Did you add the LCP data part to grub.cfg as a module2 entry? If you have
multiple SINITs in grub.cfg, please leave only the good one and check if it
helps.

Thanks,
Lukasz

On Tue, 2020-09-08 at 08:29 +0000, LE ROY Olivier - Contractor wrote:
> Hi Lukasz and all,
> 
> thanks for your insight.
> 
> I understand that
> 
> > it is an expected behaviour that TBOOT is unable to read
> 
> my LCP policy with an MLE element.
> 
> But I don't see the reason why, on a Supermicro platform, TBOOT logs are:
> 
> TBOOT: bios_data (@0x77f00008, 0x2c):
> TBOOT:      version: 3
> TBOOT:      bios_sinit_size: 0x40000 (262144)
> TBOOT:      lcp_pd_base: 0x0
> TBOOT:      lcp_pd_size: 0x0 (0)
> TBOOT:      lcp_pd_base: 0x0
> TBOOT:      lcp_pd_size: 0x0 (0)
> ...
> TBOOT: v2 LCP policy data found
> TBOOT:      lcp_po_base: 0x77f0014c
> TBOOT:      lcp_po_size: 0x5e (94)
> TBOOT:      lcp_pd_base: 0x0
> TBOOT:      lcp_pd_size: 0x0 (0)
> TBOOT:      lcp_pd_base: 0x0
> TBOOT:      lcp_pd_size: 0x0 (0)
> ...
> TBOOT:      lcp_po_base: 0x77f0014c
> TBOOT:      lcp_po_size: 0x5e (94)
> TBOOT:      lcp_policy_hash:
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
> TBOOT:      lcp_policy_control: 0x00000000
> ...
> TBOOT: v2 LCP policy data found
> TBOOT: no LCP module found
> 
> whereas on a Getac platform, the same policy outputs the following TBOOT logs:
> 
> reading Launch Control Policy from TPM NV...
> TBOOT:     :70 bytes read
> TBOOT: in unwrap_lcp_policy
> TBOOT: no LCP module found
> TBOOT:     :reading failed
> TBOOT: failed to read policy from TPM NV, using default
> TBOOT: policy:
> 
> Cordialement / regards,
> 
> Olivier le Roy (contractor)
> HW – SW development engineer
> Thales LAS France
> Tel.: +33 1 64 91 66 43
> Mobile: +33 6 26 56 44 99
> 
> From: Lukasz Hawrylko <lukasz.hawry...@linux.intel.com>
> Sent: Monday, 7 September 2020 14:25:58
> To: LE ROY Olivier - Contractor; tboot-devel@lists.sourceforge.net
> Subject: Re: [tboot-devel] "no LCP module found" on Getac X500 G3
> 
> Hi Olivier
> 
> On Fri, 2020-09-04 at 09:28 +0000, LE ROY Olivier - Contractor wrote:
> 
> > I tried to implement an LCP @ 0x01400001 and a VLP @ 0x01200001. These 2
> > policies were known to work on the same OS but a different platform (Supermicro).
> > For LCP, I have the following error:
> > 
> > reading Launch Control Policy from TPM NV...
> > TBOOT:     :70 bytes read
> > TBOOT: in unwrap_lcp_policy
> > TBOOT: no LCP module found
> > TBOOT:     :reading failed
> > TBOOT: failed to read policy from TPM NV, using default
> > TBOOT: policy:
> 
> [snip]
> 
> > My LCP is created in the following manner:
> > 
> >         tpm2_nvdefine -x 0x01400001 -a 0x40000001 -s 70 -t 0x204000a -P $TPM_OWNER_PASSWORD
> >         lcp2_mlehash --create --alg sha256 --cmdline "extpol=sha256 logging=serial,memory" /boot/tboot.gz > mle_hash
> >         lcp2_crtpolelt --create --type mle --alg sha256 --ctrl 0x00 --minver 0 --out mle.elt mle_hash
> >         lcp2_crtpollist --create --out list_unsig.lst mle.elt
> >         lcp2_crtpol --create --type list --pol list.pol --alg sha256 --sign 0x0A --ctrl 0x00 --data list.data list_unsig.lst
> >         tpm2_nvwrite -x 0x01400001 -a 0x40000001 -P $TPM_OWNER_PASSWORD list.pol
> >         cp -f list.data /boot/
> > 
> > Any idea why this LCP, which consists of just an MLE element, could be
> > functional on one platform and not on another?
> 
> With these commands you create an LCP with an MLE element that is consumed by
> SINIT. It is an expected behaviour that TBOOT is unable to read it.
> 
> To create a policy for TBOOT (VLP) you have to use the tb_polgen tool, e.g.:
> 
>     tb_polgen --create --ctrl 0x00 --type continue vl.pol
>     tb_polgen --add --num 0 --pcr 19 --hash image \
>               --cmdline "intel_iommu=on console=ttyS0,115200n8" \
>               --image /boot/bzImage vl.pol
> 
> Then you have two options for how to provision it to the TPM:
>  * provision it as a standalone policy
>  * add it to the LCP as a custom element
> 
> If you already use LCP, the easier way is to add a custom element with TBOOT's
> policy:
> 
>     lcp2_crtpolelt --create --ctrl 0x00 --type custom --out vl.elt \
>                    --uuid tboot vl.pol
> 
> Then build an LCP list with all the elements that you want to have, provision
> it to the TPM and copy the .data file to /boot (and add an entry to grub.cfg).
> 
> If anything is unclear, please ask. It would be helpful if you could
> describe what your goal is, what behaviour you want to achieve.
> 
> Thanks,
> Lukasz
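
As an added diagnostic example (not code from this thread or from the tboot project), a Python walk over the list.data file that lcp2_crtpol --data writes, to check whether it carries anything tboot itself can consume: an MLE element is for SINIT, and tboot only finds its VLP in a CUSTOM element tagged with tboot's UUID. The struct layout and element type codes are assumed from tboot's lcp3.h, unsigned lists only are handled, and TBOOT_UUID is a placeholder to be replaced with the value from tboot's headers.

```python
import struct

# Layout assumed from tboot's lcp3.h (LCP_POLICY_DATA -> LCP_POLICY_LIST -> LCP_POLICY_ELEMENT);
# verify against the header in your tboot tree before relying on it.
FILE_SIG = b"Intel(R) TXT LCP_POLICY_DATA\0\0\0\0"          # 32-byte file signature
ELT_TYPES = {0: "MLE", 1: "PCONF", 2: "SBIOS", 3: "CUSTOM",
             0x10: "MLE2", 0x11: "PCONF2", 0x12: "SBIOS2", 0x14: "STM2"}
ELT_CUSTOM = 3
# Placeholder only: tboot's real custom-element UUID is defined in its headers; substitute it.
TBOOT_UUID = bytes(range(16))

def parse_policy_data(blob):
    """Return, per list, its version and (type, ctrl, uuid) for each element.
    Unsigned lists only: a signature block after the elements is not parsed."""
    if len(blob) < 36 or blob[:32] != FILE_SIG:
        raise ValueError("missing LCP_POLICY_DATA signature")
    num_lists, off, lists = blob[35], 36, []
    for _ in range(num_lists):
        version = struct.unpack_from("<H", blob, off)[0]
        # v1 list: u8 reserved + u8 sig_alg; v2 list: u16 sig_alg. Both headers are 8 bytes.
        sig_alg = blob[off + 3] if version == 0x0100 else struct.unpack_from("<H", blob, off + 2)[0]
        if sig_alg != 0:
            raise ValueError("signed list: signature parsing not implemented here")
        elts_size = struct.unpack_from("<I", blob, off + 4)[0]
        off += 8
        end, elts = off + elts_size, []
        while off < end:
            size, etype, ctrl = struct.unpack_from("<III", blob, off)   # element header
            data = blob[off + 12:off + size]                             # element body
            elts.append({"type": ELT_TYPES.get(etype, hex(etype)), "ctrl": ctrl,
                         "uuid": data[:16] if etype == ELT_CUSTOM else None})
            off += size
        lists.append({"version": version, "elements": elts})
    return lists

def has_tboot_element(blob, tboot_uuid=TBOOT_UUID):
    """True if some list carries a CUSTOM element tagged with tboot's UUID (a VLP tboot
    can use); an MLE-only list such as the one built in the thread yields False."""
    return any(e["uuid"] == tboot_uuid for l in parse_policy_data(blob) for e in l["elements"])

def build_element(etype, ctrl, data):
    return struct.pack("<III", 12 + len(data), etype, ctrl) + data

def build_policy_data(elements, version=0x0200):
    body = b"".join(elements)
    return FILE_SIG + b"\0\0\0" + bytes([1]) + struct.pack("<HHI", version, 0, len(body)) + body

# Constructed samples: the MLE-only list the thread's commands produce, and the same list with
# a CUSTOM element added (element bodies are dummy bytes, not real hashes or a real vl.pol).
MLE_ONLY = build_policy_data([build_element(0x10, 0, bytes(36))])
WITH_VLP = build_policy_data([build_element(0x10, 0, bytes(36)),
                              build_element(ELT_CUSTOM, 0, TBOOT_UUID + b"vl.pol bytes")])
```

Run it against the real /boot list.data with the real UUID substituted: a False result means the file only carries SINIT-side elements, which is consistent with the "no LCP module found" fallback to the default policy discussed above.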


_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel