Hi all,
I'm trying to get tboot up and running for my first time, and this list has
been a great help. However it seems I'm running into some problems when
actually validating the modules. I was hoping someone might have some
insight as to what I'm doing wrong. I'm using tboot 1.7.3 and legacy grub
if it makes a difference.
I get ownership and define the nvram indices without much issue
(finally). Then I create and write the v1 policy with this:

    tb_polgen --create --type nonfatal vl_ver1.pol
    tb_polgen --add --num 0 --pcr 18 --hash image \
        --cmdline "logging=vga,serial,memory loglvl=all" \
        --image /boot/tboot.gz vl_ver1.pol
    tb_polgen --add --num 1 --pcr 19 --hash image \
        --cmdline "$kernel_cmdline" \
        --image /boot/vmlinuz-2.6.32-279.5.1.el6.x86_64 vl_ver1.pol
    tb_polgen --add --num 2 --pcr 19 --hash image \
        --cmdline "" \
        --image /boot/initramfs-2.6.32-279.5.1.el6.x86_64.img vl_ver1.pol
    lcp_writepol -i 0x20000001 -f vl_ver1.pol -p $TPM_PASS

There are a few red flags that are sticking out to me.
1) Does this post-GETSEC[SENTER] error code mean anything?
TBOOT: TXT.ERRORCODE: 0xc0000001
TBOOT: AC module error : acm_type=0x1, progress=0x00, error=0x0
2) Modules failing.
TBOOT: verifying module "
/vmlinuz-2.6.32-279.5.1.el6.x86_64 (kernel command line)"...
TBOOT: verification failed
TBOOT: verifying module against policy failed.
TBOOT: verifying module "
/initramfs-2.6.32-279.5.1.el6.x86_64.img"...
TBOOT: verification failed
TBOOT: verifying module against policy failed.
TBOOT: all modules are verified
I can't figure out why it's reading the policy without issue, getting into
GETSEC[SENTER], and then still failing the policy check. Any help or
points in the right direction would be appreciated. Thanks!
-Charles