Charles F,

You're right.  I haven't written anything to the owner index.  It seems in
my shuffling of various configurations, that part was lost.  The problem
is, now that I'm writing this, it's stopping on SENTER and rebooting the
system.  I have tried with the following configurations:

###Attempt 1
###VLP
tb_polgen --create --type nonfatal vl_ver1.pol
tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "ro
root=/dev/mapper/vg_penguin-lv_root intel_iommu=on rd_NO_LUKS
rd_LVM_LV=vg_penguin/lv_swap rd_LVM_LV=vg_penguin/lv_root rd_NO_MD quiet
SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto LANG=en_US.UTF-8
KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet reboot=pci max_loop=255"
--image /boot/vmlinuz-2.6.32-279.5.1.el6.x86_64 vl_ver1.pol
tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "" --image
/boot/initramfs-2.6.32-279.5.1.el6.x86_64.img vl_ver1.pol

#### Create and write Launch Control Policy (LCPv1)
lcp_mlehash -c "logging=vga,serial,memory loglvl=all" /boot/tboot.gz >
mle_hash
lcp_crtpol -t hashonly -m mle_hash -o lcp_v1.pol

lcp_writepol -i owner -f lcp_v1.pol -p $TPM_PASS
lcp_writepol -i 0x20000001 -f vl_ver1.pol -p $TPM_PASS

#### Result: Instant system reset once it hit SENTER

###Attempt 2
###VLP
tb_polgen --create --type nonfatal vl_ver1.pol
tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "ro
root=/dev/mapper/vg_penguin-lv_root intel_iommu=on rd_NO_LUKS
rd_LVM_LV=vg_penguin/lv_swap rd_LVM_LV=vg_penguin/lv_root rd_NO_MD quiet
SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto LANG=en_US.UTF-8
KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet reboot=pci max_loop=255"
--image /boot/vmlinuz-2.6.32-279.5.1.el6.x86_64 vl_ver1.pol
tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "" --image
/boot/initramfs-2.6.32-279.5.1.el6.x86_64.img vl_ver1.pol

###LCPv2
lcp_mlehash -c "logging=vga,serial,memory loglvl=all" /boot/tboot.gz >
tboot_hash
lcp_crtpolelt --create --type mle --ctrl 0x00 --out mle.elt tboot_hash
lcp_crtpollist --create --out list_unsig.lst mle.elt
lcp_crtpol2 --create --type list --pol list.pol --data list.data
list_unsig.lst
cp list.data /boot

tcsd
lcp_writepol -i owner -f list.pol -p $TPM_PASS
lcp_writepol -i 0x20000001 -f vl_ver1.pol -p $TPM_PASS

###Add /list.data to /boot/grub/grub.conf

#### Result: Instant system reset once it hit SENTER

The processor is a Xeon X5675.  I'll keep playing around with the LCP,
because it seems like this might be the root of my problems.  Any insight
you can offer would be a big help.

-Charles B.

On Mon, Mar 25, 2013 at 9:14 PM, <charles.fis...@gdc4s.com> wrote:

> There appear to be a couple of things that I don't understand. It appears
> that while you have written your VL policy, you haven't written a Launch
> Control Policy (which goes in the owner NV index). What your LCP will be
> depends on the processor, which you didn't mention in your post. That is the
> place the tboot is validated by the SINIT module, and then when it returns
> tboot validates the remainder of the modules in grub.
>
> It may be possible to do what you tried, but I have always had to have a
> LCP, which is where tboot and its command line are validated, so the first
> tb_polgen line is the one for vmlinuz-2.6.32-279…
>
> Charles
>
>
> *From:* Charles Bushong [mailto:busho...@gmail.com]
> *Sent:* Monday, March 25, 2013 8:52 AM
> *To:* tboot-devel@lists.sourceforge.net
> *Subject:* [tboot-devel] verifying module against policy failed
>
> Hi all,
>
> I'm trying to get tboot up and running for my first time, and this list
> has been a great help.  However it seems I'm running into some problems
> when actually validating the modules.  I was hoping someone might have some
> insight as to what I'm doing wrong.  I'm using tboot 1.7.3 and legacy grub
> if it makes a difference.
>
> I get ownership and define the nvram indices without much issue
> (finally).  Then I create and write the v1 policy with this:
>
> tb_polgen --create --type nonfatal vl_ver1.pol
> tb_polgen --add --num 0 --pcr 18 --hash image --cmdline
> "logging=vga,serial,memory loglvl=all" --image /boot/tboot.gz vl_ver1.pol
> tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "$kernel_cmdline"
> --image /boot/vmlinuz-2.6.32-279.5.1.el6.x86_64 vl_ver1.pol
> tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image
> /boot/initramfs-2.6.32-279.5.1.el6.x86_64.img vl_ver1.pol
> lcp_writepol -i 0x20000001 -f vl_ver1.pol -p $TPM_PASS
>
> There are a few red flags that are sticking out to me.
>
> 1) Does this post-GETSEC[SENTER] error code mean anything?
>
> TBOOT: TXT.ERRORCODE: 0xc0000001
> TBOOT: AC module error : acm_type=0x1, progress=0x00, error=0x0
>
> 2) Modules failing.
> TBOOT: verifying module "/vmlinuz-2.6.32-279.5.1.el6.x86_64 (kernel command line)"...
> TBOOT:   verification failed
> TBOOT: verifying module against policy failed.
> TBOOT: verifying module "/initramfs-2.6.32-279.5.1.el6.x86_64.img"...
> TBOOT:   verification failed
> TBOOT: verifying module against policy failed.
> TBOOT: all modules are verified
>
> I can't figure out why it's reading the policy without issue, getting into
> GETSEC[SENTER], and then still failing the policy check.  Any help or
> points in the right direction would be appreciated.  Thanks!
>
> -Charles
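The policy-creation procedure in both messages above (tb_polgen for the VL policy, lcp_mlehash for the LCP's MLE hash) depends on every --cmdline string matching exactly what grub hands to tboot; the tb_polgen calls in the thread are written with the module path left out of the command line, and a typo or a stale copy of the kernel line is enough to fail "verifying module against policy". As an added example that is not part of this thread and not tboot's own tooling, the POSIX shell script below reads a legacy grub.conf stanza (constructed inline here) and prints the matching lcp_mlehash and tb_polgen commands instead of hand-copying the strings. The stanza text, the assumption that grub's (hd0,0) is mounted at /boot, and the output file names are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the tboot project:
# derive the tb_polgen and lcp_mlehash invocations from the legacy
# grub.conf stanza itself, so that every --cmdline string in the policy is
# exactly what grub hands to tboot.  The module path is stripped from the
# command line, matching how the tb_polgen calls in the thread are written.
# Assumptions: the stanza text below is constructed, grub's root (hd0,0)
# is mounted at /boot, and the output file names are placeholders.

BOOT_DIR=${BOOT_DIR:-/boot}      # where grub's (hd0,0) is mounted (assumption)
VL_POL=${VL_POL:-vl_ver1.pol}    # verified-launch policy file (placeholder)
MLE_HASH=${MLE_HASH:-mle_hash}   # lcp_mlehash output file (placeholder)

# Constructed stanza (assumption), in the shape of a tboot entry for legacy grub.
GRUB_STANZA='title CentOS tboot
        root (hd0,0)
        kernel /tboot.gz logging=vga,serial,memory loglvl=all
        module /vmlinuz-2.6.32-279.5.1.el6.x86_64 ro root=/dev/mapper/vg_penguin-lv_root intel_iommu=on quiet
        module /initramfs-2.6.32-279.5.1.el6.x86_64.img'

# grub_line KEYWORD N: the Nth "kernel" or "module" line of the stanza,
# with the keyword and leading whitespace removed.
grub_line() {
    printf '%s\n' "$GRUB_STANZA" \
      | sed -n -E "s/^[[:space:]]*$1[[:space:]]+//p" \
      | sed -n "${2}p"
}

# mod_path LINE: the first token, i.e. the module path as grub sees it.
mod_path() { printf '%s\n' "$1" | sed -E 's/^([^[:space:]]+).*/\1/'; }

# mod_cmdline LINE: everything after the path; empty if the module has none.
mod_cmdline() { printf '%s\n' "$1" | sed -E 's/^[^[:space:]]+[[:space:]]*//'; }

# policy_commands: print (do not run) the commands that produce the MLE hash
# for the LCP and the two-entry VL policy.  Printing keeps this runnable on a
# machine without a TPM; on the target, review the output and pipe it to sh.
policy_commands() {
    tb=$(grub_line kernel 1)
    kern=$(grub_line module 1)
    initrd=$(grub_line module 2)
    if [ -z "$tb" ] || [ -z "$kern" ] || [ -z "$initrd" ]; then
        echo "stanza needs one kernel line and two module lines" >&2
        return 1
    fi

    # tboot itself is covered by the LCP's MLE hash, computed over tboot.gz
    # and the tboot command line taken from the grub "kernel" line.
    printf 'lcp_mlehash -c "%s" %s%s > %s\n' \
        "$(mod_cmdline "$tb")" "$BOOT_DIR" "$(mod_path "$tb")" "$MLE_HASH"

    # The VL policy then covers the grub "module" lines: the kernel with its
    # command line in PCR 18, the initramfs with no command line in PCR 19.
    printf 'tb_polgen --create --type nonfatal %s\n' "$VL_POL"
    printf 'tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "%s" --image %s%s %s\n' \
        "$(mod_cmdline "$kern")" "$BOOT_DIR" "$(mod_path "$kern")" "$VL_POL"
    printf 'tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "%s" --image %s%s %s\n' \
        "$(mod_cmdline "$initrd")" "$BOOT_DIR" "$(mod_path "$initrd")" "$VL_POL"
}

# Stand-alone use: show the commands that would be run.
policy_commands
```

The lcp_crtpol / lcp_crtpolelt and lcp_writepol steps are unchanged from the attempts above; the point of the script is only that the command lines hashed into the policy come from the same stanza grub will boot, so a later edit to grub.conf is a reason to regenerate and rewrite the policy rather than a surprise at SENTER.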