I am testing this now and I've hit something odd

I created the VL policy with type "nonfatal" first. With pcr_map=da, PCR-18 was 
the same with different kernels/modules, as expected.
(btw it would be nice if a policy violation was visible in some PCR, even with 
"nonfatal")

Then I changed the VL policy to "halt", and now PCR-18 is different from before 
- but I have not even touched NVRAM, so the authorities measurement in PCR-18 
should be the same, am I right?

Jan


> On 09 May 2016, at 11:01, martin.wi...@ts.fujitsu.com wrote:
> 
> Hi Jan,
> 
>> So I want to use a signed policy, and use multiple policy data files for 
>> lifecycle management (e.g. when I need to upgrade to MLE but want to be able 
>> to "rollback" to a previous version if needed).
>> Using a signed policy means I don't have to touch the NVRAM (which might 
>> break something, making rollback impossible).
>> 
>> Sounds right?
> 
> Yes.
> 
>>> There are two ways to install the VLP - either in NVRAM (in which case
>>> you're right) or by simply adding it to the LCP as a "custom" element.
>>> If you do the latter, and use signed LCP, you don't need to update the
>>> NVRAM after a kernel update. You would just update the VLP element
>>> integrated in the LCP, and sign the updated LCP.
>> 
>> Is it simply something like:
>> 
>> lcp_crtpolelt --create --type custom --uuid tboot --out vlp.elt vlp.dat
>> and then add vlp.elt to lcp_crtpollist when creating the LCP?
> 
> Assuming that you created vlp.dat with tb_polgen before, yes.
> 
> Regards
> Martin
> 
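The element-then-list sequence Martin confirms, written out as an added shell script (mine, not from this thread or the tboot project). Only the lcp_crtpolelt line is taken from the message above; tb_polgen, lcp_crtpollist --sign, lcp_crtpol2, their flags and the key file names are my recollection of the tboot lcptools README and should be checked against the installed tools' --help. When a tool is absent (or LCP_DRY_RUN=1) the script prints the command instead of running it.

```shell
#!/bin/sh
# Build a signed LCP that carries the tboot verified-launch policy (VLP) as a
# custom element, so a kernel/VLP update means re-signing the list, not rewriting NVRAM.
# Assumptions (not from the thread): tool names and flags other than the
# lcp_crtpolelt line are recalled from the tboot lcptools README; $PUB/$PRIV is an
# RSA PEM key pair; $VLP_DAT was produced by tb_polgen beforehand.
set -eu

VLP_DAT=${VLP_DAT:-vlp.dat}      # output of tb_polgen (e.g. --type halt or nonfatal)
PUB=${PUB:-pubkey.pem}
PRIV=${PRIV:-privkey.pem}
OUT=${OUT:-lcp}                  # prefix for every file this script writes

# Run a command, or just print it when LCP_DRY_RUN=1 or the tool is not installed.
run() {
    if [ "${LCP_DRY_RUN:-0}" = 1 ] || ! command -v "$1" >/dev/null 2>&1; then
        printf 'DRY: %s\n' "$*"
    else
        "$@"
    fi
}

# Wrap the VLP in a custom LCP element; "--uuid tboot" selects tboot's element UUID.
make_vlp_element() {
    run lcp_crtpolelt --create --type custom --uuid tboot --out "$OUT.vlp.elt" "$VLP_DAT"
}

# Put the element(s) into a list, sign the list, and wrap it into an LCP.
# Only the .pol blob is written to NVRAM; the .data file (signed list) is what
# changes on a VLP/kernel update, and keeping the old .data file is the rollback.
make_signed_lcp() {
    make_vlp_element
    run lcp_crtpollist --create --out "$OUT.unsig.lst" "$OUT.vlp.elt" "$@"
    run lcp_crtpollist --sign --pub "$PUB" --priv "$PRIV" --out "$OUT.sig.lst" "$OUT.unsig.lst"
    run lcp_crtpol2 --create --type list --pol "$OUT.pol" --data "$OUT.data" "$OUT.sig.lst"
}

# Extra elements (e.g. an MLE element from lcp_crtpolelt --type mle) can be passed
# as arguments to make_signed_lcp; with none, the list holds just the VLP element.
make_signed_lcp
```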


_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
