I have run into a couple of issues trying to use the unsigned LCP type and
external policy list files. There are basically two things I wanted to ask
about and/or bring up.
1. I am trying to use lcp_crtpol to create a type unsigned policy but there
doesn't seem to be a way to specify more than one mle hash as input. Looking at
the code in crtpol.c for create_policy(), the count of mle hashes seems to
always be 1 though the routine lcp_create_unsigned_poldata() would load
multiple ones if there were any. It looks like only one entry in listdata[] is
ever initialized. Maybe I am missing something - any clarification would be
great.
2. I came across an odd hang in xen when I put the LCP data module at the end
of the list of modules in grub. If I move the LCP data module say in front of
the sinit module, the hang goes away. This only happens when tboot does an
un-trusted launch (since in the trusted case, it removes sinit and lcp modules
from mbi). It has something to do with the module moving code in __start_xen().
I am going to investigate it further to see if it is a bug in xen (I think it
might be related to the very small size of the LCP data module). Anyway, in
looking at the tboot code I was thinking it might make sense to pop any sinit
and lcp modules out of the mbi module list even in the case where tboot doesn't
do a trusted launch as is the case in a trusted launch. The next level kernel
modules do not need to see these modules whether it is a trusted boot or not.
If folks think this is a good idea, I can submit a patch.
Thanks
Ross
Ross Philipson
Senior Software Engineer
Citrix Systems, Inc
14 Crosby Drive
Bedford, MA 01730
781-301-7949
[email protected]
_______________________________________________
tboot-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tboot-devel