On Sat, Jul 21, 2018 at 6:54 PM, Sant Y <satish.va...@gmail.com> wrote: > On Fri, Jul 20, 2018 at 6:06 PM, <travis.gilb...@dell.com> wrote: >> >> >From: Sant Y [mailto:satish.va...@gmail.com] >> >Sent: Friday, July 20, 2018 05:03 >> >To: tboot-devel@lists.sourceforge.net >> >Subject: [tboot-devel] Fwd: TXT/TPM 2.0 and tboot Launch control policy >> > >> >Hello tboot devs! >> > >> >I wish to revive this old discussion, on generating LCP for TPM2. There >> >were at least 2 threads I found in this list, however none of them seem to >> >have anything conclusive. >> > >> >A tboot with the default policies are working, however, for a policy with >> >MLE it fails. >> > >> >For writing to the NV index I use the tpm2-tss tools. >> >As for tboot, I use the current sources from the development branch, >> >compiled and installed. I follow the steps mostly like in this discussion : >> >https://sourceforge.net/p/tboot/mailman/message/35942299/ >> >> Please post the exact commands you're using. >> > > # Done once > nv_index="0x1400001" > tpm2_takeownership -o new -e new -l new > tpm2_nvdefine -x $nv_index -a 0x40000001 -s 70 -t 0x204000A -P new > > # Policy creation > lcp2_mlehash --verbose --create --alg sha256 --cmdline > "logging=serial,memory,vga extpol=sha256" /boot/tboot.gz >mle_hash > lcp2_crtpolelt --verbose --create --type mle --alg sha256 --ctrl 0x00 > --minver 0 --out tbootmle.elt mle_hash > lcp2_crtpollist --verbose --create --out list_unsig.lst tbootmle.elt > # The sign command "--out" option is a bit confusing, as it expects a > policy list file here, which must be more like --in file. > # and should output the signed file as a newly created file. > lcp2_crtpollist --sign --sigalg rsa --pub pubkey.pem --priv > privkey.pem --out list_unsig.lst > lcp2_crtpol --verbose --create --type list --pol list.pol --alg sha256 > --data list.data --sign 0x8 list_unsig.lst > > tpm2_nvwrite -x $nv_index -a 0x40000001 -P new list.pol > cp -f list.data /boot > grub2-mkconfig -o /boot/grub2/grub.cfg > > With both policy and data supplied, the show output now looks like > this. Note that I had attempted both signed and unsigned policy > before, the tboot behaved the same (read failed) > # lcp2_crtpol --show list.pol list.data > policy file: list.pol > version: 0x300 > hash_alg: sha256 > policy_type: list > sinit_min_version: 0x0 > data_revocation_counters: 0, 0, 0, 0, 0, 0, 0, 0, > policy_control: 0x0 > max_sinit_min_ver: 0x0 > max_biosac_min_ver: 0x0 > lcp_hash_alg_mask: 0x8 > lcp_sign_alg_mask: 0x8 > aux_hash_alg_mask: 0x8 > policy_hash: 56 d3 f7 95 14 3d 3b 6b 3a 63 f7 43 70 b1 f8 c5 85 6a 97 34 > ad 96 b8 a1 ef b5 86 67 7a f4 ac 19 > > policy data file: list.data > file_signature: Intel(R) TXT LCP_POLICY_DATA > num_lists: 1 > list 0: > version: 0x200 > sig_alg: rsa > policy_elements_size: 0x32 (50) > policy_element[0]: > size: 0x32 (50) > type: 'mle' (16) > policy_elt_control: 0x00000000 > data: > sinit_min_version: 0x0 > hash_alg: sha256 > num_hashes: 1 > hashes[0]: f8 c0 05 ec 6c 32 53 48 54 52 47 25 3a 0d > c6 4a 03 32 3c 13 > 0e c1 86 ca 33 3b c1 f6 9d 48 04 b3 > signature: > revocation_counter: 0x0 (0) > pubkey_size: 0x100 (256) > pubkey_value: > 37 72 de dd ca 4e cd f8 65 14 ab 21 2d b1 2b 36 8f e5 4a d1 > b7 e7 89 76 ab a2 75 c4 ce 32 29 f6 5e a6 47 33 02 0b 2f 73 > d0 12 34 3a ff c3 7f 65 f4 16 27 c1 cb 64 9a 4d 4b d9 10 5e > 18 1a 23 09 18 44 b0 08 6d 97 96 cd 41 2e 13 e9 7f 32 4a 0a > 54 73 79 9a 85 d1 15 73 5f 0f 9e 97 3f 37 41 0d 1b 36 16 8c > b2 e4 e1 7c 67 c8 61 39 5b d9 5d b7 b3 f2 6b 42 3a 9b 7c 8c > 52 01 57 d2 4c 6a 9d db c0 48 29 8b 5f 62 9d c5 88 4e 54 40 > 88 26 cc 9b 51 57 7f 7a 86 ae 3b d7 cc 1f 4f a5 b5 aa 12 70 > 09 d8 f0 0a 5e 35 e8 d9 5f 81 5e b2 b6 2e 90 a7 81 ca 73 81 > 47 67 2f ce c2 2b d1 a9 4e d6 6e 05 d9 17 41 8a 92 d6 a6 5e > 99 50 82 14 92 f1 ef c6 c7 02 2f bc eb bb 3f 75 ce 5d 76 5a > 09 52 c6 73 ce 98 24 48 1f f0 9b 8e aa 54 2c 96 9e 98 6d bb > ad e0 a5 ed 7e 84 12 b8 41 c8 77 3b 48 62 f1 d2 > sig_block: > b2 a2 0b b8 69 9e 55 d1 b7 48 bd e0 2d 98 f9 f3 06 05 74 70 > 7e 29 49 de 9c 99 7c b1 64 4b 94 81 90 0e 32 5e 9c 20 13 d6 > 1b 7f b9 3d 55 70 39 f0 f4 5a 66 24 c4 4b f3 ed e2 7d 17 49 > 35 8e 93 f6 e9 09 c1 98 91 37 88 3c b8 d3 80 8c b5 ce 06 3e > 4e 91 6a e0 a9 d7 fc 0e 6f 93 bc e1 2e af 68 82 9b 11 79 3d > 08 f4 fe 75 ce 2c 2e 71 5d 85 d3 e7 3b d3 ca c6 20 8e 07 61 > b8 53 e8 43 1a d2 e1 b7 d6 92 09 f0 27 fb 77 f7 05 60 84 5a > c9 91 a8 c1 1d 86 16 e2 b0 43 3f f5 64 2c 30 1a 91 02 03 40 > 73 49 b9 83 2f 22 36 b5 33 b2 3a 43 35 69 dc 08 f6 78 05 ba > c2 b2 d7 a9 56 34 7b b0 58 2c 16 9c 0d ce 3f e1 cb 21 95 6c > 31 d7 71 54 fe b3 f8 5d c0 7d 50 36 7d 28 16 55 11 61 ec db > f0 d2 db 9c 77 ed f2 93 8a 58 d9 66 88 9f 62 c7 2f b3 78 10 > db e0 de a9 93 54 a7 e1 48 af b5 e7 97 ed 40 b5 > signature verifies > 56 d3 f7 95 14 3d 3b 6b 3a 63 f7 43 70 b1 f8 c5 85 6a 97 34 > ad 96 b8 a1 ef b5 86 67 7a f4 ac 19 > > policy data hash matches policy hash > > >> Are you in a UEFI environment? > No. > >> >> You'll have to do something like the following: >> #echo GRUB_TBOOT_POLICY_DATA="list.data" > /etc/default/grub-tboot >> >> In order to have grub actually verify the LCP. You also need to modify your >> grub-mkconfig file for the GRUB_CMDLINE_TBOOT option to add "extpol=sha256". >> Then you have to run "grub2-mkconfig -o /boot/grub2/grub.cfg" to re-generate >> your grub.cfg file with the changes. >> >> My relevant line is the following: >> # Command line for tboot itself >> : ${GRUB_CMDLINE_TBOOT='logging=serial,memory extpol=sha256'} >> > > Already have necessary grub configuration. > >> The vga/video logging option didn't work for me, but is sometimes in the >> default options. The grub-mkconfig that I have will strip that option out of >> a UEFI boot if it's there. >> >> >The current lcp2_crtpol requires the signing algorithm, for which I supply >> >0x8 (RSA 2048, SHA256). I get the following for listing the created policy >> >file >> > >> ># lcp2_crtpol --show list.pol >> >policy file: list.pol >> > version: 0x300 >> > hash_alg: sha256 >> > policy_type: list >> > sinit_min_version: 0x0 >> > data_revocation_counters: 0, 0, 0, 0, 0, 0, 0, 0, >> > policy_control: 0x0 >> > max_sinit_min_ver: 0x0 >> > max_biosac_min_ver: 0x0 >> > lcp_hash_alg_mask: 0x8 >> > lcp_sign_alg_mask: 0x8 >> > aux_hash_alg_mask: 0x8 >> > policy_hash: ff 0d 04 10 6d 45 3e e0 98 01 44 b3 65 f2 51 7e 1b 41 1c >> > 50 >> >2c e3 9e d9 64 c4 8b 22 ff 66 fd c0 >> > >> >However, the parse of policy data file itself fails as seen below >> > >> ># lcp2_crtpol --show list.data >> >Error: invalid policy version: 0x6e49 >> > >> >policy data file: list.data >> > file_signature: Intel(R) TXT LCP_POLICY_DATA >> > num_lists: 1 >> > list 0: >> > version: 0x200 >> > sig_alg: unknown (16) >> > policy_elements_size: 0x32 (50) >> > policy_element[0]: >> > size: 0x32 (50) >> > type: 'mle' (16) >> > policy_elt_control: 0x00000000 >> > data: >> > sinit_min_version: 0x0 >> > hash_alg: sha256 >> > num_hashes: 1 >> > hashes[0]: f8 c0 05 ec 6c 32 53 48 54 52 47 25 3a 0d c6 4a >> > 03 32 3c 13 >> >0e c1 86 ca 33 3b c1 f6 9d 48 04 b3 >> >I also did the signing with a 2048 bit RSA key, however the lcp2_crtpol >> >always shows an invalid policy version. >> >> I've never used the --show option, but it appears it has user-unfriendly >> output. You can pass a policy and policy data or just policy data. If you >> pass just policy data, it can't distinguish between the two and tries to >> process it as a policy first. This fails and gives your error. It then >> processes the file as policy data because processing it as a policy failed. >> So your "invalid policy version" is a red herring. Try passing your policy >> file and your data file and see what the output is. >> >> If you can post at least the data file or both data and policy files, that >> will help us troubleshoot. The main reason is the sig_alg output. The fact >> that it's unknown type isn't surprising (see below about changes needed), >> but that it's printed as decimal 16. That corresponds to TPM_ALG_NULL >> (0x0010). This makes me suspect that you followed the steps in the other >> thread exactly. That was an example of an unsigned policy. This is the >> reason we need you to post the full list of commands you're running to >> generate everything. > > Yes, I had tried both signed and unsigned policies. The results were > the same. In txt-stat it complains about "read failed" and later > "write TPM error: 0x18b" and "no policy in TPM NV". > The current lcp data and policy are in attachment. > I have the full txt-stat output here : https://pastebin.com/daVzY6VF > >> >> Either way I wouldn't necessarily trust the --show option since I didn't >> touch that code when I updated the lcptools-v2 code and it looks like that >> whole code flow needs updating based on the LCPv3 changes. >> >> >The txt-stat results in this : >> > >> >TBOOT: timeout values: A: 750, B: 2000, C: 75000, D: 750 >> >TBOOT: SGX:verify_IA32_se_svn_status is called >> >TBOOT: SGX is not enabled, cpuid.ebx: 0x21cbfbb >> >TBOOT: reading Verified Launch Policy from TPM NV... >> >TBOOT: :70 bytes read >> >TBOOT: :reading failed >> >TBOOT: reading Launch Control Policy from TPM NV... >> >TBOOT: :70 bytes read >> >TBOOT: in unwrap_lcp_policy >> >TBOOT: v2 LCP policy data found >> >TBOOT: :reading failed >> >TBOOT: failed to read policy from TPM NV, using default >> >TBOOT: TPM: write NV 01200002, offset 00000000, 00000004 bytes, return >> >value = 0000018B >> >TBOOT: Error: write TPM error: 0x18b. >> >The ':reading failed' is coming from tboot/common/policy.c where it does a >> >verify_policy() and it fails. So the problem is indeed with the policy >> >creation. I cannot troubleshoot it further, as the verify_policy() logs >> >itself are not available from txt-stat. >> > >> >Finally, I also tried the lcp-gen2 python tool to generate the policy >> >files. However, it's a bit confusing to use, the file pickup dialogs >> >doesn't work and there is no option to specify commandline for MLE hash etc. >> > >> >Can someone please help with the topic? I'm okay to experiment if anyone >> >has patches to deal with this. >> > Some details on my TPM 2.0 is pasted here : https://pastebin.com/FEdf3ZTQ >> > >> >Regards, >> >Sant >> >
Could someone help with this? If anyone has patches, I'll be happy to experiment with. ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel
