Ning Qu wrote on 2012-10-17:
> Already setup TPM trusted boot with Linux Kernel, seems whenever I
> change the tboot binary/parameters or kernel binary/parameters, the boot
> will fail as expected.
>
> However, I do see some logging information that indicates tboot might use
> seal operations, or try to write tpm nv ram, e.g.
>
> TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002^M
> TBOOT: Error: write TPM error: 0x2.

This indicates that the optional tboot error index was not defined; it is acceptable.

> TBOOT: TPM: seal data, return value = 00000001^M
> TBOOT: failed to seal data
>
> TBOOT: creation or verification of S3 measurements failed.

As you can see in the last line, the seal operation is to prepare some secret for S3 (suspend to memory) to protect memory integrity during S3. Tboot needs SRK auth to do sealing/unsealing, so it requires setting the SRK auth to the Well-Known-Value (20 bytes of 0s); this could be done with the tpm tools cmd "tpm_takeownership -z". I guess you took ownership w/o -z.

> Why tboot needs to seal something after/for verification? In that case, is
> there any other way to pass the TPM password to tboot instead of simply
> setting it as all zero?

The owner password is not needed in tboot, so it is still safe for the user to give whatever owner passwd he/she likes.

Jimmy
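An added example, not part of the original message or of tboot: a small Python triage of the tboot log lines discussed above, mapping the TPM 1.2 return codes (1 is TPM_AUTHFAIL, 2 is TPM_BADINDEX) to the explanations given in the reply. The function name `triage`, the severity labels and the last two sample log lines are assumptions made for illustration.

```python
import re

# Subset of the TPM 1.2 return codes (TCG TPM 1.2 specification).
TPM12_RC = {0x1: "TPM_AUTHFAIL", 0x2: "TPM_BADINDEX", 0x3: "TPM_BAD_PARAMETER",
            0x6: "TPM_DEACTIVATED", 0x7: "TPM_DISABLED"}
TBOOT_ERR_INDEX = 0x20000002  # NV index seen in the log; the tboot error index per the reply

LINE_RE = re.compile(
    r"TBOOT: TPM: (?P<op>write nv|seal data)"      # operation tboot attempted
    r"(?: (?P<index>[0-9a-fA-F]{8}),)?"            # NV index, only for 'write nv'
    r".*?return(?: value)? = (?P<rc>[0-9a-fA-F]{8})")

def triage(log_text):
    """Return one finding per failed TPM operation in a tboot log."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)          # trailing CR or literal '^M' is ignored
        if not m or int(m["rc"], 16) == 0:
            continue                     # not a TPM result line, or success
        rc = int(m["rc"], 16)
        name = TPM12_RC.get(rc, "unknown (0x%x)" % rc)
        index = int(m["index"], 16) if m["index"] else None
        if m["op"] == "write nv" and index == TBOOT_ERR_INDEX and name == "TPM_BADINDEX":
            sev, note = "info", "optional tboot error index not defined; acceptable"
        elif m["op"] == "seal data" and name == "TPM_AUTHFAIL":
            sev, note = "action", ("SRK auth is not the well-known value, so S3 "
                                   "sealing fails; see tpm_takeownership -z")
        else:
            sev, note = "review", "case not covered by the reply"
        findings.append({"op": m["op"], "index": index, "rc": name,
                         "severity": sev, "note": note})
    return findings

# First four lines are from the message above; the last two are constructed.
SAMPLE_LOG = (
    "TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002\r\n"
    "TBOOT: Error: write TPM error: 0x2.\n"
    "TBOOT: TPM: seal data, return value = 00000001^M\n"
    "TBOOT: failed to seal data\n"
    "TBOOT: TPM: seal data, return value = 00000000\n"
    "TBOOT: TPM: write nv 12345678, offset 00000000, 00000004 bytes, return = 00000002\n"
)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%(severity)s] %(op)s -> %(rc)s: %(note)s" % f)
```
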
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel