On Thu, Aug 2, 2018 at 3:35 AM, <travis.gilb...@dell.com> wrote: >> -----Original Message----- >> From: Sant Y [mailto:satish.va...@gmail.com] >> Sent: Monday, July 30, 2018 07:41 >> To: Gilbert, Travis >> Cc: tboot-devel@lists.sourceforge.net >> Subject: Re: [tboot-devel] Fwd: TXT/TPM 2.0 and tboot Launch control >> policy >> >> On Sat, Jul 21, 2018 at 6:54 PM, Sant Y <satish.va...@gmail.com> wrote: >> > On Fri, Jul 20, 2018 at 6:06 PM, <travis.gilb...@dell.com> wrote: >> >> >> >> >From: Sant Y [mailto:satish.va...@gmail.com] >> >> >Sent: Friday, July 20, 2018 05:03 >> >> >To: tboot-devel@lists.sourceforge.net >> >> >Subject: [tboot-devel] Fwd: TXT/TPM 2.0 and tboot Launch control >> >> >policy >> >> > >> >> >Hello tboot devs! >> >> > >> >> >I wish to revive this old discussion, on generating LCP for TPM2. >> There were at least 2 threads I found in this list, however none of them >> seem to have anything conclusive. >> >> > >> >> >A tboot with the default policies are working, however, for a policy >> with MLE it fails. >> >> > >> >> >For writing to the NV index I use the tpm2-tss tools. >> >> >As for tboot, I use the current sources from the development >> branch, >> >> >compiled and installed. I follow the steps mostly like in this >> >> >discussion : >> >> >https://sourceforge.net/p/tboot/mailman/message/35942299/ >> >> >> >> Please post the exact commands you're using. >> >> >> > >> > # Done once >> > nv_index="0x1400001" >> > tpm2_takeownership -o new -e new -l new tpm2_nvdefine -x >> $nv_index -a >> > 0x40000001 -s 70 -t 0x204000A -P new >> > >> > # Policy creation >> > lcp2_mlehash --verbose --create --alg sha256 --cmdline >> > "logging=serial,memory,vga extpol=sha256" /boot/tboot.gz >mle_hash >> > lcp2_crtpolelt --verbose --create --type mle --alg sha256 --ctrl 0x00 >> > --minver 0 --out tbootmle.elt mle_hash lcp2_crtpollist --verbose >> > --create --out list_unsig.lst tbootmle.elt # The sign command "--out" >> > option is a bit confusing, as it expects a policy list file here, >> > which must be more like --in file. >> > # and should output the signed file as a newly created file. >> > lcp2_crtpollist --sign --sigalg rsa --pub pubkey.pem --priv >> > privkey.pem --out list_unsig.lst lcp2_crtpol --verbose --create --type >> > list --pol list.pol --alg sha256 --data list.data --sign 0x8 >> > list_unsig.lst >> > >> > tpm2_nvwrite -x $nv_index -a 0x40000001 -P new list.pol cp -f >> > list.data /boot grub2-mkconfig -o /boot/grub2/grub.cfg >> > >> > With both policy and data supplied, the show output now looks like >> > this. Note that I had attempted both signed and unsigned policy >> > before, the tboot behaved the same (read failed) # lcp2_crtpol --show >> > list.pol list.data policy file: list.pol >> > version: 0x300 >> > hash_alg: sha256 >> > policy_type: list >> > sinit_min_version: 0x0 >> > data_revocation_counters: 0, 0, 0, 0, 0, 0, 0, 0, >> > policy_control: 0x0 >> > max_sinit_min_ver: 0x0 >> > max_biosac_min_ver: 0x0 >> > lcp_hash_alg_mask: 0x8 >> > lcp_sign_alg_mask: 0x8 >> > aux_hash_alg_mask: 0x8 >> > policy_hash: 56 d3 f7 95 14 3d 3b 6b 3a 63 f7 43 70 b1 f8 c5 85 >> > 6a 97 34 ad 96 b8 a1 ef b5 86 67 7a f4 ac 19 >> > >> > policy data file: list.data >> > file_signature: Intel(R) TXT LCP_POLICY_DATA >> > num_lists: 1 >> > list 0: >> > version: 0x200 >> > sig_alg: rsa >> > policy_elements_size: 0x32 (50) >> > policy_element[0]: >> > size: 0x32 (50) >> > type: 'mle' (16) >> > policy_elt_control: 0x00000000 >> > data: >> > sinit_min_version: 0x0 >> > hash_alg: sha256 >> > num_hashes: 1 >> > hashes[0]: f8 c0 05 ec 6c 32 53 48 54 52 47 25 3a 0d >> > c6 4a 03 32 3c 13 >> > 0e c1 86 ca 33 3b c1 f6 9d 48 04 b3 >> > signature: >> > revocation_counter: 0x0 (0) >> > pubkey_size: 0x100 (256) >> > pubkey_value: >> > 37 72 de dd ca 4e cd f8 65 14 ab 21 2d b1 2b 36 8f e5 4a d1 >> > b7 e7 89 76 ab a2 75 c4 ce 32 29 f6 5e a6 47 33 02 0b 2f 73 >> > d0 12 34 3a ff c3 7f 65 f4 16 27 c1 cb 64 9a 4d 4b d9 10 5e >> > 18 1a 23 09 18 44 b0 08 6d 97 96 cd 41 2e 13 e9 7f 32 4a 0a >> > 54 73 79 9a 85 d1 15 73 5f 0f 9e 97 3f 37 41 0d 1b 36 16 8c >> > b2 e4 e1 7c 67 c8 61 39 5b d9 5d b7 b3 f2 6b 42 3a 9b 7c 8c >> > 52 01 57 d2 4c 6a 9d db c0 48 29 8b 5f 62 9d c5 88 4e 54 40 >> > 88 26 cc 9b 51 57 7f 7a 86 ae 3b d7 cc 1f 4f a5 b5 aa 12 70 >> > 09 d8 f0 0a 5e 35 e8 d9 5f 81 5e b2 b6 2e 90 a7 81 ca 73 81 >> > 47 67 2f ce c2 2b d1 a9 4e d6 6e 05 d9 17 41 8a 92 d6 a6 5e >> > 99 50 82 14 92 f1 ef c6 c7 02 2f bc eb bb 3f 75 ce 5d 76 5a >> > 09 52 c6 73 ce 98 24 48 1f f0 9b 8e aa 54 2c 96 9e 98 6d bb >> > ad e0 a5 ed 7e 84 12 b8 41 c8 77 3b 48 62 f1 d2 >> > sig_block: >> > b2 a2 0b b8 69 9e 55 d1 b7 48 bd e0 2d 98 f9 f3 06 05 74 70 >> > 7e 29 49 de 9c 99 7c b1 64 4b 94 81 90 0e 32 5e 9c 20 13 d6 >> > 1b 7f b9 3d 55 70 39 f0 f4 5a 66 24 c4 4b f3 ed e2 7d 17 49 >> > 35 8e 93 f6 e9 09 c1 98 91 37 88 3c b8 d3 80 8c b5 ce 06 3e >> > 4e 91 6a e0 a9 d7 fc 0e 6f 93 bc e1 2e af 68 82 9b 11 79 3d >> > 08 f4 fe 75 ce 2c 2e 71 5d 85 d3 e7 3b d3 ca c6 20 8e 07 61 >> > b8 53 e8 43 1a d2 e1 b7 d6 92 09 f0 27 fb 77 f7 05 60 84 5a >> > c9 91 a8 c1 1d 86 16 e2 b0 43 3f f5 64 2c 30 1a 91 02 03 40 >> > 73 49 b9 83 2f 22 36 b5 33 b2 3a 43 35 69 dc 08 f6 78 05 ba >> > c2 b2 d7 a9 56 34 7b b0 58 2c 16 9c 0d ce 3f e1 cb 21 95 6c >> > 31 d7 71 54 fe b3 f8 5d c0 7d 50 36 7d 28 16 55 11 61 ec db >> > f0 d2 db 9c 77 ed f2 93 8a 58 d9 66 88 9f 62 c7 2f b3 78 10 >> > db e0 de a9 93 54 a7 e1 48 af b5 e7 97 ed 40 b5 >> > signature verifies >> > 56 d3 f7 95 14 3d 3b 6b 3a 63 f7 43 70 b1 f8 c5 85 6a 97 34 ad 96 b8 >> > a1 ef b5 86 67 7a f4 ac 19 >> > >> > policy data hash matches policy hash >> > >> > >> >> Are you in a UEFI environment? >> > No. >> > >> >> >> >> You'll have to do something like the following: >> >> #echo GRUB_TBOOT_POLICY_DATA="list.data" > /etc/default/grub- >> tboot >> >> >> >> In order to have grub actually verify the LCP. You also need to modify >> your grub-mkconfig file for the GRUB_CMDLINE_TBOOT option to add >> "extpol=sha256". Then you have to run "grub2-mkconfig -o >> /boot/grub2/grub.cfg" to re-generate your grub.cfg file with the >> changes. >> >> >> >> My relevant line is the following: >> >> # Command line for tboot itself >> >> : ${GRUB_CMDLINE_TBOOT='logging=serial,memory extpol=sha256'} >> >> >> > >> > Already have necessary grub configuration. >> > >> >> The vga/video logging option didn't work for me, but is sometimes in >> the default options. The grub-mkconfig that I have will strip that option >> out of a UEFI boot if it's there. >> >> >> >> >The current lcp2_crtpol requires the signing algorithm, for which I >> >> >supply 0x8 (RSA 2048, SHA256). I get the following for listing the >> >> >created policy file >> >> > >> >> ># lcp2_crtpol --show list.pol >> >> >policy file: list.pol >> >> > version: 0x300 >> >> > hash_alg: sha256 >> >> > policy_type: list >> >> > sinit_min_version: 0x0 >> >> > data_revocation_counters: 0, 0, 0, 0, 0, 0, 0, 0, >> >> > policy_control: 0x0 >> >> > max_sinit_min_ver: 0x0 >> >> > max_biosac_min_ver: 0x0 >> >> > lcp_hash_alg_mask: 0x8 >> >> > lcp_sign_alg_mask: 0x8 >> >> > aux_hash_alg_mask: 0x8 >> >> > policy_hash: ff 0d 04 10 6d 45 3e e0 98 01 44 b3 65 f2 51 7e 1b >> >> >41 1c 50 2c e3 9e d9 64 c4 8b 22 ff 66 fd c0 >> >> > >> >> >However, the parse of policy data file itself fails as seen below >> >> > >> >> ># lcp2_crtpol --show list.data >> >> >Error: invalid policy version: 0x6e49 >> >> > >> >> >policy data file: list.data >> >> > file_signature: Intel(R) TXT LCP_POLICY_DATA >> >> > num_lists: 1 >> >> > list 0: >> >> > version: 0x200 >> >> > sig_alg: unknown (16) >> >> > policy_elements_size: 0x32 (50) >> >> > policy_element[0]: >> >> > size: 0x32 (50) >> >> > type: 'mle' (16) >> >> > policy_elt_control: 0x00000000 >> >> > data: >> >> > sinit_min_version: 0x0 >> >> > hash_alg: sha256 >> >> > num_hashes: 1 >> >> > hashes[0]: f8 c0 05 ec 6c 32 53 48 54 52 47 25 3a >> >> >0d c6 4a 03 32 3c 13 0e c1 86 ca 33 3b c1 f6 9d 48 04 b3 I also did >> >> >the signing with a 2048 bit RSA key, however the lcp2_crtpol always >> shows an invalid policy version. >> >> >> >> I've never used the --show option, but it appears it has user- >> unfriendly output. You can pass a policy and policy data or just policy >> data. If you pass just policy data, it can't distinguish between the two and >> tries to process it as a policy first. This fails and gives your error. It >> then >> processes the file as policy data because processing it as a policy failed. >> So your "invalid policy version" is a red herring. Try passing your policy >> file >> and your data file and see what the output is. >> >> >> >> If you can post at least the data file or both data and policy files, that >> will help us troubleshoot. The main reason is the sig_alg output. The fact >> that it's unknown type isn't surprising (see below about changes >> needed), but that it's printed as decimal 16. That corresponds to >> TPM_ALG_NULL (0x0010). This makes me suspect that you followed the >> steps in the other thread exactly. That was an example of an unsigned >> policy. This is the reason we need you to post the full list of commands >> you're running to generate everything. >> > >> > Yes, I had tried both signed and unsigned policies. The results were >> > the same. In txt-stat it complains about "read failed" and later >> > "write TPM error: 0x18b" and "no policy in TPM NV". >> > The current lcp data and policy are in attachment. >> > I have the full txt-stat output here : https://pastebin.com/daVzY6VF >> > >> >> >> >> Either way I wouldn't necessarily trust the --show option since I didn't >> touch that code when I updated the lcptools-v2 code and it looks like >> that whole code flow needs updating based on the LCPv3 changes. >> >> >> >> >The txt-stat results in this : >> >> > >> >> >TBOOT: timeout values: A: 750, B: 2000, C: 75000, D: 750 >> >> >TBOOT: SGX:verify_IA32_se_svn_status is called >> >> >TBOOT: SGX is not enabled, cpuid.ebx: 0x21cbfbb >> >> >TBOOT: reading Verified Launch Policy from TPM NV... >> >> >TBOOT: :70 bytes read >> >> >TBOOT: :reading failed >> >> >TBOOT: reading Launch Control Policy from TPM NV... >> >> >TBOOT: :70 bytes read >> >> >TBOOT: in unwrap_lcp_policy >> >> >TBOOT: v2 LCP policy data found >> >> >TBOOT: :reading failed >> >> >TBOOT: failed to read policy from TPM NV, using default >> >> >TBOOT: TPM: write NV 01200002, offset 00000000, 00000004 bytes, >> >> >return value = 0000018B >> >> >TBOOT: Error: write TPM error: 0x18b. >> >> >The ':reading failed' is coming from tboot/common/policy.c where it >> does a verify_policy() and it fails. So the problem is indeed with the >> policy creation. I cannot troubleshoot it further, as the verify_policy() >> logs itself are not available from txt-stat. >> >> > >> >> >Finally, I also tried the lcp-gen2 python tool to generate the policy >> files. However, it's a bit confusing to use, the file pickup dialogs doesn't >> work and there is no option to specify commandline for MLE hash etc. >> >> > >> >> >Can someone please help with the topic? I'm okay to experiment if >> anyone has patches to deal with this. >> >> > Some details on my TPM 2.0 is pasted here : >> >> >https://pastebin.com/FEdf3ZTQ >> >> > >> >> >Regards, >> >> >Sant >> >> > >> >> Could someone help with this? If anyone has patches, I'll be happy to >> experiment with. > > Have you verified that the NV index is written as you expect? I have only > used 0x01c10106. I wrote a parser to look at LCPs and LCP data and your files > look fine. You'll have to put some debug prints in txt-stat or look at the > code for what's going wrong. I used the tools with my patches that were > merged and was able to get good results. I'll run the same scripts again with > the current code and see what happens. I vaguely recall something wonky with > the messages from txt-stat. I'll see if I can dig up my notes.
Indeed, I can read it back without any issues. # tpm2_nvread -x 0x1400001 -a 0x40000001 -P new -s 70 -f tpm2_read.pol # sha256sum list.pol tpm2_read.pol 69fdad479077bf197373831db7f36adad1dffeddd80da7eb501958ff294fb26d list.pol 69fdad479077bf197373831db7f36adad1dffeddd80da7eb501958ff294fb26d tpm2_read.pol I'm not sure about the NV index. From the tpm capabilities, only the following index handles are available. 0x01200001 0x01400001 0x01c00002 0x01c0000a 0x01c10102 0x01c10103 > > I may have a patch I could generate with my own txt-stat debug messages. I > know I did patch it just to figure out what was going on. I believe the problem is ':reading failed' - which comes from tboot/common/policy.c I cannot do a printk() here, or can I ? If you have a patch, that would be great. ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel