There appear to be a couple of things that I don’t understand. It appears that while you have written your VL policy, you haven’t written a Launch Control Policy (which goes in the owner NV index). What your LCP will be depends on the processor, which you didn’t mention in your post. That is the place tboot is validated by the SINIT module, and then when it returns tboot validates the remainder of the modules in grub.
It may be possible to do what you tried, but I have always had to have an LCP, which is where tboot and its command line are validated, so the first tb_polgen line is the one for vmlinuz-2.6.32-279…
From: Charles Bushong []
Sent: Monday, March 25, 2013 8:52 AM
Subject: [tboot-devel] verifying module against policy failed


Hi all,

I'm trying to get tboot up and running for my first time, and this list has been a great help.  However, it seems I'm running into some problems when actually validating the modules.  I was hoping someone might have some insight as to what I'm doing wrong.  I'm using tboot 1.7.3 and legacy grub if it makes a difference.

I get ownership and define the nvram indices without much issue (finally).  Then I create and write the v1 policy with this:

tb_polgen --create --type nonfatal vl_ver1.pol
tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "logging=vga,serial,memory loglvl=all" --image /boot/tboot.gz vl_ver1.pol
tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "$kernel_cmdline" --image /boot/vmlinuz-2.6.32-279.5.1.el6.x86_64 vl_ver1.pol
tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image /boot/initramfs-2.6.32-279.5.1.el6.x86_64.img vl_ver1.pol
lcp_writepol -i 0x20000001 -f vl_ver1.pol -p $TPM_PASS

There are a few red flags that are sticking out to me.

1) Does this post-GETSEC[SENTER] error code mean anything?

TBOOT: AC module error : acm_type=0x1, progress=0x00, error=0x0


2) Modules failing.
TBOOT: verifying module "
/vmlinuz-2.6.32-279.5.1.el6.x86_64 (kernel command line)"...
TBOOT:   verification failed
TBOOT: verifying module against policy failed.
TBOOT: verifying module "
TBOOT:   verification failed
TBOOT: verifying module against policy failed.
TBOOT: all modules are verified

I can't figure out why it's reading the policy without issue, getting into GETSEC[SENTER], and then still failing the policy check.  Any help or points in the right direction would be appreciated.  Thanks!
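An added illustration of why a VL policy entry can fail even though the policy itself loads: this Python is not from the thread or from tboot, and it assumes (as in tboot 1.7's image-type hashing) that the entry hash is SHA1(SHA1(cmdline) || SHA1(image)) and that the leading module file name from the legacy GRUB module line is dropped before the command line is hashed, so the comparison is byte-exact. The kernel image bytes and command lines below are constructed sample data.

```python
import hashlib


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def tboot_module_hash(cmdline: str, image: bytes) -> bytes:
    """Assumed tboot 1.7 'image'-type entry hash: SHA1(SHA1(cmdline) || SHA1(image)).
    The command line is hashed as raw bytes, so any differing byte (a trailing
    space, a reordered option, a different loglvl) yields a different hash."""
    return sha1(sha1(cmdline.encode()) + sha1(image))


def strip_module_filename(grub_module_line: str) -> str:
    """Legacy GRUB hands tboot each module as '<path> <args...>'; the leading path
    is assumed to be skipped so only the arguments are hashed (assumption)."""
    parts = grub_module_line.split(" ", 1)
    return parts[1] if len(parts) == 2 else ""


def check_entry(policy_hash: bytes, grub_module_line: str, image: bytes) -> bool:
    """Recompute the hash from what GRUB actually passed and compare to the policy."""
    return tboot_module_hash(strip_module_filename(grub_module_line), image) == policy_hash


# Constructed stand-ins for the kernel image and the cmdline given to tb_polgen.
KERNEL_IMAGE = b"\x7fELF-constructed-kernel-image-bytes"
POLICY_CMDLINE = "root=/dev/sda1 ro quiet"
POLICY_HASH = tboot_module_hash(POLICY_CMDLINE, KERNEL_IMAGE)


def demo():
    """Returns (match for the exact cmdline, match for a cmdline with one stray space)."""
    exact = "/vmlinuz-2.6.32-279.5.1.el6.x86_64 root=/dev/sda1 ro quiet"
    stray_space = "/vmlinuz-2.6.32-279.5.1.el6.x86_64 root=/dev/sda1 ro quiet "
    return (check_entry(POLICY_HASH, exact, KERNEL_IMAGE),
            check_entry(POLICY_HASH, stray_space, KERNEL_IMAGE))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Comparing the command line GRUB passes (the log prints the module name followed by "(kernel command line)") against the exact string given to `tb_polgen --cmdline` is the first thing to check when a module fails verification while the policy itself reads fine.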