Any ideas on this, anybody?

-Charles


On Wed, Apr 10, 2013 at 2:22 PM, Charles Bushong <busho...@gmail.com> wrote:

> So while I wait for a miracle on my other system, I have tried configuring
> tboot on a different platform using a similar config.  I'm hoping to find
> out if the problem is configuration based or hardware based.
>
> The result is:
> TBOOT: TXT.ERRORCODE: 0xc0000901
> TBOOT: AC module error : acm_type=0x1, progress=0x10, error=0x2
>
> Which, according to the Q45_Q43_SINIT_51.BIN sinit_errors.txt file, is
> "10h                  Processing Launch Control Policy", "unsupported
> policy version"
>
> I have tried this configuration in any way I can think of, from using
> LCPv1, LCPv2/unsigned/no MLE, LCPv2/signed/no MLE, LCPv2/signed/"custom"
> elt/no nvram, and then finally LCPv2 signed, custom element fully defined
> and written to NVRAM.  I'm not really sure what it means by "unsupported
> policy version", as I've tried every version of LCP I know of.  Any
> suggestions would be greatly appreciated.
>
> -Charles
>
> FULL OUTPUT PASTE:
> http://pastebin.com/hq6vQRFH
>
> SCRIPT:
>   ## Set TPM_PASS var
> export TPM_PASS=<the_pass>
>   ## Start tcsd service
> tcsd
>   ## Release old indices to clear status
> tpmnv_relindex -i owner -p $TPM_PASS
> tpmnv_relindex -i 0x20000001 -p $TPM_PASS
> tpmnv_relindex -i 0x20000002 -p $TPM_PASS
>   ## Define indices for owner, error, and TBOOT
> tpmnv_defindex -i owner -p $TPM_PASS
> tpmnv_defindex -i 0x20000001 -s 256 -pv 0x02 -p $TPM_PASS
> tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p $TPM_PASS
>   ## Create MLE Policy
> tb_polgen --create --type nonfatal vl_ver1.pol
>   ## Hash vmlinuz, add to policy file
> tb_polgen --add --num 0 --pcr none --hash image --cmdline "ro root=/dev/mapper/vg_rd8uxr84163g-lv_root rd_LVM_LV=vg_rd8uxr84163g/lv_swap rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_rd8uxr84163g/lv_root rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM intel_iommu=on" --image /boot/vmlinuz-2.6.32-220.el6.x86_64 vl_ver1.pol
>   ## Hash initramfs, add to policy file
> tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "" --image /boot/initramfs-2.6.32-220.el6.x86_64.img vl_ver1.pol
>   ## Create TBOOT hash
> lcp_mlehash -c "logging=vga,serial,memory loglvl=all" /boot/tboot.gz > tboot_hash
>   ## Create Policy Element with tboot_hash
> lcp_crtpolelt --create --type mle --ctrl 0x00 --out mle.elt tboot_hash
>   ## Create the list of elements, yet to be signed
> lcp_crtpollist --create --out list_unsig.lst mle.elt
>   ## Generate private key
> openssl genrsa -out privkey.pem 2048
>   ## Generate public key
> openssl rsa -pubout -in privkey.pem -out pubkey.pem
>   ## Create the signed list
> cp list_unsig.lst list_sig.lst
> lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out list_sig.lst
>   ## Create the actual policy using the unsigned and signed element lists
> lcp_crtpol2 --create --type list --pol list.pol --data list.data list_{unsig,sig}.lst
>   ## Write the policies to NVRAM
> lcp_writepol -i owner -f list.pol -p $TPM_PASS
> lcp_writepol -i 0x20000001 -f vl_ver1.pol -p $TPM_PASS
>   ## Copy list.data to boot directory
> cp list.data /boot
>   ## validate grub.conf has /list.data module and reboot
>
> -Charles
>
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
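
An added example, not part of the original thread and not tboot's own code: a small decoder that splits a TXT.ERRORCODE value such as the 0xc0000901 reported above into the acm_type, progress and error fields that tboot logs. The bit layout and the names `txt_err`, `txt_decode` and `txt_print` are assumptions of this example; the progress/error pair still has to be looked up in the sinit_errors.txt shipped with the SINIT module in use, as the message does.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of TXT.ERRORCODE. The field positions are an assumption of
 * this example; they reproduce the values logged in the message above. */
struct txt_err {
    int valid;          /* bit 31: register holds a valid error */
    int external;       /* bit 30: 0 = processor, 1 = external software */
    int sw_source;      /* bit 15: 0 = AC module, 1 = other software */
    unsigned acm_type;  /* bits 3:0: 0 = BIOS ACM, 1 = SINIT */
    unsigned progress;  /* bits 9:4: stage the AC module had reached */
    unsigned error;     /* bits 13:10: error code within that stage */
    uint32_t type;      /* bits 29:0: raw code, used for non-ACM cases */
};

struct txt_err txt_decode(uint32_t raw)
{
    struct txt_err e = {0};
    e.valid    = (raw >> 31) & 1;
    e.external = (raw >> 30) & 1;
    e.type     = raw & 0x3fffffffu;
    if (!e.valid || !e.external)
        return e;               /* no AC module fields to split out */
    e.sw_source = (raw >> 15) & 1;
    if (!e.sw_source) {
        e.acm_type = raw & 0xf;
        e.progress = (raw >> 4) & 0x3f;
        e.error    = (raw >> 10) & 0xf;
    }
    return e;
}

void txt_print(uint32_t raw)
{
    struct txt_err e = txt_decode(raw);
    if (!e.valid)
        printf("0x%08x: no valid error recorded\n", (unsigned)raw);
    else if (!e.external)
        printf("0x%08x: processor error 0x%x\n", (unsigned)raw, (unsigned)e.type);
    else if (e.sw_source)
        printf("0x%08x: software-reported error 0x%x\n", (unsigned)raw, (unsigned)e.type);
    else
        printf("0x%08x: AC module error: acm_type=0x%x, progress=0x%02x, error=0x%x\n",
               (unsigned)raw, e.acm_type, e.progress, e.error);
}

int main(void)
{
    txt_print(0xc0000901u);   /* value reported in the message above */
    return 0;
}
```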