Good comments. Thanks.
Jimmy
From: charles.fis...@gdc4s.com
Sent: Wednesday, April 25, 2012 3:26 AM
To: tboot-devel@lists.sourceforge.net
Subject: Re: [tboot-devel] Wrong ELD size error
All,
I have found the problem: if you forget to include the list.data file in the
grub.cfg file, this is the result. A rather silly error, true, but the error
code was somewhat less than helpful. Perhaps this might be improved in the next
version of the error list.
Charles
From: Fisher, Charles-p99463
Sent: Friday, April 20, 2012 2:44 PM
To: tboot-devel@lists.sourceforge.net
Subject: Wrong ELD size error
All,
I am trying to use tboot on a DELL 64020 laptop, running FC16. This is a Sandy
Bridge machine, so it takes a v2 LCP.
I am taking an error during the SINIT processing that results in error code
0xc00041d01, which is translated to
AC module error : acm_type=0x1, progress=0x10, error=0x7
LCP2 error: minor error = 0x3f, index = 399
Referring to my list of error codes, I find that process code 0x10, error 7 is
an LCP PO Policy Integrity Failed.
Minor error 0xf is ELD has wrong size (there is no listing for 0x3f, so this may
be wrong).
The following script was used to generate the LCP policy:
#!/bin/bash
# Build a v2 launch-control policy (LCP) for tboot: hash the MLE, wrap the hash
# in a policy element and a list, sign one copy of the list, then emit the
# policy (lcp.pol) and the policy data file (lcp_list.data).
DATA=/usr/sbin/lcp
# Hash the MLE (tboot) together with the command line it will be booted with.
/usr/sbin/lcp_mlehash -c "logging=serial,vga" /boot/tboot.gz >$DATA/mle_hash || exit 1
/usr/sbin/lcp_crtpolelt --create --type mle --ctrl 0x00 --minver 17 --out $DATA/mle.elt $DATA/mle_hash || exit 1
/usr/sbin/lcp_crtpollist --create --out $DATA/list_unsig.lst $DATA/mle.elt || exit 1
# Key pair used to sign the second copy of the list.
/usr/bin/openssl genrsa -out $DATA/privkey.pem 2048 || exit 1
/usr/bin/openssl rsa -pubout -in $DATA/privkey.pem -out $DATA/pubkey.pem || exit 1
/bin/cp $DATA/list_unsig.lst $DATA/list_1_sig.lst || exit 1
/usr/sbin/lcp_crtpollist --sign --pub $DATA/pubkey.pem --priv $DATA/privkey.pem --out $DATA/list_1_sig.lst || exit 1
# lcp.pol goes into TPM NV; lcp_list.data must be handed to tboot as a grub module.
/usr/sbin/lcp_crtpol2 --create --type list --pol $DATA/lcp.pol --data $DATA/lcp_list.data $DATA/list_unsig.lst $DATA/list_1_sig.lst || exit 1
/bin/cp $DATA/lcp_list.data /boot/lcp_list.data || exit 1
# followed by a manual write to the appropriate indexes using tpmnv_writepol for both the lcp and vl policies.
The relevant lines from the grub.cfg file are:
multiboot /tboot.gz /tboot.gz logging=serial,vga
module /vmlinux-3.2.5-3.tve.x86_64 /vmlinux-3.2.5-3.tve.x86_64
"lots of stuff that is irrelevant here"
module /initramfs-3.2.5-3.tve.x86_64.img /initramfs-3.2.5-3.tve.x86_64.img
module /lcp_list.data /lcp_list.data
Dumping the lcp.pol file yields:
000000 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000020 00 00 51 8e b3 48 a7 b0 43 b5 0b cb 8f 6f a5 e3
000030 4a 68 25 63 86 37
000036
This gives a version of 2.2, everything else zero, and a hash of the policy data
file.
Dumping the lcp_list.data file yields:
All of these appear to be good, and match the structure definitions in the MLE
Developer's Manual.
Is there a version problem here, as there was for the v1 lcp, wherein you have
to specify a version number of 1 to the lcp_crtpol tool, or your lcp policy is
rejected as revoked?
Here is the relevant output from the boot - the full listing can be sent if
required:
TBOOT: TXT.ERRORCODE: 0xc0041d01
TBOOT: AC module error : acm_type=0x1, progress=0x10, error=0x7
TBOOT: LCP2 error: minor error = 0x3f, index = 399
TBOOT: TXT.ESTS: 0x0
TBOOT: TXT.E2STS: 0x0
Thanks,
Charles
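A pre-flight check for the two things this thread turned on, written here as an added example (not code from the thread, from tboot, or from the lcp tools it names): it verifies that the SHA-1 at the end of lcp.pol matches lcp_list.data, and that grub.cfg actually passes lcp_list.data to tboot as a module, the omission that produced the "wrong ELD size" error. It assumes, following the post's reading of its dump, that lcp.pol begins with a little-endian 16-bit version and ends with a 20-byte SHA-1 of the whole policy data file; the sample files and grub.cfg fragments are constructed.

```python
import hashlib
import re
import struct

SHA1_LEN = 20  # assumption from the dump: lcp.pol ends in a 20-byte SHA-1

def parse_lcp_pol(pol: bytes) -> tuple[str, bytes]:
    """Return (version 'major.minor', trailing policy-data hash) from lcp.pol."""
    if len(pol) < 2 + SHA1_LEN:
        raise ValueError("lcp.pol too short to hold a version and a SHA-1")
    (version,) = struct.unpack_from("<H", pol, 0)  # bytes 02 02 -> 2.2, as read in the post
    return f"{version >> 8}.{version & 0xff}", pol[-SHA1_LEN:]

def policy_hash_matches(pol: bytes, data: bytes) -> bool:
    """True when lcp.pol's embedded hash is the SHA-1 of the policy data file."""
    return hashlib.sha1(data).digest() == parse_lcp_pol(pol)[1]

def grub_modules(grub_cfg: str) -> list[str]:
    """Paths on 'module' lines of a grub.cfg (first token after 'module')."""
    return re.findall(r"^\s*module\s+(\S+)", grub_cfg, flags=re.MULTILINE)

def policy_data_loaded(grub_cfg: str, data_name: str = "lcp_list.data") -> bool:
    """The 'wrong ELD size' error in the thread came from this line being absent."""
    return any(m.endswith("/" + data_name) for m in grub_modules(grub_cfg))

def preflight(pol: bytes, data: bytes, grub_cfg: str) -> list[str]:
    """Collect readable problems; an empty list means the launch can proceed."""
    problems = []
    if not policy_hash_matches(pol, data):
        problems.append("lcp.pol hash does not match lcp_list.data (rebuild with lcp_crtpol2)")
    if not policy_data_loaded(grub_cfg):
        problems.append("grub.cfg has no 'module .../lcp_list.data' line")
    return problems

# Constructed sample inputs, not the thread's real files.
SAMPLE_DATA = b"Intel(R) TXT LCP_POLICY_DATA\0" + b"\0" * 40
SAMPLE_POL = struct.pack("<H", 0x0202) + b"\0" * 32 + hashlib.sha1(SAMPLE_DATA).digest()
GRUB_BAD = "multiboot /tboot.gz /tboot.gz logging=serial,vga\nmodule /vmlinuz /vmlinuz\n"
GRUB_OK = GRUB_BAD + "module /lcp_list.data /lcp_list.data\n"

if __name__ == "__main__":
    for label, cfg in (("bad", GRUB_BAD), ("ok", GRUB_OK)):
        print(label, preflight(SAMPLE_POL, SAMPLE_DATA, cfg) or "all checks passed")
```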
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel