From: Wu Z. <woo...@gm...> - 2009-01-21 15:02:57
Hello all,
I had a DELL OPTIPLEX 755, and encountered the same question as
described in this thread. I am very happy to see that this thread
provides a workaround.
But because I am very new to tboot, I am not sure if I get it right
and make it correct. Here are some of my questions:
1. How to verify tboot is correctly running? My /etc/grub.conf looks like this:
title Xen-3.3.1 with tBoot
root (hd0,1)
kernel /boot/tboot.gz
module /boot/xen-3.3.1.gz
module /boot/vmlinuz-2.6.18.8-xen root=/dev/sda2
module /boot/initrd-2.6.18.8-xen.img
module /boot/Q35_SINIT_17.BIN
The first few seconds pass by very quickly. I didn't notice any TBOOT
message as below. But the startup is okay.
2. About the workaround process:
> - define the owner index
> - create vl.pol
> - compile with make embed=path_to_vl.pol
> - install tboot
> - create lcp
> - write lcp in owner index
After the above process, I should reboot the system, and try to find
the TBOOT message on the console, right?
And "install tboot" simply means cp tboot.gz to the /boot directory, and
add the following into grub.conf?
title Xen-3.3.1 with tBoot
root (hd0,1)
kernel /boot/tboot.gz
module /boot/xen-3.3.1.gz
module /boot/vmlinuz-2.6.18.8-xen root=/dev/sda2
module /boot/initrd-2.6.18.8-xen.img
module /boot/Q35_SINIT_17.BIN
Thanks,
Wu
> Hello,
>
> I have applied your patch on the tboot.hg
> The patch works well (I had to manually apply the patch for only one line).
>
> And it seems to work:
> ....
> TBOOT: verifying module "/boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3"...
> TBOOT: \0x09 OK
> TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
> TBOOT: TPM error code index not present in embedded policy mode.
> TBOOT: verifying module "/boot/initrd.img-2.6.28-rc5"...
> TBOOT: \0x09 OK
> TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
> TBOOT: TPM error code index not present in embedded policy mode.
> TBOOT: all modules are verified
> ......
>
> I will study the error due to the attempt to write to an undefined index
>
> The steps to use your patch:
>
> - define the owner index
> - create vl.pol
> - compile with make embed=path_to_vl.pol
> - install tboot
> - create lcp
> - write lcp in owner index
>
>
> The drawback is that the tboot.gz can be used for only one entry, and if the policy changes, you should compile tboot....
>
> Thanks a lot for your patch
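
An added example, not part of the original message or of tboot itself: a small Python helper that summarizes a captured TBOOT console log like the one quoted above, listing which modules were reported OK and which TPM NV writes returned a nonzero code. The function name summarize and the embedded sample (copied from the quoted lines) are assumptions for illustration.

```python
import re

# Constructed sample: TBOOT console lines as quoted in the message above.
SAMPLE_LOG = r"""
TBOOT: verifying module "/boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3"...
TBOOT: \0x09 OK
TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
TBOOT: TPM error code index not present in embedded policy mode.
TBOOT: verifying module "/boot/initrd.img-2.6.28-rc5"...
TBOOT: \0x09 OK
TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
TBOOT: TPM error code index not present in embedded policy mode.
TBOOT: all modules are verified
"""

# Capture only the module path; the kernel command line after it is dropped.
VERIFY = re.compile(r'^TBOOT: verifying module "([^\s"]+)[^"]*"\.\.\.$')
NV_WRITE = re.compile(r"^TBOOT: TPM: write nv ([0-9a-f]+),.*return = ([0-9a-f]+)$", re.I)

def summarize(log):
    """Summarize a captured console log (hypothetical helper, not part of tboot)."""
    modules, nv_failures = [], []   # [path, reported OK?] and (index, return code)
    tboot_seen = all_verified = False
    for raw in log.splitlines():
        line = raw.lstrip("> ").rstrip()   # tolerate mail-quoted logs
        if not line.startswith("TBOOT:"):
            continue
        tboot_seen = True
        m = VERIFY.match(line)
        if m:
            modules.append([m.group(1), False])
        elif line.endswith(" OK") and modules:
            modules[-1][1] = True          # result line for the most recent module
        elif line == "TBOOT: all modules are verified":
            all_verified = True
        else:
            w = NV_WRITE.match(line)
            if w and int(w.group(2), 16) != 0:
                nv_failures.append((w.group(1), w.group(2)))
    return {"tboot_seen": tboot_seen,
            "modules": [tuple(m) for m in modules],
            "nv_write_failures": nv_failures,
            "all_verified": all_verified}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A capture with no "TBOOT:" lines at all gives tboot_seen = False, which is the situation described in question 1.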