Re: [tboot-devel] tboot policy problems

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Great :) I remember in the past getting some strange error when I
tried to use Xen (without TXT) with TXT enabled in the BIOS - I think
it was something like that virtualization was not enabled (which makes
sense given the way the bit was previously documentet in the IA32
manuals - before TXT was introduced). The reason I wrote before was
just to say that the problem may be more common than one might think
(I actually thought it was a bug in the BIOS for my specific board but
as far as I remember someone wrote it was the same in Intel's own
boards).

Best regards,

Martin Thiim

On Tue, Dec 9, 2008 at 11:55 AM, Ross Philipson
<Ros...@ci...> wrote:
> I hadn't seen that thread - I probably joined more recently than that. I
> agree that it is a perfectly valid configuration set by the vendor BIOS -
> though a bit annoying ;) The only thing we did was to modify Xen a bit to
> print out a more useful message about why it couldn't enable VMX - like
> "check to see if TXT is enabled".
>
> Thanks
> Ross
> ________________________________
> From: Martin Thiim [mailto:ma...@th...]
> Sent: Tue 12/9/2008 3:37 AM
> To: Ross Philipson
> Subject: Re: [tboot-devel] tboot policy problems
>
> Ok, I made a similar observation earlier this year and wrote to the
> list ("Question on feature control bits and some observations") and
> was told that this was actually the "standard" way that BIOS'es should
> handle it (i.e. enabling TXT should disable use of virtualization
> outside of TXT). It is annoying for TXT testers that would also like
> to run a VMWare with hardware acceleration, that's for sure ;) But it
> is up to the BIOS, how it configures the feature control MSR.
>
> Best regards,
>
> Martin Thiim
>
>
> On Tue, Dec 9, 2008 at 1:40 AM, Ross Philipson
> <Ros...@ci...> wrote:
>>> When booting xen there is a message which flashes by about disabling TXT.
>>>  Additionally it seems I am unable to run HVM domains with TXT enabled in
>>> the bios.
>>
>> Yeah I think we added that message in Xen a few months back. We saw that
>> on
>> certain platforms the BIOS was setting up the MSR feature bits to where if
>> you had TXT enabled you had to enter SMX mode to enable VMX mode. It was
>> definitely something OEM BIOS specific - I saw it on a Dell 755.
>>
>> Thanks
>> Ross
>> ________________________________
>> From: Do, Tam T. [mailto:td...@sw...]
>> Sent: Mon 12/8/2008 6:53 PM
>> To: Cihula, Joseph; tbo...@li...
>> Subject: Re: [tboot-devel] tboot policy problems
>>
>> Yes I have already taken ownership auth of the tpm.
>>
>>
>>
>> I get the following output when I run tpmnv_getcap:
>>
>>
>>
>> The response data is:
>>
>> 01 00 00 40 02 00 00 20
>>
>>
>>
>> 2 indices have been defined
>>
>> list of indices for defined NV storage areas:
>>
>> 0x01000040 0x02000020
>>
>>
>>
>> I have also noticed a few strange things about my machine…  When booting
>> xen
>> there is a message which flashes by about disabling TXT.  Additionally it
>> seems I am unable to run HVM domains with TXT enabled in the bios.  This
>> may
>> be a problem with the vendor's bios as this system is fairly new…  I will
>> attempt to update the bios to version A09 from A06 and will update you on
>> the results if any different.
>>
>>
>>
>> Thanks,
>>
>>
>>
>> --Tam Do
>>
>>
>>
>> ________________________________
>>
>> From: Cihula, Joseph [mailto:jos...@in...]
>> Sent: Monday, December 08, 2008 3:43 PM
>> To: Do, Tam T.; tbo...@li...
>> Subject: RE: tboot policy problems
>>
>>
>>
>> And you've taken ownership and set the owner auth to "TPM-password"?  What
>> do you get if you run tpmnv_getcap?
>>
>>
>>
>> Joe
>>
>>
>>
>> From: Do, Tam T. [mailto:td...@sw...]
>> Sent: Monday, December 08, 2008 10:38 AM
>> To: tbo...@li...
>> Subject: Re: [tboot-devel] tboot policy problems
>>
>>
>>
>> Dell Latitude E6500
>>
>>
>>
>> Linux 2.6.18.18.8-xen (unstable build)
>>
>>
>>
>> --Tam Do
>>
>>
>>
>>
>>
>> ________________________________
>>
>> From: Cihula, Joseph [mailto:jos...@in...]
>> Sent: Monday, December 08, 2008 11:44 AM
>> To: Do, Tam T.; tbo...@li...
>> Subject: RE: tboot policy problems
>>
>>
>>
>> What model is your computer and what version of Linux are you using?
>>
>>
>>
>> Joe
>>
>>
>>
>> From: Do, Tam T. [mailto:td...@sw...]
>> Sent: Monday, December 08, 2008 9:00 AM
>> To: tbo...@li...
>> Cc: Cihula, Joseph
>> Subject: tboot policy problems
>>
>>
>>
>>> I am running into some problems with the tpm when following the steps
>>
>>> in /docs/policy.txt to set up a default policy.
>>
>>>
>>
>>> When I reach the step Define tboot error TPM NV index: and enter the
>>
>>> command
>>
>>>
>>
>>> tpmnv_defindex -i 0x20000002 -s 8 pv 0 -rl 0x07 -wl 0x07 -p
>>
>>> TPM-password
>>
>>>
>>
>>> I receive the following error:
>>
>>>
>>
>>> Tspi_NV_DefineSpace failed failed: Unknown (0x8fffffff) Command
>>
>>> DefIndex failed:
>>
>>>      TSS API failed
>>
>>
>>
>> I have verified that the tpm_tis driver has been properly loaded and the
>> pcrs file contains non-0 values.
>>
>>
>>
>> When running trousers in the foreground with debug options enabled I
>> receive
>> the following output:
>>
>>
>>
>> TCSD TDDL ioctl: (25) Inappropriate ioctl for device
>>
>> TCSD TDDL Falling back to Read/Write device support.
>>
>> TCSD trousers 0.3.1: TCSD up and running
>>
>>
>>
>> Thanks,
>>
>>
>>
>> --Tam Do
>>
>>
>> ------------------------------------------------------------------------------
>> SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas,
>> Nevada.
>> The future of the web can't happen without you.  Join us at MIX09 to help
>> pave the way to the Next Web now. Learn more and register at
>>
>> http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
>> _______________________________________________
>> tboot-devel mailing list
>> tbo...@li...
>> https://lists.sourceforge.net/lists/listinfo/tboot-devel
>>
>>
>