On Wed, 2019-11-13 at 17:17 +0000, travis.gilb...@dell.com wrote:
> > -----Original Message-----
> > From: Paul Moore (pmoore2) <pmoo...@cisco.com>
> > Sent: Wednesday, November 13, 2019 09:51
> > To: lukasz.hawry...@linux.intel.com; Gilbert, Travis
> > Cc: tboot-devel@lists.sourceforge.net
> > Subject: Re: [tboot-devel] Creating a TXT/tboot policy suitable for a modern system with TXT+TPM2
>
> ...
>
> > I'm a bit farther down the path of sorting out the policy patches for the
> > TXT/sig work, and as it currently stands it looks like the changes for
> > lcptools-v2 are going to be very minor. Essentially it looks like the only
> > changes I will need to make are to add a predefined custom ELT UUID for a
> > certificate payload, and even then that is optional (one can specify the
> > UUID on the command line if necessary).
>
> Are you adding the ELT UUID as a policy element plugin similar to
> mle_elt, sbios_elt, & stm_elt?

That is the current approach, yes, but I consider it very much up for
discussion/review. Essentially you dump a bundle of DER encoded
certificates into a policy element and mark it with the newly specified
UUID, and after tboot has entered into the TXT protected state it imports
those certificates into the cert DB as "trusted", which allows them to act
as a root of trust for the PECOFF signature verification. This is actually
working now, but I want to sort out the VLP details before updating the
GitHub repo.

The VLP changes are still a work in progress, but my current approach is
to introduce a new hash type (e.g. TB_HTYPE_PECOFF) which would be an
indication to tboot to perform PECOFF signature verification (using the
previously imported trusted certificate payload) instead of the
traditional digest verification. Not only does this preserve the VLP
format, but it allows us to integrate with the rest of the VLP and
leverage all of the existing policy functionality such as configurable PCR
extension. Similar to the certificate ELT payload, it *should* result in
minimal changes to the tooling; most of the changes will be in tboot
itself.

As soon as I have the VLP changes working I'll update my GH repo and post
an update to the list, but comments on the above approach are always
welcome.
-Paul

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
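The reply above describes a policy element that carries a bundle of DER encoded certificates which tboot imports as trusted roots. The following is an added illustration (not tboot code, and not Paul's patch) of the one step such an importer cannot skip: splitting the back-to-back DER certificates by their outer SEQUENCE framing with bounds checks, and rejecting the whole element on any malformed or truncated entry rather than trusting a prefix. The element layout, the function names and the sample bytes are all assumptions for the example; the sample is a constructed pair of SEQUENCE shells, not real certificates.

```c
#include <stdint.h>
#include <string.h>

/* Size (header + content) of the DER SEQUENCE at buf[0..len), or 0 when the
 * tag is wrong, the element is truncated, or the length is non-minimal. */
static size_t der_elem_size(const uint8_t *buf, size_t len)
{
    if (len < 2 || buf[0] != 0x30)       /* Certificate ::= SEQUENCE */
        return 0;
    size_t hdr = 2, clen = buf[1];
    if (clen & 0x80) {                   /* long form: 0x8n, then n length bytes */
        size_t n = clen & 0x7f;
        if (n == 0 || n > sizeof(size_t) || len - 2 < n)
            return 0;
        for (clen = 0; n; n--, hdr++)
            clen = (clen << 8) | buf[hdr];
        if (clen < 0x80)                 /* DER requires the minimal encoding */
            return 0;
    }
    return clen > len - hdr ? 0 : hdr + clen;
}

typedef void (*cert_cb)(const uint8_t *der, size_t len, void *ctx);

/* Walk back-to-back DER certificates, calling cb for each. Returns the count,
 * or -1 on malformed framing: reject the whole element, never a trusted prefix. */
int walk_cert_bundle(const uint8_t *payload, size_t len, cert_cb cb, void *ctx)
{
    int count = 0;
    for (size_t off = 0; off < len; count++) {
        size_t sz = der_elem_size(payload + off, len - off);
        if (sz == 0)
            return -1;
        if (cb)
            cb(payload + off, sz, ctx);
        off += sz;
    }
    return count;
}

/* Constructed sample (not real certificates): two SEQUENCE shells, one with a
 * short-form length and one with a long-form length (0x81 0x80 = 128 bytes). */
uint8_t sample_buf[256];
size_t build_sample_bundle(void)
{
    static const uint8_t hdrs[] = { 0x30, 0x03, 0x02, 0x01, 0x05, 0x30, 0x81, 0x80 };
    memcpy(sample_buf, hdrs, sizeof hdrs);
    memset(sample_buf + sizeof hdrs, 0, 128);
    return sizeof hdrs + 128;            /* 136 bytes */
}
```

A real importer would hand each slice from the callback to the certificate parser and only then mark it trusted; truncating the sample by one byte makes the walker return -1 instead of accepting the first certificate alone.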