
Hi Timo
On Sun, 2020-05-24 at 19:15 +0300, Timo Lindfors wrote:
> Hi,
>
> On Sat, 23 May 2020, Timo Lindfors wrote:
> > boot on Lenovo T430s when I boot the latest code from mercurial. 1.9.12
> > seems
> > to boot ok. Commenting out "export CFLAGS" seems to help. How should
> > I debug this?
>
On Fri, 2020-05-29 at 12:36 +0300, Timo Lindfors wrote:
> On Thu, 28 May 2020, Timo Lindfors wrote:
> > > If you don't see this dump in failing scenario please add
> > > "set debug=mmap" to grub.cfg, now GRUB should print that.
> >
> > I added this after the serial console setup but this does not
On Mon, 2020-06-01 at 01:27 +0300, Timo Lindfors wrote:
> On Mon, 1 Jun 2020, Timo Lindfors wrote:
> > printk(TBOOT_INFO"start=%p tag_type=%d start->type=%d start->size=%d\n",
> > start,
> > tag_type,
> > start->type,
> > start->size);
>
> On warm boot this prints just
>
On Wed, 2020-06-17 at 08:54 -0400, Tony Camuso wrote:
> Sorry for the noise, if this has already been reported or corrected.
>
> tboot is built with the -Wextra Cflag, which is an alias for a
> collection of warning flags. tboot's make interprets warnings as errors.
>
> From GCC 7 forward, the
On Sat, 2020-06-06 at 23:02 +0300, Timo Lindfors wrote:
> Hi,
>
> when I boot current mercurial tip with TPM 1.2 I get the following output:
>
> TBOOT: verifying policy
> TBOOT: verifying module "root=UUID=bc701bae-ee9c-4151-a85b-0f5a68212975 ro
> quiet net.ifnames=0 intel_iommu=on"...
>
On Sat, 2021-01-02 at 19:31 +0200, Timo Lindfors wrote:
> Hi,
>
> changeset: 620:805285ab8469
> user: Lukasz Hawrylko
> date:Fri Nov 13 16:09:33 2020 +0100
> summary: Move old lcptool to deprecated folder and exclude from build
>
> seems to add so
Hi Tony
On Tue, 2020-10-20 at 12:48 -0400, tony camuso wrote:
> I'm applying the following patches from the hg repo.
>
> 0001-Fix-CFLAGS-passing-to-recursive-makefiles.patch
> 0002-Install-man-pages-only-for-tools-that-are-installed.patch
> 0003-Add-man-pages-for-all-installed-commands.patch
>
Hi Jason
On Sat, 2021-01-16 at 09:02 -0500, Jason Andryuk wrote:
> On Mon, Jan 4, 2021 at 2:57 PM Jason Andryuk <
> jandr...@gmail.com
> > wrote:
> > Hi,
> >
> > Are SINIT ACMs available for 10th Gen processors, specifically 10th Gen
> > 10810U?
> >
> > The intel page
> >
Hi Tony
On Thu, 2021-06-24 at 10:32 -0400, Tony Camuso wrote:
> While SSL3 will provide backward compliance for deprecated
> functions for a while, there are a number of them in tboot
> that must be updated before backwards compliance is dropped
> in SSL3.
>
> Is there an ETA for SSL3
On Thu, 2021-03-25 at 00:16 +, Oliver, Dario N wrote:
> Hi Lukasz,
>
> I am having some problems to get that custom grub running with Secure Boot.
> I am using an Hyper-V VM with Fedora 33 to test this, after having to
> reinstall the OS twice in my NUC.
> I guess the end result will be the
I would like to announce that TrenchBoot Developers Forum will take
place on March 24th at 16:00 GMT
For more details and agenda please refer to
https://trenchboot.org/tdf-schedule.html
Lukasz
___
tboot-devel mailing list
On Fri, 2021-03-19 at 17:51 +, Oliver, Dario N wrote:
> I could not find any docs on what to do after installing 2.x as regards
> Secure Boot.
> Should I sign that with my own key and perform Secure Boot customization?
> Can I use the Machine Owner Keys (MOK) feature of the Linux Shim to get
Hi Oliver
On Thu, 2021-03-18 at 22:29 +, Oliver, Dario N wrote:
> So, I need to run with Secure Boot disabled.
TBOOT will not work with Secure Boot, when Secure Boot is enabled, GRUB
has to verify signature of all components that are going to be launched.
As tboot.gz file does not support
Hi Timo
On Tue, 2021-08-24 at 12:19 +0300, Timo Lindfors wrote:
> [replying to an old email thread]
>
> On Tue, 7 Apr 2020, Lukasz Hawrylko wrote:
> > Unfortunately, this bug is not reported anywhere. In real life scenarios
> > I don't see any benefits of loading multiple
On Wed, 2021-08-25 at 09:28 +0300, Timo Lindfors wrote:
> On Tue, 24 Aug 2021, Lukasz Hawrylko wrote:
> > Patch with fix is already prepared, I am waiting for GRUB team to merge
> > new multiboot2 module tag to publish it.
> >
> > In meantime, if you have a system whe
On Thu, 2021-08-26 at 11:05 +0300, Timo Lindfors wrote:
> On Thu, 26 Aug 2021, Lukasz Hawrylko wrote:
> > You can check if txt-stat dumps TBOOT log correctly. Nothing else comes
> > into my mind.
>
> Looks normal to me. I've attached a compressed version to this mail.
On Wed, 2021-08-25 at 12:05 +0300, Timo Juhani Lindfors wrote:
> From: Timo Lindfors
>
> Signed-off-by: Timo Juhani Lindfors
Thank you for the patches, I have pushed them upstream.
Lukasz
___
tboot-devel mailing list
On Wed, 2021-08-25 at 11:58 +0300, Timo Juhani Lindfors wrote:
> From: Timo Lindfors
>
> Testing done: Boot tboot with a 2560x1440 monitor. Verify that no
> output is visible without this patch, and that output is correct with
> this patch. This was tested on an HP EliteDesk 800 G2 with BIOS
>
On Wed, 2021-09-22 at 08:18 +, Loris Wilbert wrote:
> Hi Lukasz,
>
> I've attached full TBOOT logs to this mail.
>
> Thank you for you assistance.
This looks like an issue with TPM. Is it possible to replace TPM module
on the system? Did you try to run TBOOT on another system with the same
Hi Loris
I have no idea how can I help you here. Can you ask Getac if they have
tested X500 with Intel TXT and if it is officially supported?
Thanks,
Lukasz
-Original Message-
From: Loris Wilbert
To: Lukasz Hawrylko , tboot-
de...@lists.sourceforge.net
Subject: RE: [tboot-devel] Issue
Hi Loris
On Tue, 2021-09-21 at 08:53 +, Loris Wilbert wrote:
> Hello,
>
> I'm having a problem about warm reboot and I don't have this issue
> with a cold reboot.
>
> TBOOT: TPM: write cmd timeout
> TBOOT: TPM: Create return value = 0101
> TBOOT: failed to seal data
>
> Has anyone
61 matches
Mail list logo