On Thu, Aug 2, 2018 at 3:35 AM,  <travis.gilb...@dell.com> wrote:
>> -----Original Message-----
>> From: Sant Y [mailto:satish.va...@gmail.com]
>> Sent: Monday, July 30, 2018 07:41
>> To: Gilbert, Travis
>> Cc: tboot-devel@lists.sourceforge.net
>> Subject: Re: [tboot-devel] Fwd: TXT/TPM 2.0 and tboot Launch control
>> policy
>>
>> On Sat, Jul 21, 2018 at 6:54 PM, Sant Y <satish.va...@gmail.com> wrote:
>> > On Fri, Jul 20, 2018 at 6:06 PM, <travis.gilb...@dell.com> wrote:
>> >>
>> >> >From: Sant Y [mailto:satish.va...@gmail.com]
>> >> >Sent: Friday, July 20, 2018 05:03
>> >> >To: tboot-devel@lists.sourceforge.net
>> >> >Subject: [tboot-devel] Fwd: TXT/TPM 2.0 and tboot Launch control
>> >> >policy
>> >> >
>> >> >Hello tboot devs!
>> >> >
>> >> >I wish to revive this old discussion, on generating LCP for TPM2.
>> There were at least 2 threads I found in this list, however none of them
>> seem to have anything conclusive.
>> >> >
>> >> >A tboot with the default policies is working; however, for a policy
>> with MLE it fails.
>> >> >
>> >> >For writing to the NV index I use the tpm2-tss tools.
>> >> >As for tboot, I use the current sources from the development
>> branch,
>> >> >compiled and installed. I follow the steps mostly like in this
>> >> >discussion :
>> >> >https://sourceforge.net/p/tboot/mailman/message/35942299/
>> >>
>> >> Please post the exact commands you're using.
>> >>
>> >
>> > # Done once
>> > nv_index="0x1400001"
>> > tpm2_takeownership -o new -e new -l new
>> > tpm2_nvdefine -x $nv_index -a 0x40000001 -s 70 -t 0x204000A -P new
>> >
>> > # Policy creation
>> > lcp2_mlehash --verbose --create --alg sha256 --cmdline "logging=serial,memory,vga extpol=sha256" /boot/tboot.gz >mle_hash
>> > lcp2_crtpolelt --verbose --create --type mle --alg sha256 --ctrl 0x00 --minver 0 --out tbootmle.elt mle_hash
>> > lcp2_crtpollist --verbose --create --out list_unsig.lst tbootmle.elt
>> > # The sign command "--out" option is a bit confusing, as it expects a policy list file here,
>> > # which must be more like --in file, and should output the signed file as a newly created file.
>> > lcp2_crtpollist --sign --sigalg rsa --pub pubkey.pem --priv privkey.pem --out list_unsig.lst
>> > lcp2_crtpol --verbose --create --type list --pol list.pol --alg sha256 --data list.data --sign 0x8 list_unsig.lst
>> >
>> > tpm2_nvwrite -x $nv_index -a 0x40000001 -P new list.pol
>> > cp -f list.data /boot
>> > grub2-mkconfig -o /boot/grub2/grub.cfg
>> >
>> > With both policy and data supplied, the show output now looks like
>> > this. Note that I had attempted both signed and unsigned policies
>> > before; tboot behaved the same (read failed).
>> > # lcp2_crtpol --show list.pol list.data
>> > policy file: list.pol
>> >      version: 0x300
>> >      hash_alg: sha256
>> >      policy_type: list
>> >      sinit_min_version: 0x0
>> >      data_revocation_counters: 0, 0, 0, 0, 0, 0, 0, 0,
>> >      policy_control: 0x0
>> >      max_sinit_min_ver: 0x0
>> >      max_biosac_min_ver: 0x0
>> >      lcp_hash_alg_mask: 0x8
>> >      lcp_sign_alg_mask: 0x8
>> >      aux_hash_alg_mask: 0x8
>> >      policy_hash: 56 d3 f7 95 14 3d 3b 6b 3a 63 f7 43 70 b1 f8 c5 85 6a 97 34 ad 96 b8 a1 ef b5 86 67 7a f4 ac 19
>> >
>> > policy data file: list.data
>> >      file_signature: Intel(R) TXT LCP_POLICY_DATA
>> >      num_lists: 1
>> >      list 0:
>> >          version: 0x200
>> >          sig_alg: rsa
>> >          policy_elements_size: 0x32 (50)
>> >          policy_element[0]:
>> >              size: 0x32 (50)
>> >              type: 'mle' (16)
>> >              policy_elt_control: 0x00000000
>> >              data:
>> >                  sinit_min_version: 0x0
>> >                  hash_alg: sha256
>> >                  num_hashes: 1
>> >                  hashes[0]: f8 c0 05 ec 6c 32 53 48 54 52 47 25 3a 0d c6 4a 03 32 3c 13 0e c1 86 ca 33 3b c1 f6 9d 48 04 b3
>> >          signature:
>> >              revocation_counter: 0x0 (0)
>> >              pubkey_size: 0x100 (256)
>> >              pubkey_value:
>> >              sig_block:
>> >          signature verifies
>> > 56 d3 f7 95 14 3d 3b 6b 3a 63 f7 43 70 b1 f8 c5 85 6a 97 34 ad 96 b8 a1 ef b5 86 67 7a f4 ac 19
>> >
>> > policy data hash matches policy hash
>> >
>> >
>> >> Are you in a UEFI environment?
>> > No.
>> >
>> >>
>> >> You'll have to do something like the following in order to have grub
>> >> actually verify the LCP:
>> >> #echo GRUB_TBOOT_POLICY_DATA="list.data" > /etc/default/grub-tboot
>> >>
>> >> You also need to modify your grub-mkconfig file for the
>> >> GRUB_CMDLINE_TBOOT option to add "extpol=sha256". Then you have to run
>> >> "grub2-mkconfig -o /boot/grub2/grub.cfg" to re-generate your grub.cfg
>> >> file with the changes.
>> >>
>> >> My relevant line is the following:
>> >> # Command line for tboot itself
>> >> : ${GRUB_CMDLINE_TBOOT='logging=serial,memory extpol=sha256'}
>> >>
>> >
>> > Already have necessary grub configuration.
>> >
>> >> The vga/video logging option didn't work for me, but is sometimes in
>> the default options. The grub-mkconfig that I have will strip that option
>> out of a UEFI boot if it's there.
>> >>
>> >> >The current lcp2_crtpol requires the signing algorithm, for which I
>> >> >supply 0x8 (RSA 2048, SHA256). I get the following for listing the
>> >> >created policy file
>> >> >
>> >> ># lcp2_crtpol --show list.pol
>> >> >policy file: list.pol
>> >> >     version: 0x300
>> >> >     hash_alg: sha256
>> >> >     policy_type: list
>> >> >     sinit_min_version: 0x0
>> >> >     data_revocation_counters: 0, 0, 0, 0, 0, 0, 0, 0,
>> >> >     policy_control: 0x0
>> >> >     max_sinit_min_ver: 0x0
>> >> >     max_biosac_min_ver: 0x0
>> >> >     lcp_hash_alg_mask: 0x8
>> >> >     lcp_sign_alg_mask: 0x8
>> >> >     aux_hash_alg_mask: 0x8
>> >> >     policy_hash: ff 0d 04 10 6d 45 3e e0 98 01 44 b3 65 f2 51 7e 1b 41 1c 50 2c e3 9e d9 64 c4 8b 22 ff 66 fd c0
>> >> >
>> >> >However, the parse of policy data file itself fails as seen below
>> >> >
>> >> ># lcp2_crtpol --show list.data
>> >> >Error: invalid policy version: 0x6e49
>> >> >
>> >> >policy data file: list.data
>> >> >     file_signature: Intel(R) TXT LCP_POLICY_DATA
>> >> >     num_lists: 1
>> >> >     list 0:
>> >> >         version: 0x200
>> >> >         sig_alg: unknown (16)
>> >> >         policy_elements_size: 0x32 (50)
>> >> >         policy_element[0]:
>> >> >             size: 0x32 (50)
>> >> >             type: 'mle' (16)
>> >> >             policy_elt_control: 0x00000000
>> >> >             data:
>> >> >                 sinit_min_version: 0x0
>> >> >                 hash_alg: sha256
>> >> >                 num_hashes: 1
>> >> >                 hashes[0]: f8 c0 05 ec 6c 32 53 48 54 52 47 25 3a 0d c6 4a 03 32 3c 13 0e c1 86 ca 33 3b c1 f6 9d 48 04 b3
>> >> >
>> >> >I also did the signing with a 2048 bit RSA key; however, lcp2_crtpol
>> >> >always shows an invalid policy version.
>> >>
>> >> I've never used the --show option, but it appears it has user-unfriendly
>> >> output. You can pass a policy and policy data or just policy data. If you
>> >> pass just policy data, it can't distinguish between the two and tries to
>> >> process it as a policy first. This fails and gives your error. It then
>> >> processes the file as policy data because processing it as a policy failed.
>> >> So your "invalid policy version" is a red herring. Try passing your policy
>> >> file and your data file and see what the output is.
>> >>
>> >> If you can post at least the data file or both data and policy files, that
>> will help us troubleshoot. The main reason is the sig_alg output. The fact
>> that it's unknown type isn't surprising (see below about changes
>> needed), but that it's printed as decimal 16. That corresponds to
>> TPM_ALG_NULL (0x0010). This makes me suspect that you followed the
>> steps in the other thread exactly. That was an example of an unsigned
>> policy. This is the reason we need you to post the full list of commands
>> you're running to generate everything.
>> >
>> > Yes, I had tried both signed and unsigned policies. The results were
>> > the same. In txt-stat it complains about "read failed" and later
>> > "write TPM error: 0x18b" and "no policy in TPM NV".
>> > The current lcp data and policy are in attachment.
>> > I have the full txt-stat output here : https://pastebin.com/daVzY6VF
>> >
>> >>
>> >> Either way I wouldn't necessarily trust the --show option since I didn't
>> touch that code when I updated the lcptools-v2 code and it looks like
>> that whole code flow needs updating based on the LCPv3 changes.
>> >>
>> >> >The txt-stat results in this :
>> >> >
>> >> >TBOOT:   timeout values: A: 750, B: 2000, C: 75000, D: 750
>> >> >TBOOT: SGX:verify_IA32_se_svn_status is called
>> >> >TBOOT: SGX is not enabled, cpuid.ebx: 0x21cbfbb
>> >> >TBOOT: reading Verified Launch Policy from TPM NV...
>> >> >TBOOT:  :70 bytes read
>> >> >TBOOT:  :reading failed
>> >> >TBOOT: reading Launch Control Policy from TPM NV...
>> >> >TBOOT:  :70 bytes read
>> >> >TBOOT: in unwrap_lcp_policy
>> >> >TBOOT: v2 LCP policy data found
>> >> >TBOOT:  :reading failed
>> >> >TBOOT: failed to read policy from TPM NV, using default
>> >> >TBOOT: TPM: write NV 01200002, offset 00000000, 00000004 bytes,
>> >> >return value = 0000018B
>> >> >TBOOT: Error: write TPM error: 0x18b.
>> >> >The ':reading failed' is coming from tboot/common/policy.c where it
>> does a verify_policy() and it fails. So the problem is indeed with the
>> policy creation. I cannot troubleshoot it further, as the verify_policy()
>> logs itself are not available from txt-stat.
>> >> >
>> >> >Finally, I also tried the lcp-gen2 python tool to generate the policy
>> files. However, it's a bit confusing to use, the file pickup dialogs don't
>> work, and there is no option to specify the command line for the MLE hash etc.
>> >> >
>> >> >Can someone please help with the topic? I'm okay to experiment if
>> anyone has patches to deal with this.
>> >> > Some details on my TPM 2.0 are pasted here:
>> >> >https://pastebin.com/FEdf3ZTQ
>> >> >
>> >> >Regards,
>> >> >Sant
>> >> >
>>
>> Could someone help with this? If anyone has patches, I'll be happy to
>> experiment with them.
>
> Have you verified that the NV index is written as you expect? I have only 
> used 0x01c10106. I wrote a parser to look at LCPs and LCP data and your files 
> look fine. You'll have to put some debug prints in txt-stat or look at the 
> code for what's going wrong. I used the tools with my patches that were 
> merged and was able to get good results. I'll run the same scripts again with 
> the current code and see what happens. I vaguely recall something wonky with 
> the messages from txt-stat. I'll see if I can dig up my notes.

Indeed, I can read it back without any issues.

# tpm2_nvread -x 0x1400001 -a 0x40000001 -P new -s 70 -f tpm2_read.pol
# sha256sum list.pol tpm2_read.pol
69fdad479077bf197373831db7f36adad1dffeddd80da7eb501958ff294fb26d  list.pol
69fdad479077bf197373831db7f36adad1dffeddd80da7eb501958ff294fb26d  tpm2_read.pol

I'm not sure about the NV index. From the tpm capabilities, only the
following index handles are available.
0x01200001
0x01400001
0x01c00002
0x01c0000a
0x01c10102
0x01c10103

>
> I may have a patch I could generate with my own txt-stat debug messages. I 
> know I did patch it just to figure out what was going on.

I believe the problem is ':reading failed', which comes from
tboot/common/policy.c.
I cannot do a printk() here, or can I?
If you have a patch, that would be great.
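The tpm2_nvread / sha256sum check above only shows that the NV index holds the same 70 bytes as list.pol; it says nothing about whether those bytes are a well-formed LCPv3 policy. As an added example (not code from this thread, from lcptools-v2, or from tboot), the decoder below unpacks the blob into the fields that lcp2_crtpol --show prints and applies the sanity checks raised in the thread (TPM_ALG_NULL, SHA256 in the hash mask). It assumes the packed little-endian lcp_policy_t2 layout from tboot's include/lcp3.h (with a reserved2 word before the hash) and that LCP_POLTYPE_LIST is 0; the sample blob is constructed here.

```python
import struct

# Assumed layout of lcp_policy_t2 from tboot's include/lcp3.h (packed, little-endian) with a
# SHA256 policy_hash: 70 bytes, the size written to and read back from the NV index above.
POLICY_FMT = "<HHBB8HIBBHIHH32s"
POLICY_SIZE = struct.calcsize(POLICY_FMT)   # 70
FIELDS = ("version", "hash_alg", "policy_type", "sinit_min_version",
          "data_revocation_counters", "policy_control", "max_sinit_min_ver",
          "max_biosac_min_ver", "lcp_hash_alg_mask", "lcp_sign_alg_mask",
          "aux_hash_alg_mask", "reserved2", "policy_hash")

TPM_ALG_SHA256 = 0x000B      # TCG algorithm id for SHA-256
TPM_ALG_NULL = 0x0010        # the "unknown (16)" sig_alg seen in the thread's --show output
LCP_POLICY_VERSION = 0x0300  # --show reports version: 0x300
LCP_POLTYPE_LIST = 0         # assumed value of LCP_POLTYPE_LIST in lcp3.h
SHA256_MASK_BIT = 0x8        # the lcp_hash_alg_mask value the thread's policy carries

def parse_policy(blob: bytes) -> dict:
    """Decode raw policy bytes (e.g. what tpm2_nvread returned) into named fields."""
    if len(blob) != POLICY_SIZE:
        raise ValueError(f"expected {POLICY_SIZE} bytes, got {len(blob)}")
    f = struct.unpack(POLICY_FMT, blob)
    # fold the eight uint16 revocation counters back into one tuple
    values = f[:4] + (tuple(f[4:12]),) + f[12:]
    return dict(zip(FIELDS, values))

def check_list_policy(p: dict) -> list:
    """Sanity checks a SHA256 list policy should pass before tboot tries to verify it."""
    problems = []
    if p["version"] != LCP_POLICY_VERSION:
        problems.append(f"version 0x{p['version']:x} is not LCPv3 (0x300)")
    if p["hash_alg"] == TPM_ALG_NULL:
        problems.append("hash_alg is TPM_ALG_NULL: no hash algorithm was set")
    elif p["hash_alg"] != TPM_ALG_SHA256:
        problems.append(f"hash_alg 0x{p['hash_alg']:04x} is not SHA256")
    if p["policy_type"] != LCP_POLTYPE_LIST:
        problems.append("policy_type is not 'list'")
    if not p["lcp_hash_alg_mask"] & SHA256_MASK_BIT:
        problems.append("lcp_hash_alg_mask does not include SHA256")
    if p["policy_hash"] == bytes(32):
        problems.append("policy_hash is all zeros")
    return problems

# Constructed sample: the field values lcp2_crtpol --show reports in the thread, with a
# made-up policy hash, packed the way the NV index holds them.
SAMPLE_POLICY = struct.pack(POLICY_FMT, 0x300, TPM_ALG_SHA256, LCP_POLTYPE_LIST, 0,
                            *([0] * 8), 0, 0, 0, 0x8, 0x8, 0x8, 0, bytes(range(32)))
```

To check a real readback, pass the contents of tpm2_read.pol to parse_policy() and compare the decoded fields with what lcp2_crtpol --show printed for list.pol.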

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel