Jimmy,

Sorry, I replied before but it was caught by the oversized message filter.
I've been working with Charles F. to refine my configuration.  I think a
few of the kinks have been worked out (such as forgetting to define an
LCP...whoops), but Charles can no longer help me.  My machine won't boot at
all, just restarts when it hits SENTER, and the next time it tries to boot,
it says TXT.ERRORCODE=0x0.  Not sure why nothing is getting written into
it...

Since the machine won't boot, I can't get txt-stat output.  I'm trying to
figure out a setup to get the serial output, but for now all I have is
screencaps of iDRAC.  I put it in an album on my Google Plus page here:
https://plus.google.com/photos/104524032208184395446/albums/5860751449766674161
I'd attach it, but the photo set is around 100k and it would bounce the
email.

Here is my config as it stands:

#### Release NVRAM Indices
#owner
tpmnv_relindex -i owner -p $TPM_PASS
#tboot
tpmnv_relindex -i 0x20000001 -p $TPM_PASS
#error
tpmnv_relindex -i 0x20000002 -p $TPM_PASS


#### Define NVRAM Indices
#owner
tpmnv_defindex -i owner -p $TPM_PASS
#tboot
tpmnv_defindex -i 0x20000001 -s 256 -pv 0x02 -p $TPM_PASS
#error
tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p $TPM_PASS

###LCP v2
lcp_mlehash -c "logging=vga,serial,memory vga_delay=15 loglvl=all" /boot/tboot.gz > tboot_hash
#Create the MLE Element
lcp_crtpolelt --create --type mle --ctrl 0x00 --minver 17 --out mle.elt tboot_hash
#Create policy list
lcp_crtpollist --create --out list_unsig.lst mle.elt
#Sign the list
openssl genrsa -out privkey.pem 2048
openssl rsa -pubout -in privkey.pem -out pubkey.pem
cp list_unsig.lst list_sig.lst
lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out list_sig.lst
lcp_crtpol2 --create --type list --pol list.pol --data list.data list_{unsig,sig}.lst
#Write the policy to nvram
lcp_writepol -i owner -f list.pol -p $TPM_PASS
cp list.data /boot/list.data
#***Add /list.data to grub.conf***

###VLP
## Create the file
tb_polgen --create --type nonfatal vl_ver1.pol
## Add all the lines of your /boot/grub/menu.lst.  The file is the image,
## everything after that is under "cmdline"
tb_polgen --add --num 0 --pcr none --hash image \
  --cmdline "ro root=/dev/mapper/vg_penguin-lv_root intel_iommu=on rd_NO_LUKS rd_LVM_LV=vg_penguin/lv_swap rd_LVM_LV=vg_penguin/lv_root rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto LANG=en_US.UTF-8 KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet reboot=pci max_loop=255" \
  --image /boot/vmlinuz-2.6.32-279.5.1.el6.x86_64 vl_ver1.pol
tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "" \
  --image /boot/initramfs-2.6.32-279.5.1.el6.x86_64.img vl_ver1.pol
## Write the policy
lcp_writepol -i 0x20000001 -f vl_ver1.pol -p $TPM_PASS

#####grub.conf:
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-279.5.1.el6.x86_64)
        root (hd0,0)
        kernel /tboot.gz logging=vga,serial,memory vga_delay=15 loglvl=all
        module /vmlinuz-2.6.32-279.5.1.el6.x86_64 ro root=/dev/mapper/vg_penguin-lv_root intel_iommu=on rd_NO_LUKS rd_LVM_LV=vg_penguin/lv_swap rd_LVM_LV=vg_penguin/lv_root rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto LANG=en_US.UTF-8 KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet reboot=pci max_loop=255
        module /initramfs-2.6.32-279.5.1.el6.x86_64.img
        module /Xeon-5600-3500-SINIT-v1.1.BIN
        module /list.data

-Charles
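
One check worth running before the next boot attempt, added here as an example and not code from the thread or from tboot itself: compare each tb_polgen entry against the module line grub actually passes, since a command-line difference is exactly what "verification failed" on the "(kernel command line)" module reports. It assumes tboot compares the exact string that follows the module path (see the comment in grub_modules); the grub.conf and policy entries below are constructed and shortened from the ones above.

```python
"""Cross-check a tboot VLP against grub.conf.  tboot verifies each module
together with its command line, so a tb_polgen --cmdline that differs from
what grub passes after the module path (an extra space, a repeated token)
fails at boot.  Added checker, not tboot code; inputs are constructed."""
import os
import re

GRUB_CONF = """\
        kernel /tboot.gz logging=vga,serial,memory vga_delay=15 loglvl=all
        module /vmlinuz-2.6.32-279.5.1.el6.x86_64 ro root=/dev/mapper/vg_penguin-lv_root intel_iommu=on quiet rhgb quiet
        module /initramfs-2.6.32-279.5.1.el6.x86_64.img
        module /Xeon-5600-3500-SINIT-v1.1.BIN
        module /list.data
"""
# (--num, --image, --cmdline) as passed to tb_polgen --add.  Constructed:
# the kernel entry drops the trailing "quiet" that grub.conf carries.
POLICY_ENTRIES = [
    (0, "/boot/vmlinuz-2.6.32-279.5.1.el6.x86_64",
     "ro root=/dev/mapper/vg_penguin-lv_root intel_iommu=on quiet rhgb"),
    (1, "/boot/initramfs-2.6.32-279.5.1.el6.x86_64.img", ""),
]

def grub_modules(conf):
    """[(path, cmdline)] per 'module' line, in multiboot order.  Assumption
    (check tboot's skip_filename): only the path token and the whitespace
    after it are dropped before the command line is hashed."""
    mods = []
    for line in conf.splitlines():
        m = re.match(r"\s*module\s+(\S+)(.*)$", line)
        if m:
            mods.append((m.group(1), m.group(2).lstrip()))
    return mods

def check_policy(conf, entries):
    """Findings per policy entry vs. the grub module with the same --num."""
    mods = grub_modules(conf)
    findings = []
    for num, image, cmdline in entries:
        if num >= len(mods):
            findings.append(f"entry {num}: no module {num} in grub.conf")
            continue
        path, grub_cmd = mods[num]
        if os.path.basename(path) != os.path.basename(image):
            findings.append(f"entry {num}: image {image} vs grub {path}")
        if grub_cmd != cmdline:
            findings.append(f"entry {num}: cmdline mismatch: policy "
                            f"{cmdline!r} vs grub {grub_cmd!r}")
    for num in range(len(entries), len(mods)):
        findings.append(f"module {num} ({mods[num][0]}) has no policy entry")
    return findings
```

Modules reported as having no policy entry (SINIT, list.data) are listed so you can see what the VLP leaves uncovered, not as errors.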


On Mon, Mar 25, 2013 at 7:22 PM, Wei, Gang <gang....@intel.com> wrote:

> Charles Bushong wrote on 2013-03-25:
> > Hi all,
> >
> >
> > I'm trying to get tboot up and running for my first time, and this list
> > has been a great help.  However it seems I'm running into some problems
> > when actually validating the modules.  I was hoping someone might have
> > some insight as to what I'm doing wrong.  I'm using tboot 1.7.3 and
> > legacy grub if it makes a difference.
> >
> >
> > I get ownership and define the nvram indices without much issue
> > (finally).  Then I create and write the v1 policy with this:
> >
> > tb_polgen --create --type nonfatal vl_ver1.pol
> > tb_polgen --add --num 0 --pcr 18 --hash image --cmdline
> > "logging=vga,serial,memory loglvl=all" --image /boot/tboot.gz vl_ver1.pol
> > tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "$kernel_cmdline"
> > --image /boot/vmlinuz-2.6.32-279.5.1.el6.x86_64 vl_ver1.pol
> > tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image
> > /boot/initramfs-2.6.32-279.5.1.el6.x86_64.img vl_ver1.pol
> > lcp_writepol -i 0x20000001 -f vl_ver1.pol -p $TPM_PASS
> >
> >
> > There are a few red flags that are sticking out to me.
> >
> >
> > 1) Does this post-GETSEC[SENTER] error code mean anything?
> >
> > TBOOT: TXT.ERRORCODE: 0xc0000001
> > TBOOT: AC module error : acm_type=0x1, progress=0x00, error=0x0
>
> This just means everything is OK; SINIT executed successfully.
>
> >
> >
> > 2) Modules failing.
> > TBOOT: verifying module " /vmlinuz-2.6.32-279.5.1.el6.x86_64 (kernel command line)"...
> > TBOOT: verification failed
> > TBOOT: verifying module against policy failed.
> > TBOOT: verifying module " /initramfs-2.6.32-279.5.1.el6.x86_64.img"...
> > TBOOT:   verification failed
> > TBOOT: verifying module against policy failed.
> > TBOOT: all modules are verified
>
> Please send the grub.cfg & attach a serial port cable (or just use txt-stat
> if already booted up) to get an entire booting log for tboot and send it
> out.
>
> Jimmy
>
> >
> >
> > I can't figure out why it's reading the policy without issue, getting into
> > GETSEC[SENTER], and then still failing the policy check.  Any help or
> > points in the right direction would be appreciated.  Thanks!
> >
> >
> > -Charles
>
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel