The platform using Q45_Q43_SINIT_51.BIN only supports LCP v1. You should not try LCP v2 on it.
You should try to follow docs/policy_v1.txt to create the LCP v1 policy and have a further try.

Thanks
Jimmy

Charles Bushong wrote on 2013-04-11:
> So while I wait for a miracle on my other system, I have tried configuring tboot
> on a different platform using a similar config. I'm hoping to find out if the
> problem is configuration based or hardware based.
>
> The result is:
> TBOOT: TXT.ERRORCODE: 0xc0000901
> TBOOT: AC module error : acm_type=0x1, progress=0x10, error=0x2
>
> Which, according to the Q45_Q43_SINIT_51.BIN sinit_errors.txt file, is "10h
> Processing Launch Control Policy", "unsupported policy version"
>
> I have tried this configuration in any way I can think of, from using
> LCPv1, LCPv2/unsigned/no MLE, LCPv2/signed/no MLE, LCPv2/signed/"custom"
> elt/no nvram, and then finally LCPv2 signed, custom element fully
> defined and written to NVRAM. I'm not really sure what it means by
> "unsupported policy version", as I've tried every version of LCP I know
> of. Any suggestions would be greatly appreciated.
>
> -Charles
>
> FULL OUTPUT PASTE:
> http://pastebin.com/hq6vQRFH
>
> SCRIPT:
>
> ## Set TPM_PASS var
> export TPM_PASS=<the_pass>
> ## Start tcsd service
> tcsd
> ## Release old indices to clear status
> tpmnv_relindex -i owner -p $TPM_PASS
> tpmnv_relindex -i 0x20000001 -p $TPM_PASS
> tpmnv_relindex -i 0x20000002 -p $TPM_PASS
> ## Define indices for owner, error, and TBOOT
> tpmnv_defindex -i owner -p $TPM_PASS
> tpmnv_defindex -i 0x20000001 -s 256 -pv 0x02 -p $TPM_PASS
> tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p $TPM_PASS
> ## Create MLE Policy
> tb_polgen --create --type nonfatal vl_ver1.pol
> ## Hash vmlinuz, add to policy file
> tb_polgen --add --num 0 --pcr none --hash image --cmdline "ro root=/dev/mapper/vg_rd8uxr84163g-lv_root rd_LVM_LV=vg_rd8uxr84163g/lv_swap rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_rd8uxr84163g/lv_root rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM intel_iommu=on" --image /boot/vmlinuz-2.6.32-220.el6.x86_64 vl_ver1.pol
> ## Hash initramfs, add to policy file
> tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "" --image /boot/initramfs-2.6.32-220.el6.x86_64.img vl_ver1.pol
> ## Create TBOOT hash
> lcp_mlehash c "logging=vga,serial,memory loglvl=all" /boot/tboot.gz > tboot_hash
> ## Create Policy Element with tboot_hash
> lcp_crtpolelt --create --type mle --ctrl 0x00 --out mle.elt tboot_hash
> ## Create the list of elements, yet to be signed
> lcp_crtpollist --create --out list_unsig.lst mle.elt
> ## Generate private key
> openssl genrsa -out privkey.pem 2048
> ## Generate public key
> openssl rsa -pubout -in privkey.pem -out pubkey.pem
> ## Create the signed list
> cp list_unsig.lst list_sig.lst
> lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out list_sig.lst
> ## Create the actual policy using the unsigned and signed element lists
> lcp_crtpol2 --create --type list --pol list.pol --data list.data list_{unsig,sig}.lst
> ## Write the policies to NVRAM
> lcp_writepol -i owner -f list.pol -p $TPM_PASS
> lcp_writepol -i 0x20000001 -f vl_ver1.pol -p $TPM_PASS
> ## Copy list.data to boot directory
> cp list.data /boot
> ## validate grub.conf has /list.data module and reboot
>
> -Charles
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
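Added example, not part of the original thread and not tboot's own code: a small shell decoder that splits a TXT.ERRORCODE value into the acm_type, progress and error fields tboot prints, so the progress and error numbers can be looked up in the sinit_errors.txt shipped with the SINIT module in use. The bit layout is an assumption, checked here only against the one value quoted in this thread; the function names are hypothetical.

```shell
#!/bin/sh
# Assumed TXT.ERRORCODE layout (not stated in the thread):
#   bit 31 = valid, bit 30 = external (reported by software/ACM),
#   bits 0-29 = type. For an ACM-reported error the type field holds:
#   bits 0-3 acm_type, bits 4-9 progress, bits 10-13 error,
#   bit 15 src (0 = ACM, 1 = other software).
decode_txt_errorcode() {
    code=$(( $1 ))
    if [ $(( (code >> 31) & 1 )) -eq 0 ]; then
        echo "no valid error recorded"
        return 0
    fi
    if [ $(( (code >> 30) & 1 )) -eq 0 ]; then
        printf 'processor error: type=0x%x\n' $(( code & 0x3fffffff ))
        return 0
    fi
    if [ $(( (code >> 15) & 1 )) -eq 1 ]; then
        printf 'non-ACM software error: type=0x%x\n' $(( code & 0x3fffffff ))
        return 0
    fi
    printf 'acm_type=0x%x progress=0x%02x error=0x%x\n' \
        $(( code & 0xf )) $(( (code >> 4) & 0x3f )) $(( (code >> 10) & 0xf ))
}

# Read a saved tboot log on stdin and decode every TXT.ERRORCODE line in it.
decode_tboot_log() {
    sed -n 's/.*TXT\.ERRORCODE: *\(0x[0-9a-fA-F]*\).*/\1/p' |
    while read -r value; do
        printf '%s -> %s\n' "$value" "$(decode_txt_errorcode "$value")"
    done
}

# Sample input: the first line is the one quoted in the thread,
# the second is constructed to show the "nothing recorded" case.
decode_tboot_log <<'EOF'
TBOOT: TXT.ERRORCODE: 0xc0000901
TBOOT: TXT.ERRORCODE: 0x0
EOF
```

The progress and error numbers are only meaningful against the error table of the specific SINIT module, as with the "10h Processing Launch Control Policy" entry quoted above.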