So while I wait for a miracle on my other system, I have tried configuring
tboot on a different platform using a similar config. I'm hoping to find
out if the problem is configuration based or hardware based.
The result is:
TBOOT: TXT.ERRORCODE: 0xc0000901
TBOOT: AC module error : acm_type=0x1, progress=0x10, error=0x2
Which, according to the Q45_Q43_SINIT_51.BIN sinit_errors.txt file, is
"10h Processing Launch Control Policy", "unsupported
policy version"
I have tried this configuration in any way I can think of, from using
LCPv1, LCPv2/unsigned/no MLE, LCPv2/signed/no MLE, LCPv2/signed/"custom"
elt/no nvram, and then finally LCPv2 signed, custom element fully defined
and written to NVRAM. I'm not really sure what it means by "unsupported
policy version", as I've tried every version of LCP I know of. Any
suggestions would be greatly appreciated.
-Charles
FULL OUTPUT PASTE:
http://pastebin.com/hq6vQRFH
SCRIPT:
## Set TPM_PASS var
export TPM_PASS=<the_pass>
## Start tcsd service
tcsd
## Release old indices to clear status
tpmnv_relindex -i owner -p $TPM_PASS
tpmnv_relindex -i 0x20000001 -p $TPM_PASS
tpmnv_relindex -i 0x20000002 -p $TPM_PASS
## Define indices for owner, error, and TBOOT
tpmnv_defindex -i owner -p $TPM_PASS
tpmnv_defindex -i 0x20000001 -s 256 -pv 0x02 -p $TPM_PASS
tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p $TPM_PASS
## Create MLE Policy
tb_polgen --create --type nonfatal vl_ver1.pol
## Hash vmlinuz, add to policy file
tb_polgen --add --num 0 --pcr none --hash image \
  --cmdline "ro root=/dev/mapper/vg_rd8uxr84163g-lv_root rd_LVM_LV=vg_rd8uxr84163g/lv_swap rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_rd8uxr84163g/lv_root rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM intel_iommu=on" \
  --image /boot/vmlinuz-2.6.32-220.el6.x86_64 vl_ver1.pol
## Hash initramfs, add to policy file
tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "" \
  --image /boot/initramfs-2.6.32-220.el6.x86_64.img vl_ver1.pol
## Create TBOOT hash
lcp_mlehash -c "logging=vga,serial,memory loglvl=all" /boot/tboot.gz > tboot_hash
## Create Policy Element with tboot_hash
lcp_crtpolelt --create --type mle --ctrl 0x00 --out mle.elt tboot_hash
## Create the list of elements, yet to be signed
lcp_crtpollist --create --out list_unsig.lst mle.elt
## Generate private key
openssl genrsa -out privkey.pem 2048
## Generate public key
openssl rsa -pubout -in privkey.pem -out pubkey.pem
## Create the signed list
cp list_unsig.lst list_sig.lst
lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out list_sig.lst
## Create the actual policy using the unsigned and signed element lists
lcp_crtpol2 --create --type list --pol list.pol --data list.data list_{unsig,sig}.lst
## Write the policies to NVRAM
lcp_writepol -i owner -f list.pol -p $TPM_PASS
lcp_writepol -i 0x20000001 -f vl_ver1.pol -p $TPM_PASS
## Copy list.data to boot directory
cp list.data /boot
## validate grub.conf has /list.data module and reboot
-Charles
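
An added example, not part of the original post and not tboot's own code: it splits the TXT.ERRORCODE value from the log above into the fields tboot prints, so the raw register can be checked against the "AC module error" line. The bit positions and the names `decode_txt_errorcode` and `describe_txt_errorcode` are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit positions are an assumption, chosen to match the fields tboot prints. */
struct txt_err {
    unsigned valid;     /* bit 31: register holds a valid error */
    unsigned external;  /* bit 30: 0 = processor, 1 = software (ACM or MLE) */
    unsigned src;       /* bit 15: 0 = AC module, 1 = MLE (tboot) */
    unsigned error;     /* bits 13:10 */
    unsigned progress;  /* bits 9:4 */
    unsigned acm_type;  /* bits 3:0: 0 = BIOS ACM, 1 = SINIT */
};

static struct txt_err decode_txt_errorcode(uint32_t raw)
{
    struct txt_err e;
    e.valid    = (raw >> 31) & 0x1;
    e.external = (raw >> 30) & 0x1;
    e.src      = (raw >> 15) & 0x1;
    e.error    = (raw >> 10) & 0xf;
    e.progress = (raw >> 4) & 0x3f;
    e.acm_type = raw & 0xf;
    return e;
}

/* Writes a one-line description into buf and returns buf. */
static char *describe_txt_errorcode(uint32_t raw, char *buf, size_t len)
{
    struct txt_err e = decode_txt_errorcode(raw);
    if (!e.valid)
        snprintf(buf, len, "no valid error recorded");
    else if (!e.external)
        snprintf(buf, len, "processor error 0x%x", (unsigned)(raw & 0x3fffffffu));
    else if (e.src)
        snprintf(buf, len, "MLE (tboot) error, raw=0x%08x", (unsigned)raw);
    else
        snprintf(buf, len, "AC module error : acm_type=0x%x, progress=0x%02x, error=0x%x",
                 e.acm_type, e.progress, e.error);
    return buf;
}

int main(void)
{
    char buf[96];
    /* Value copied from the TBOOT log line in the post. */
    puts(describe_txt_errorcode(0xc0000901u, buf, sizeof buf));
    return 0;
}
```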
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel