On Wed, 2020-02-05 at 14:41 +0000, LE ROY Olivier - Contractor wrote:
> Hi Lukasz,
>
> > What exactly did you add to that policy in the lcp-gen2 tool? LCP is a
> > policy dedicated to SINIT, not to TBOOT.
> >
> > Another approach is to create a separate index for the VLP (0x01C10131)
> > and put the VLP there.
>
> I understand better why there weren't any logs for the LCP_ANY policy and why
> tboot expects a VLP.
> Thanks for the comprehensive answer.
> I am still learning to implement policies in TPM2.0, trying to transpose what
> was done in a previous TPM1.2-based project.
>
> > What do you mean "doesn't seem to understand it"? With LCP_ANY SINIT will
> > allow any MLE to be executed.
>
> I was following the recommendation to start with something simple, i.e.
> LCP_ANY.
> Presently, I am trying a list policy, with an MLE element whose hash is the
> tboot.gz hash, to implement a VLP at 0x01c10131.
>
> TBOOT logs are as follows:
> TBOOT: reading Verified Launch Policy from TPM NV...
> TBOOT: :70 bytes read
> TBOOT: policy:
> TBOOT: unsupported version (1)
> TBOOT: :reading failed
> TBOOT: reading Launch Control Policy from TPM NV...
> TBOOT: :70 bytes read
> TBOOT: :reading failed
> TBOOT: failed to read policy from TPM NV, using default
> TBOOT: policy:
> TBOOT: version: 2
>
> The policy was created using lcp-gen2 from the tboot-1.9.9 python tools
> (tboot-1.9.11 has the same results).
> Do you have a hint why the generated policy has "version (1)" while tboot
> expects a version: 2?
>
> Regards,
>
> Olivier
>
The MLE element goes into the LCP and is consumed by SINIT, not TBOOT. You can't
provision the VLP index with an LCP. To create a VLP you have to use the
tb_polgen tool. Here is an example:

# create policy
tb_polgen --create --ctrl 0x00 --type continue vl.pol

# add kernel and its cmdline hash, extend PCR19
tb_polgen --add --num 0 --pcr 19 --hash image --cmdline "..." \
    --image bzImage

# add initrd hash, extend PCR20
tb_polgen --add --num 1 --pcr 20 --hash image --cmdline "" \
    --image initrd.img

If you want to create a policy with an MLE element you have to use the lcp-gen2
tool and provision it to the LCP index. But as I said, TBOOT has nothing to do
with it; you should not expect that TBOOT will measure itself :)

Thanks,
Lukasz

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
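The "unsupported version (1)" line in the log is tboot reading the first byte of whatever sits in the VLP index and finding that it is not a tb_polgen policy. The following checker is an added example, not part of this thread and not one of tboot's own tools: it parses a VLP blob, refuses anything whose version byte is not 2, and walks the entries so a provisioning script can confirm which PCRs the policy extends before the blob is written to the NV index. The header layout (uint8 version, uint8 policy_type, uint8 hash_alg, uint32 policy_control, uint8 num_entries; per entry uint8 mod_num, uint8 pcr, uint8 hash_type, uint32 flags, uint8 num_hashes followed by the digests), the policy-type and hash-type values and the hash-algorithm IDs are assumptions taken from my recollection of tboot's tb_policy.h and should be confirmed against the header in your tboot tree. The two sample blobs are constructed: the "good" one mirrors the kernel/initrd policy above with placeholder digests, the "wrong" one reproduces the 70-byte, version-1 symptom.

```python
"""Sanity-check a tboot Verified Launch Policy (VLP) blob before it is written
to the VLP NV index.

Added example, not part of the mailing-list thread and not one of tboot's own
tools.  ASSUMPTION: the layouts and constants below follow tboot's
tb_policy.h (tb_policy_t / tb_policy_entry_t) as recalled by the author of
this example; confirm them against the header in your tboot tree.
"""
import struct

VLP_VERSION = 2                      # tboot's policy.c accepts only version 2
POLICY_TYPES = {0: "continue (non-fatal)", 1: "continue (verify fail)", 2: "halt"}
# Assumed: tboot reuses the TPM 2.0 TPM_ALG_* IDs for hash_alg -> digest length
HASH_LEN = {0x04: 20, 0x0B: 32, 0x0C: 48, 0x0D: 64}
HTYPE_ANY, HTYPE_IMAGE = 0, 1        # assumed TB_HTYPE_* values

# Little-endian, packed: version, policy_type, hash_alg, policy_control, num_entries
_HDR = struct.Struct("<BBBIB")
# mod_num, pcr, hash_type, flags, num_hashes (followed by num_hashes digests)
_ENT = struct.Struct("<BBBIB")


def build_vlp(policy_type, hash_alg, policy_control, entries):
    """Serialise a VLP.  entries: (mod_num, pcr, hash_type, flags, [digest, ...])."""
    hlen = HASH_LEN[hash_alg]
    out = bytearray(_HDR.pack(VLP_VERSION, policy_type, hash_alg,
                              policy_control, len(entries)))
    for mod_num, pcr, hash_type, flags, digests in entries:
        if any(len(d) != hlen for d in digests):
            raise ValueError(f"every digest must be {hlen} bytes for hash_alg {hash_alg:#x}")
        out += _ENT.pack(mod_num, pcr, hash_type, flags, len(digests))
        out += b"".join(digests)
    return bytes(out)


def parse_vlp(blob):
    """Parse a VLP blob; raise ValueError with a tboot-like message on anything wrong."""
    if len(blob) < _HDR.size:
        raise ValueError(f"size too small ({len(blob)} bytes) for a VLP header")
    version, ptype, halg, ctrl, nent = _HDR.unpack_from(blob, 0)
    if version != VLP_VERSION:
        # This is the "unsupported version (1)" symptom: the index holds something
        # that is not a tb_polgen VLP (for example an lcp-gen2 LCP blob).
        raise ValueError(f"unsupported version ({version}); expected {VLP_VERSION} "
                         "- was this blob produced by tb_polgen?")
    if ptype not in POLICY_TYPES:
        raise ValueError(f"unknown policy_type {ptype}")
    if halg not in HASH_LEN:
        raise ValueError(f"unknown hash_alg {halg:#x}")
    hlen = HASH_LEN[halg]
    off = _HDR.size
    entries = []
    for i in range(nent):
        if off + _ENT.size > len(blob):
            raise ValueError(f"entry {i}: truncated entry header")
        mod_num, pcr, htype, flags, nh = _ENT.unpack_from(blob, off)
        off += _ENT.size
        if off + nh * hlen > len(blob):
            raise ValueError(f"entry {i}: truncated digest list")
        digests = [blob[off + k * hlen: off + (k + 1) * hlen] for k in range(nh)]
        off += nh * hlen
        entries.append({"mod_num": mod_num, "pcr": pcr, "hash_type": htype,
                        "flags": flags, "digests": digests})
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} trailing bytes after last entry")
    return {"version": version, "policy_type": POLICY_TYPES[ptype],
            "hash_alg": halg, "policy_control": ctrl, "entries": entries}


def check_vlp(blob):
    """Return (ok, message) so a provisioning script can refuse a bad blob."""
    try:
        p = parse_vlp(blob)
    except ValueError as e:
        return False, f"VLP rejected: {e}"
    pcrs = ", ".join(str(e["pcr"]) for e in p["entries"])
    return True, (f"VLP ok: version {p['version']}, {p['policy_type']}, "
                  f"{len(p['entries'])} entries extending PCR(s) {pcrs}")


# Constructed sample: the two-entry policy from the thread (kernel -> PCR19,
# initrd -> PCR20) with SHA-256 digests that are placeholders, not real hashes.
GOOD_VLP = build_vlp(policy_type=0, hash_alg=0x0B, policy_control=0x00, entries=[
    (0, 19, HTYPE_IMAGE, 0, [bytes(range(32))]),
    (1, 20, HTYPE_IMAGE, 0, [bytes(32)]),
])
# Constructed sample reproducing the symptom: a 70-byte blob whose first byte is 1.
WRONG_VLP = bytes([1]) + bytes(69)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_VLP), ("wrong", WRONG_VLP)):
        print(name, check_vlp(blob)[1])
```

Run check_vlp() on the file tb_polgen produced (vl.pol above) before the NV write; a rejection with "unsupported version" means the file in hand is not a VLP at all, which is exactly the mix-up between lcp-gen2 output and the VLP index discussed in this thread.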