[tboot-devel] Intel TXT + TBOOT + TPM 2.0: can't get LCP_ANY policy working on Supermicro X11SPM-TF

Tue, 04 Feb 2020 06:03:54 -0800 

Hi,

I am trying to get a simple LCP_ANY launch control policy to work on a 
Supermicro X11SPM-TF server with AOM-TPM-9670V TPM 2.0 module, without success. 
I get the "read error" from SINIT ACM each time.

I am using tboot version 1.9.9.

The LCP_ANY policy was created using two different ways:

1/ with lcp-gen2 python tools available in tboot sources,

2/ using a ready-made binary file, which is known to work, that is provided by 
Dr. G.W. Wettstein, and was contributed on this mailing list: 
(https://sourceforge.net/p/tboot/mailman/message/36477790/)
Dump of the platform owner NVram definition with functional LCP_ANY policy:

00000016: 00 03 0b 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
00000032: 00 00 00 00 00 00 02 00 00 00 00 00 c8 00 08 30 ...............0
00000048: 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000064: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 00 00                               ................

Attributes: 0x224000a
    OWNERWRITE
    POLICYWRITE
    AUTHREAD
    NO_DA
    WRITTEN
and NVram index to 0x1c10106 for my Cascade Lake Intel Xeon Silver 4216 CPU 
based chipset.

These two policies fail with following tboot error:
TBOOT: no SINIT provided by bootloader; using BIOS SINIT
...
TBOOT: reading Verified Launch Policy from TPM NV...
TBOOT: TPM: fail to get public data of 0x01C10131 in TPM NV
TBOOT:     :reading failed
TBOOT: reading Launch Control Policy from TPM NV...
TBOOT:     :70 bytes read
TBOOT:     :reading failed
TBOOT: failed to read policy from TPM NV, using default
TBOOT: policy:


The point is the SINIT ACM reads my LCP_ANY policy from TPM2 NVram but doesn't 
seem to understand it.

There are no reason indicated in the TBOOT log.

One reason I think of could be that the NVram index 0x01C10106 wasn't defined 
with proper attributes.
I define it with:

tpm2_nvdefine -x 0x01c10106 -a 0x40000001 -s 70 -t 0x0204000a -P password

Hoping someone will help me solve this problem,



Cordialement / regards,

Olivier le Roy (contractor)

HW – SW development engineer
Thales LAS France
Tel.: +33 1 64 91 66 43
Mobile : +33 6 26 56 44 99

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel






















					Reply via email to