Jimmy, THANKS!
Your suggestions got me going in the right direction and I seem to have things booting correctly. I had to add a couple of things to get things working. 1) Had to add tpm_takeownership -z to the process. 2) Added the TPM error index setup (0x20000002) to the process. I've added the script that I used below for reference. It might help someone else out. Thanks to all for the help!

Jay S.

#!/bin/bash
###
### Provide password on command line.
###
if [ -z "$1" ]; then
    echo ""
    echo "ERROR: Forgot password!"
    echo ""
    exit 1
fi
mypw="$1"

###
### Pause / wait for key
###
function pause(){
    read -p "==>> Hit Key!"
}

###
### Set verbose setting to show executed commands.
###
set -v

###
### Create MLE element (hash of tboot.gz with the exact command line
### GRUB will pass it; the hash must match or SINIT reports an LCP error)
###
lcp_mlehash -c "logging=serial,vga,memory" /boot/tboot.gz > mle_hash
lcp_crtpolelt --create --type mle --ctrl 0x00 --minver 17 --out mle.elt mle_hash
pause

###
### Combine elements
###
lcp_crtpollist --create --out list_unsig.lst mle.elt

###
### Sign list - signing and software on same platform
###
openssl genrsa -out privkey.pem 2048
openssl rsa -pubout -in privkey.pem -out pubkey.pem
cp list_unsig.lst list_sig.lst
lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out list_sig.lst

###
### Create policy and policy data files
###
lcp_crtpol2 --create --type list --pol list.pol --data list.data list_sig.lst
pause

###
### Take ownership of TPM, tpm_takeownership will prompt you for passwords
### (-z uses the well-known all-zeros SRK secret; tcsd must be running first)
###
tcsd
tpm_takeownership -z

###
### Define tboot error TPM NV index (8 bytes, readable/writable from localities 0-2)
###
tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p "$mypw"

###
### Define owner in NV space ("owner" is the LCP owner index, 0x40000001).
###
tpmnv_defindex -i owner -p "$mypw"

###
### Write LCP and launch policy to TPM
###
lcp_writepol -i owner -f list.pol -p "$mypw"
pause

###
### Copy list.data to /boot.
### Modify /boot/grub/grub.cfg to use list.data:
###    module /list.data /list.data
###
set +v

--- On Wed, 3/6/13, Wei, Gang <gang....@intel.com> wrote:

> From: Wei, Gang <gang....@intel.com>
> Subject: RE: [tboot-devel] tboot setup with Ubuntu Server 12.10 and 20_linux_tboot
> To: "Jay Schwichtenberg" <emma...@yahoo.com>, "tboot-devel@lists.sourceforge.net" <tboot-devel@lists.sourceforge.net>
> Cc: "Wei, Gang" <gang....@intel.com>
> Date: Wednesday, March 6, 2013, 12:58 AM
>
> Jay Schwichtenberg wrote on 2013-03-06:
> > Here's the error code from the second boot attempt.
> >
> > Thanks
> > Jay S.
> >
> > TBOOT: TXT chipset and all needed capabilities present
> > TBOOT: TXT.ERRORCODE: 0xc00008c1
> > TBOOT: AC module error : acm_type=0x1, progress=0x0c, error=0x2
> > TBOOT: TXT.ESTS: 0x0
> > TBOOT: TXT.E2STS: 0x8
> > TBOOT: IA32_FEATURE_CONTROL_MSR: 0000ff07
>
> It is an LCP error: LCP MLE Mismatch.
>
> Please try to remove the owner nv index (0x40000001) first to make sure you
> can boot without LCP. You can do it with tpmnv_relindex. And remember to
> remove the list.data module line.
>
> Then let's try LCP. What you need to do is:
>
> Create an MLE element:
> 1. lcp_mlehash -c "logging=serial,vga,memory" /boot/tboot.gz > mle_hash
> 2. lcp_crtpolelt --create --type mle --ctrl 0x00 --minver 17 --out mle.elt mle_hash
>
> Combine the elements into an unsigned list:
> 1. lcp_crtpollist --create --out list_unsig.lst mle.elt
>
> Use lcp_crtpollist to sign the list:
> 1. openssl genrsa -out privkey.pem 2048
> 2. openssl rsa -pubout -in privkey.pem -out pubkey.pem
> 3. cp list_unsig.lst list_sig.lst
> 4. lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out list_sig.lst
>
> Create policy and policy data files:
> 1. lcp_crtpol2 --create --type list --pol list.pol --data list.data list_sig.lst
>
> Write LCP and Verified Launch policies to TPM:
> (modprobe tpm_tis; tcsd;)
> 1. lcp_writepol -i owner -f list.pol -p <TPM-password>
>
> Then add list.data into boot.cfg like what you have done.
>
> Wish the above could help.
>
> Jimmy

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
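The diagnosis in the thread hinges on reading TXT.ERRORCODE the way tboot prints it. The decoder below is an added example, not code from the thread or from the tboot project: it splits the register into the fields tboot's own log line shows (bit 31 valid, bit 30 external, and for an external/ACM error bits 3:0 acm_type, 9:4 progress, 14:10 error), reproduces the acm_type=0x1, progress=0x0c, error=0x2 line from Jay's boot log, and names only the one progress/error pair the thread explains (0x0c/0x2 as "LCP MLE Mismatch", per Jimmy). The function names, the KNOWN_ACM_ERRORS table and the sample log line are assumptions constructed for the example; any pair not in the table is reported as unknown rather than guessed.

```python
"""Decode TXT.ERRORCODE values as tboot reports them (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Only the meaning the thread itself establishes; everything else is "unknown".
KNOWN_ACM_ERRORS = {
    (0x0c, 0x2): "LCP MLE Mismatch",  # Jimmy's diagnosis of 0xc00008c1
}

# acm_type values: 0 = BIOS ACM, 1 = SINIT (other values reserved).
ACM_TYPE_NAMES = {0: "BIOS ACM", 1: "SINIT"}

# Constructed sample of the tboot log line, not a capture from this thread's host.
SAMPLE_LOG_LINE = "TBOOT: TXT.ERRORCODE: 0xc00008c1"


@dataclass(frozen=True)
class TxtError:
    raw: int
    valid: bool          # bit 31: an error was recorded
    external: bool       # bit 30: raised by ACM/software rather than the processor
    acm_type: Optional[int] = None   # bits 3:0   (only when valid and external)
    progress: Optional[int] = None   # bits 9:4   (SINIT progress/class code)
    error: Optional[int] = None      # bits 14:10 (error within that class)

    def describe(self) -> str:
        if not self.valid:
            return "no error recorded (TXT.ERRORCODE valid bit clear)"
        if not self.external:
            # Processor-originated errors use a different low-bit layout; do not
            # pretend to decode them, just expose the raw type field.
            return "processor error, type field 0x%04x" % (self.raw & 0xFFFF)
        name = KNOWN_ACM_ERRORS.get((self.progress, self.error), "unknown")
        kind = ACM_TYPE_NAMES.get(self.acm_type, "reserved")
        return ("AC module error: acm_type=0x%x (%s), progress=0x%02x, error=0x%x: %s"
                % (self.acm_type, kind, self.progress, self.error, name))


def decode_txt_errorcode(raw: int) -> TxtError:
    """Split a 32-bit TXT.ERRORCODE into the fields tboot prints."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError("TXT.ERRORCODE is a 32-bit register")
    valid = bool((raw >> 31) & 1)
    external = bool((raw >> 30) & 1)
    if not (valid and external):
        return TxtError(raw, valid, external)
    return TxtError(
        raw, valid, external,
        acm_type=raw & 0xF,
        progress=(raw >> 4) & 0x3F,
        error=(raw >> 10) & 0x1F,
    )


def parse_tboot_errorcode_line(line: str) -> Optional[int]:
    """Pull the hex value out of a 'TBOOT: TXT.ERRORCODE: 0x...' log line."""
    m = re.search(r"TXT\.ERRORCODE:\s*0x([0-9a-fA-F]{1,8})", line)
    return int(m.group(1), 16) if m else None


if __name__ == "__main__":
    code = parse_tboot_errorcode_line(SAMPLE_LOG_LINE)
    print(decode_txt_errorcode(code).describe())
```

Run against the sample line this prints the same acm_type/progress/error triple tboot logged, tagged with the thread's "LCP MLE Mismatch" reading; a register with the valid bit clear, or a processor-originated error, is reported as such instead of being forced through the ACM field layout.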