From: Cihula, J. <jos...@in...> - 2008-10-08 18:30:18
> From: Lil Evil [mailto:Lil...@gm...]
> Sent: Wednesday, October 08, 2008 2:11 AM
>
> 1) Compilation
> To reproduce the compilation error, I did the following:
>
> [root@lil staging] hg clone http://www.bughost.org/repos.hg/tboot.hg
> destination directory: tboot.hg
> requesting all changes
> adding changesets
> adding manifests
> adding file changes
> added 91 changesets with 393 changes to 122 files
> updating working directory
> 118 files updated, 0 files merged, 0 files removed, 0 files unresolved
> [root@lil staging] cd tboot.hg
> [root@lil tboot.hg] make
> ...
> <compile>
> ...
>
> mlehash.c:47:34: error: ../include/elf_defns.h: No such file or directory
>
> [root@lil tboot.hg]# ls -la include/elf_defns.h
> ls: cannot access include/elf_defns.h: No such file or directory
> [root@lil tboot.hg]#
>
> hg reports the following changeset:
>
> changeset: 90:5d19b96f7c0e
> tag: tip
> user: Joseph Cihula <jos...@in...>
> date: Tue Oct 07 12:03:27 2008 -0700
> summary: Added hg repo location to README
>
> I tried two different machines on different networks, same error.
> Which changeset are you on?

OK, my bad (I only re-built tboot and not the tools). I have fixed this in the tip and uploaded a new tarfile.

> 2) I already adapted to the new policy format, as I have been
> playing around with the mercurial repository a while ago.
> The debug line I added just prints out the PCR before extending. I was
> a little bit surprised to see a non-zero row there.
> Something is fishy, either with me, or the build :)
>
> Here is my policy gen script, btw:
>
> modprobe tpm_tis
> tcsd
> rm -rf mle_hash lcp.pol vl.pol
>
> # create hash of tboot
> lcp_mlehash /boot/tboot.gz > mle_hash
>
> # transform hash into policy
> lcp_crtpol -t hashonly -m mle_hash -o lcp.pol
>
> XENLINE="/xen.gz tboot=0x01019040 iommu=1 vtd=1 dom0_mem=1024mb com1=1115200,8n1 console=vga,com1"
> KERNEL="/vmlinuz-2.6.18.8-xen_unstable ro root=/dev/VolGroup01/LogVol01 rhgb pciback.hide=(00:1d.7)(00:1d.1)"
> TPM_PW=""

The new policy code strips the module name from the module string provided by GRUB so that location isn't part of the measurement (which it shouldn't be). Thus, you should not have '/xen.gz ' or '/vmlinuz-2.6.18.8-xen_unstable ' in your strings.

> # create launch policy of the VMM
> tb_polgen --create --type nonfatal vl.pol
>
> tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "$XENLINE" --image /boot/xen.gz vl.pol --verbose >> verbose.txt
> tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "$KERNEL" --image /boot/vmlinuz-2.6.18.8-xen_unstable vl.pol --verbose >> verbose.txt
> tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image /boot/initrd-2.6.18.8-xen_unstable.img vl.pol --verbose >> verbose.txt
>
> # write policy
> lcp_writepol -i owner -f lcp.pol -p
> lcp_writepol -i 0x20000001 -f vl.pol -p
>
> 3) I also noticed with the stable tboot, on a reboot the GETSEC[SEXIT]
> command is not broadcasted.
> It is however on a shutdown.

When you say "broadcasted" do you mean it doesn't appear on the serial output? That is likely just due to buffering and when/how the platform actually disables the serial port. If SEXIT were not done, the system could not reboot successfully (it would TXT_RESET and then the subsequent boot could not launch TXT until a power cycle).

> Just to let you know where I am standing at the moment.

Thanks for your comments and we'll try to keep things fixed up better.

> Cheers
> lIl
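A small helper that derives tb_polgen arguments from GRUB "module" lines so that the module path never ends up in --cmdline, which is the mistake pointed out above. This is an added example, not code from the mail or from tboot; it assumes /boot is a separate partition (GRUB's /xen.gz is /boot/xen.gz on the running system, as in the quoted script), uses only the tb_polgen options that appear in that script, and the grub.conf lines are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original mail or from tboot): split GRUB
# "module" lines into the image path and the command line that tboot
# actually measures, then print the matching tb_polgen --add commands.
set -f   # no pathname expansion while word-splitting module lines

# First token after "module" is the image path as GRUB sees it.
module_path() {
    set -- $1          # e.g. "module /xen.gz tboot=0x01019040 iommu=1"
    shift              # drop the "module" keyword
    printf '%s' "$1"
}

# Everything after the path is the command line; the policy code strips
# the path before hashing, so this is what --cmdline must contain.
module_cmdline() {
    set -- $1
    shift; shift       # drop "module" keyword and the image path
    printf '%s' "$*"
}

# Print one tb_polgen --add line: module line, module index, PCR, policy file.
# Indices and PCRs follow the quoted script (xen in PCR 18, kernel and
# initrd in PCR 19); /boot is assumed to be a separate partition.
polgen_add() {
    line=$1; num=$2; pcr=$3; pol=$4
    printf 'tb_polgen --add --num %s --pcr %s --hash image --cmdline "%s" --image /boot%s %s\n' \
        "$num" "$pcr" "$(module_cmdline "$line")" "$(module_path "$line")" "$pol"
}

# Constructed sample grub.conf stanza (paths without the /boot prefix).
SAMPLE_XEN='module /xen.gz tboot=0x01019040 iommu=1 vtd=1 dom0_mem=1024mb console=vga,com1'
SAMPLE_KERNEL='module /vmlinuz-2.6.18.8-xen_unstable ro root=/dev/VolGroup01/LogVol01 rhgb'
SAMPLE_INITRD='module /initrd-2.6.18.8-xen_unstable.img'

polgen_add "$SAMPLE_XEN" 0 18 vl.pol
polgen_add "$SAMPLE_KERNEL" 1 19 vl.pol
polgen_add "$SAMPLE_INITRD" 2 19 vl.pol
```

The printed commands are meant to be reviewed and then run by hand after `tb_polgen --create`, exactly as in the quoted script; nothing here touches the TPM.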