From: Cihula, J. <jos...@in...> - 2008-11-27 07:07:32
I believe the index that it is reporting is the tboot error code index (0x20000002).

Joe

> -----Original Message-----
> From: Ross Philipson [mailto:Ros...@ci...]
> Sent: Tuesday, November 25, 2008 11:35 AM
> To: Courtay Olivier; tbo...@li...
> Subject: Re: [tboot-devel] Problems on tpmnv_defindex
>
> Yeah, the line about the error code index not being there is expected. I thought the patch got
> rid of the attempts to even write the index but that is all that is wrong there.
>
> That is the drawback to this but it is really just a workaround for a hardware issue.
>
> Thanks
> Ross
>
>
> -----Original Message-----
> From: Courtay Olivier [mailto:Oli...@th...]
> Sent: Tuesday, November 25, 2008 12:37 PM
> To: Ross Philipson; tbo...@li...
> Subject: RE : [tboot-devel] Problems on tpmnv_defindex
>
> Hello,
>
> I have applied your patch on the tboot.hg
> The patch works well (I had to manually apply the patch for only one line).
>
> And it seems to work:
> ....
> TBOOT: verifying module "/boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3"...
> TBOOT: \0x09 OK
> TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
> TBOOT: TPM error code index not present in embedded policy mode.
> TBOOT: verifying module "/boot/initrd.img-2.6.28-rc5"...
> TBOOT: \0x09 OK
> TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
> TBOOT: TPM error code index not present in embedded policy mode.
> TBOOT: all modules are verified
> ......
>
> I will study the error due to the attempt to write to an undefined index
>
> The steps to use your patch:
>
> - define the owner index
> - create vl.pol
> - compile with make embed=path_to_vl.pol
> - install tboot
> - create lcp
> - write lcp in owner index
>
>
> The drawback is that the tboot.gz can be used for only one entry and if the policy changes, you
> should compile tboot....
>
> Thanks a lot for your patch
>
> Olivier
>
>
> -------- Original Message --------
> From: Ross Philipson [mailto:Ros...@ci...]
> Date: Mon. 11/24/08 19:19
> To: Cihula, Joseph; Courtay Olivier; tbo...@li...
> Subject: RE: [tboot-devel] Problems on tpmnv_defindex
>
> I ran into this issue on the Dell 755 platform. I worked around this by
> patching tboot to embed the verified launch within the MLE itself. You
> then only need one index, the owner one 0x40000001 for the LCP policy.
> Since the verified launch policy is embedded in the MLE, this solution
> is secure since the LCP hashes over the VL policy too. You also need to
> forgo the error recording index 0x20000002.
>
> I am attaching a patch I did to make this work on the Dell 755. You
> basically have to generate the VL policy before building tboot. You use
> the environment variable "embed=<my vl file>" to pass the policy to
> embed to the build (either export it or use it on the command line for
> make). The patch also deals with the missing error NV index. Then you
> can create the LCP over the tboot image and load that into the owner
> index.
>
> One thing to note; this patch was based off of the June 2008 tboot code
> tarball. It will not patch cleanly over the latest tboot stuff. You will
> either need to work with the June code or modify the patch. Hope it
> helps.
>
> Thanks
> Ross
>
> -----Original Message-----
> From: Cihula, Joseph [mailto:jos...@in...]
> Sent: Monday, November 24, 2008 12:31 PM
> To: Courtay Olivier; tbo...@li...
> Subject: Re: [tboot-devel] Problems on tpmnv_defindex
> > -----Original Message-----
> > From: Courtay Olivier [mailto:Oli...@th...]
> > Sent: Monday, November 24, 2008 7:44 AM
> >
> > My comment begins at the end
> >
> > -----Original Message-----
> > From: Cihula, Joseph [mailto:jos...@in...]
> > Sent: Fri 11/21/08 17:44
> > To: Courtay Olivier; tbo...@li...
> > Subject: RE: Problems on tpmnv_defindex
> > > From: Courtay Olivier [mailto:Oli...@th...]
> > > Sent: Friday, November 21, 2008 6:36 AM
> > >
> > > Hello,
> > >
> > > I try to use tboot directly with the linux kernel using linux patch.
> > > I have successfully booted with a 2.6.28-rc5. But I have no policy set in TPM NV.
> > > In the past, I have also successfully booted a Xen with policy.
> > >
> > > After a TPM clean, I try to set policy for my 2.6.28-rc5 kernel on TPM but some problems
> > > occurred.
> > >
> > >
> > > # tpmnv_defindex -i owner -p xxxx
> > > Haven't input permission value, use default value 0x2
> > > Haven't input data size, use default value 34
> > > LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
> > > LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa0b27101
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_caps_tpm.c:40 RPC_GetTPMCapability_TP: TCS Context: 0xa0b27101
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_auth.c:70 RPC_OSAP_TP: TCS Context: 0xa0b27101
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:53 RPC_NV_DefineOrReleaseSpace_TP: TCS Context: 0xa0b27101
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:83 RPC_NV_DefineOrReleaseSpace_TP: result=21
> > > Tspi_NV_DefineSpace failed failed: Insufficient TPM resources (0x0815)
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa0b27101
> > >
> > > Impossible to define this index.
> > > I have already defined the index 0x20000002
> > >
> > > #tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx
> > > Successfully defined index 0x20000002 as permission 0x0, data size is 8
> > >
> > > Defined indices are:
> > >
> > > # tpmnv_getcap
> > >
> > > 4 indices have been defined
> > > list of indices for defined NV storage areas:
> > > 0x10000001 0x50000002 0x50000001 0x20000002
> > >
> > >
> > > I find it very difficult to correctly define and write the policy; each time I have to do a lot
> > > of manipulation before the system works correctly. Am I the only one to have this problem?
> > > Sometimes, I have to reset the BIOS to reboot the computer...
> > >
> > > I use Dell Optiplex 755/E8500
> >
> > I have also seen some spurious errors with TrouSerS. Unfortunately, I have not had the time
> > to track them down, and as the commands still seem to work despite the errors, it has not been
> > a priority. I haven't encountered the issue of having to reboot--I think that is particular
> > to your platform model and you should make sure that you have the latest BIOS.
> >
> >
> > [Beginning of my comments]:
> > Yes, I have already seen that trousers can return an error even when the command is a success.
> > But, in my case the tpmnv_defindex aborts with "Insufficient TPM resources" error.
> > This error seems to be reported by the driver (error 21) and the index is not defined
> >
> > I found the beginning of a solution: the order of commands is important.
> >
> > For example, some trace:
> >
> > # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x20000002
> > # tpmnv_defindex -i owner -p xxxx => Failed with error 21.
> > # tpmnv_relindex -i 0x20000002 -p xxxx => OK
> > # tpmnv_getcap => 0x10000001 0x50000002 0x50000001
> > # tpmnv_defindex -i owner -p p xxxx => OK
> > # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
> > # tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx => Failed with error 21
> > # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
> >
> > My Bios is up-to-date (A11).
> >
> > Any idea?
> >
> >
> > Thanks,
> > Olivier Courtay
>
> The "Insufficient TPM resources" error is due to the TPM on this
> platform, which only supports 4 NV indices. Three of these are already
> taken for TCG and TXT support. That means that you can only create one
> additional index.
>
> Joe
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> tboot-devel mailing list
> tbo...@li...
> https://lists.sourceforge.net/lists/listinfo/tboot-devel
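
Added example (not part of the thread and not tboot code): a pre-flight check over `tpmnv_getcap` output that reports what must happen before the owner index can hold the LCP in the embedded-policy setup described above. The function names and the sample text are constructed here; the limit of 4 indices is the one stated in the thread for this platform and is an assumption on any other TPM.

```shell
#!/bin/sh
# Constructed sample: tpmnv_getcap output as quoted in the thread.
SAMPLE_GETCAP='4 indices have been defined
list of indices for defined NV storage areas:
0x10000001 0x50000002 0x50000001 0x20000002'

NV_LIMIT=4              # per the thread: this platform's TPM supports only 4 NV indices
OWNER_INDEX=0x40000001  # owner index that holds the LCP (from the thread)
ERROR_INDEX=0x20000002  # tboot error code index (from the thread)

# Print each 0x-prefixed 32-bit index found in tpmnv_getcap output, one per line.
list_indices() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | grep -E '^0x[0-9A-Fa-f]{8}$' || true
}

# has_index <getcap output> <index>: succeeds if the index is already defined.
has_index() {
    list_indices "$1" | grep -qixF "$2"
}

# Decide what is needed before the LCP can be written to the owner index.
# Prints: ready | define-owner | release-error-then-define-owner | full
plan_owner_index() {
    out=$1
    count=$(list_indices "$out" | wc -l | tr -d ' ')
    if has_index "$out" "$OWNER_INDEX"; then
        echo ready                            # owner index exists, write the LCP
    elif [ "$count" -lt "$NV_LIMIT" ]; then
        echo define-owner                     # a free slot remains
    elif has_index "$out" "$ERROR_INDEX"; then
        echo release-error-then-define-owner  # give up error recording first
    else
        echo full                             # no slot that this setup can free
    fi
}

# On a live system, pass "$(tpmnv_getcap)" instead of the constructed sample.
plan_owner_index "$SAMPLE_GETCAP"
```

For the constructed sample the result matches the order of commands in the trace above: release 0x20000002 first, then define the owner index.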