From: Lil E. <Lil...@gm...> - 2008-10-09 10:23:31

Hi,

okay, verification works fine now. Must have skipped that part in the README :). I said broadcasted because I assumed that it hasn't indeed been broadcasted, meaning it didn't show up on the serial console. As I said, it showed up during powering off, but not during rebooting. However, if I issue a reboot, the machine will hang with no screen at all. Only a hard reset brings it back to life. Hence, I assumed that TXT is protecting the machine because it hasn't successfully issued SEXIT. But it could also be an issue with my machine's BIOS, as I already encountered some. I'll keep on playing around and let you know what's happening.

Cheers
lIl

-------- Original Message --------
> Date: Wed, 8 Oct 2008 11:26:51 -0700
> From: "Cihula, Joseph" <jos...@in...>
> To: "Lil Evil" <Lil...@gm...>, tbo...@li...
> Subject: RE: [tboot-devel] new location for mercurial repo
>
> > From: Lil Evil [mailto:Lil...@gm...]
> > Sent: Wednesday, October 08, 2008 2:11 AM
> >
> > 1) Compilation
> > to reproduce the compilation error, I did the following:
> >
> > [root@lil staging] hg clone http://www.bughost.org/repos.hg/tboot.hg
> > destination directory: tboot.hg
> > requesting all changes
> > adding changesets
> > adding manifests
> > adding file changes
> > added 91 changesets with 393 changes to 122 files
> > updating working directory
> > 118 files updated, 0 files merged, 0 files removed, 0 files unresolved
> > [root@lil staging] cd tboot.hg
> > [root@lil tboot.hg] make
> > ...
> > <compile>
> > ...
> >
> > mlehash.c:47:34: error: ../include/elf_defns.h: No such file or directory
> >
> > [root@lil tboot.hg]# ls -la include/elf_defns.h
> > ls: cannot access include/elf_defns.h: No such file or directory
> > [root@lil tboot.hg]#
> >
> > hg reports the following changeset:
> >
> > changeset: 90:5d19b96f7c0e
> > tag: tip
> > user: Joseph Cihula <jos...@in...>
> > date: Tue Oct 07 12:03:27 2008 -0700
> > summary: Added hg repo location to README
> >
> > I tried two different machines on different networks, same error.
> > which changeset are you on?
>
> OK, my bad (I only re-built tboot and not the tools). I have fixed this in the tip and uploaded a new tarfile.
>
> > 2) I already adapted to the new policy format, as I have been playing around with the mercurial repository a while ago.
> > The debug line I added just prints out the PCR before extending. I was a little bit surprised to see a non-0 row there.
> > Something is fishy, either with me, or the build :)
> >
> > here is my policy gen script, btw:
> >
> > modprobe tpm_tis
> > tcsd
> > rm -rf mle_hash lcp.pol vl.pol
> >
> > #create hash of tboot
> > lcp_mlehash /boot/tboot.gz > mle_hash
> >
> > # transform hash into policy
> > lcp_crtpol -t hashonly -m mle_hash -o lcp.pol
> >
> > XENLINE="/xen.gz tboot=0x01019040 iommu=1 vtd=1 dom0_mem=1024mb com1=1115200,8n1 console=vga,com1"
> > KERNEL="/vmlinuz-2.6.18.8-xen_unstable ro root=/dev/VolGroup01/LogVol01 rhgb pciback.hide=(00:1d.7)(00:1d.1)"
> > TPM_PW=""
>
> The new policy code strips the module name from the module string provided by GRUB so that location isn't part of the measurement (which it shouldn't be). Thus, you should not have '/xen.gz ' or '/vmlinuz-2.6.18.8-xen_unstable ' in your strings.
>
> > #create launch policy of the VMM
> > tb_polgen --create --type nonfatal vl.pol
> >
> > tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "$XENLINE" --image /boot/xen.gz vl.pol --verbose >> verbose.txt
> > tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "$KERNEL" --image /boot/vmlinuz-2.6.18.8-xen_unstable vl.pol --verbose >> verbose.txt
> > tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image /boot/initrd-2.6.18.8-xen_unstable.img vl.pol --verbose >> verbose.txt
> >
> > #write policy
> > lcp_writepol -i owner -f lcp.pol -p
> > lcp_writepol -i 0x20000001 -f vl.pol -p
> >
> >
> > 3) I also noticed with the stable tboot, on a reboot the GETSEC[SEXIT] command is not broadcasted.
> > It is however on a shutdown.
>
> When you say "broadcasted" do you mean it doesn't appear on the serial output? That is likely just due to buffering and when/how the platform actually disables the serial port. If SEXIT were not done, the system could not reboot successfully (it would TXT_RESET and then the subsequent boot could not launch TXT until a power cycle).
>
> > Just to let you know where I am standing at the moment.
>
> Thanks for your comments and we'll try to keep things fixed up better.
>
> > Cheers
> > lIl
> >
> > --
> > GMX SmartSurfer helps you save up to 70% of your online costs!
> > Ideal for modem and ISDN: http://www.gmx.net/de/go/smartsurfer

--
GMX SmartSurfer helps you save up to 70% of your online costs!
Ideal for modem and ISDN: http://www.gmx.net/de/go/smartsurfer
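Joseph's remark that the launch-time code strips the module name from the GRUB module string before measuring, so the policy must be built from the command line without the path, illustrated with an added Python example that is not part of this thread and not tboot's own code. It models the two sides separately: the tool side hashes the command line exactly as given (the role tb_polgen --add plays in the script), while the launch side drops the first token first. The hash composition (SHA-1 of the command-line hash followed by the image hash), the constructed image bytes, and the names strip_module_name, hash_cmdline_and_image, policy_entry, runtime_measurement and policy_matches are assumptions for illustration, not tboot's actual policy format.

```python
import hashlib


def strip_module_name(module_string: str) -> str:
    """Return the GRUB module string minus its first token, the file path.

    GRUB passes e.g. "/xen.gz iommu=1 vtd=1"; the leading "/xen.gz" says
    where the file lives, not what it contains, so the launch-time code
    drops it before measuring. A string that is only a path yields "".
    """
    parts = module_string.strip().split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def hash_cmdline_and_image(cmdline: str, image: bytes) -> str:
    """Combine a command line and an image into one hex measurement.

    Assumed composition for illustration (not tboot's exact format):
    SHA-1( SHA-1(cmdline) || SHA-1(image) ).
    """
    h_cmd = hashlib.sha1(cmdline.encode("utf-8")).digest()
    h_img = hashlib.sha1(image).digest()
    return hashlib.sha1(h_cmd + h_img).hexdigest()


def policy_entry(pcr: int, cmdline: str, image: bytes) -> dict:
    """Tool side: record the PCR and the expected hash for one module.

    The cmdline is hashed exactly as given. The tool cannot know which
    token is a path, so the caller must already have left the path out;
    passing "$XENLINE" with a leading "/xen.gz " bakes the path in.
    """
    return {"pcr": pcr, "hash": hash_cmdline_and_image(cmdline, image)}


def runtime_measurement(grub_module_string: str, image: bytes) -> str:
    """Launch side: strip the module name first, then measure."""
    return hash_cmdline_and_image(strip_module_name(grub_module_string), image)


def policy_matches(entry: dict, grub_module_string: str, image: bytes) -> bool:
    """True when the launch-time measurement equals the policy's hash."""
    return runtime_measurement(grub_module_string, image) == entry["hash"]


if __name__ == "__main__":
    # Constructed stand-in bytes; a real run would read /boot/xen.gz.
    xen = b"constructed stand-in for /boot/xen.gz"
    args = "tboot=0x01019040 iommu=1 vtd=1"
    grub_line = "/xen.gz " + args          # what GRUB hands over at launch

    correct = policy_entry(18, args, xen)              # path left out
    wrong = policy_entry(18, "/xen.gz " + args, xen)   # path included

    print("policy built without path matches:", policy_matches(correct, grub_line, xen))
    print("policy built with path matches:   ", policy_matches(wrong, grub_line, xen))
```

Because the launch side always discards the first token, a policy built from a string that starts with the path will never match, which is the failure Joseph is warning about; conversely, the same policy entry keeps matching if the file is later moved or renamed, since only the arguments and the image bytes enter the hash.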