From: Ross P. <Ros...@ci...> - 2008-11-24 18:19:20
I ran into this issue on the Dell 755 platform. I worked around this by patching tboot to embed the verified launch within the MLE itself. You then only need one index, the owner one 0x40000001 for the LCP policy. Since the verified launch policy is embedded in the MLE, this solution is secure since the LCP hashes over the VL policy too. You also need to forgo the error recording index 0x20000002.

I am attaching a patch I did to make this work on the Dell 755. You basically have to generate the VL policy before building tboot. You use the environment variable "embed=<my vl file>" to pass the policy to embed to the build (either export it or use it on the command line for make). The patch also deals with the missing error NV index. Then you can create the LCP over the tboot image and load that into the owner index.

One thing to note: this patch was based off of the June 2008 tboot code tarball. It will not patch cleanly over the latest tboot stuff. You will either need to work with the June code or modify the patch.

Hope it helps.

Thanks
Ross

-----Original Message-----
From: Cihula, Joseph [mailto:jos...@in...]
Sent: Monday, November 24, 2008 12:31 PM
To: Courtay Olivier; tbo...@li...
Subject: Re: [tboot-devel] Problems on tpmnv_defindex

-----Original Message-----
> From: Courtay Olivier [mailto:Oli...@th...]
> Sent: Monday, November 24, 2008 7:44 AM
>
> My comment begins at the end
>
> -----Original Message-----
> From: Cihula, Joseph [mailto:jos...@in...]
> Sent: Fri 11/21/08 17:44
> To: Courtay Olivier; tbo...@li...
> Subject: RE: Problems on tpmnv_defindex
> > From: Courtay Olivier [mailto:Oli...@th...]
> > Sent: Friday, November 21, 2008 6:36 AM
> >
> > Hello,
> >
> > I try to use tboot directly with the Linux kernel using the Linux patch.
> > I have successfully booted with a 2.6.28-rc5. But I have no policy set in TPM NV.
> > In the past, I have also successfully booted a Xen with policy.
> >
> > After a TPM clean, I try to set policy for my 2.6.28-rc5 kernel on TPM but some problems occurred.
> >
> >
> > # tpmnv_defindex -i owner -p xxxx
> > Haven't input permission value, use default value 0x2
> > Haven't input data size, use default value 34
> > LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
> > LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
> > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_caps_tpm.c:40 RPC_GetTPMCapability_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_auth.c:70 RPC_OSAP_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:53 RPC_NV_DefineOrReleaseSpace_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:83 RPC_NV_DefineOrReleaseSpace_TP: result=21
> > Tspi_NV_DefineSpace failed failed: Insufficient TPM resources (0x0815)
> > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa0b27101
> >
> > Impossible to define this index.
> > I have already defined the index 0x20000002
> >
> > #tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx
> > Successfully defined index 0x20000002 as permission 0x0, data size is 8
> >
> > Defined indices are:
> >
> > # tpmnv_getcap
> >
> > 4 indices have been defined
> > list of indices for defined NV storage areas:
> > 0x10000001 0x50000002 0x50000001 0x20000002
> >
> >
> > I found it very difficult to correctly define and write policy; each time I should do a lot of manipulation before the system works correctly. Am I the only one to have this problem?
> > Sometimes, I should reset the BIOS to reboot the computer...
> >
> > I use Dell Optiplex 755/E8500
>
> I have also seen some spurious errors with TrouSerS. Unfortunately, I have not had the time to track them down, and as the commands still seem to work despite the errors, it has not been a priority. I haven't encountered the issue of having to reboot--I think that is particular to your platform model and you should make sure that you have the latest BIOS.
>
>
> [Begin of my comments]:
> Yes, I have already seen that TrouSerS can return an error even when the command is a success.
> But, in my case the tpmnv_defindex aborts with the "Insufficient TPM resources" error.
> This error seems to be reported by the driver (error 21) and the index is not defined
>
> I found the beginning of a solution: the order of commands is important.
>
> For example, some trace:
>
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x20000002
> # tpmnv_defindex -i owner -p xxxx => Failed with error 21.
> # tpmnv_relindex -i 0x20000002 -p xxxx => OK
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001
> # tpmnv_defindex -i owner -p p xxxx => OK
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
> # tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx => Failed with error 21
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
>
> My BIOS is up-to-date (A11).
>
> Any idea?
>
>
> Thanks,
> Olivier Courtay

The "Insufficient TPM resources" error is due to the TPM on this platform, which only supports 4 NV indices. Three of these are already taken for TCG and TXT support. That means that you can only create one additional index.

Joe
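
Added example (not part of the thread and not tboot code): a shell pre-flight check that parses `tpmnv_getcap` output in the format quoted above and reports whether the owner index 0x40000001 can be defined within a given index limit. The function names and result strings are assumptions made for this example; the limit of 4 is the figure given in the thread for this platform.

```shell
#!/bin/sh
# Added example: pre-flight check before running tpmnv_defindex on a TPM with
# a small NV index budget. Function names and result strings are assumptions.

OWNER_INDEX=0x40000001   # owner index for the LCP policy (from the thread)
ERROR_INDEX=0x20000002   # tboot error recording index (from the thread)

# Constructed sample in the shape of the tpmnv_getcap output quoted above.
SAMPLE_GETCAP='4 indices have been defined
list of indices for defined NV storage areas:
0x10000001 0x50000002 0x50000001 0x20000002'

# list_indices: read tpmnv_getcap output on stdin, print one index per line.
list_indices() {
    tr ' \t' '\n\n' | grep -E '^0x[0-9a-fA-F]{8}$'
}

# tboot_nv_advice LIMIT: read tpmnv_getcap output on stdin and print
#   owner-present                    owner index already defined
#   define-owner                     a slot is free, define the owner index
#   release-error-then-define-owner  TPM is full, error index holds the slot
#   no-slot                          TPM is full with other indices
tboot_nv_advice() {
    limit=$1
    indices=$(list_indices || true)
    count=$(printf '%s\n' "$indices" | grep -c . || true)
    has() { printf '%s\n' "$indices" | grep -qix "$1"; }
    if has "$OWNER_INDEX"; then
        echo owner-present
    elif [ "$count" -lt "$limit" ]; then
        echo define-owner
    elif has "$ERROR_INDEX"; then
        echo release-error-then-define-owner
    else
        echo no-slot
    fi
}

# Live use (needs the TPM tools): tpmnv_getcap | tboot_nv_advice 4
printf '%s\n' "$SAMPLE_GETCAP" | tboot_nv_advice 4
```

The `release-error-then-define-owner` result corresponds to the order that worked in the trace above: release 0x20000002 first, then define the owner index.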