Hi Travis,

Thanks for the patch! I got distracted in the past few days and didn't get a
chance to pick up my tpm2 with tboot experiments until today.

I have applied the patch and tried to setup LCP with verification of MLE.
Got a couple of basic questions that I think I'm unclear about when trying to
create a policy structure:

* --mask specifies the policy hash algorithm; does it mean the hash over the MLE
(like cmdline) or the policy itself?
* --sign specifies the signing algorithm; does it mean the signing algorithm for
the policy itself? (say if I use lcp_crtpollist to create a list policy and
sign it with a pub key generated with openssl genrsa -out signing_key.pem
2048, then I should specify SIGN_ALG_MASK_RSASSA_2048_SHA256?)


After failing a couple of times I remembered Greg and Marco mentioned
that I need to use gen2 to set up MLE (instead of lcp2_mlehash,
lcp2_crtpolelt)... I guess I'm wondering what the capability of the
patched version of lcp2_crtpol would be? Will it be able to handle the payloads
created for MLE with lcp2_* tools or should I switch to using the gen2 tools
altogether?

I was also trying to modify the default VLCP manually for tpm2 but didn't
know how to... I have been thinking whether it means I could manually change the code
snippet

<source>
/* default policy */
static const tb_policy_t _def_policy = {
    version        : 2,
    policy_type    : TB_POLTYPE_CONT_NON_FATAL,
    hash_alg       : TB_HALG_SHA1,
    policy_control : TB_POLCTL_EXTEND_PCR17,
    num_entries    : 3,
    entries        : {
        {   /* mod 0 is extended to PCR 18 by default, so don't re-extend it */
            mod_num    : 0,
            pcr        : TB_POL_PCR_NONE,
            hash_type  : TB_HTYPE_ANY,
            num_hashes : 0
        },
        {   /* all other modules are extended to PCR 19 */
            mod_num    : TB_POL_MOD_NUM_ANY,
            pcr        : 19,
            hash_type  : TB_HTYPE_ANY,
            num_hashes : 0
        },
        {   /* NV index for geo-tagging will be extended to PCR 22 */
            mod_num    : TB_POL_MOD_NUM_NV_RAW,
            pcr        : 22,
            hash_type  : TB_HTYPE_ANY,
            nv_index   : 0x40000010,
            num_hashes : 0
        }
    }
};
</source>

to hardcode any cmdline/image hashes and change the policy type to HALT?

Thanks in advance and I wish everyone a nice weekend :)

Best,
Xiao
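
An added example, not code from tboot or from anyone on this thread, showing what the two edits asked about above (pinning an image hash in an entry and changing policy_type to HALT) look like against a model of the quoted structure, together with a simplified version of the launch-time check those fields drive. The struct layout, the numeric values of every TB_* constant (including TB_POLTYPE_HALT, TB_POLTYPE_CONT_VERIFY_FAIL, TB_HTYPE_IMAGE and TB_HALG_SHA256), the sample digests and the halt/continue semantics in check_module are all assumptions patterned on the snippet's field names; tboot's own policy.h and policy.c are authoritative.

```c
/* Added example, not tboot's code: a model of the quoted tb_policy_t layout.
 * Layout, constant values and halt/continue semantics are assumptions
 * patterned on the snippet's field names; tboot's policy.h is authoritative. */
#include <stdint.h>
#include <string.h>
#define SHA256_LEN 32
/* policy types, hash algorithm ids (TPM 2.0 style) and entry selectors: values assumed */
#define TB_POLTYPE_CONT_NON_FATAL   0
#define TB_POLTYPE_CONT_VERIFY_FAIL 1
#define TB_POLTYPE_HALT             2
#define TB_HALG_SHA1   0x0004
#define TB_HALG_SHA256 0x000B
#define TB_POL_PCR_NONE        0xff
#define TB_POL_MOD_NUM_ANY     0xff
#define TB_HTYPE_ANY           0
#define TB_HTYPE_IMAGE         1
#define TB_POLCTL_EXTEND_PCR17 0x01

typedef struct {
    uint8_t mod_num;
    uint8_t pcr;
    uint8_t hash_type;
    uint8_t num_hashes;
    uint8_t hashes[2][SHA256_LEN]; /* tboot packs these as a variable-length tail */
} tb_policy_entry_t;

typedef struct {
    uint8_t  version;
    uint8_t  policy_type;
    uint16_t hash_alg;
    uint8_t  policy_control;
    uint8_t  num_entries;
    tb_policy_entry_t entries[4];
} tb_policy_t;

enum verdict { VERDICT_OK = 0, VERDICT_CONTINUE = 1, VERDICT_HALT = 2 };

/* Constructed sample digests (arbitrary bytes, not measurements of anything). */
const uint8_t SAMPLE_PINNED[SHA256_LEN] = { 0x5a }; /* remaining bytes zero */
const uint8_t SAMPLE_OTHER[SHA256_LEN]  = { 0xa5 };

/* The quoted _def_policy without its NV entry: any image accepted for any module. */
tb_policy_t build_default_policy(void)
{
    tb_policy_t p;
    memset(&p, 0, sizeof(p));
    p.version = 2;
    p.policy_type = TB_POLTYPE_CONT_NON_FATAL;
    p.hash_alg = TB_HALG_SHA1;
    p.policy_control = TB_POLCTL_EXTEND_PCR17;
    p.num_entries = 2;
    p.entries[0].mod_num = 0;                  /* kernel: already in PCR 18 */
    p.entries[0].pcr = TB_POL_PCR_NONE;
    p.entries[0].hash_type = TB_HTYPE_ANY;
    p.entries[1].mod_num = TB_POL_MOD_NUM_ANY; /* everything else goes to PCR 19 */
    p.entries[1].pcr = 19;
    p.entries[1].hash_type = TB_HTYPE_ANY;
    return p;
}

/* The modification asked about: module 0 must match one pinned SHA-256 image
 * hash and the policy type becomes HALT. */
tb_policy_t build_pinned_halt_policy(const uint8_t pinned[SHA256_LEN])
{
    tb_policy_t p = build_default_policy();
    p.policy_type = TB_POLTYPE_HALT;
    p.hash_alg = TB_HALG_SHA256;
    p.entries[0].hash_type = TB_HTYPE_IMAGE;
    p.entries[0].num_hashes = 1;
    memcpy(p.entries[0].hashes[0], pinned, SHA256_LEN);
    return p;
}

/* Simplified launch-time decision (semantics assumed): a module with no entry is
 * a non-fatal error that only TB_POLTYPE_HALT stops on; a hash mismatch is a
 * verification failure that only TB_POLTYPE_CONT_VERIFY_FAIL continues past. */
enum verdict check_module(const tb_policy_t *p, uint8_t mod_num, const uint8_t measured[SHA256_LEN])
{
    const tb_policy_entry_t *e = NULL;
    for (unsigned i = 0; i < p->num_entries && e == NULL; i++)
        if (p->entries[i].mod_num == mod_num || p->entries[i].mod_num == TB_POL_MOD_NUM_ANY)
            e = &p->entries[i];
    if (e == NULL)
        return p->policy_type == TB_POLTYPE_HALT ? VERDICT_HALT : VERDICT_CONTINUE;
    if (e->hash_type == TB_HTYPE_ANY || e->num_hashes == 0)
        return VERDICT_OK;                     /* nothing pinned: any image passes */
    for (unsigned i = 0; i < e->num_hashes; i++)
        if (memcmp(e->hashes[i], measured, SHA256_LEN) == 0)
            return VERDICT_OK;
    return p->policy_type == TB_POLTYPE_CONT_VERIFY_FAIL ? VERDICT_CONTINUE : VERDICT_HALT;
}

/* Outcomes for the sample digests against each policy (module 0 = kernel). */
enum verdict default_policy_verdict(const uint8_t *m)
{ tb_policy_t p = build_default_policy(); return check_module(&p, 0, m); }
enum verdict pinned_policy_verdict(uint8_t mod_num, const uint8_t *m)
{ tb_policy_t p = build_pinned_halt_policy(SAMPLE_PINNED); return check_module(&p, mod_num, m); }
```

The point the model makes visible is that the default policy's entries carry no hashes at all (num_hashes 0, hash_type ANY), so every image passes and the policy only governs which PCR each module is extended into; pinning becomes meaningful only once an entry carries a digest, and the policy type then decides whether a mismatch stops the launch. In tboot itself the compiled-in default is only a fallback for when no policy is found in the TPM NV index, so a hand-edited _def_policy is overridden as soon as a real policy is provisioned.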
On Wed, Jul 19, 2017 at 10:16 AM, <travis.gilb...@dell.com> wrote:

> > -----Original Message-----
> > From: Gilbert, Travis
> > Sent: Wednesday, July 19, 2017 12:02
> > To: tboot-devel@lists.sourceforge.net
> > Subject: [tboot-devel] [patch] TPM2.0 LCPv2 Tool Patch
> >
> > This is a significant patch that corrects omissions I found in the
> > lcptools-v2 utilities. It adds definitions based on the Intel TXT Software
> > Development Guide
> > (https://www.intel.com/content/www/us/en/software-developers/intel-txt-software-development-guide.html).
> > I used Revision 013. Looking at Section 4.6 of Revision 014, it seems my
> > patch still applies. Appendix E has a couple of changes, notably the
> > removal of ECDSA as an approved signing algorithm. This could be changed
> > from what I'm providing if we want to update the tools to match Revision
> > 014.
> >
> > I've added the following:
> > - Ability to define the allowed policy hashing algorithms (stored in a mask)
> > - Ability to define the signing algorithm
> > - Ability to define the AUX hashing algorithm
> > - Constants for hashing and signing algorithms
> > - Ability to define LCP version
> >
> > I also changed some of the options as well as some of my added options to
> > required based on my experience of ACMs rejecting LCPs without those
> > fields and common sense. For example, the policy hash could be defined
> > without defining the allowed policy hashing algorithms. Now, since you
> > have to define the policy hash, you must also define the policy hashing
> > "allowed algorithms" mask.
> >
> > Signed-off-by: Travis Gilbert <travis.gilb...@dell.com>
>
> Please ignore the "Confidential" tag. Outlook "helpfully" adds that to any
> email that it's not explicitly excluded from. I've edited my above message
> to reflect that.
>
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel