Charles,

That's right, there isn't a SINIT file specified. I'm using an Intel Grizzly 
Pass server with E5-2680 processors. All the info that I have says that SINIT 
is built into the BIOS. From what I've read, if tboot doesn't find an 
appropriate SINIT file specified then it will look at the BIOS for one. Looking 
at the TBOOT log I think it found it:

***
TBOOT: checking if module /list.data is an SINIT for this platform...
TBOOT:   ACM size is too small: acmod_size=2d0, sizeof(acm_hdr)=4
TBOOT: checking if module /initrd.img-3.5.0-17-generic is an SINIT for this platform...
TBOOT:   ACM size is too small: acmod_size=2a39000, acm_hdr->size*4=c0c0c0c0
TBOOT: no SINIT AC module found
TBOOT: TXT.SINIT.BASE: 0xbdf00000
TBOOT: TXT.SINIT.SIZE: 0x20000 (131072)
TBOOT: BIOS has already loaded an SINIT module
TBOOT: chipset production fused: 1
TBOOT: chipset ids: vendor: 0x8086, device: 0xb001, revision: 0x1
TBOOT: processor family/model/stepping: 0x206d7
TBOOT: platform id: 0x0
TBOOT:   1 ACM chipset id entries:
TBOOT:       vendor: 0x8086, device: 0xb001, flags: 0x1, revision: 0x3f, extended: 0x0
TBOOT:   1 ACM processor id entries:
TBOOT:       fms: 0x206d0, fms_mask: 0xfff0ff0, platform_id: 0x0, platform_mask: 0x0
TBOOT: no SINIT provided by bootloader; using BIOS SINIT
TBOOT: AC mod base alignment OK
TBOOT: AC mod size OK
TBOOT: AC module header dump for SINIT:
***

Thanks
Jay S.



--- On Tue, 3/5/13, charles.fis...@gdc4s.com <charles.fis...@gdc4s.com> wrote:

> From: charles.fis...@gdc4s.com <charles.fis...@gdc4s.com>
> Subject: RE: [tboot-devel] tboot setup with Ubuntu Server 12.10and20_linux_tboot
> To: emma...@yahoo.com, tboot-devel@lists.sourceforge.net
> Date: Tuesday, March 5, 2013, 2:33 PM
> It appears that you do not have an
> SINIT module in the grub.cfg file. As I understand it, the
> BIOS ACM is handling things like measuring the BIOS stuff
> and extending PCRs 0-5. I believe that tboot is unhappy
> because there is no SINIT module in the grub file. Determine
> which SINIT module you need, and add it to the grub.cfg (or
> 20_linux_tboot file). I can't tell you which SINIT module
> you require, as you haven't mentioned what processor you are
> using (Sandy Bridge, Ivy Bridge, Haswell, whatever). Once
> you know that you can add the appropriate one, or just load
> them all and let tboot sort them out - it will find the one
> appropriate for your processor. This SINIT module is what is
> going to check the LCP and verify that your tboot hasn't
> been tampered with - once it does that, it will return from
> the SENTER instruction, running through tboot again, which
> will now verify your VL policy.
> 
> Hope this helps,
> 
> Charles 
> 
> > -----Original Message-----
> > From: Jay Schwichtenberg [mailto:emma...@yahoo.com]
> > Sent: Tuesday, March 05, 2013 2:27 PM
> > To: tboot-devel@lists.sourceforge.net
> > Subject: Re: [tboot-devel] tboot setup with Ubuntu Server 12.10and20_linux_tboot
> > 
> > First off, thanks for the help.
> > 
> > Got my serial cable hooked up and captured a TBOOT session.
> > 
> > I checked the fstab file for an EFI segment and didn't see one, so I assume that the system is doing a legacy boot.
> > 
> > For the SINIT file that is supposed to be in the BIOS: from what I've read, if it doesn't find a valid one in the grub scripts it looks for one in the BIOS. Looking at the TBOOT output I think I see that it found it.
> > 
> > The problem I have is it goes through the boot process and after TBOOT calls GETSEC[SENTER] it reboots and goes through the splash screen and grub menus again.
> > 
> > I've inserted the TBOOT log, the section of grub.cfg and the script I set up the LCP, VL and NV with. Question? Is it better to attach files or put them inline?
> > TBOOT Log:
> > *************************************************************************
> > TBOOT: ******************* TBOOT *******************
> > TBOOT:    2012-04-27 23:30 +0800 1.7.1
> > TBOOT: *********************************************
> > TBOOT: command line: logging=serial,vga,memory
> > TBOOT: BSP is cpu 0
> > TBOOT: original e820 map:
> > TBOOT:  0000000000000000 - 000000000008f400  (1)
> > TBOOT:  000000000008f400 - 00000000000a0000  (2)
> > TBOOT:  00000000000e0000 - 0000000000100000  (2)
> > TBOOT:  0000000000100000 - 00000000ba84d000  (1)
> > TBOOT:  00000000ba84d000 - 00000000ba85e000  (2)
> > TBOOT:  00000000ba85e000 - 00000000ba88f000  (1)
> > TBOOT:  00000000ba88f000 - 00000000ba898000  (2)
> > TBOOT:  00000000ba898000 - 00000000ba8bb000  (1)
> > TBOOT:  00000000ba8bb000 - 00000000ba8be000  (2)
> > TBOOT:  00000000ba8be000 - 00000000ba8f4000  (1)
> > TBOOT:  00000000ba8f4000 - 00000000ba8f6000  (2)
> > TBOOT:  00000000ba8f6000 - 00000000ba929000  (1)
> > TBOOT:  00000000ba929000 - 00000000ba932000  (2)
> > TBOOT:  00000000ba932000 - 00000000ba936000  (1)
> > TBOOT:  00000000ba936000 - 00000000ba93a000  (2)
> > TBOOT:  00000000ba93a000 - 00000000ba972000  (1)
> > TBOOT:  00000000ba972000 - 00000000ba976000  (2)
> > TBOOT:  00000000ba976000 - 00000000baa24000  (1)
> > TBOOT:  00000000baa24000 - 00000000baa2b000  (2)
> > TBOOT:  00000000baa2b000 - 00000000baa84000  (1)
> > TBOOT:  00000000baa84000 - 00000000baa93000  (2)
> > TBOOT:  00000000baa93000 - 00000000baa98000  (1)
> > TBOOT:  00000000baa98000 - 00000000baa9a000  (2)
> > TBOOT:  00000000baa9a000 - 00000000baabc000  (1)
> > TBOOT:  00000000baabc000 - 00000000baabf000  (2)
> > TBOOT:  00000000baabf000 - 00000000baad0000  (1)
> > TBOOT:  00000000baad0000 - 00000000baadf000  (2)
> > TBOOT:  00000000baadf000 - 00000000bab44000  (1)
> > TBOOT:  00000000bab44000 - 00000000bae7c000  (2)
> > TBOOT:  00000000bae7c000 - 00000000bae7f000  (1)
> > TBOOT:  00000000bae7f000 - 00000000bae82000  (2)
> > TBOOT:  00000000bae82000 - 00000000baed8000  (1)
> > TBOOT:  00000000baed8000 - 00000000baeda000  (2)
> > TBOOT:  00000000baeda000 - 00000000baef5000  (1)
> > TBOOT:  00000000baef5000 - 00000000baef7000  (2)
> > TBOOT:  00000000baef7000 - 00000000bd5fb000  (1)
> > TBOOT:  00000000bd5fb000 - 00000000bd7fb000  (2)
> > TBOOT:  00000000bd7fb000 - 00000000bd8dd000  (1)
> > TBOOT:  00000000bd8dd000 - 00000000bd9e7000  (2)
> > TBOOT:  00000000bd9e7000 - 00000000bda75000  (4)
> > TBOOT:  00000000bda75000 - 00000000bda77000  (3)
> > TBOOT:  00000000bda77000 - 00000000bda7c000  (4)
> > TBOOT:  00000000bda7c000 - 00000000bdaf7000  (3)
> > TBOOT:  00000000bdaf7000 - 00000000bdaf8000  (4)
> > TBOOT:  00000000bdaf8000 - 00000000bdb13000  (3)
> > TBOOT:  00000000bdb13000 - 00000000bdbb0000  (4)
> > TBOOT:  00000000bdbb0000 - 00000000bdc00000  (1)
> > TBOOT:  00000000bdc00000 - 00000000d0000000  (2)
> > TBOOT:  00000000fec00000 - 00000000fec01000  (2)
> > TBOOT:  00000000fed19000 - 00000000fed1a000  (2)
> > TBOOT:  00000000fed1c000 - 00000000fed90000  (2)
> > TBOOT:  00000000fee00000 - 00000000fee01000  (2)
> > TBOOT:  00000000ffa20000 - 0000000100000000  (2)
> > TBOOT:  0000000100000000 - 0000002040000000  (1)
> > TBOOT: TPM is ready
> > TBOOT: TPM nv_locked: TRUE
> > TBOOT: TPM timeout values: A: 750, B: 750, C: 750, D: 750
> > TBOOT: Wrong timeout B, fallback to 2000
> > TBOOT: reading Verified Launch Policy from TPM NV...
> > TBOOT:  :256 bytes read
> > TBOOT: policy:
> > TBOOT:   version: 2
> > TBOOT:   policy_type: TB_POLTYPE_CONT_NON_FATAL
> > TBOOT:   hash_alg: TB_HALG_SHA1
> > TBOOT:   policy_control: 00000001 (EXTEND_PCR17)
> > TBOOT:   num_entries: 3
> > TBOOT:   policy entry[0]:
> > TBOOT:       mod_num: 0
> > TBOOT:       pcr: none
> > TBOOT:       hash_type: TB_HTYPE_IMAGE
> > TBOOT:       num_hashes: 1
> > TBOOT:       hashes[0]: e5 a5 d9 1b 7e 60 83 4c 82 a7 fc 4f ad fa 3d 32 ab 83 53 c0
> > TBOOT:   policy entry[1]:
> > TBOOT:       mod_num: 1
> > TBOOT:       pcr: 19
> > TBOOT:       hash_type: TB_HTYPE_IMAGE
> > TBOOT:       num_hashes: 1
> > TBOOT:       hashes[0]: 65 13 0c de 2d 21 5b f0 b5 4a af 11 7d ac a8 eb 8a a1 e6 b5
> > TBOOT:   policy entry[2]:
> > TBOOT:       mod_num: 2
> > TBOOT:       pcr: 19
> > TBOOT:       hash_type: TB_HTYPE_IMAGE
> > TBOOT:       num_hashes: 1
> > TBOOT:       hashes[0]: 97 24 9e 8f 89 b6 ab 2e 1c d1 fe 39 37 cc f2 ae 41 30 f8 c7
> > TBOOT: IA32_FEATURE_CONTROL_MSR: 0000ff07
> > TBOOT: CPU is SMX-capable
> > TBOOT: CPU is VMX-capable
> > TBOOT: SMX is enabled
> > TBOOT: TXT chipset and all needed capabilities present
> > TBOOT: TXT.ERRORCODE: 0x0
> > TBOOT: TXT.ESTS: 0x0
> > TBOOT: TXT.E2STS: 0x8
> > TBOOT: IA32_FEATURE_CONTROL_MSR: 0000ff07
> > TBOOT: CPU is SMX-capable
> > TBOOT: CPU is VMX-capable
> > TBOOT: SMX is enabled
> > TBOOT: TXT chipset and all needed capabilities present
> > TBOOT: TXT.HEAP.BASE: 0xbdf20000
> > TBOOT: TXT.HEAP.SIZE: 0xe0000 (917504)
> > TBOOT: bios_data (@0xbdf20008, 0x2c):
> > TBOOT:   version: 3
> > TBOOT:   bios_sinit_size: 0xb000 (45056)
> > TBOOT:   lcp_pd_base: 0x0
> > TBOOT:   lcp_pd_size: 0x0 (0)
> > TBOOT:   num_logical_procs: 32
> > TBOOT:   flags: 0x400000000
> > TBOOT: CR0 and EFLAGS OK
> > TBOOT: supports preserving machine check errors
> > TBOOT: CPU support processor-based S-CRTM
> > TBOOT: CPU is ready for SENTER
> > TBOOT: checking previous errors on the last boot.
> >         last boot has error.
> > TBOOT: checking if module /list.data is an SINIT for this platform...
> > TBOOT:   ACM size is too small: acmod_size=2d0, sizeof(acm_hdr)=4
> > TBOOT: checking if module /initrd.img-3.5.0-17-generic is an SINIT for this platform...
> > TBOOT:   ACM size is too small: acmod_size=2a39000, acm_hdr->size*4=c0c0c0c0
> > TBOOT: no SINIT AC module found
> > TBOOT: TXT.SINIT.BASE: 0xbdf00000
> > TBOOT: TXT.SINIT.SIZE: 0x20000 (131072)
> > TBOOT: BIOS has already loaded an SINIT module
> > TBOOT: chipset production fused: 1
> > TBOOT: chipset ids: vendor: 0x8086, device: 0xb001, revision: 0x1
> > TBOOT: processor family/model/stepping: 0x206d7
> > TBOOT: platform id: 0x0
> > TBOOT:   1 ACM chipset id entries:
> > TBOOT:       vendor: 0x8086, device: 0xb001, flags: 0x1, revision: 0x3f, extended: 0x0
> > TBOOT:   1 ACM processor id entries:
> > TBOOT:       fms: 0x206d0, fms_mask: 0xfff0ff0, platform_id: 0x0, platform_mask: 0x0
> > TBOOT: no SINIT provided by bootloader; using BIOS SINIT
> > TBOOT: AC mod base alignment OK
> > TBOOT: AC mod size OK
> > TBOOT: AC module header dump for SINIT:
> > TBOOT:   type: 0x2 (ACM_TYPE_CHIPSET)
> > TBOOT:   subtype: 0x0
> > TBOOT:   length: 0xa1 (161)
> > TBOOT:   version: 0
> > TBOOT:   chipset_id: 0x1d00
> > TBOOT:   flags: 0x0
> > TBOOT:       pre_production: 0
> > TBOOT:       debug_signed: 0
> > TBOOT:   vendor: 0x8086
> > TBOOT:   date: 0x20120411
> > TBOOT:   size*4: 0xb000 (45056)
> > TBOOT:   code_control: 0x0
> > TBOOT:   entry point: 0x00000008:000040a4
> > TBOOT:   scratch_size: 0x8f (143)
> > TBOOT:   info_table:
> > TBOOT:       uuid: {0x7fc03aaa, 0x46a7, 0x18db, 0xac2e, {0x69, 0x8f, 0x8d, 0x41, 0x7f, 0x5a}}
> > TBOOT:           ACM_UUID_V3
> > TBOOT:       chipset_acm_type: 0x1 (SINIT)
> > TBOOT:       version: 4
> > TBOOT:       length: 0x2c (44)
> > TBOOT:       chipset_id_list: 0x4ec
> > TBOOT:       os_sinit_data_ver: 0x5
> > TBOOT:       min_mle_hdr_ver: 0x00020000
> > TBOOT:       capabilities: 0x0000000d
> > TBOOT:           rlp_wake_getsec: 1
> > TBOOT:           rlp_wake_monitor: 0
> > TBOOT:           ecx_pgtbl: 1
> > TBOOT:           pcr_map_no_legacy: 0
> > TBOOT:           pcr_map_da: 0
> > TBOOT:       acm_ver: 55
> > TBOOT:   chipset list:
> > TBOOT:       count: 1
> > TBOOT:       entry 0:
> > TBOOT:           flags: 0x1
> > TBOOT:           vendor_id: 0x8086
> > TBOOT:           device_id: 0xb001
> > TBOOT:           revision_id: 0x3f
> > TBOOT:           extended_id: 0x0
> > TBOOT:   processor list:
> > TBOOT:       count: 1
> > TBOOT:       entry 0:
> > TBOOT:           fms: 0x206d0
> > TBOOT:           fms_mask: 0xfff0ff0
> > TBOOT:           platform_id: 0x0
> > TBOOT:           platform_mask: 0x0
> > TBOOT: file addresses:
> > TBOOT:   &_start=0x804000
> > TBOOT:   &_end=0x972ec8
> > TBOOT:   &_mle_start=0x804000
> > TBOOT:   &_mle_end=0x827000
> > TBOOT:   &_post_launch_entry=0x804010
> > TBOOT:   &_txt_wakeup=0x8041e0
> > TBOOT:   &g_mle_hdr=0x81a320
> > TBOOT: MLE header:
> > TBOOT:   uuid={0x9082ac5a, 0x476f, 0x74a7, 0x5c0f, {0x55, 0xa2, 0xcb, 0x51, 0xb6, 0x42}}
> > TBOOT:   length=34
> > TBOOT:   version=00020001
> > TBOOT:   entry_point=00000010
> > TBOOT:   first_valid_page=00000000
> > TBOOT:   mle_start_off=4000
> > TBOOT:   mle_end_off=27000
> > TBOOT:   capabilities: 0x00000027
> > TBOOT:       rlp_wake_getsec: 1
> > TBOOT:       rlp_wake_monitor: 1
> > TBOOT:       ecx_pgtbl: 1
> > TBOOT:       pcr_map_no_legacy: 0
> > TBOOT:       pcr_map_da: 1
> > TBOOT: MLE start=804000, end=827000, size=23000
> > TBOOT: ptab_size=3000, ptab_base=0x801000
> > TBOOT: TXT.HEAP.BASE: 0xbdf20000
> > TBOOT: TXT.HEAP.SIZE: 0xe0000 (917504)
> > TBOOT: bios_data (@0xbdf20008, 0x2c):
> > TBOOT:   version: 3
> > TBOOT:   bios_sinit_size: 0xb000 (45056)
> > TBOOT:   lcp_pd_base: 0x0
> > TBOOT:   lcp_pd_size: 0x0 (0)
> > TBOOT:   num_logical_procs: 32
> > TBOOT:   flags: 0x400000000
> > TBOOT: discarding RAM above reserved regions: 0xba85e000 - 0xba88f000
> > TBOOT: discarding RAM above reserved regions: 0xba898000 - 0xba8bb000
> > TBOOT: discarding RAM above reserved regions: 0xba8be000 - 0xba8f4000
> > TBOOT: discarding RAM above reserved regions: 0xba8f6000 - 0xba929000
> > TBOOT: discarding RAM above reserved regions: 0xba932000 - 0xba936000
> > TBOOT: discarding RAM above reserved regions: 0xba93a000 - 0xba972000
> > TBOOT: discarding RAM above reserved regions: 0xba976000 - 0xbaa24000
> > TBOOT: discarding RAM above reserved regions: 0xbaa2b000 - 0xbaa84000
> > TBOOT: discarding RAM above reserved regions: 0xbaa93000 - 0xbaa98000
> > TBOOT: discarding RAM above reserved regions: 0xbaa9a000 - 0xbaabc000
> > TBOOT: discarding RAM above reserved regions: 0xbaabf000 - 0xbaad0000
> > TBOOT: discarding RAM above reserved regions: 0xbaadf000 - 0xbab44000
> > TBOOT: discarding RAM above reserved regions: 0xbae7c000 - 0xbae7f000
> > TBOOT: discarding RAM above reserved regions: 0xbae82000 - 0xbaed8000
> > TBOOT: discarding RAM above reserved regions: 0xbaeda000 - 0xbaef5000
> > TBOOT: discarding RAM above reserved regions: 0xbaef7000 - 0xbd5fb000
> > TBOOT: discarding RAM above reserved regions: 0xbd7fb000 - 0xbd8dd000
> > TBOOT: discarding RAM above reserved regions: 0xbdbb0000 - 0xbdc00000
> > TBOOT: min_lo_ram: 0x0, max_lo_ram: 0xba84d000
> > TBOOT: min_hi_ram: 0x100000000, max_hi_ram: 0x2040000000
> > TBOOT: v2 LCP policy data found
> > TBOOT: os_sinit_data (@0xbdf31154, 0x64):
> > TBOOT:   version: 5
> > TBOOT:   mle_ptab: 0x801000
> > TBOOT:   mle_size: 0x23000 (143360)
> > TBOOT:   mle_hdr_base: 0x16320
> > TBOOT:   vtd_pmr_lo_base: 0x0
> > TBOOT:   vtd_pmr_lo_size: 0xba800000
> > TBOOT:   vtd_pmr_hi_base: 0x100000000
> > TBOOT:   vtd_pmr_hi_size: 0x1f40000000
> > TBOOT:   lcp_po_base: 0xbdf2014c
> > TBOOT:   lcp_po_size: 0x2d0 (720)
> > TBOOT:   capabilities: 0x00000001
> > TBOOT:       rlp_wake_getsec: 1
> > TBOOT:       rlp_wake_monitor: 0
> > TBOOT:       ecx_pgtbl: 0
> > TBOOT:       pcr_map_no_legacy: 0
> > TBOOT:       pcr_map_da: 0
> > TBOOT:   efi_rsdt_ptr: 0x0
> > TBOOT: setting MTRRs for acmod: base=0xbdf00000, size=0xb000, num_pages=11
> > TBOOT: executing GETSEC[SENTER]...
> > 
> > 
> > grub.cfg tboot section (copied list.data to /boot):
> > *************************************************************************
> > 
> > ### BEGIN /etc/grub.d/20_linux_tboot ###
> > submenu "tboot 1.7.0" {
> > menuentry 'Ubuntu GNU/Linux, with tboot 1.7.0 and Linux 3.5.0-17-generic' --class ubuntu --class gnu-linux --class gnu --class os --class tboot {
> >     insmod part_msdos
> >     insmod ext2
> >     set root='hd0,msdos1'
> >     if [ x$feature_platform_search_hint = xy ]; then
> >       search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1  b53feb38-e892-4cf6-8e79-8aeef8cf74af
> >     else
> >       search --no-floppy --fs-uuid --set=root b53feb38-e892-4cf6-8e79-8aeef8cf74af
> >     fi
> >     echo    'Loading tboot 1.7.0 ...'
> >     multiboot   /tboot.gz /tboot.gz logging=serial,vga,memory
> >     echo    'Loading Linux 3.5.0-17-generic ...'
> >     module   /vmlinuz-3.5.0-17-generic /vmlinuz-3.5.0-17-generic root=/dev/mapper/ubuntu--12--10-root ro   intel_iommu=on
> >     echo    'Loading initial ramdisk ...'
> >     module   /initrd.img-3.5.0-17-generic /initrd.img-3.5.0-17-generic
> >     module  /list.data /list.data
> > }
> > menuentry 'Ubuntu GNU/Linux, with tboot 1.7.0 and Linux 3.5.0-17-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os --class tboot {
> >     insmod part_msdos
> >     insmod ext2
> >     set root='hd0,msdos1'
> >     if [ x$feature_platform_search_hint = xy ]; then
> >       search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1  b53feb38-e892-4cf6-8e79-8aeef8cf74af
> >     else
> >       search --no-floppy --fs-uuid --set=root b53feb38-e892-4cf6-8e79-8aeef8cf74af
> >     fi
> >     echo    'Loading tboot 1.7.0 ...'
> >     multiboot   /tboot.gz /tboot.gz logging=serial,vga,memory
> >     echo    'Loading Linux 3.5.0-17-generic ...'
> >     module   /vmlinuz-3.5.0-17-generic /vmlinuz-3.5.0-17-generic root=/dev/mapper/ubuntu--12--10-root ro single   intel_iommu=on
> >     echo    'Loading initial ramdisk ...'
> >     module   /initrd.img-3.5.0-17-generic /initrd.img-3.5.0-17-generic
> >     module  /list.data /list.data
> > }
> > }
> > ### END /etc/grub.d/20_linux_tboot ###
> > 
> > 
> > setup script:
> > *************************************************************************
> > ###
> > ### Provide password on command line.
> > ###
> > if [ -z "$1" ]; then
> >    echo ""
> >    echo "ERROR: Forgot password!"
> >    echo ""
> > 
> >    exit 1
> > fi
> > mypw=$1
> > 
> > ###
> > ### Set verbose setting to show executed commands.
> > ###
> > set -v
> > 
> > ###
> > ### Create MLE element
> > ### (the -c string is hashed together with tboot.gz, so it has to be the
> > ### exact tboot command line from grub.cfg: logging=serial,vga,memory)
> > ###
> > lcp_mlehash -c "logging=serial,vga,memory" /boot/tboot.gz > mle_hash
> > lcp_crtpolelt --create --type mle --ctrl 0x00 --minver 17 --out mle.elt mle_hash
> > 
> > ###
> > ### Create PCONF element
> > ###
> > cat /sys/bus/pnp/devices/00\:0a/pcrs | grep -e PCR-00 -e PCR-01 > pcrs
> > lcp_crtpolelt --create --type pconf --out pconf.elt pcrs
> > 
> > ###
> > ### Create CUSTOM element - use default UUID
> > ###
> > ### - NA -
> > lcp_crtpolelt --create --type custom --out custom.elt --uuid tboot custom.pol
> > 
> > ###
> > ### Combine elements
> > ###
> > lcp_crtpollist --create --out list_unsig.lst mle.elt pconf.elt
> > 
> > ###
> > ### Sign list - signing and software on same platform
> > ###
> > openssl genrsa -out privkey.pem 2048
> > openssl rsa -pubout -in privkey.pem -out pubkey.pem
> > cp list_unsig.lst list_sig.lst
> > lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out list_sig.lst
> > 
> > ###
> > ### Create policy and policy data files
> > ###
> > lcp_crtpol2 --create --type list --pol list.pol --data list.data list_{unsig,sig}.lst
> > 
> > ###
> > ### Create verified launch policy
> > ### (each --cmdline string is hashed together with its image, so it needs to
> > ### match the module command line that grub.cfg passes for that image)
> > ###
> > tb_polgen --create --type nonfatal vl.pol
> > tb_polgen --add --num 0 --pcr none --hash image --cmdline "your grub tboot" --image /boot/tboot.gz vl.pol
> > tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "your grub tboot vmlinuz" --image /boot/vmlinuz-3.5.0-17-generic vl.pol
> > tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "your grub tboot initrd.img" --image /boot/initrd.img-3.5.0-17-generic vl.pol
> > 
> > ###
> > ### Take ownership of TPM
> > ###
> > tcsd
> > tpm_takeownership -z
> > 
> > ###
> > ### Define tboot error TPM NV index
> > ###
> > tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p "$mypw"
> > 
> > ###
> > ### Define LCP and verified launch policies.
> > ###
> > tpmnv_defindex -i owner -p "$mypw"
> > tpmnv_defindex -i 0x20000001 -s 256 -pv 0x02 -p "$mypw"
> > 
> > ###
> > ### Write LCP and verified launch policies to TPM
> > ###
> > lcp_writepol -i owner -f list.pol -p "$mypw"
> > lcp_writepol -i 0x20000001 -f vl.pol -p "$mypw"
> > 
> > ###
> > ### Copy list.data to /boot.
> > ### Modify /boot/grub/grub.cfg to use list.data:
> > ###   module /list.data /list.data
> > ###
> > set +v
> > 
> > 
> > 
> > --- On Tue, 3/5/13, charles.fis...@gdc4s.com <charles.fis...@gdc4s.com> wrote:
> > 
> > > From: charles.fis...@gdc4s.com <charles.fis...@gdc4s.com>
> > > Subject: RE: [tboot-devel] tboot setup with Ubuntu Server 12.10 and20_linux_tboot
> > > To: emma...@yahoo.com, tboot-devel@lists.sourceforge.net
> > > Date: Tuesday, March 5, 2013, 7:44 AM
> > > Jay,
> > >
> > > Basically the instructions for using the grub.conf file apply. The steps are pretty much as outlined in the LCP_v2.txt document.
> > >
> > > 1) Create the LCP - this results in the list.data file
> > > 2) Create the VL
> > > 3) Take ownership of the TPM
> > > 4) Define the error index (if not already done)
> > > 5) Define the owner and VL indices (0x40000001 and 0x20000001, respectively)
> > > 6) Write the policies to the TPM
> > >
> > > The tricky part is next. When you modify the 20_linux_grub_file, make sure that you get the appropriate SINIT module, and that your list.data file is listed. Also - very important, make sure that the file names are doubled (Grub2 does some strange things to the lines in the grub.cfg file).
> > >
> > > Of course for testing purposes, you can just hack on the grub.cfg file (I know it says don't - but as long as you don't run the grub-mkconfig program, you'll be okay). Again, make sure the file names are doubled, e.g.
> > >
> > > kernel    /tboot.gz /tboot.gz    logging=serial,vga
> > >
> > > Note that the tboot.gz name is doubled.
> > >
> > > Hope this helps,
> > >
> > > Charles
> > >
> > > > -----Original Message-----
> > > > From: Jay Schwichtenberg [mailto:emma...@yahoo.com]
> > > > Sent: Monday, March 04, 2013 11:53 AM
> > > > To: tboot-devel@lists.sourceforge.net
> > > > Subject: [tboot-devel] tboot setup with Ubuntu Server 12.10 and20_linux_tboot
> > > >
> > > > Hello,
> > > >
> > > > Don't know if this is an Ubuntu thing or tboot, but I need to start tracking it down somewhere.
> > > >
> > > > I'm trying to get tboot working with Ubuntu Server 12.10 on a dual Xeon Intel server and have not been having any success. I've read the documents lcptools2 and policy_v2 and those make sense, and I can generate a list.data file. But there is no grub.conf or menu.lst file to work with.
> > > >
> > > > With Ubuntu 12.10 Server they now use a file called boot.cfg that was generated by grub-mkconfig from scripts in /etc/grub.d. One of these scripts is 20_linux_tboot, which generates the tboot section in the boot.cfg file. I can see that with the procedures in the documents you'd still need to generate something that has the private and public keys and also set up the NV indexes. But a lot of the other information seems to be generated by the 20_linux_tboot script.
> > > >
> > > > Is there any information on how to set up tboot using this 20_linux_boot boot script and the way they're using grub?
> > > >
> > > > I don't have a serial cable for this thing yet (takes an RJ45 to serial cable) so I don't have a tboot log. Should have that done by the end of the day.
> > > >
> > > > Thanks in advance.
> > > > Jay S.
> > > >
> > > >
> > >
> > >
> > 
> 

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
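The "is this module an SINIT for this platform?" decision that Jay reads off the log above (chipset vendor/device/revision, the CPU's family/model/stepping against the ACM's id lists) can be replayed offline from a serial capture. This is an added example, not tboot's code or anything posted in this thread; the parsed line formats are copied from the log, while the matching rules (exact vendor/device, revision as a bit mask when the entry's flags bit 0 is set, masked FMS and platform id equality) are my reading of tboot's acmod.c and should be treated as an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

HEX = r"(0x[0-9a-fA-F]+)"  # tboot prints all of these ids as lowercase hex
RE_PLAT_CHIPSET = re.compile(rf"chipset ids: vendor: {HEX}, device: {HEX}, revision: {HEX}")
RE_PLAT_FMS = re.compile(rf"processor family/model/stepping: {HEX}")
RE_PLAT_ID = re.compile(rf"TBOOT: platform id: {HEX}")
RE_ACM_CHIPSET = re.compile(rf"vendor: {HEX}, device: {HEX}, flags: {HEX}, revision: {HEX}, extended: {HEX}")
RE_ACM_PROC = re.compile(rf"fms: {HEX}, fms_mask: {HEX}, platform_id: {HEX}, platform_mask: {HEX}")

@dataclass
class Platform:
    vendor_id: int = 0
    device_id: int = 0
    revision_id: int = 0
    fms: int = 0
    platform_id: int = 0

@dataclass
class Acm:
    chipset_ids: List[Tuple[int, int, int, int]] = field(default_factory=list)  # vendor, device, flags, revision
    proc_ids: List[Tuple[int, int, int, int]] = field(default_factory=list)     # fms, fms_mask, platform_id, platform_mask

def parse_log(text: str) -> Tuple[Platform, Acm]:
    """Pull the platform identity and the ACM id-list entries out of tboot serial output."""
    plat, acm = Platform(), Acm()
    for line in text.splitlines():
        if m := RE_PLAT_CHIPSET.search(line):
            plat.vendor_id, plat.device_id, plat.revision_id = (int(x, 16) for x in m.groups())
        elif m := RE_PLAT_FMS.search(line):
            plat.fms = int(m.group(1), 16)
        elif m := RE_PLAT_ID.search(line):
            plat.platform_id = int(m.group(1), 16)
        elif m := RE_ACM_CHIPSET.search(line):
            acm.chipset_ids.append(tuple(int(x, 16) for x in m.groups()[:4]))  # drop extended_id
        elif m := RE_ACM_PROC.search(line):
            acm.proc_ids.append(tuple(int(x, 16) for x in m.groups()))
    return plat, acm

def chipset_matches(plat: Platform, acm: Acm) -> bool:
    """Assumed rule: vendor/device equal; flags bit 0 set => revision_id is a bit mask, else exact."""
    for vendor, device, flags, revision in acm.chipset_ids:
        if vendor != plat.vendor_id or device != plat.device_id:
            continue
        if flags & 0x1:
            if plat.revision_id & revision:
                return True
        elif plat.revision_id == revision:
            return True
    return False

def processor_matches(plat: Platform, acm: Acm) -> bool:
    """Assumed rule: (fms & fms_mask) == fms and (platform_id & platform_mask) == platform_id."""
    return any((plat.fms & fms_mask) == fms and (plat.platform_id & pmask) == pid
               for fms, fms_mask, pid, pmask in acm.proc_ids)

def acm_matches_platform(plat: Platform, acm: Acm) -> Tuple[bool, str]:
    if not chipset_matches(plat, acm):
        return False, "no ACM chipset id entry matches this chipset"
    if not processor_matches(plat, acm):
        return False, "no ACM processor id entry matches this CPU"
    return True, "ACM is an SINIT for this platform"

# Constructed sample: the identity lines copied from the log in this thread.
SAMPLE_LOG = """\
TBOOT: chipset ids: vendor: 0x8086, device: 0xb001, revision: 0x1
TBOOT: processor family/model/stepping: 0x206d7
TBOOT: platform id: 0x0
TBOOT:   1 ACM chipset id entries:
TBOOT:       vendor: 0x8086, device: 0xb001, flags: 0x1, revision: 0x3f, extended: 0x0
TBOOT:   1 ACM processor id entries:
TBOOT:       fms: 0x206d0, fms_mask: 0xfff0ff0, platform_id: 0x0, platform_mask: 0x0
"""

def check_sample() -> Tuple[bool, str]:
    platform, acm = parse_log(SAMPLE_LOG)
    return acm_matches_platform(platform, acm)
```

check_sample() returns (True, ...) for the BIOS SINIT in this log; feed parse_log() your own capture to see which id-list entry a candidate ACM fails on.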
