Hi Jimmy,

Thanks for your help. It works now!

I deleted these two redundant space chars and set the new policy. Now all the verifications succeed.

Thanks, 
Hu Hong 


On Fri, May 31, 2013 at 9:41 PM, Wei, Gang <gang.wei@intel.com> wrote:
What you need to do is make sure that only one space char is used to
separate the cmdline options for the kernel in the cmdline below. I can see
there are 3 space chars between "ro" and "quiet".

2.  tb_polgen/tb_polgen --add --num 0 --pcr none --hash image
    --cmdline "intel_iommu=on root=UUID=dbc9c7e6-d3f0-4b6a-9017-d43f70f09220 ro   quiet splash vt.handoff=7"
    --image /boot/vmlinuz-3.5.0-31-generic
    vl.pol

I know you are using the exact same command line as what occurred in the
grub file. But I observed that grub2 will remove redundant space chars
automatically before passing the cmdline to tboot or kernel, so that the
command tboot got was not exactly the same as in the grub config file.

BTW, FYI, old grub (in rhel or old fedora) will keep the redundant space
chars.

Thanks
Jimmy


> -----Original Message-----
> From: Hong Hu [mailto:huhongtpm@gmail.com]
> Sent: Friday, May 31, 2013 9:13 PM
> To: Wei, Gang
> Cc: tboot-devel@lists.sourceforge.net
> Subject: Re: [tboot-devel] TBOOT ERRORCODE: 0xc00020a1
>
> Hi Jimmy,
>
> Thanks for your reply.
>
> Here is the command I used to generate tb policy:
>
> 1.  tb_polgen/tb_polgen --create --type nonfatal vl.pol
> 2.  tb_polgen/tb_polgen --add --num 0 --pcr none --hash image
>     --cmdline "intel_iommu=on root=UUID=dbc9c7e6-d3f0-4b6a-9017-d43f70f09220 ro   quiet splash vt.handoff=7"
>     --image /boot/vmlinuz-3.5.0-31-generic
>     vl.pol
> 3.  tb_polgen/tb_polgen --add --num 1 --pcr 19 --hash image
>     --cmdline ""
>     --image /boot/initrd.img-3.5.0-31-generic
>     vl.pol
>
> The corresponding grub entry is:
>
> menuentry 'tboot: Ubuntu, with Linux 3.5.0-31-generic' --class ubuntu --class gnu-linux --class gnu --class os {
>         recordfail
>         gfxmode $linux_gfx_mode
>         insmod gzio
>         insmod part_msdos
>         insmod ext2
>         set root='(hd0,msdos2)'
>         search --no-floppy --fs-uuid --set=root dbc9c7e6-d3f0-4b6a-9017-d43f70f09220
>         echo 'HHHHHHHHHHHHHHHHHHH: Loading tboot ...'
>         multiboot /tboot.gz /tboot.gz logging=memory,vga,serial
>         echo 'HHHHHHHHHHHHHHHHHHH: Loading vmlinuz ....'
>         module /boot/vmlinuz-3.5.0-31-generic /boot/vmlinuz-3.5.0-31-generic intel_iommu=on root=UUID=dbc9c7e6-d3f0-4b6a-9017-d43f70f09220 ro   quiet splash vt.handoff=7
>         echo 'HHHHHHHHHHHHHHHHHHH: Loading initrd.img ...'
>         module  /boot/initrd.img-3.5.0-31-generic /boot/initrd.img-3.5.0-31-generic
>         echo 'HHHHHHHHHHHHHHHHHHH: Loading ACM ...'
>         module /boot/3rd_gen_i5_i7_SINIT_51.BIN
>         echo 'HHHHHHHHHHHHHHHHHHH: Loading policy data ...'
>         module /list.data
> }
>
> The log file is also attached.
>
> Thanks,
> Hu Hong
>
>
> On Fri, May 31, 2013 at 8:59 PM, Wei, Gang <gang.wei@intel.com> wrote:
>
>
>       Hong Hu wrote on 2013-05-31:
>
>       > Hi Jimmy,
>       >
>       > Thanks for your help.
>       >
>       > Now I can almost successfully run tboot on X220 tablet. The only problem
>       > is the verification of module 0 (linux kernel in my case) which is
>       > extended to PCR-18 failed.
>       >
>       > I followed instructions in docs/policy_v2.txt and lcptools/lcptools2.txt
>       > to create the LCP and VLP. The only difference is the second step in
>       > creating VLP:
>       >
>       > The original version:
>       >
>       > 2.  tb_polgen/tb_polgen --add --num 0 --pcr none --hash image --cmdline
>       > "the command line for xen from grub.conf" --image /boot/xen.gz vl.pol
>       >
>       > and I changed it to:
>       >
>       > 2.   tb_polgen/tb_polgen --add --num 0 --pcr none --hash image --cmdline
>       > "intel_iommu=on root=UUID=XX(my uuid)XXX ro quiet splash vt.handoff=7"
>       > --image /boot/vmlinuz-3.5.0.-31=generic vl.pol
>       >
>       > since there is no xen in my case.
>       >
>       > The result of module verification is that the verification for PCR 18
>       > failed while the verification for PCR 19 (initrd.img) succeeded.
>       >
>       > Is there any specific command to hash linux kernel other than xen? Any
>       > help will be much appreciated.
>
>
>       Please send me the exact command line you are using to generate the tb
>       policy, as well as the grub config file.
>
>       Jimmy
>
>
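
Added example, not part of the original thread or of tboot: a shell check that derives the `--cmdline` string for `tb_polgen` from a grub2 `module` line with runs of blanks collapsed, as the reply above describes grub2 doing, and compares it byte-for-byte with the string used in the policy. The function names and the sample config (modelled on the quoted menuentry) are constructed for illustration; grub quoting and line continuations are not handled.

```shell
#!/bin/sh
# Constructed sample modelled on the menuentry quoted in this thread; note the
# three spaces between "ro" and "quiet" on the kernel module line.
SAMPLE_CFG='        module /boot/vmlinuz-3.5.0-31-generic /boot/vmlinuz-3.5.0-31-generic intel_iommu=on root=UUID=dbc9c7e6-d3f0-4b6a-9017-d43f70f09220 ro   quiet splash vt.handoff=7
        module  /boot/initrd.img-3.5.0-31-generic /boot/initrd.img-3.5.0-31-generic'

# grub_module_cmdline IMAGE   (hypothetical helper; grub.cfg text on stdin)
# Prints the options of the "module" line for IMAGE joined by single spaces,
# i.e. the form the thread says grub2 hands to tboot. Exits 1 if no such line.
grub_module_cmdline() {
    awk -v img="$1" '
        $1 == "module" && $2 == img {
            # awk field splitting already drops redundant blanks. Skip the
            # "module" keyword, the file path and, if present, the repeated
            # path, which the working tb_polgen command in the thread omits.
            start = ($3 == img) ? 4 : 3
            out = ""
            for (i = start; i <= NF; i++)
                out = (i > start ? out " " : "") $i
            print out
            found = 1
            exit
        }
        END { exit !found }'
}

# policy_cmdline_matches IMAGE POLICY_CMDLINE   (grub.cfg text on stdin)
# Returns 0 only when the string passed to "tb_polgen --cmdline" is
# byte-identical to the normalized grub2 form; 2 if IMAGE is not in the config.
policy_cmdline_matches() {
    expected=$(grub_module_cmdline "$1") || return 2
    [ "$2" = "$expected" ]
}

# Demo on the constructed sample: print the string to give to --cmdline.
printf '%s\n' "$SAMPLE_CFG" | grub_module_cmdline /boot/vmlinuz-3.5.0-31-generic
```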