> -----Original Message----- > From: Sant Y [mailto:satish.va...@gmail.com] > Sent: Thursday, August 2, 2018 10:59 > To: Gilbert, Travis > Cc: tboot-devel@lists.sourceforge.net > Subject: Re: [tboot-devel] Fwd: TXT/TPM 2.0 and tboot Launch control > policy > > On Thu, Aug 2, 2018 at 3:35 AM, <travis.gilb...@dell.com> wrote: > >> -----Original Message----- > >> From: Sant Y [mailto:satish.va...@gmail.com] > >> Sent: Monday, July 30, 2018 07:41 > >> To: Gilbert, Travis > >> Cc: tboot-devel@lists.sourceforge.net > >> Subject: Re: [tboot-devel] Fwd: TXT/TPM 2.0 and tboot Launch > control > >> policy > >> > >> On Sat, Jul 21, 2018 at 6:54 PM, Sant Y <satish.va...@gmail.com> > wrote: > >> > On Fri, Jul 20, 2018 at 6:06 PM, <travis.gilb...@dell.com> wrote: > >> >> > >> >> >From: Sant Y [mailto:satish.va...@gmail.com] > >> >> >Sent: Friday, July 20, 2018 05:03 > >> >> >To: tboot-devel@lists.sourceforge.net > >> >> >Subject: [tboot-devel] Fwd: TXT/TPM 2.0 and tboot Launch > control > >> >> >policy > >> >> > > >> >> >Hello tboot devs! > >> >> > > >> >> >I wish to revive this old discussion, on generating LCP for TPM2. > >> There were at least 2 threads I found in this list, however none of > >> them seem to have anything conclusive. > >> >> > > >> >> >A tboot with the default policies are working, however, for a > >> >> >policy > >> with MLE it fails. > >> >> > > >> >> >For writing to the NV index I use the tpm2-tss tools. > >> >> >As for tboot, I use the current sources from the development > >> branch, > >> >> >compiled and installed. I follow the steps mostly like in this > >> >> >discussion : > >> >> >https://sourceforge.net/p/tboot/mailman/message/35942299/ > >> >> > >> >> Please post the exact commands you're using. > >> >> > >> > > >> > # Done once > >> > nv_index="0x1400001" > >> > tpm2_takeownership -o new -e new -l new tpm2_nvdefine -x > >> $nv_index -a > >> > 0x40000001 -s 70 -t 0x204000A -P new > >> > > >> > # Policy creation > >> > lcp2_mlehash --verbose --create --alg sha256 --cmdline > >> > "logging=serial,memory,vga extpol=sha256" /boot/tboot.gz > >mle_hash > >> > lcp2_crtpolelt --verbose --create --type mle --alg sha256 --ctrl > >> > 0x00 --minver 0 --out tbootmle.elt mle_hash lcp2_crtpollist > >> > --verbose --create --out list_unsig.lst tbootmle.elt # The sign > command "--out" > >> > option is a bit confusing, as it expects a policy list file here, > >> > which must be more like --in file. > >> > # and should output the signed file as a newly created file. > >> > lcp2_crtpollist --sign --sigalg rsa --pub pubkey.pem --priv > >> > privkey.pem --out list_unsig.lst lcp2_crtpol --verbose --create > >> > --type list --pol list.pol --alg sha256 --data list.data --sign > >> > 0x8 list_unsig.lst > >> > > >> > tpm2_nvwrite -x $nv_index -a 0x40000001 -P new list.pol cp -f > >> > list.data /boot grub2-mkconfig -o /boot/grub2/grub.cfg > >> > > >> > With both policy and data supplied, the show output now looks like > >> > this. Note that I had attempted both signed and unsigned policy > >> > before, the tboot behaved the same (read failed) # lcp2_crtpol > >> > --show list.pol list.data policy file: list.pol > >> > version: 0x300 > >> > hash_alg: sha256 > >> > policy_type: list > >> > sinit_min_version: 0x0 > >> > data_revocation_counters: 0, 0, 0, 0, 0, 0, 0, 0, > >> > policy_control: 0x0 > >> > max_sinit_min_ver: 0x0 > >> > max_biosac_min_ver: 0x0 > >> > lcp_hash_alg_mask: 0x8 > >> > lcp_sign_alg_mask: 0x8 > >> > aux_hash_alg_mask: 0x8 > >> > policy_hash: 56 d3 f7 95 14 3d 3b 6b 3a 63 f7 43 70 b1 f8 c5 > >> > 85 6a 97 34 ad 96 b8 a1 ef b5 86 67 7a f4 ac 19 > >> > > >> > policy data file: list.data > >> > file_signature: Intel(R) TXT LCP_POLICY_DATA > >> > num_lists: 1 > >> > list 0: > >> > version: 0x200 > >> > sig_alg: rsa > >> > policy_elements_size: 0x32 (50) > >> > policy_element[0]: > >> > size: 0x32 (50) > >> > type: 'mle' (16) > >> > policy_elt_control: 0x00000000 > >> > data: > >> > sinit_min_version: 0x0 > >> > hash_alg: sha256 > >> > num_hashes: 1 > >> > hashes[0]: f8 c0 05 ec 6c 32 53 48 54 52 47 25 3a > >> > 0d > >> > c6 4a 03 32 3c 13 > >> > 0e c1 86 ca 33 3b c1 f6 9d 48 04 b3 > >> > signature: > >> > revocation_counter: 0x0 (0) > >> > pubkey_size: 0x100 (256) > >> > pubkey_value: > >> > 37 72 de dd ca 4e cd f8 65 14 ab 21 2d b1 2b 36 8f e5 4a > >> > d1 > >> > b7 e7 89 76 ab a2 75 c4 ce 32 29 f6 5e a6 47 33 02 0b 2f > >> > 73 > >> > d0 12 34 3a ff c3 7f 65 f4 16 27 c1 cb 64 9a 4d 4b d9 10 > >> > 5e > >> > 18 1a 23 09 18 44 b0 08 6d 97 96 cd 41 2e 13 e9 7f 32 4a > >> > 0a > >> > 54 73 79 9a 85 d1 15 73 5f 0f 9e 97 3f 37 41 0d 1b 36 16 > >> > 8c > >> > b2 e4 e1 7c 67 c8 61 39 5b d9 5d b7 b3 f2 6b 42 3a 9b 7c > >> > 8c > >> > 52 01 57 d2 4c 6a 9d db c0 48 29 8b 5f 62 9d c5 88 4e 54 > >> > 40 > >> > 88 26 cc 9b 51 57 7f 7a 86 ae 3b d7 cc 1f 4f a5 b5 aa 12 > >> > 70 > >> > 09 d8 f0 0a 5e 35 e8 d9 5f 81 5e b2 b6 2e 90 a7 81 ca 73 > >> > 81 > >> > 47 67 2f ce c2 2b d1 a9 4e d6 6e 05 d9 17 41 8a 92 d6 a6 > >> > 5e > >> > 99 50 82 14 92 f1 ef c6 c7 02 2f bc eb bb 3f 75 ce 5d 76 > >> > 5a > >> > 09 52 c6 73 ce 98 24 48 1f f0 9b 8e aa 54 2c 96 9e 98 6d > >> > bb > >> > ad e0 a5 ed 7e 84 12 b8 41 c8 77 3b 48 62 f1 d2 > >> > sig_block: > >> > b2 a2 0b b8 69 9e 55 d1 b7 48 bd e0 2d 98 f9 f3 06 05 74 > >> > 70 > >> > 7e 29 49 de 9c 99 7c b1 64 4b 94 81 90 0e 32 5e 9c 20 13 > >> > d6 > >> > 1b 7f b9 3d 55 70 39 f0 f4 5a 66 24 c4 4b f3 ed e2 7d 17 > >> > 49 > >> > 35 8e 93 f6 e9 09 c1 98 91 37 88 3c b8 d3 80 8c b5 ce 06 > >> > 3e > >> > 4e 91 6a e0 a9 d7 fc 0e 6f 93 bc e1 2e af 68 82 9b 11 79 > >> > 3d > >> > 08 f4 fe 75 ce 2c 2e 71 5d 85 d3 e7 3b d3 ca c6 20 8e 07 > >> > 61 > >> > b8 53 e8 43 1a d2 e1 b7 d6 92 09 f0 27 fb 77 f7 05 60 84 > >> > 5a > >> > c9 91 a8 c1 1d 86 16 e2 b0 43 3f f5 64 2c 30 1a 91 02 03 > >> > 40 > >> > 73 49 b9 83 2f 22 36 b5 33 b2 3a 43 35 69 dc 08 f6 78 05 > >> > ba > >> > c2 b2 d7 a9 56 34 7b b0 58 2c 16 9c 0d ce 3f e1 cb 21 95 > >> > 6c > >> > 31 d7 71 54 fe b3 f8 5d c0 7d 50 36 7d 28 16 55 11 61 ec > >> > db > >> > f0 d2 db 9c 77 ed f2 93 8a 58 d9 66 88 9f 62 c7 2f b3 78 > >> > 10 > >> > db e0 de a9 93 54 a7 e1 48 af b5 e7 97 ed 40 b5 > >> > signature verifies > >> > 56 d3 f7 95 14 3d 3b 6b 3a 63 f7 43 70 b1 f8 c5 85 6a 97 34 ad 96 > >> > b8 > >> > a1 ef b5 86 67 7a f4 ac 19 > >> > > >> > policy data hash matches policy hash > >> > > >> > > >> >> Are you in a UEFI environment? > >> > No. > >> > > >> >> > >> >> You'll have to do something like the following: > >> >> #echo GRUB_TBOOT_POLICY_DATA="list.data" > > /etc/default/grub- > >> tboot > >> >> > >> >> In order to have grub actually verify the LCP. You also need to > >> >> modify > >> your grub-mkconfig file for the GRUB_CMDLINE_TBOOT option to add > >> "extpol=sha256". Then you have to run "grub2-mkconfig -o > >> /boot/grub2/grub.cfg" to re-generate your grub.cfg file with the > >> changes. > >> >> > >> >> My relevant line is the following: > >> >> # Command line for tboot itself > >> >> : ${GRUB_CMDLINE_TBOOT='logging=serial,memory > extpol=sha256'} > >> >> > >> > > >> > Already have necessary grub configuration. > >> > > >> >> The vga/video logging option didn't work for me, but is sometimes > >> >> in > >> the default options. The grub-mkconfig that I have will strip that > >> option out of a UEFI boot if it's there. > >> >> > >> >> >The current lcp2_crtpol requires the signing algorithm, for which > >> >> >I supply 0x8 (RSA 2048, SHA256). I get the following for listing > >> >> >the created policy file > >> >> > > >> >> ># lcp2_crtpol --show list.pol > >> >> >policy file: list.pol > >> >> > version: 0x300 > >> >> > hash_alg: sha256 > >> >> > policy_type: list > >> >> > sinit_min_version: 0x0 > >> >> > data_revocation_counters: 0, 0, 0, 0, 0, 0, 0, 0, > >> >> > policy_control: 0x0 > >> >> > max_sinit_min_ver: 0x0 > >> >> > max_biosac_min_ver: 0x0 > >> >> > lcp_hash_alg_mask: 0x8 > >> >> > lcp_sign_alg_mask: 0x8 > >> >> > aux_hash_alg_mask: 0x8 > >> >> > policy_hash: ff 0d 04 10 6d 45 3e e0 98 01 44 b3 65 f2 51 7e > >> >> >1b > >> >> >41 1c 50 2c e3 9e d9 64 c4 8b 22 ff 66 fd c0 > >> >> > > >> >> >However, the parse of policy data file itself fails as seen below > >> >> > > >> >> ># lcp2_crtpol --show list.data > >> >> >Error: invalid policy version: 0x6e49 > >> >> > > >> >> >policy data file: list.data > >> >> > file_signature: Intel(R) TXT LCP_POLICY_DATA > >> >> > num_lists: 1 > >> >> > list 0: > >> >> > version: 0x200 > >> >> > sig_alg: unknown (16) > >> >> > policy_elements_size: 0x32 (50) > >> >> > policy_element[0]: > >> >> > size: 0x32 (50) > >> >> > type: 'mle' (16) > >> >> > policy_elt_control: 0x00000000 > >> >> > data: > >> >> > sinit_min_version: 0x0 > >> >> > hash_alg: sha256 > >> >> > num_hashes: 1 > >> >> > hashes[0]: f8 c0 05 ec 6c 32 53 48 54 52 47 25 > >> >> >3a 0d c6 4a 03 32 3c 13 0e c1 86 ca 33 3b c1 f6 9d 48 04 b3 I > >> >> >also did the signing with a 2048 bit RSA key, however the > >> >> >lcp2_crtpol always > >> shows an invalid policy version. > >> >> > >> >> I've never used the --show option, but it appears it has user- > >> unfriendly output. You can pass a policy and policy data or just > >> policy data. If you pass just policy data, it can't distinguish > >> between the two and tries to process it as a policy first. This fails > >> and gives your error. It then processes the file as policy data because > processing it as a policy failed. > >> So your "invalid policy version" is a red herring. Try passing your > >> policy file and your data file and see what the output is. > >> >> > >> >> If you can post at least the data file or both data and policy > >> >> files, that > >> will help us troubleshoot. The main reason is the sig_alg output. The > >> fact that it's unknown type isn't surprising (see below about changes > >> needed), but that it's printed as decimal 16. That corresponds to > >> TPM_ALG_NULL (0x0010). This makes me suspect that you followed > the > >> steps in the other thread exactly. That was an example of an unsigned > >> policy. This is the reason we need you to post the full list of > >> commands you're running to generate everything. > >> > > >> > Yes, I had tried both signed and unsigned policies. The results > >> > were the same. In txt-stat it complains about "read failed" and > >> > later "write TPM error: 0x18b" and "no policy in TPM NV". > >> > The current lcp data and policy are in attachment. > >> > I have the full txt-stat output here : > >> > https://pastebin.com/daVzY6VF > >> > > >> >> > >> >> Either way I wouldn't necessarily trust the --show option since I > >> >> didn't > >> touch that code when I updated the lcptools-v2 code and it looks like > >> that whole code flow needs updating based on the LCPv3 changes. > >> >> > >> >> >The txt-stat results in this : > >> >> > > >> >> >TBOOT: timeout values: A: 750, B: 2000, C: 75000, D: 750 > >> >> >TBOOT: SGX:verify_IA32_se_svn_status is called > >> >> >TBOOT: SGX is not enabled, cpuid.ebx: 0x21cbfbb > >> >> >TBOOT: reading Verified Launch Policy from TPM NV... > >> >> >TBOOT: :70 bytes read > >> >> >TBOOT: :reading failed > >> >> >TBOOT: reading Launch Control Policy from TPM NV... > >> >> >TBOOT: :70 bytes read > >> >> >TBOOT: in unwrap_lcp_policy > >> >> >TBOOT: v2 LCP policy data found > >> >> >TBOOT: :reading failed > >> >> >TBOOT: failed to read policy from TPM NV, using default > >> >> >TBOOT: TPM: write NV 01200002, offset 00000000, 00000004 > bytes, > >> >> >return value = 0000018B > >> >> >TBOOT: Error: write TPM error: 0x18b. > >> >> >The ':reading failed' is coming from tboot/common/policy.c > where > >> >> >it > >> does a verify_policy() and it fails. So the problem is indeed with > >> the policy creation. I cannot troubleshoot it further, as the > >> verify_policy() logs itself are not available from txt-stat. > >> >> > > >> >> >Finally, I also tried the lcp-gen2 python tool to generate the > >> >> >policy > >> files. However, it's a bit confusing to use, the file pickup dialogs > >> doesn't work and there is no option to specify commandline for MLE > hash etc. > >> >> > > >> >> >Can someone please help with the topic? I'm okay to experiment > if > >> anyone has patches to deal with this. > >> >> > Some details on my TPM 2.0 is pasted here : > >> >> >https://pastebin.com/FEdf3ZTQ > >> >> > > >> >> >Regards, > >> >> >Sant > >> >> > > >> > >> Could someone help with this? If anyone has patches, I'll be happy to > >> experiment with. > > > > Have you verified that the NV index is written as you expect? I have > only used 0x01c10106. I wrote a parser to look at LCPs and LCP data and > your files look fine. You'll have to put some debug prints in txt-stat or > look at the code for what's going wrong. I used the tools with my patches > that were merged and was able to get good results. I'll run the same > scripts again with the current code and see what happens. I vaguely > recall something wonky with the messages from txt-stat. I'll see if I can > dig up my notes. > > Indeed, I can read it back without any issues. > > # tpm2_nvread -x 0x1400001 -a 0x40000001 -P new -s 70 -f > tpm2_read.pol # sha256sum list.pol tpm2_read.pol > 69fdad479077bf197373831db7f36adad1dffeddd80da7eb501958ff294fb26 > d list.pol > 69fdad479077bf197373831db7f36adad1dffeddd80da7eb501958ff294fb26 > d tpm2_read.pol > > I'm not sure about the NV index. From the tpm capabilities, only the > following index handles are available. > 0x01200001 > 0x01400001 > 0x01c00002 > 0x01c0000a > 0x01c10102 > 0x01c10103 > > > > > I may have a patch I could generate with my own txt-stat debug > messages. I know I did patch it just to figure out what was going on. > > I believe the problem is ':reading failed' - which comes from > tboot/common/policy.c I cannot do a printk() here, or can I ? > If you have a patch, that would be great.
According to the latest spec (https://www.intel.com/content/www/us/en/software-developers/intel-txt-software-development-guide.html) from Intel (and at least since version 013 from August 2016), you have to use 0x01C10106 for LCP Platform Owner. See Appendix J, the statement beginning with "TXT ACMs will support only 0x1C1_xxxx index set." You should be able to provision that index with tpm2_tools' tpm2_nvdefine command. ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel
