Re: [tboot-devel] tboot setup with Ubuntu Server 12.10and20_linux_tboot

Wed, 06 Mar 2013 00:58:55 -0800 

Jay Schwichtenberg wrote onĀ 2013-03-06:
> Here's the error code from the second boot attempt.
> 
> Thanks
> Jay S.
> 
> 
> TBOOT: TXT chipset and all needed capabilities present
> TBOOT: TXT.ERRORCODE: 0xc00008c1
> TBOOT: AC module error : acm_type=0x1, progress=0x0c, error=0x2
> TBOOT: TXT.ESTS: 0x0
> TBOOT: TXT.E2STS: 0x8
> TBOOT: IA32_FEATURE_CONTROL_MSR: 0000ff07

It is a LCP error: LCP MLE Mismatch.

Please try to remove the owner nv index (0x40000001) first to make sure you
can boot without LCP. You can do it with tpmnv_relindex. And remember to
remove the list.data module line.

Then let's try LCP. What you need to do is:

Create an MLE element:
1. lcp_mlehash -c "logging=serial,vga,memory" /boot/tboot.gz > mle_hash 
2. lcp_crtpolelt --create --type mle --ctrl 0x00 --minver 17 --out mle.elt
mle_hash 

Combine the elements into an unsigned list:
1. lcp_crtpollist --create --out list_unsig.lst mle.elt

Use lcp_crtpollist to sign the list:
1. openssl genrsa -out privkey.pem 2048 
2. openssl rsa -pubout -in privkey.pem -out pubkey.pem 
3. cp list_unsig.lst list_sig.lst 
4. lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out
list_sig.lst 

Create policy and policy data files:
1. lcp_crtpol2 --create --type list --pol list.pol --data list.data
list_sig.lst 

Write LCP and Verified Launch policies to TPM:
(modprobe tpm_tis; tcsd;) 
1. lcp_writepol -i owner -f list.pol -p <TPM-password>

Then add list.data into boot.cfg like what you have done.

Wish above could help.

Jimmy

Attachment: smime.p7s
Description: S/MIME cryptographic signature

------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel

Reply via email to