Hi Olivier

On Fri, 2020-09-04 at 09:28 +0000, LE ROY Olivier - Contractor wrote:

> I tried to implement a LCP @ 0x01400001 and a VLP @ 0x01200001. These 2 
> policies were known to work on same OS but different platform (Supermicro).
> For LCP, I have the following error:
> 
> reading Launch Control Policy from TPM NV...
> TBOOT:     :70 bytes read
> TBOOT: in unwrap_lcp_policy
> TBOOT: no LCP module found
> TBOOT:     :reading failed
> TBOOT: failed to read policy from TPM NV, using default
> TBOOT: policy:

[snip]

> My LCP is created the following manner:
> 
>     tpm2_nvdefine -x 0x01400001 -a 0x40000001 -s 70 -t 0x204000a \
>                   -P $TPM_OWNER_PASSWORD
>     lcp2_mlehash --create --alg sha256 \
>                  --cmdline "extpol=sha256 logging=serial,memory" \
>                  /boot/tboot.gz > mle_hash
>     lcp2_crtpolelt --create --type mle --alg sha256 --ctrl 0x00 --minver 0 \
>                    --out mle.elt mle_hash
>     lcp2_crtpollist --create --out list_unsig.lst mle.elt
>     lcp2_crtpol --create --type list --pol list.pol --alg sha256 --sign 0x0A \
>                 --ctrl 0x00 --data list.data list_unsig.lst
>     tpm2_nvwrite -x 0x01400001 -a 0x40000001 -P $TPM_OWNER_PASSWORD list.pol
>     cp -f list.data /boot/
> 
> Any idea why this LCP, which consists of just an mle element, could be 
> functional on one platform and not on another?

With these commands you create an LCP with an MLE element that is consumed by
SINIT. It is expected behaviour that TBOOT is unable to read it.

To create policy for TBOOT (VLP) you have to use tb_polgen tool, ex.:

    tb_polgen --create --ctrl 0x00 --type continue vl.pol
    tb_polgen --add --num 0 --pcr 19 --hash image \
              --cmdline "intel_iommu=on console=ttyS0,115200n8" \
              --image /boot/bzImage vl.pol

Then you have two options for provisioning it to the TPM:
 * provision as standalone policy
 * add it to LCP as custom element

If you already use LCP, the easier way is to add a custom element with TBOOT's
policy.

    lcp2_crtpolelt --create --ctrl 0x00 --type custom --out vl.elt \
                   --uuid tboot vl.pol

Then build an LCP list with all the elements you want to have, provision
it to the TPM and copy the .data file to /boot (and add an entry to grub.cfg).

If anything is unclear, please ask. It would be helpful if you could
describe what your goal is and what behaviour you want to achieve.

Thanks,
Lukasz
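The end-to-end flow the reply outlines, as an added shell example rather than anything posted in the thread: the VLP from tb_polgen is wrapped as a custom element, listed next to the existing MLE element, and the resulting policy is provisioned to the LCP index. It reuses the index, attribute and tool flags from the quoted commands, assumes mle.elt already exists in the working directory, that lcp2_crtpollist accepts several element files, and that $TPM_OWNER_PASSWORD is set in the environment.

```shell
#!/bin/sh
# Added example (not from the thread): VLP as a custom LCP element next to the
# MLE element, then provisioned to the LCP NV index. Index, auth handle and
# attribute values are the ones from the quoted tpm2_nvdefine command.
set -eu

LCP_INDEX=0x01400001
TPM_OWNER_HANDLE=0x40000001   # TPM_RH_OWNER, the auth handle used in the quoted commands
NV_ATTRS=0x204000a            # NV attributes from the quoted tpm2_nvdefine

# Size of a file in bytes, so tpm2_nvdefine -s matches the policy actually written
# (the quoted TBOOT log shows exactly 70 bytes being read back from the index).
file_size() { wc -c < "$1" | tr -d ' '; }

# Return 1 if any required tool is missing from PATH.
require_tools() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing: $t" >&2; return 1; }
    done
}

# Step 1: TBOOT's own verified-launch policy, measuring the kernel into PCR 19.
build_vlp() {
    tb_polgen --create --ctrl 0x00 --type continue vl.pol
    tb_polgen --add --num 0 --pcr 19 --hash image \
              --cmdline "intel_iommu=on console=ttyS0,115200n8" \
              --image /boot/bzImage vl.pol
}

# Step 2: wrap the VLP as a custom element and list it together with mle.elt
# (assumption: lcp2_crtpollist takes several element files).
build_lcp() {
    lcp2_crtpolelt --create --ctrl 0x00 --type custom --out vl.elt --uuid tboot vl.pol
    lcp2_crtpollist --create --out list_unsig.lst mle.elt vl.elt
    lcp2_crtpol --create --type list --pol list.pol --alg sha256 --sign 0x0A \
                --ctrl 0x00 --data list.data list_unsig.lst
}

# Step 3: define the index to the real policy size, write it, stage the data file.
provision() {
    tpm2_nvdefine -x "$LCP_INDEX" -a "$TPM_OWNER_HANDLE" -s "$(file_size list.pol)" \
                  -t "$NV_ATTRS" -P "$TPM_OWNER_PASSWORD"
    tpm2_nvwrite -x "$LCP_INDEX" -a "$TPM_OWNER_HANDLE" -P "$TPM_OWNER_PASSWORD" list.pol
    cp -f list.data /boot/
    echo "now add list.data as a module of the tboot entry in grub.cfg"
}

# Run the whole flow only when explicitly requested, so sourcing has no side effects.
if [ "${RUN_PROVISION:-0}" = 1 ]; then
    require_tools tb_polgen lcp2_crtpolelt lcp2_crtpollist lcp2_crtpol tpm2_nvdefine tpm2_nvwrite
    build_vlp && build_lcp && provision
fi
```

Run it as `RUN_PROVISION=1 sh provision_lcp.sh` on the target machine; without that variable the script only defines the functions.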



_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel