Thanks for share the scripts to the list. Jimmy
Jay Schwichtenberg wrote on 2013-03-07:
> Jimmy,
>
> THANKS!
>
> Your suggestions got me going in the right direction and I seem to have
things
> booting correctly.
>
> I had to add a couple of things to get things working.
>
> 1) Had to add tpm_takeownership -z to the process.
> 2) Added the TPM error index setup (0x20000002) to the process.
>
> I've added the script that I used below for reference. It might help
someone
> else out.
>
> Thanks to all for the help!
> Jay S.
>
> ###
> ### Provide passwork on command line.
> ###
> if [ -z $1 ]; then
> echo ""
> echo "ERROR: Forgot password!"
> echo ""
>
> exit 1
> fi
> mypw=$1
>
> ###
> ### Pause / wait for key
> ###
> function pause(){
> read -p "==>> Hit Key!"
> }
>
> ###
> ### Set verbose setting to show executed commands.
> ###
> set -v
>
> ### ### Create MLE element ### lcp_mlehash -c
> "logging=serial,vga,memory" /boot/tboot.gz > mle_hash lcp_crtpolelt
> --create --type mle --ctrl 0x00 --minver 17 --out mle.elt mle_hash pause
>
> ###
> ### Combine elements
> ###
> lcp_crtpollist --create --out list_unsig.lst mle.elt
>
> ###
> ### Sign list - signing and software on same platform
> ###
> openssl genrsa -out privkey.pem 2048
> openssl rsa -pubout -in privkey.pem -out pubkey.pem
> cp list_unsig.lst list_sig.lst
> lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out
list_sig.lst
>
> ### ### Create policy and policy data files ### lcp_crtpol2 --create
> --type list --pol list.pol --data list.data list_sig.lst pause
>
> ### ### Take ownership of TPM, tpm_takeownership will prompt you for
> passwords ### tcsd tpm_takeownership -z
>
> ###
> ### Define tboot error TPM NV index
> ###
> tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p $mypw
>
> ###
> ### Define owner in NV space.
> ###
> tpmnv_defindex -i owner -p $mypw
>
> ###
> ### Write LCP and launch policy to TPM
> ###
> lcp_writepol -i owner -f list.pol -p $mypw
> pause
>
> ###
> ### Copy list.data to /boot.
> ### Modify /boot/grub/grub.cfg to use list.data:
> ### module /list.data /list.data
> ###
> set +v
>
>
>
> --- On Wed, 3/6/13, Wei, Gang <[email protected]> wrote:
>
>> From: Wei, Gang <[email protected]> Subject: RE: [tboot-devel] tboot
>> setup with Ubuntu Server 12.10and20_linux_tboot To: "Jay
>> Schwichtenberg" <[email protected]>,
>> "[email protected]" <[email protected]>
>> Cc: "Wei, Gang" <[email protected]> Date: Wednesday, March 6, 2013,
>> 12:58 AM Jay Schwichtenberg wrote on 2013-03-06:
>>> Here's the error code from the second boot attempt.
>>>
>>> Thanks
>>> Jay S.
>>>
>>>
>>> TBOOT: TXT chipset and all needed capabilities present TBOOT:
>>> TXT.ERRORCODE: 0xc00008c1 TBOOT: AC module error : acm_type=0x1,
>>> progress=0x0c, error=0x2 TBOOT: TXT.ESTS: 0x0 TBOOT: TXT.E2STS: 0x8
>>> TBOOT: IA32_FEATURE_CONTROL_MSR: 0000ff07
>>
>> It is a LCP error: LCP MLE Mismatch.
>>
>> Please try to remove the owner nv index (0x40000001) first
>> to make sure you
>> can boot without LCP. You can do it with tpmnv_relindex. And
>> remember to
>> remove the list.data module line.
>>
>> Then let's try LCP. What you need to do is:
>>
>> Create an MLE element:
>> 1. lcp_mlehash -c "logging=serial,vga,memory" /boot/tboot.gz
>>> mle_hash
>> 2. lcp_crtpolelt --create --type mle --ctrl 0x00 --minver 17
>> --out mle.elt
>> mle_hash
>>
>> Combine the elements into an unsigned list:
>> 1. lcp_crtpollist --create --out list_unsig.lst mle.elt
>>
>> Use lcp_crtpollist to sign the list:
>> 1. openssl genrsa -out privkey.pem 2048
>> 2. openssl rsa -pubout -in privkey.pem -out pubkey.pem
>> 3. cp list_unsig.lst list_sig.lst
>> 4. lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem
>> --out
>> list_sig.lst
>>
>> Create policy and policy data files:
>> 1. lcp_crtpol2 --create --type list --pol list.pol --data
>> list.data
>> list_sig.lst
>>
>> Write LCP and Verified Launch policies to TPM:
>> (modprobe tpm_tis; tcsd;)
>> 1. lcp_writepol -i owner -f list.pol -p
>> <TPM-password>
>>
>> Then add list.data into boot.cfg like what you have done.
>>
>> Wish above could help.
>>
>> Jimmy
>>
smime.p7s
Description: S/MIME cryptographic signature
------------------------------------------------------------------------------ Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the endpoint security space. For insight on selecting the right partner to tackle endpoint security challenges, access the full report. http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________ tboot-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/tboot-devel
