Any ideas on this, anybody?


On Wed, Apr 10, 2013 at 2:22 PM, Charles Bushong <> wrote:
So while I wait for a miracle on my other system, I have tried configuring tboot on a different platform using a similar config. I'm hoping to find out if the problem is configuration based or hardware based.

The result is:
TBOOT: AC module error : acm_type=0x1, progress=0x10, error=0x2

Which, according to the Q45_Q43_SINIT_51.BIN sinit_errors.txt file, is "10h Processing Launch Control Policy", "unsupported policy version"

I have tried this configuration in any way I can think of, from using LCPv1, LCPv2/unsigned/no MLE, LCPv2/signed/no MLE, LCPv2/signed/"custom" elt/no nvram, and then finally LCPv2 signed, custom element fully defined and written to NVRAM. I'm not really sure what it means by "unsupported policy version", as I've tried every version of LCP I know of. Any suggestions would be greatly appreciated.



## Set TPM_PASS var
export TPM_PASS=<the_pass>
## Start tcsd service
## Release old indices to clear status
tpmnv_relindex -i owner -p $TPM_PASS
tpmnv_relindex -i 0x20000001 -p $TPM_PASS
tpmnv_relindex -i 0x20000002 -p $TPM_PASS
## Define indices for owner, error, and TBOOT
tpmnv_defindex -i owner -p $TPM_PASS
tpmnv_defindex -i 0x20000001 -s 256 -pv 0x02 -p $TPM_PASS
tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p $TPM_PASS
## Create MLE Policy
tb_polgen --create --type nonfatal vl_ver1.pol
## Hash vmlinuz, add to policy file
tb_polgen --add --num 0 --pcr none --hash image --cmdline "ro root=/dev/mapper/vg_rd8uxr84163g-lv_root rd_LVM_LV=vg_rd8uxr84163g/lv_swap rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_rd8uxr84163g/lv_root rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM intel_iommu=on" --image /boot/vmlinuz-2.6.32-220.el6.x86_64 vl_ver1.pol
## Hash initramfs, add to policy file
tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "" --image /boot/initramfs-2.6.32-220.el6.x86_64.img vl_ver1.pol
## Create TBOOT hash
lcp_mlehash -c "logging=vga,serial,memory loglvl=all" /boot/tboot.gz > tboot_hash
## Create Policy Element with tboot_hash
lcp_crtpolelt --create --type mle --ctrl 0x00 --out mle.elt tboot_hash
## Create the list of elements, yet to be signed
lcp_crtpollist --create --out list_unsig.lst mle.elt
## Generate private key
openssl genrsa -out privkey.pem 2048
## Generate public key
openssl rsa -pubout -in privkey.pem -out pubkey.pem
## Create the signed list
cp list_unsig.lst list_sig.lst
lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out list_sig.lst
## Create the actual policy using the unsigned and signed element lists
## (list files are positional arguments; --data names the policy data file that
## tboot loads as a boot module, so it must not be one of the input lists)
lcp_crtpol2 --create --type list --pol list.pol --data list.data list_unsig.lst list_sig.lst
## Write the policies to NVRAM
lcp_writepol -i owner -f list.pol -p $TPM_PASS
lcp_writepol -i 0x20000001 -f vl_ver1.pol -p $TPM_PASS
## Copy to boot directory
cp /boot
## validate grub.conf has / module and reboot
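As an added helper for working with the error line above (my own code, not from the thread or the tboot project): it parses tboot's "AC module error" log line and also splits a raw TXT.ERRORCODE value, as tools such as txt-stat print it, into the same acm_type/progress/error fields so the two can be compared. The bit layout is my recollection of tboot's acmod_error_t (bits 3:0 acm_type, 9:4 progress, 14:10 error, 15 src, 30 external, 31 valid) and should be checked against your tboot tree; the only code meanings included are the two the message quotes from sinit_errors.txt.

```python
import re

# Bit layout of TXT.ERRORCODE for an AC-module error (src bit 15 == 0), as
# I recall it from tboot's acmod_error_t; assumption, verify against your tree:
#   bits 3:0 acm_type, 9:4 progress, 14:10 error, 15 src, 30 external, 31 valid
def decode_acm_errorcode(raw):
    """Split a raw 32-bit TXT.ERRORCODE value into its AC-module error fields."""
    return {
        "valid":    (raw >> 31) & 0x1,
        "external": (raw >> 30) & 0x1,
        "src":      (raw >> 15) & 0x1,
        "acm_type": raw & 0xF,
        "progress": (raw >> 4) & 0x3F,
        "error":    (raw >> 10) & 0x1F,
    }

# Only the two meanings quoted in the thread from Q45_Q43_SINIT_51.BIN's
# sinit_errors.txt; anything else is reported as unknown rather than guessed.
PROGRESS_CODES = {0x10: "Processing Launch Control Policy"}
ERROR_CODES = {0x2: "unsupported policy version"}

LOG_RE = re.compile(
    r"AC module error\s*:\s*acm_type=0x([0-9a-f]+),\s*"
    r"progress=0x([0-9a-f]+),\s*error=0x([0-9a-f]+)",
    re.IGNORECASE,
)

def parse_tboot_log_line(line):
    """Parse tboot's 'AC module error' line; returns the fields with
    descriptions, or None when the line is not an AC-module error."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    acm_type, progress, error = (int(x, 16) for x in m.groups())
    return {
        "acm_type": acm_type,
        "progress": progress,
        "error": error,
        "progress_desc": PROGRESS_CODES.get(progress, "unknown (see sinit_errors.txt)"),
        "error_desc": ERROR_CODES.get(error, "unknown (see sinit_errors.txt)"),
    }

if __name__ == "__main__":
    # Constructed sample: the line quoted in the thread, plus a raw register
    # value built to carry the same fields (valid=1, external=1, src=0).
    sample = "TBOOT: AC module error : acm_type=0x1, progress=0x10, error=0x2"
    print(parse_tboot_log_line(sample))
    print(decode_acm_errorcode(0xC0000901))
```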