From: Courtay O. <Oli...@th...> - 2008-11-21 15:03:23
Hello,

I am trying to use tboot directly with the Linux kernel, using the Linux patch. I have successfully booted a 2.6.28-rc5, but I have not set a policy in TPM NV. In the past I have also successfully booted Xen with a policy.

After clearing the TPM, I tried to set a policy for my 2.6.28-rc5 kernel in the TPM, but some problems occurred:

    # tpmnv_defindex -i owner -p xxxx
    Haven't input permission value, use default value 0x2
    Haven't input data size, use default value 34
    LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
    LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
    LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa0b27101
    LOG_DEBUG TSPI rpc/tcstp/rpc_caps_tpm.c:40 RPC_GetTPMCapability_TP: TCS Context: 0xa0b27101
    LOG_DEBUG TSPI rpc/tcstp/rpc_auth.c:70 RPC_OSAP_TP: TCS Context: 0xa0b27101
    LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:53 RPC_NV_DefineOrReleaseSpace_TP: TCS Context: 0xa0b27101
    LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:83 RPC_NV_DefineOrReleaseSpace_TP: result=21
    Tspi_NV_DefineSpace failed failed: Insufficient TPM resources (0x0815)
    LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa0b27101

It is impossible to define this index. I have already defined the index 0x20000002:

    # tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx
    Successfully defined index 0x20000002 as permission 0x0, data size is 8

The defined indices are:

    # tpmnv_getcap

    4 indices have been defined
    list of indices for defined NV storage areas:
    0x10000001 0x50000002 0x50000001 0x20000002

I find it very difficult to correctly define and write the policy; each time I have to do a lot of manipulation before the system works correctly. Am I the only one to have this problem? Sometimes I have to reset the BIOS to reboot the computer...

I use a Dell Optiplex 755/E8500.

Another point: I have adapted the policy to boot Linux directly. Can you tell me if this policy is correct?

    # tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "module /boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3" --image /boot/vmlinuz-2.6.28-rc5 vl.pol
    # tb_polgen --add --num 1 --pcr 18 --hash image --cmdline "" --image /boot/initrd.img-2.6.28-rc5 vl.pol

My grub entry is:

    title Linux 2.6.28-rc5 w/ tboot
    root (hd0,1)
    kernel /boot/tboot.gz
    module /boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3
    module /boot/initrd.img-2.6.28-rc5
    module /boot/Q35_SINIT_16.BIN

Thanks,
Olivier
From: Cihula, J. <jos...@in...> - 2008-11-21 16:44:46
> From: Courtay Olivier [mailto:Oli...@th...]
> Sent: Friday, November 21, 2008 6:36 AM
>
> [...]
> I found very difficult to correctly defined and write policy, at each time I should do a lot
> of manipulation before the system work correctly. I am the only one to have this problem ?
> Sometime, I should to reset BIOS for reboot the computer...
>
> I use Dell Optiplex 755/E8500

I have also seen some spurious errors with TrouSerS. Unfortunately, I have not had the time to track them down, and as the commands still seem to work despite the errors, it has not been a priority.

I haven't encountered the issue of having to reboot--I think that is particular to your platform model and you should make sure that you have the latest BIOS.

> Another points.
> I have adapted pol for boot linux directly.
> Can you said me if this policy is correct:
>
> #tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "module /boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3" --image /boot/vmlinuz-2.6.28-rc5 vl.pol
> #tb_polgen --add --num 1 --pcr 18 --hash image --cmdline "" --image /boot/initrd.img-2.6.28-rc5 vl.pol
>
> My grub entry is:
> title Linux 2.6.28-rc5 w/ tboot
> root (hd0,1)
> kernel /boot/tboot.gz
> module /boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3
> module /boot/initrd.img-2.6.28-rc5
> module /boot/Q35_SINIT_16.BIN

The latest versions of tboot no longer include the module name in the command line of the policy. So your kernel tb_polgen should be (presuming that you also have already called tb_polgen with the --create option):

    # tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "root=/dev/sda2 ro console=ttyS0,115200 3" --image /boot/vmlinuz-2.6.28-rc5 vl.pol

> Thanks,
> Olivier

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
tboot-devel mailing list
tbo...@li...
https://lists.sourceforge.net/lists/listinfo/tboot-devel
From: Courtay O. <Oli...@th...> - 2008-11-24 16:07:47
My comment begins at the end.

-----Original Message-----
From: Cihula, Joseph [mailto:jos...@in...]
Sent: Fri 11/21/08 17:44
To: Courtay Olivier; tbo...@li...
Subject: RE: Problems on tpmnv_defindex

> [...]
> I use Dell Optiplex 755/E8500

I have also seen some spurious errors with TrouSerS. Unfortunately, I have not had the time to track them down, and as the commands still seem to work despite the errors, it has not been a priority. I haven't encountered the issue of having to reboot--I think that is particular to your platform model and you should make sure that you have the latest BIOS.

[Begin of my comments]:

Yes, I have already seen that TrouSerS can return an error even when the command is a success. But in my case tpmnv_defindex aborts with an "Insufficient TPM resources" error. This error seems to be reported by the driver (error 21), and the index is not defined.

I have found the beginning of a solution: the order of the commands is important. For example, some trace:

    # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x20000002
    # tpmnv_defindex -i owner -p xxxx => Failed with error 21.
    # tpmnv_relindex -i 0x20000002 -p xxxx => OK
    # tpmnv_getcap => 0x10000001 0x50000002 0x50000001
    # tpmnv_defindex -i owner -p xxxx => OK
    # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
    # tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx => Failed with error 21
    # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001

My BIOS is up to date (A11).

Any idea?

Thanks,
Olivier Courtay
From: Cihula, J. <jos...@in...> - 2008-11-24 17:31:15
> From: Courtay Olivier [mailto:Oli...@th...]
> Sent: Monday, November 24, 2008 7:44 AM
>
> [...]
> Yes, I already see that trousers can return error even the command is a success.
> But, in my case the tpmnv_defindex abort with "Insufficient TPM resources" error.
> This error seems to be reported by driver (error 21) and the index is not defined
>
> I found a beginning of solution: the order of command is important.
>
> For example, some trace:
>
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x20000002
> # tpmnv_defindex -i owner -p xxxx => Failed with error 21.
> # tpmnv_relindex -i 0x20000002 -p xxxx => OK
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001
> # tpmnv_defindex -i owner -p xxxx => OK
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
> # tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx => Failed with error 21
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
>
> My Bios is up-to-date (A11).
>
> Any idea?
>
> Tanks,
> Olivier Courtay

The "Insufficient TPM resources" error is due to the TPM on this platform, which only supports 4 NV indices. Three of these are already taken for TCG and TXT support. That means that you can only create one additional index.

Joe
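The budget problem Joe describes (four NV slots, three already taken by the platform, two wanted by tboot) is easy to get wrong in the order Olivier first tried. The following Python is an added example, not code from the tboot project or from this thread: it parses the `tpmnv_getcap` output format shown above, checks the count against a per-platform maximum, and plans the `tpmnv_defindex` / `tpmnv_relindex` commands so that the owner (LCP) index 0x40000001 is always created before the optional error-code index 0x20000002, releasing the error index when it is the one holding the last slot. The maximum of 4 is assumed from Joe's statement about this TPM; the command strings are the ones used in the thread, with the password as a placeholder.

```python
"""NV-index budget preflight for tboot on a TPM with few NV slots.

Added example, not code from the tboot project or from this thread.  It
parses `tpmnv_getcap` output in the form shown in the thread, counts the
defined NV indices against the platform's maximum, and plans the tpmnv
commands in the order that matters when only one slot is free: tboot's
owner (LCP) index 0x40000001 first, the optional error-code index
0x20000002 only if a slot remains, releasing the error index when it is
the one occupying the last slot.  The maximum of 4 is what Joe reports
for the OptiPlex 755 TPM; treat it as a per-platform parameter.  The
command strings are the ones used in this thread; the password is a
placeholder.
"""
import re

OWNER_INDEX = 0x40000001   # tboot "owner" index, holds the LCP
ERROR_INDEX = 0x20000002   # tboot error-code index, optional

COMMANDS = {
    ("define", OWNER_INDEX): "tpmnv_defindex -i owner -p {pw}",
    ("define", ERROR_INDEX):
        "tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p {pw}",
    ("release", ERROR_INDEX): "tpmnv_relindex -i 0x20000002 -p {pw}",
}


def parse_getcap(text):
    """Return the set of defined NV indices from tpmnv_getcap output,
    cross-checking the list against the announced count."""
    count = re.search(r"(\d+) indices have been defined", text)
    lst = re.search(r"list of indices for defined NV storage areas:\s*(.*)",
                    text, re.S)
    if not count or not lst:
        raise ValueError("unrecognised tpmnv_getcap output")
    indices = {int(tok, 16) for tok in re.findall(r"0x[0-9a-fA-F]+", lst.group(1))}
    if len(indices) != int(count.group(1)):
        raise ValueError("index list does not match announced count")
    return indices


def plan(defined, max_indices):
    """Return the ordered (action, index) steps needed to get the owner
    index defined, plus the error index if there is room."""
    defined = set(defined)
    free = max_indices - len(defined)
    if free < 0:
        raise ValueError("more indices defined than the TPM maximum")
    steps = []
    if OWNER_INDEX not in defined:
        # The LCP index is mandatory.  If tboot's own optional index holds
        # the last slot, give it up first (the order Olivier found to work).
        if free == 0 and ERROR_INDEX in defined:
            steps.append(("release", ERROR_INDEX))
            defined.discard(ERROR_INDEX)
            free += 1
        if free == 0:
            raise RuntimeError("no free NV slot for the owner index; "
                               "only platform-reserved indices are present")
        steps.append(("define", OWNER_INDEX))
        defined.add(OWNER_INDEX)
        free -= 1
    if ERROR_INDEX not in defined and free > 0:
        steps.append(("define", ERROR_INDEX))
    return steps


def render(steps, password="xxxx"):
    """Turn planned steps into the tpmnv command lines used in the thread."""
    return [COMMANDS[s].format(pw=password) for s in steps]


# Constructed sample: the state Olivier reported after defining 0x20000002
# first, when the owner index could no longer be created.
SAMPLE_GETCAP = """\
4 indices have been defined
list of indices for defined NV storage areas:
0x10000001 0x50000002 0x50000001 0x20000002
"""

if __name__ == "__main__":
    for cmd in render(plan(parse_getcap(SAMPLE_GETCAP), max_indices=4)):
        print(cmd)
```

Run against the sample it prints the release of 0x20000002 followed by the owner define, which is exactly the sequence that succeeded in Olivier's trace; on a TPM with more slots it also schedules the error-code index after the owner index.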
From: Ross P. <Ros...@ci...> - 2008-11-24 18:19:20
Attachments:
tboot-embed-policy.patch
I ran into this issue on the Dell 755 platform. I worked around it by patching tboot to embed the verified launch policy within the MLE itself. You then only need one index, the owner one, 0x40000001, for the LCP policy. Since the verified launch policy is embedded in the MLE, this solution is secure, since the LCP hashes over the VL policy too. You also need to forgo the error recording index 0x20000002.

I am attaching a patch I did to make this work on the Dell 755. You basically have to generate the VL policy before building tboot. You use the environment variable "embed=<my vl file>" to pass the policy to embed to the build (either export it or use it on the command line for make). The patch also deals with the missing error NV index. Then you can create the LCP over the tboot image and load that into the owner index.

One thing to note: this patch was based off the June 2008 tboot code tarball. It will not patch cleanly over the latest tboot stuff. You will either need to work with the June code or modify the patch.

Hope it helps.

Thanks
Ross

-----Original Message-----
From: Cihula, Joseph [mailto:jos...@in...]
Sent: Monday, November 24, 2008 12:31 PM
To: Courtay Olivier; tbo...@li...
Subject: Re: [tboot-devel] Problems on tpmnv_defindex

> [...]
> My Bios is up-to-date (A11).
>
> Any idea?

The "Insufficient TPM resources" error is due to the TPM on this platform, which only support 4 NV indices. Three of these are already taken for TCG and TXT support. That means that you can only create one additional index.

Joe
From: Courtay O. <Oli...@th...> - 2008-11-25 17:37:35
Hello,

I have applied your patch on the tboot.hg. The patch works well (I had to apply the patch manually for only one line). And it seems to work:

    ....
    TBOOT: verifying module "/boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3"...
    TBOOT: \0x09 OK
    TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
    TBOOT: TPM error code index not present in embedded policy mode.
    TBOOT: verifying module "/boot/initrd.img-2.6.28-rc5"...
    TBOOT: \0x09 OK
    TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
    TBOOT: TPM error code index not present in embedded policy mode.
    TBOOT: all modules are verified
    ......

I will study the error due to the attempt to write to an undefined index.

The steps to use your patch:

- define the owner index
- create vl.pol
- compile with make embed=path_to_vl.pol
- install tboot
- create the LCP
- write the LCP into the owner index

The drawback is that the tboot.gz can be used for only one entry, and if the policy changes, you have to recompile tboot....

Thanks a lot for your patch
Olivier

-------- Original Message --------
From: Ross Philipson [mailto:Ros...@ci...]
Date: Mon 11/24/08 19:19
To: Cihula, Joseph; Courtay Olivier; tbo...@li...
Subject: RE: [tboot-devel] Problems on tpmnv_defindex

I ran into this issue one the Dell 755 platform. I worked around this by patching tboot to embed the verified launch within the MLE itself. You then only need one index, the owner one 0x40000001 for the LCP policy. Since the verified launch policy is embedded in the MLE, this solution is secure since the LCP hashes over the VL policy too. You also need to forgo the error recording index 0x20000002.

[...]
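Ross's security argument for the workaround, and the procedure Olivier lists (build tboot with the policy embedded, then create the LCP over that image and write it to the owner index), both rest on one property: an LCP that pins the MLE hash also pins whatever is compiled into the MLE. The Python below is an added example, not code from tboot or from the patch; it models that chain with a deliberately simplified layout. The trailer format for the embedded policy and the "LCP as a list of permitted MLE hashes" are invented for the demonstration and are not the real TXT LCP or tboot policy structures; SHA-1 is used because that is the digest TPM 1.2 / TXT platforms of this era measured with. It also shows the drawback Olivier notes: changing the policy changes the MLE hash, so the LCP has to be recreated.

```python
"""Model of why an embedded VL policy stays protected by the LCP.

Added example, not code from tboot or from the patch discussed in this
thread.  Once the verified-launch (VL) policy is compiled into the MLE
(the tboot image), an LCP that pins MLE hashes covers the policy as
well, because the hash is over the whole image.  Byte layouts here are
invented for the demo (a trailer marking the embedded policy, an LCP
that is just a list of permitted MLE hashes); they are not the real TXT
LCP or tboot policy formats.  SHA-1 is the digest TPM 1.2 / TXT used.
"""
import hashlib
import struct

TRAILER_MAGIC = b"VLPL"      # invented marker for the embedded policy


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def build_mle(tboot_code: bytes, vl_policy: bytes) -> bytes:
    """Stand-in for `make embed=vl.pol`: the policy travels inside the image.

    Layout (invented): code || policy || u32 policy length || magic.
    """
    return tboot_code + vl_policy + struct.pack("<I", len(vl_policy)) + TRAILER_MAGIC


def embedded_policy(mle: bytes) -> bytes:
    """What the patched tboot would read at launch instead of a policy NV index."""
    if mle[-4:] != TRAILER_MAGIC:
        raise ValueError("no embedded VL policy in this image")
    (length,) = struct.unpack("<I", mle[-8:-4])
    return mle[-8 - length:-8]


def make_lcp(*permitted_mles: bytes) -> list:
    """Model of "create lcp" + "write lcp in owner index": the LCP is the
    list of MLE hashes the platform may launch."""
    return [sha1(m) for m in permitted_mles]


def launch_allowed(lcp: list, mle: bytes) -> bool:
    """Model of the LCP check performed before control reaches the MLE:
    the measured image must appear in the LCP's hash list."""
    return sha1(mle) in lcp


if __name__ == "__main__":
    # Constructed inputs: stand-ins for tboot.gz and vl.pol.
    code = b"tboot image bytes (constructed)"
    policy_v1 = b"vl.pol v1: num 0 pcr 18 hash image (constructed)"
    policy_v2 = b"vl.pol v2: kernel updated (constructed)"

    mle_v1 = build_mle(code, policy_v1)
    lcp = make_lcp(mle_v1)                  # what goes into 0x40000001
    assert launch_allowed(lcp, mle_v1)
    assert embedded_policy(mle_v1) == policy_v1

    # Changing only the policy changes the MLE hash: the LCP now rejects
    # the image, which is the property Ross relies on, and the reason a
    # policy change means rebuilding tboot and rewriting the LCP.
    mle_v2 = build_mle(code, policy_v2)
    assert not launch_allowed(lcp, mle_v2)
    lcp = make_lcp(mle_v1, mle_v2)          # recreate the LCP after the change
    assert launch_allowed(lcp, mle_v2)
    print("embedded policy is covered by the LCP hash")
```

The point to take from the model is that tampering with the embedded policy is equivalent to tampering with tboot itself: both change the single hash the LCP checks, so dropping the separate policy index loses no protection, only the convenience of changing the policy without a rebuild.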
From: Ross P. <Ros...@ci...> - 2008-11-25 19:35:56
Yeah, the line about the error code index not being there is expected. I thought the patch got rid of the attempts to even right the index but that is all that is wrong there. That is the drawback to this but it is really just a workaround for a hardware issue. Thanks Ross -----Original Message----- From: Courtay Olivier [mailto:Oli...@th...] Sent: Tuesday, November 25, 2008 12:37 PM To: Ross Philipson; tbo...@li... Subject: RE : [tboot-devel] Problems on tpmnv_defindex Hello, I have applied your patch on the tboot.hg The patch work well (I had to manually apply patch for only one line). And it seems to work: .... TBOOT: verifying module "/boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3"... TBOOT: \0x09 OK TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002 TBOOT: TPM error code index not present in embedded policy mode. TBOOT: verifying module "/boot/initrd.img-2.6.28-rc5"... TBOOT: \0x09 OK TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002 TBOOT: TPM error code index not present in embedded policy mode. TBOOT: all modules are verified ...... I will study the error due to attempt to write in undefined index The step for use your patch: - define the owner index - create vl.pol - compile with make embed=path_to_vl.pol - install tboot - create lcp - write lcp in owner index The drawback is that the tboot.gz can be used for only one entry and if policy change , you should compile tboot.... Thank a lot for your patch Olivier -------- Message d'origine-------- De: Ross Philipson [mailto:Ros...@ci...] Date: lun. 11/24/08 19:19 À: Cihula, Joseph; Courtay Olivier; tbo...@li... Objet : RE: [tboot-devel] Problems on tpmnv_defindex I ran into this issue one the Dell 755 platform. I worked around this by patching tboot to embed the verified launch within the MLE itself. You then only need one index, the owner one 0x40000001 for the LCP policy. 
Since the verified launch policy is embedded in the MLE, this solution is secure since the LCP hashes over the VL policy too. You also need to forgo the error recording index 0x20000002.

I am attaching a patch I did to make this work on the Dell 755. You basically have to generate the VL policy before building tboot. You use the environment variable "embed=<my vl file>" to pass the policy to embed to the build (either export it or use it on the command line for make). The patch also deals with the missing error NV index. Then you can create the LCP over the tboot image and load that into the owner index.

One thing to note; this patch was based off of the June 2008 tboot code tarball. It will not patch cleanly over the latest tboot stuff. You will either need to work with the June code or modify the patch. Hope it helps.

Thanks
Ross

-----Original Message-----
From: Cihula, Joseph [mailto:jos...@in...]
Sent: Monday, November 24, 2008 12:31 PM
To: Courtay Olivier; tbo...@li...
Subject: Re: [tboot-devel] Problems on tpmnv_defindex

-----Original Message-----
> From: Courtay Olivier [mailto:Oli...@th...]
> Sent: Monday, November 24, 2008 7:44 AM
>
> My comment begins at the end
>
> -----Original Message-----
> From: Cihula, Joseph [mailto:jos...@in...]
> Sent: Fri 11/21/08 17:44
> To: Courtay Olivier; tbo...@li...
> Subject: RE: Problems on tpmnv_defindex
>
> > From: Courtay Olivier [mailto:Oli...@th...]
> > Sent: Friday, November 21, 2008 6:36 AM
> >
> > Hello,
> >
> > I try to use tboot directly with the linux kernel using the linux patch.
> > I have successfully booted a 2.6.28-rc5. But I have not set a policy in TPM NV.
> > In the past, I have also successfully booted a xen with a policy.
> >
> > After a TPM clean, I try to set a policy for my 2.6.28-rc5 kernel on the TPM but some problems
> > occurred.
> >
> > # tpmnv_defindex -i owner -p xxxx
> > Haven't input permission value, use default value 0x2
> > Haven't input data size, use default value 34
> > LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
> > LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
> > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_caps_tpm.c:40 RPC_GetTPMCapability_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_auth.c:70 RPC_OSAP_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:53 RPC_NV_DefineOrReleaseSpace_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:83 RPC_NV_DefineOrReleaseSpace_TP: result=21
> > Tspi_NV_DefineSpace failed failed: Insufficient TPM resources (0x0815)
> > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa0b27101
> >
> > Impossible to define this index.
> > I have already defined the index 0x20000002
> >
> > #tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx
> > Successfully defined index 0x20000002 as permission 0x0, data size is 8
> >
> > Defined indices are:
> >
> > # tpmnv_getcap
> >
> > 4 indices have been defined
> > list of indices for defined NV storage areas:
> > 0x10000001 0x50000002 0x50000001 0x20000002
> >
> >
> > I found it very difficult to correctly define and write the policy; each time I have to do a lot
> > of manipulation before the system works correctly. Am I the only one to have this problem?
> > Sometimes, I have to reset the BIOS to reboot the computer...
> >
> > I use a Dell Optiplex 755/E8500
>
> I have also seen some spurious errors with TrouSerS. Unfortunately, I have not had the time
> to track them down, and as the commands still seem to work despite the errors, it has not been
> a priority. I haven't encountered the issue of having to reboot--I think that is particular
> to your platform model and you should make sure that you have the latest BIOS.
>
>
> [Begin of my comments]:
> Yes, I already see that trousers can return an error even when the command is a success.
> But, in my case the tpmnv_defindex aborts with an "Insufficient TPM resources" error.
> This error seems to be reported by the driver (error 21) and the index is not defined.
>
> I found the beginning of a solution: the order of the commands is important.
>
> For example, some trace:
>
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x20000002
> # tpmnv_defindex -i owner -p xxxx => Failed with error 21.
> # tpmnv_relindex -i 0x20000002 -p xxxx => OK
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001
> # tpmnv_defindex -i owner -p p xxxx => OK
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
> # tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx => Failed with error 21
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
>
> My BIOS is up-to-date (A11).
>
> Any idea?
>
>
> Thanks,
> Olivier Courtay

The "Insufficient TPM resources" error is due to the TPM on this platform, which only supports 4 NV indices. Three of these are already taken for TCG and TXT support. That means that you can only create one additional index.

Joe

_______________________________________________
tboot-devel mailing list
tbo...@li...
https://lists.sourceforge.net/lists/listinfo/tboot-devel
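The capacity limit Joe describes (4 NV indices, three of them already taken for TCG and TXT) and the command ordering Olivier found by trial can be checked before running tpmnv_defindex instead of discovering error 21 after the fact. The POSIX shell script below is an added example, not part of this thread and not one of the tboot tools: it parses the output of tpmnv_getcap (in the format shown in Olivier's trace) and reports whether the owner index 0x40000001 can be defined directly, only after releasing the tboot error index 0x20000002, or not at all. The 4-slot limit, the output format and the index values come from the thread; the sample output is constructed from Olivier's listing, and the function names, the MAX_NV_INDICES constant and the --live switch are my own choices.

```shell
#!/bin/sh
# Added example (not from the tboot project): plan NV index use on a TPM that
# only has 4 NV index slots, as reported for the Dell 755 in this thread.
# Assumption: tpmnv_getcap prints the header line
# "list of indices for defined NV storage areas:" followed by the hex indices,
# as in Olivier's trace. The command names are the tboot tools used in the thread.

MAX_NV_INDICES=4            # platform limit quoted by Joe (assumption for other TPMs)
OWNER_INDEX=0x40000001      # LCP owner index, as in Ross's mail and Olivier's trace
ERROR_INDEX=0x20000002      # tboot error code index, the one Ross says to forgo

# Constructed sample, same shape as Olivier's tpmnv_getcap output (all 4 slots used).
SAMPLE_GETCAP='4 indices have been defined
list of indices for defined NV storage areas:
0x10000001 0x50000002 0x50000001 0x20000002'

# list_indices: read tpmnv_getcap output on stdin, print one defined index per line.
# Only the tokens after the "list of indices" header are indices.
list_indices() {
    awk 'found { for (i = 1; i <= NF; i++) print $i } /list of indices/ { found = 1 }'
}

# count_indices: number of defined indices in tpmnv_getcap output on stdin.
count_indices() {
    list_indices | wc -l | tr -d ' '
}

# has_index INDEX: succeed if INDEX appears in tpmnv_getcap output on stdin.
has_index() {
    list_indices | grep -qi "^$1\$"
}

# plan_owner_index GETCAP_OUTPUT: decide what has to happen before
# "tpmnv_defindex -i owner" can succeed. Prints exactly one of:
#   already-defined                  owner index is present, nothing to do
#   define                           a slot is free, define it directly
#   release-error-index-then-define  all slots used, but 0x20000002 can be released
#                                    first (tpmnv_relindex -i 0x20000002), as in
#                                    Olivier's working order of commands
#   no-free-slot                     all slots used by indices we must not touch
# Returns 1 only in the last case.
plan_owner_index() {
    getcap="$1"
    if printf '%s\n' "$getcap" | has_index "$OWNER_INDEX"; then
        echo already-defined; return 0
    fi
    n=$(printf '%s\n' "$getcap" | count_indices)
    if [ "$n" -lt "$MAX_NV_INDICES" ]; then
        echo define; return 0
    fi
    if printf '%s\n' "$getcap" | has_index "$ERROR_INDEX"; then
        echo release-error-index-then-define; return 0
    fi
    echo no-free-slot; return 1
}

# Query the live TPM only when asked for explicitly ("sh nvplan.sh --live");
# by default the script runs against the constructed sample.
if [ "${1:-}" = "--live" ]; then
    plan_owner_index "$(tpmnv_getcap)"
else
    plan_owner_index "$SAMPLE_GETCAP"
fi
```

With the sample listing the script prints release-error-index-then-define, which is the sequence Olivier's trace shows working: release 0x20000002, then define the owner index. It also makes the trade-off explicit: once the owner index occupies the fourth slot, the error index cannot be defined again on this TPM, which is why Ross's patch has to tolerate its absence.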
From: Cihula, J. <jos...@in...> - 2008-11-27 07:07:32
I believe the index that it is reporting is the tboot error code index (0x20000002).

Joe

> -----Original Message-----
> From: Ross Philipson [mailto:Ros...@ci...]
> Sent: Tuesday, November 25, 2008 11:35 AM
> To: Courtay Olivier; tbo...@li...
> Subject: Re: [tboot-devel] Problems on tpmnv_defindex
>
> Yeah, the line about the error code index not being there is expected. I thought the patch got
> rid of the attempts to even write the index but that is all that is wrong there.
>
> That is the drawback to this but it is really just a workaround for a hardware issue.
>
> Thanks
> Ross
>
>
> -----Original Message-----
> From: Courtay Olivier [mailto:Oli...@th...]
> Sent: Tuesday, November 25, 2008 12:37 PM
> To: Ross Philipson; tbo...@li...
> Subject: RE : [tboot-devel] Problems on tpmnv_defindex
>
> Hello,
>
> I have applied your patch on the tboot.hg
> The patch works well (I had to manually apply the patch for only one line).
>
> And it seems to work:
> ....
> TBOOT: verifying module "/boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3"...
> TBOOT: \0x09 OK
> TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
> TBOOT: TPM error code index not present in embedded policy mode.
> TBOOT: verifying module "/boot/initrd.img-2.6.28-rc5"...
> TBOOT: \0x09 OK
> TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
> TBOOT: TPM error code index not present in embedded policy mode.
> TBOOT: all modules are verified
> ......
>
> I will study the error due to the attempt to write to an undefined index.
>
> The steps to use your patch:
>
> - define the owner index
> - create vl.pol
> - compile with make embed=path_to_vl.pol
> - install tboot
> - create lcp
> - write lcp in owner index
>
>
> The drawback is that the tboot.gz can be used for only one entry and if the policy changes, you
> should recompile tboot....
>
> Thanks a lot for your patch
>
> Olivier
>
>
> -------- Original Message --------
> From: Ross Philipson [mailto:Ros...@ci...]
> Date: Mon. 11/24/08 19:19
> To: Cihula, Joseph; Courtay Olivier; tbo...@li...
> Subject: RE: [tboot-devel] Problems on tpmnv_defindex
>
> I ran into this issue on the Dell 755 platform. I worked around this by
> patching tboot to embed the verified launch within the MLE itself. You
> then only need one index, the owner one 0x40000001 for the LCP policy.
> Since the verified launch policy is embedded in the MLE, this solution
> is secure since the LCP hashes over the VL policy too. You also need to
> forgo the error recording index 0x20000002.
>
> I am attaching a patch I did to make this work on the Dell 755. You
> basically have to generate the VL policy before building tboot. You use
> the environment variable "embed=<my vl file>" to pass the policy to
> embed to the build (either export it or use it on the command line for
> make). The patch also deals with the missing error NV index. Then you
> can create the LCP over the tboot image and load that into the owner
> index.
>
> One thing to note; this patch was based off of the June 2008 tboot code
> tarball. It will not patch cleanly over the latest tboot stuff. You will
> either need to work with the June code or modify the patch. Hope it
> helps.
>
> Thanks
> Ross
>
> -----Original Message-----
> From: Cihula, Joseph [mailto:jos...@in...]
> Sent: Monday, November 24, 2008 12:31 PM
> To: Courtay Olivier; tbo...@li...
> Subject: Re: [tboot-devel] Problems on tpmnv_defindex
>
> -----Original Message-----
> > From: Courtay Olivier [mailto:Oli...@th...]
> > Sent: Monday, November 24, 2008 7:44 AM
> >
> > My comment begins at the end
> >
> > -----Original Message-----
> > From: Cihula, Joseph [mailto:jos...@in...]
> > Sent: Fri 11/21/08 17:44
> > To: Courtay Olivier; tbo...@li...
> > Subject: RE: Problems on tpmnv_defindex
> > > From: Courtay Olivier [mailto:Oli...@th...]
> > > Sent: Friday, November 21, 2008 6:36 AM
> > >
> > > Hello,
> > >
> > > I try to use tboot directly with the linux kernel using the linux patch.
> > > I have successfully booted a 2.6.28-rc5. But I have not set a policy in TPM NV.
> > > In the past, I have also successfully booted a xen with a policy.
> > >
> > > After a TPM clean, I try to set a policy for my 2.6.28-rc5 kernel on the TPM but some problems
> > > occurred.
> > >
> > >
> > > # tpmnv_defindex -i owner -p xxxx
> > > Haven't input permission value, use default value 0x2
> > > Haven't input data size, use default value 34
> > > LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
> > > LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa0b27101
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_caps_tpm.c:40 RPC_GetTPMCapability_TP: TCS Context: 0xa0b27101
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_auth.c:70 RPC_OSAP_TP: TCS Context: 0xa0b27101
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:53 RPC_NV_DefineOrReleaseSpace_TP: TCS Context: 0xa0b27101
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:83 RPC_NV_DefineOrReleaseSpace_TP: result=21
> > > Tspi_NV_DefineSpace failed failed: Insufficient TPM resources (0x0815)
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa0b27101
> > >
> > > Impossible to define this index.
> > > I have already defined the index 0x20000002
> > >
> > > #tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx
> > > Successfully defined index 0x20000002 as permission 0x0, data size is 8
> > >
> > > Defined indices are:
> > >
> > > # tpmnv_getcap
> > >
> > > 4 indices have been defined
> > > list of indices for defined NV storage areas:
> > > 0x10000001 0x50000002 0x50000001 0x20000002
> > >
> > >
> > > I found it very difficult to correctly define and write the policy; each time I have to do a lot
> > > of manipulation before the system works correctly. Am I the only one to have this problem?
> > > Sometimes, I have to reset the BIOS to reboot the computer...
> > >
> > > I use a Dell Optiplex 755/E8500
> >
> > I have also seen some spurious errors with TrouSerS. Unfortunately, I have not had the time
> > to track them down, and as the commands still seem to work despite the errors, it has not been
> > a priority. I haven't encountered the issue of having to reboot--I think that is particular
> > to your platform model and you should make sure that you have the latest BIOS.
> >
> >
> > [Begin of my comments]:
> > Yes, I already see that trousers can return an error even when the command is a success.
> > But, in my case the tpmnv_defindex aborts with an "Insufficient TPM resources" error.
> > This error seems to be reported by the driver (error 21) and the index is not defined.
> >
> > I found the beginning of a solution: the order of the commands is important.
> >
> > For example, some trace:
> >
> > # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x20000002
> > # tpmnv_defindex -i owner -p xxxx => Failed with error 21.
> > # tpmnv_relindex -i 0x20000002 -p xxxx => OK
> > # tpmnv_getcap => 0x10000001 0x50000002 0x50000001
> > # tpmnv_defindex -i owner -p p xxxx => OK
> > # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
> > # tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx => Failed with error 21
> > # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
> >
> > My BIOS is up-to-date (A11).
> >
> > Any idea?
> >
> >
> > Thanks,
> > Olivier Courtay
>
> The "Insufficient TPM resources" error is due to the TPM on this
> platform, which only supports 4 NV indices. Three of these are already
> taken for TCG and TXT support. That means that you can only create one
> additional index.
>
> Joe