On Wed, 2020-01-15 at 15:25 +0100, Lukasz Hawrylko wrote:
> On Tue, 2020-01-14 at 11:47 -0500, Paul Moore wrote:
> > On Tue, Jan 14, 2020 at 10:31 AM Lukasz Hawrylko
> > <lukasz.hawry...@linux.intel.com> wrote:
> > > On Tue, 2020-01-14 at 00:18 +0000, Paul Moore (pmoore2) wrote:
> > > > On Mon, 2020-01-13 at 20:33 +0000, Paul Moore (pmoore2) via
> > > > tboot-devel wrote:
> > > > > On Thu, 2020-01-09 at 14:59 +0000, Hawrylko, Lukasz wrote:
> > > > > > On Fri, 2020-01-03 at 20:26 +0000, Paul Moore (pmoore2) via
> > > > > > tboot-devel wrote:
> > > > > > > Lukasz, is there a way to generate PCR hashes for all
> > > > > > > supported algorithms like tboot does for PCR17/18?
> > > > > > >
> > > > > > > -Paul
> > > > > >
> > > > > > Hello Paul
> > > > > >
> > > > > > It looks like you can't create a policy with different hash
> > > > > > algorithms; look at the tb_policy_t structure in tb_policy.h.
> > > > > > There is one field for setting the hash algorithm that is
> > > > > > common to all policy entries.
> > > > >
> > > > > Have you been able to create a VLP which causes tboot to
> > > > > extend the TPM's sha256 PCR bank?
> > > >
> > > > After digging through the code some more, it looks like the key
> > > > to making this work is to specify the correct "extpol=" parameter
> > > > on the tboot command line. It appears to be TPM and ACM
> > > > dependent (?) so I'm not sure this will work for everyone, but on
> > > > my system "extpol=embedded" caused tboot to extend all of the TPM
> > > > PCR banks; "extpol=agile" on my system caused the ACM to reset
> > > > the system.
> > > >
> > > > -Paul
> > >
> > > As far as I remember I was able to extend SHA256 PCRs, because this
> > > is the only way to test my changes in tb_polgen. I am not sure, but
> > > I think that you have to pass "extpol=sha256" on the command line
> > > and then you can work with SHA256 policies. Did you try to do that?
> > > I will try tomorrow to see how the agile and embedded options work
> > > on my platform.
> >
> > Yes, "extpol=sha256" did work to extend the sha256 PCR bank, but it
> > didn't extend the sha1 bank; ideally I would be able to do both and
> > that is what "extpol=embedded" did for my system.
> >
> > I have a suspicion that instead of defaulting to sha1, we may be able
> > to query the ACM to get the TPM2 extpol setting, but I haven't done
> > any serious investigation of that yet.
>
> On my platform both the "agile" and "embedded" options extend the sha1
> and sha256 banks. When using "agile" the whole process is much longer
> because hash computation is done on the TPM. In "embedded" the hashes
> are computed locally and the result is sent to the TPM to extend the
> PCRs. The easiest way to find out how that mechanism works is to look
> at the hash_module() function in the policy.c file.
>
> The interesting thing is that on your platform you can't use the
> "agile" method. If the reset is invoked by the SINIT ACM there should
> be an error code value in the TXT.ERRORCODE register, can you check
> what is there? TBOOT prints its value during each boot, so just allow
> the platform to boot once again after that reset and you will find
> TXT.ERRORCODE somewhere in the logs.

My TXT.ERRORCODE was set to 0xc0002081 when trying to boot with
extpol=agile. I don't have the Type2 error code decoder spreadsheet/csv
to decode the error (the TXT specification document doesn't seem to
include the Type2 error codes anymore).

In related news, I added a patch to my working-txtsig GH development
branch which adds the "extpol=acm" option that causes tboot to query the
ACM and set the extpol based on the ACM header information; it gives the
embedded policy priority when the ACM supports both embedded and agile
policies.

-Paul

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
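As an added illustration of the TXT.ERRORCODE value quoted above (this is example code written for this page, not tboot's own txt/errors.c, and not something posted in the thread): the register is a 32-bit word whose field boundaries are fixed by the Intel TXT MLE Developer's Guide: bit 31 valid, bit 30 external (ACM/MLE vs. processor), bits 29:16 the "type 2"/minor code, bit 15 source (ACM vs. MLE), bits 14:10 the ACM error code, bits 9:4 the ACM progress code, and bits 3:0 the ACM type. The decoder below splits a value into those fields; it does not try to give a meaning to a particular progress or error number, because that mapping is ACM-specific and is exactly the table the poster says he does not have. The sample input is the 0xc0002081 value from the message; the function and type names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of the 32-bit TXT.ERRORCODE register.  Bit positions follow
 * the Intel TXT MLE Developer's Guide; only field boundaries are decoded,
 * the meaning of a given progress/error value is ACM-specific. */
typedef struct {
    uint32_t raw;
    unsigned valid;     /* bit 31: register holds a valid error code */
    unsigned external;  /* bit 30: 1 = reported by ACM or MLE, 0 = by processor */
    uint32_t type2;     /* bits 29:16: minor ("type 2") code */
    unsigned src;       /* bit 15: 0 = raised by the ACM, 1 = by the MLE (tboot) */
    uint32_t error;     /* bits 14:10: ACM error code */
    uint32_t progress;  /* bits 9:4:  ACM progress code */
    uint32_t acm_type;  /* bits 3:0:  0 = BIOS ACM, 1 = SINIT ACM, others reserved */
} txt_errorcode_t;

/* Split a raw register value into its documented fields (hypothetical helper). */
txt_errorcode_t txt_errorcode_decode(uint32_t raw)
{
    txt_errorcode_t e;
    e.raw      = raw;
    e.valid    = (raw >> 31) & 0x1u;
    e.external = (raw >> 30) & 0x1u;
    e.type2    = (raw >> 16) & 0x3fffu;
    e.src      = (raw >> 15) & 0x1u;
    e.error    = (raw >> 10) & 0x1fu;
    e.progress = (raw >> 4)  & 0x3fu;
    e.acm_type =  raw        & 0xfu;
    return e;
}

/* True when the value says the SINIT ACM itself reported the failure,
 * which is the situation discussed in the thread (a reset by SINIT). */
int txt_errorcode_is_sinit_acm_error(uint32_t raw)
{
    txt_errorcode_t e = txt_errorcode_decode(raw);
    return e.valid && e.external && e.src == 0 && e.acm_type == 1;
}

static const char *acm_type_name(uint32_t t)
{
    if (t == 0) return "BIOS ACM";
    if (t == 1) return "SINIT ACM";
    return "reserved";
}

/* Render a one-line description of the register into buf; returns the
 * number of characters snprintf would have written. */
int txt_errorcode_describe(uint32_t raw, char *buf, size_t len)
{
    txt_errorcode_t e = txt_errorcode_decode(raw);
    if (!e.valid)
        return snprintf(buf, len, "TXT.ERRORCODE=0x%08x: no valid error recorded", raw);
    if (!e.external)
        /* Processor-generated: the low 30 bits are processor-defined. */
        return snprintf(buf, len, "TXT.ERRORCODE=0x%08x: processor error, code 0x%x",
                        raw, raw & 0x3fffffffu);
    return snprintf(buf, len,
                    "TXT.ERRORCODE=0x%08x: %s error, acm_type=%u (%s), "
                    "progress=0x%02x, error=0x%x, type2=0x%x",
                    raw, e.src ? "MLE" : "ACM", e.acm_type, acm_type_name(e.acm_type),
                    e.progress, e.error, e.type2);
}

int main(void)
{
    /* Constructed input: the value reported in the message above. */
    const uint32_t sample = 0xc0002081u;
    char line[160];
    txt_errorcode_describe(sample, line, sizeof line);
    puts(line);
    return txt_errorcode_is_sinit_acm_error(sample) ? 0 : 1;
}
```

For 0xc0002081 the fields come out as valid=1, external=1 (ACM-reported), src=0 (the ACM, not the MLE), acm_type=1 (SINIT), progress=0x08, error=0x8 and type2=0. What progress 8 / error 8 mean for a given SINIT ACM has to be looked up in that ACM's error table; the decoder only tells you which table to open.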