All,
There is a problem with tb_polgen. When it is parsing the kernel
cmdline, it uses the first 256 characters of the cmdline, and discards
the rest. Tboot itself, uses the first 1024 characters of the command
line received from grub2. This means that the hash generated by
tb_polgen will NOT match the hash generated by tboot/policy.c and
verification will fail.
The following patch needs to be applied.
diff -up tboot-1.7.0/tb_polgen/tb_polgen.h.orig
tboot-1.7.0/tb_polgen/tb_polgen.h
--- tboot-1.7.0/tb_polgen/tb_polgen.h.orig 2012-04-24
09:22:09.549172000 -0700
+++ tboot-1.7.0/tb_polgen/tb_polgen.h 2012-04-24 09:22:29.716011000
-0700
@@ -56,7 +56,7 @@ typedef struct {
int pcr;
int hash_type;
int pos;
- char cmdline[256];
+ char cmdline[1024];
char image_file[FILENAME_MAX];
char elt_file[FILENAME_MAX];
char policy_file[FILENAME_MAX];
I suppose that actually, the cmdline size should be defined in
include/config.h, and the same value used by tb_polgen and tboot, but
this worked on our system with a 284 character kernel cmdline.
Charles
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
