Hi Ning,

Thank you for your answer.

1) I can't read the index, I believe it's because of the attributes (I
would need the owner_read flag). I'm doing:

# tpm2_nvread -x 0x1400001 -a 0x40000001 -s 10
Failed to read NVRAM area at index 0x1400001 (20971521).Error:0x149

# tpm2_rc_decode 0x149
error layer
  hex: 0x0
  identifier: TSS2_TPM_ERROR_LEVEL
  description: Error produced by the TPM
format 0 error code
  hex: 0x49
  name: TPM_RC_NV_AUTHORIZATION
  description: NV access authorization fails in command actions (this
failure does not affect lockout.action)

This issue occurs in an Intel NUC NUC5i5MYHE, with "5th_gen_i5_i7_SINIT_79.BIN"
(downloaded from the Intel website). The BIOS is up to date.

I was able to test this on a different server and it doesn't give me the
error (same policy).

2) Ok. Thanks! I was trying to see whether I could see things changing with
a POLTYPE_ANY. I couldn't find anything on the Intel TXT Guide saying that
the capabilities won't be extended on TPM 2.0 (I might have missed it too
:)).

Thank you for your reply!

Best Regards,
Marco

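An added worked example for the two decoding questions in this thread (not code from tboot, tpm2-tools or the TSS): it splits the 0x149 response code above into its TSS layer and TPM_RC fields, lists the attributes in the 0x204000A PO-index word from the quoted 23 May mail, and checks which authorization handle that word permits for NV_Read. Bit layouts follow the TPM_RC and TPMA_NV definitions in TPM 2.0 Library Part 2; only a subset of TPM_RC names is tabled, and the input values are the ones quoted in the thread (0x149, 0x204000A, index 0x1400001 and the owner handle 0x40000001).

```python
"""Decode a TPM 2.0 response code and a TPMA_NV attribute word.

Added example for this thread; not code from tboot, tpm2-tools or the TSS.
Bit layouts follow the TPM_RC and TPMA_NV definitions in TPM 2.0 Library
Part 2. The inputs used below are the values quoted in the thread: response
code 0x149, PO index attributes 0x204000A, NV index 0x1400001 and the owner
hierarchy handle 0x40000001 passed to tpm2_nvread -a.
"""

# TPM_RC layout: bit 7 selects format 1. Format 0 carries VER1 (bit 8) and
# WARN (bit 11); format 1 carries a P flag (bit 6) and an N field (bits 11:8).
RC_VER1 = 0x100
RC_FMT1 = 0x080
RC_WARN = 0x900
RC_P = 0x040
TPM_RH_OWNER = 0x40000001
TPM_RH_PLATFORM = 0x4000000C

# Subset of TPM_RC names from Part 2; anything else decodes to "unknown".
FMT0_NAMES = {
    RC_VER1 + 0x000: "TPM_RC_INITIALIZE",
    RC_VER1 + 0x001: "TPM_RC_FAILURE",
    RC_VER1 + 0x046: "TPM_RC_NV_RANGE",
    RC_VER1 + 0x047: "TPM_RC_NV_SIZE",
    RC_VER1 + 0x048: "TPM_RC_NV_LOCKED",
    RC_VER1 + 0x049: "TPM_RC_NV_AUTHORIZATION",
    RC_VER1 + 0x04A: "TPM_RC_NV_UNINITIALIZED",
    RC_VER1 + 0x04B: "TPM_RC_NV_SPACE",
    RC_VER1 + 0x04C: "TPM_RC_NV_DEFINED",
    RC_WARN + 0x020: "TPM_RC_NV_RATE",
    RC_WARN + 0x021: "TPM_RC_LOCKOUT",
    RC_WARN + 0x023: "TPM_RC_NV_UNAVAILABLE",
}
FMT1_NAMES = {
    RC_FMT1 + 0x002: "TPM_RC_ATTRIBUTES",
    RC_FMT1 + 0x004: "TPM_RC_VALUE",
    RC_FMT1 + 0x00B: "TPM_RC_HANDLE",
    RC_FMT1 + 0x00E: "TPM_RC_AUTH_FAIL",
    RC_FMT1 + 0x015: "TPM_RC_SIZE",
    RC_FMT1 + 0x022: "TPM_RC_BAD_AUTH",
}

# TPMA_NV single-bit attributes (bits 7:4 hold TPM_NT, the index type).
TPMA_NV_BITS = {
    0: "TPMA_NV_PPWRITE", 1: "TPMA_NV_OWNERWRITE", 2: "TPMA_NV_AUTHWRITE",
    3: "TPMA_NV_POLICYWRITE", 10: "TPMA_NV_POLICY_DELETE",
    11: "TPMA_NV_WRITELOCKED", 12: "TPMA_NV_WRITEALL", 13: "TPMA_NV_WRITEDEFINE",
    14: "TPMA_NV_WRITE_STCLEAR", 15: "TPMA_NV_GLOBALLOCK", 16: "TPMA_NV_PPREAD",
    17: "TPMA_NV_OWNERREAD", 18: "TPMA_NV_AUTHREAD", 19: "TPMA_NV_POLICYREAD",
    25: "TPMA_NV_NO_DA", 26: "TPMA_NV_ORDERLY", 27: "TPMA_NV_CLEAR_STCLEAR",
    28: "TPMA_NV_READLOCKED", 29: "TPMA_NV_WRITTEN", 30: "TPMA_NV_PLATFORMCREATE",
    31: "TPMA_NV_READ_STCLEAR",
}
TPMA_NV_PPREAD = 1 << 16
TPMA_NV_OWNERREAD = 1 << 17
TPMA_NV_AUTHREAD = 1 << 18
TPMA_NV_POLICYREAD = 1 << 19


def decode_tpm_rc(rc):
    """Split a TSS2_RC into its error layer and TPM_RC fields."""
    layer = (rc >> 16) & 0xFF          # 0 means the TPM itself produced it
    code = rc & 0xFFFF
    if layer != 0:
        return {"layer": layer, "format": None, "code": code, "name": "non-TPM layer"}
    if code & RC_FMT1:                 # format 1: handle/session/parameter error
        base = RC_FMT1 | (code & 0x3F)
        n = (code >> 8) & 0xF
        if code & RC_P:
            subject, number = "parameter", n
        elif n >= 8:                   # sessions are numbered 8 + session index
            subject, number = "session", n - 8
        else:
            subject, number = "handle", n
        return {"layer": 0, "format": 1, "code": base,
                "name": FMT1_NAMES.get(base, "unknown"),
                "subject": subject, "number": number}
    base = code & 0xFFF                # keep the E, V, T and S bits
    return {"layer": 0, "format": 0, "code": base,
            "name": FMT0_NAMES.get(base, "unknown"),
            "warning": bool(base & 0x800)}


def decode_nv_attrs(attrs):
    """Return the set TPMA_NV attribute names and the TPM_NT index type."""
    names = [n for bit, n in sorted(TPMA_NV_BITS.items()) if attrs & (1 << bit)]
    return names, (attrs >> 4) & 0xF


def nv_read_permitted(attrs, auth_handle, nv_index):
    """Can NV_Read on nv_index be authorized with auth_handle under attrs?"""
    if auth_handle == TPM_RH_OWNER:
        return bool(attrs & TPMA_NV_OWNERREAD)
    if auth_handle == TPM_RH_PLATFORM:
        return bool(attrs & TPMA_NV_PPREAD)
    if auth_handle == nv_index:        # the index's own authValue or policy
        return bool(attrs & (TPMA_NV_AUTHREAD | TPMA_NV_POLICYREAD))
    return False


if __name__ == "__main__":
    rc = decode_tpm_rc(0x149)
    print("0x149 ->", rc["name"], "(format %d, layer %d)" % (rc["format"], rc["layer"]))
    names, nt = decode_nv_attrs(0x204000A)
    print("0x204000A ->", ", ".join(names), "TPM_NT=%d" % nt)
    for handle in (TPM_RH_OWNER, 0x1400001):
        print("NV_Read with auth handle 0x%08x allowed:" % handle,
              nv_read_permitted(0x204000A, handle, 0x1400001))
```

Run as a script, the block reports that 0x149 is a format-0 TPM error, TPM_RC_NV_AUTHORIZATION, and that 0x204000A sets OWNERWRITE, POLICYWRITE, AUTHREAD and NO_DA but not OWNERREAD, so an NV_Read authorized with the owner hierarchy handle is refused while one authorized with the index's own handle is allowed. That matches the owner_read hypothesis above: the index as defined is readable only with its own authValue or policy.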


On Thu, May 25, 2017 at 6:58 AM, Sun, Ning <ning....@intel.com> wrote:

> For question 1: PO NV Index attribute definition is correct, did you see
> this issue when reading from the index? What was the platform and SINIT ACM
> used in finding this issue?
>
>
>
> For question 2: this is correct by design, OsSinitData_Capabilities bit in
> PolicyControl works only with TPM1.2 and legacy PCR mapping.
>
> For details/authorities PCR mapping, OsSinitData.Capabilities are always
> extended into PCR17 and have special event for it.
>
>
>
> -Ning
>
>
>
>
>
> *From:* Marco Vanotti [mailto:mvano...@google.com]
> *Sent:* Tuesday, May 23, 2017 10:15 PM
> *To:* Sun, Ning <ning....@intel.com>
> *Cc:* tboot-devel@lists.sourceforge.net
>
> *Subject:* Re: [tboot-devel] Questions about Launch Control Policies
>
>
>
> Thanks for your answer, Ning.
>
>
>
> I have been using tpm2.0-tools and tpm2.0-TSS to work with the TPM. They
> have been very useful so far :).
>
>
>
> I have a couple more questions regarding the Intel TXT Guide:
>
>
>
> The Intel TXT Guide (Appendix J "TPM NV") says that the NVRAM PO Index
> should have the following attributes:
>
>     - TPMA_NV_OWNERWRITE
>
>     - TPMA_NV_POLICYWRITE
>
>     - TPMA_NV_AUTHREAD
>
>     - TPMA_NV_NO_DA
>
>
>
> That set of attributes translates to 0x204000A, but that results in a
> 0xc0081c41 TXT Error (ERR_TPM_NV_INDEX_INVALID_PO_ATTR). I removed the
> TPMA_NV_NO_DA flag and it ended up working. What would the correct solution
> for this issue be?
>
>
>
> The Policy Control field in the LCP has a field that specifies whether
> the OS INIT DATA Capabilities should be extended or not. I tried changing
> that field in my PO LCP, but that didn't make a difference: the capabilities
> are always extended, regardless of the value in the field. I can see that
> my Policy is being read by checking the TPM Event log (type 0x414 tells me
> that my index is being read, and type 0x40c shows that my policy control is
> being loaded). I was playing with this to see the effect of changing things
> in the policy.
>
>
>
> These are minor issues that are not blocking me, but I would like to get
> an answer to better understand how TXT works.
>
>
>
> Best Regards,
> Marco
>
>
>
> On Tue, May 23, 2017 at 5:12 PM, Sun, Ning <ning....@intel.com> wrote:
>
> Hi Marco,
>
>
>
> Thanks for the write-up, you got most of the answers correct for your
> questions.
>
>
>
> Both lcptools and lcptools-v2 folders (in tboot source package) are for
> LCP V2 on TPM 1.2 platforms.
>
>
>
> Folder lcp-gen2 is for LCP V3 creation on TPM 2.0 platform, so far tboot
> does not provide tpm 2.0 tools to write the LCP to TPM nv index, there are
> TPM 2.0 TSS and tools from Intel as well, see below.
>
>
>
> For tboot VLP, there is a default VLP in tboot source code, if there is no
> VLP found from TPM NV index, tboot will apply the default VLCP.
>
>
>
> For TPM 2.0 TSS and tools, here are the websites for your reference:
>
>
>
> https://github.com/01org/TPM2.0-TSS
>
>
>
> https://github.com/01org/tpm2.0-tools
>
>
>
> -Ning
>
>
>
> *From:* Marco Vanotti [mailto:mvano...@google.com]
> *Sent:* Tuesday, May 23, 2017 1:32 PM
> *To:* tboot-devel@lists.sourceforge.net
> *Subject:* Re: [tboot-devel] Questions about Launch Control Policies
>
>
>
> Hi All!
>
>
>
> After reading a lot of documentation [*], I think I figured out the
> answers to some of the questions. I would like to confirm if what I think
> is correct.
>
>
>
> TBOOT sets up an environment and executes GETSEC[SENTER], which hands
> control over to the SINIT ACM. The SINIT ACM will measure the MLE and
> execute the policy engine, which validates the LCPs. The ACM will extend
> the MLE hash to PCR17 among other things.  After that, the ACM will hand
> control back to TBOOT, which will execute the post_launch mechanism. There,
> it will look for VLCPs, first in a special NV Index (0x01200001 or
> 0x01c10131), or as an LCP_CUSTOM_ELEMENT in the policy data file, and then
> validates it.
>
>
>
> For remote attestation, you would want to get PCR17 and PCR18, maybe PCR0
> to make sure that BIOS is still the same? What I find unclear is how one
> should handle updates, BIOS, Kernel and TBOOT. It seems like the best way
> is to have a replicated setup for testing the updates and do all the
> measurements there.
>
>
>
> ---------------------------
>
>
>
> The problem with the NV Indices that I had (index 0x1400001 was being
> deleted on every reboot) was a BIOS issue. I contacted the platform
> supplier and asked for a BIOS update.
>
>
>
> The way to check which set of indices are used by your ACM is by checking
> the *tpm_nv_index_set* under the TPM capabilities in the loaded SINIT ACM
> (tables A-8 and A-9 from the Intel TXT Guide, in Appendix A). The NVRAM
> Indices and attributes can be found in Table J-2 (Appendix J TPM NV).
> For example, it says that the LCP PO index is 0x1400001 or 0x1c10106
> (depending on the tpm_nv_index_set).
>
>
>
> I have more questions, but I will try to write another email for them, as
> they are not related to this problem.
>
>
>
> Thank you all for your time :)
>
>
>
> Best Regards,
> Marco
>
>
>
> [*]:
>
> Intel TXT Software Development Guide: http://www.intel.com/content/www/us/en/software-developers/intel-txt-software-development-guide.html
>
> TPM 2.0 Spec: https://trustedcomputinggroup.org/tpm-library-specification/
>
> A practical guide to TPM 2.0: http://www.apress.com/us/book/9781430265832
>
> Intel Trusted Execution for Server Platforms: http://www.apress.com/us/book/9781430261483
>
> TPM 2.0 registry of reserved handles: https://trustedcomputinggroup.org/registry-reserved-tpm-2-0-handles-localities/
>
>
>
> On Thu, May 4, 2017 at 7:19 PM, Marco Vanotti <mvano...@google.com> wrote:
>
> Hi All!
>
>
>
> I hope you are having a wonderful day today :). I am trying to get tboot
> to work in my machine. My computer has a TPM 2.0 and I am trying to
> understand some of the available features.
>
>
>
> The Intel TXT Software Development Guide defines Launch Control Policies.
> Given that I have TPM 2.0, I believe I should use version 3.0 or 3.1, there
> seem to be some utilities to write these files in the lcp-gen2 folder.
>
>
>
> Looking at the source code, I found that there's also TBOOT Control
> Policies, which seem to be referred to as Verified Launch Control Policies.
> What is the difference between them? When should I use each of them? Are
> they also executed by the ACM? If not, when?
>
>
>
> It seems that VLCPs don't support policy data files, is that so?
>
>
>
> Regarding LCPs, where should I define them in NVRAM? I've tried using
> 0x1400001, but that index gets deleted every time I reboot the system,
> regardless of using TXT. I'm defining the space with attr 0xF00F, and size
> 102 bytes, which is the size of the lcp_policy_2 struct. There's another
> index to use that doesn't get deleted: 0x01c10106, but I am not sure how to
> tell TXT to use it.
>
>
>
> My original goal was to install a policy with POLTYPE_ANY, just to test,
> but I can't see anything related to it in txt-stat, should it be logged
> somehow?
>
>
>
> Any help with these issues would be really appreciated :)
>
>
>
> Best Regards,
> Marco
>
>
>
>
>