On Tue, 2020-01-14 at 11:47 -0500, Paul Moore wrote:
> On Tue, Jan 14, 2020 at 10:31 AM Lukasz Hawrylko <lukasz.hawry...@linux.intel.com> wrote:
> > On Tue, 2020-01-14 at 00:18 +0000, Paul Moore (pmoore2) wrote:
> > > On Mon, 2020-01-13 at 20:33 +0000, Paul Moore (pmoore2) via tboot-devel wrote:
> > > > On Thu, 2020-01-09 at 14:59 +0000, Hawrylko, Lukasz wrote:
> > > > > On Fri, 2020-01-03 at 20:26 +0000, Paul Moore (pmoore2) via tboot-devel wrote:
> > > > > > Lukasz, is there a way to generate PCR hashes for all supported
> > > > > > algorithms like tboot does for PCR17/18?
> > > > > > 
> > > > > > -Paul
> > > > > > 
> > > > > 
> > > > > Hello Paul
> > > > > 
> > > > > It looks like you can't create a policy with different hash algorithms;
> > > > > look at the tb_policy_t structure in tb_policy.h. There is one field for
> > > > > setting the hash algorithm that is common to all policy entries.
> > > > 
> > > > Have you been able to create a VLP which causes tboot to extend the
> > > > TPM's sha256 PCR bank?
> > > > 
> > > 
> > > After digging through the code some more, it looks like the key to
> > > making this work is to specify the correct "extpol=" parameter on the
> > > tboot command line. It appears to be TPM and ACM dependent (?) so I'm
> > > not sure this will work for everyone, but on my system
> > > "extpol=embedded" caused tboot to extend all of the TPM PCR banks;
> > > "extpol=agile" on my system caused the ACM to reset the system.
> > > 
> > > -Paul
> > > 
> > 
> > As far as I remember I was able to extend SHA256 PCRs, because this is
> > the only way to test my changes in tb_polgen. I am not sure, but I think
> > that you have to pass "extpol=sha256" on the command line and then you can
> > work with SHA256 policies. Did you try to do that? I will try tomorrow
> > to see how the agile and embedded options work on my platform.
> 
> Yes, "extpol=sha256" did work to extend the sha256 PCR bank, but it
> didn't extend the sha1 bank; ideally I would be able to do both and
> that is what "extpol=embedded" did for my system.
> 
> I have a suspicion that instead of defaulting to sha1, we may be able
> to query the ACM to get the TPM2 extpol setting, but I haven't done
> any serious investigation of that yet.
> 
> 

On my platform both the "agile" and "embedded" options extend the sha1 and
sha256 banks. When using "agile" the whole process is much longer because
the hash computation is done on the TPM. In "embedded" the hashes are computed
locally and the result is sent to the TPM to extend the PCRs. The easiest way to
find out how that mechanism works is to look at the hash_module() function in
the policy.c file.

An interesting thing is that on your platform you can't use the "agile" method.
If the reset is invoked by the SINIT ACM there should be an error code value in
the TXT.ERRORCODE register; can you check what is there? TBOOT prints its
value during each boot, so just allow the platform to boot once again after
that reset and you will find TXT.ERRORCODE somewhere in the logs.

Thanks,
Lukasz
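The difference between the two extend policies discussed above, as an added illustration that is not tboot's own code: a small model of a TPM with a sha1 and a sha256 bank, where "embedded" hashes the module on the launcher side and ships only the digests, "agile" hands the module bytes to the TPM so it computes the digests itself, and "extpol=<alg>" touches a single bank. The bank names, PCR indices and the module bytes are constructed for the example; on real hardware the active banks come from the TPM, the ACM and the extpol setting.

```python
import hashlib

# Added illustration, not tboot's own code: a tiny model of a TPM with several
# PCR banks, used to contrast the extend policies discussed in the thread.
# Bank names, PCR indices and the module bytes are constructed for the example.

DRTM_PCRS = (17, 18)


class TpmSim:
    """Simulated multi-bank TPM: one dict of PCR index -> value per bank."""

    def __init__(self, banks=("sha1", "sha256")):
        self.banks = tuple(banks)
        # DRTM PCRs are modelled as all-zero after SENTER.
        self.pcrs = {
            alg: {i: bytes(hashlib.new(alg).digest_size) for i in DRTM_PCRS}
            for alg in self.banks
        }

    def hash_sequence(self, alg, data):
        """Stands in for the TPM hashing the data itself (TPM2 hash sequence)."""
        return hashlib.new(alg, data).digest()

    def pcr_extend(self, index, digests):
        """TPM2 extend: for each bank, PCR[i] = H(PCR[i] || digest) with that bank's H."""
        for alg, digest in digests.items():
            h = hashlib.new(alg)
            h.update(self.pcrs[alg][index])
            h.update(digest)
            self.pcrs[alg][index] = h.digest()

    def read(self, index):
        """Hex value of one PCR in every bank."""
        return {alg: self.pcrs[alg][index].hex() for alg in self.banks}


def extend_embedded(tpm, index, module):
    """'embedded' policy: the launcher hashes the module locally for every
    active bank and sends only the digests to the TPM."""
    digests = {alg: hashlib.new(alg, module).digest() for alg in tpm.banks}
    tpm.pcr_extend(index, digests)
    return tpm.read(index)


def extend_agile(tpm, index, module):
    """'agile' policy: the module bytes are handed to the TPM once per bank so
    the TPM computes each digest; slower, but the PCR values are the same."""
    digests = {alg: tpm.hash_sequence(alg, module) for alg in tpm.banks}
    tpm.pcr_extend(index, digests)
    return tpm.read(index)


def extend_single_bank(tpm, index, module, alg):
    """Model of "extpol=<alg>": only that bank is extended, the others stay at zero."""
    tpm.pcr_extend(index, {alg: hashlib.new(alg, module).digest()})
    return tpm.read(index)


if __name__ == "__main__":
    module = b"constructed module image bytes"  # placeholder, not a real binary
    print("embedded:   ", extend_embedded(TpmSim(), 17, module))
    print("agile:      ", extend_agile(TpmSim(), 17, module))
    print("sha256 only:", extend_single_bank(TpmSim(), 17, module, "sha256"))
```

Running it shows that "embedded" and "agile" leave PCR 17 with identical values in both banks, while the single-bank setting leaves the sha1 bank at all zeros, which is the behaviour Paul observed with "extpol=sha256".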



_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel