Menu
▾
▴
Re: [tboot-devel] verifying module against policy failed
|
From: Charles B. <bus...@gm...> - 2013-03-27 17:50:20
|
Charles F.,
Alright, I looked a bit more into this and tried to run something along
these lines:
#Hash tboot.gz
lcp_mlehash –c "logging=vga,serial,memory vga_delay=10 loglvl=all"
/boot/tboot.gz > tboot_hash
#Create the MLE Element
lcp_crtpolelt --create --type mle --ctrl 0x00 --minver 17 --out mle.elt
tboot_hash
#Get current pcr's
export pcr_file=`find /sys/devices -name pcrs`
cat $pcr_file | grep -e PCR-00 -e PCR-01 > pcrs
#Create PCONF element
lcp_crtpolelt --create --type pconf --out pconf.elt pcrs
#Create CUSTOM element (this references the VLP .pol file)
lcp_crtpolelt --create --type custom --out custom.elt --uuid tboot
vl_ver1.pol
#Combine the elements into an unsigned list
lcp_crtpollist --create --out list_unsig.lst mle.elt pconf.elt custom.elt
#Sign the list
openssl genrsa -out privkey.pem 2048
openssl rsa -pubout -in privkey.pem -out pubkey.pem
cp list_unsig.lst list_sig.lst
lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out list_sig.lst
lcp_crtpol2 --create --type list --pol list.pol --data list.data
list_{unsig,sig}.lst
#Write the policy to nvram
lcp_writepol -i owner -f list.pol -p $TPM_PASS
When I tried to run this, it spit out the following. I had to transcribe
this myself as I don't have access to the serial printout right now. Since
it wont boot, just restarts after trying to execute SENTER, I can't access
txt-stat either.
TBOOT: TPM: get capability, return value = 00000002
TBOOT: TPM: fail to get public data of 0x20000001 in TPM NV
TBOOT: :reading failed
<I expected this, because I removed the 20000001 index to try and narrow
down the problem>
TBOOT: reading Launch Control Policy from TPM NV...
TBOOT: :54 bytes read
TBOOT: no LCP module found
TBOOT: :reading failed
TBOOT: failed to read policy from TPM NV, using default
TBOOT: policy:
<default policy>
TBOOT: no policy in TPM NV.
<continued on like normal, then rebooted the machine when trying to execute
SENTER>
Any thoughts?
-Charles B.
On Tue, Mar 26, 2013 at 11:16 AM, Charles Bushong <bus...@gm...>wrote:
> Charles F,
>
> You're right. I haven't written anything to the owner index. It seems in
> my shuffling of various configurations, that part was lost. The problem
> is, now that I'm writing this, it's stopping on SENTER and rebooting the
> system. I have tried with the following configurations:
>
> ###Attempt 1
> ###VLP
>
> tb_polgen --create --type nonfatal vl_ver1.pol
> tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "ro
> root=/dev/mapper/vg_penguin-lv_root intel_iommu=on rd_NO_LUKS
> rd_LVM_LV=vg_penguin/lv_swap rd_LVM_LV=vg_penguin/lv_root rd_NO_MD quiet
> SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto LANG=en_US.UTF-8
> KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet reboot=pci max_loop=255"
> --image /boot/vmlinuz-2.6.32-279.5.1.el6.x86_64 vl_ver1.pol
> tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "" --image
> /boot/initramfs-2.6.32-279.5.1.el6.x86_64.img vl_ver1.pol
>
> #### Create and write Launch Control Policy (LCPv1)
> lcp_mlehash -c "logging=vga,serial,memory loglvl=all" /boot/tboot.gz >
> mle_hash
> lcp_crtpol -t hashonly -m mle_hash -o lcp_v1.pol
>
> lcp_writepol -i owner -f lcp_v1.pol -p $TPM_PASS
>
> lcp_writepol -i 0x20000001 -f vl_ver1.pol -p $TPM_PASS
>
> #### Result: Instant system reset once it hit SENTER
>
> ####Attempt 2
> ###VLP
>
> tb_polgen --create --type nonfatal vl_ver1.pol
> tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "ro
> root=/dev/mapper/vg_penguin-lv_root intel_iommu=on rd_NO_LUKS
> rd_LVM_LV=vg_penguin/lv_swap rd_LVM_LV=vg_penguin/lv_root rd_NO_MD quiet
> SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto LANG=en_US.UTF-8
> KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet reboot=pci max_loop=255"
> --image /boot/vmlinuz-2.6.32-279.5.1.el6.x86_64 vl_ver1.pol
> tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "" --image
> /boot/initramfs-2.6.32-279.5.1.el6.x86_64.img vl_ver1.pol
>
> ###LCPv2
> lcp_mlehash –c "logging=vga,serial,memory loglvl=all" /boot/tboot.gz >
> tboot_hash
> lcp_crtpolelt --create --type mle --ctrl 0x00 --out mle.elt tboot_hash
> lcp_crtpollist --create --out list_unsig.lst mle.elt
> lcp_crtpol2 --create --type list --pol list.pol --data list.data
> list_unsig.lst
> cp list.data /boot
>
> tcsd
> lcp_writepol -i owner -f list.pol -p $TPM_PASS
>
> lcp_writepol -i 0x20000001 -f vl_ver1.pol -p $TPM_PASS
>
> ###Add /list.data to /boot/grub/grub.conf
>
> #### Result: Instant system reset once it hit SENTER
>
> The processor is a Xeon X5675. I'll keep playing around with the LCP,
> because it seems like this might be the root of my problems. Any insight
> you can offer would be a big help.
>
> -Charles B.
>
>
> On Mon, Mar 25, 2013 at 9:14 PM, <Cha...@gd...> wrote:
>
>> There appear to be a couple of things that I don’t understand. It appears
>> that while you have written you VL policy, you haven’t written a Launch
>> Control Policy (which goes in the owner NV index). What your LCP will be
>> depends on the processor, which you didn’t mention in you post. That is the
>> place the tboot is validated by the SINIT module, and then when it returns
>> tboot validates the remainder of the modules in grub.****
>>
>> ** **
>>
>> It may be possible to do what you tried, but I have always had to have a
>> LCP, which is where tboot and it command line are validated, so the first
>> tb_polgen line is the one for vmlinuz-2.6.32-279…****
>>
>> ** **
>>
>> Charles****
>>
>> ** **
>>
>> *From:* Charles Bushong [mailto:bus...@gm...]
>> *Sent:* Monday, March 25, 2013 8:52 AM
>> *To:* tbo...@li...
>> *Subject:* [tboot-devel] verifying module against policy failed****
>>
>> ** **
>>
>> Hi all,****
>>
>> I'm trying to get tboot up and running for my first time, and this list
>> has been a great help. However it seems I'm running into some problems
>> when actually validating the modules. I was hoping someone might have some
>> insight as to what I'm doing wrong. I'm using tboot 1.7.3 and legacy grub
>> if it makes a difference.****
>>
>> I get ownership and define the nvram indicies without much issue
>> (finally). Then I create and write the v1 policy with this:
>>
>> tb_polgen --create --type nonfatal vl_ver1.pol
>> tb_polgen --add --num 0 --pcr 18 --hash image --cmdline
>> "logging=vga,serial,memory loglvl=all" --image /boot/tboot.gz vl_ver1.pol
>> tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "$kernel_cmdline"
>> --image /boot/vmlinuz-2.6.32-279.5.1.el6.x86_64 vl_ver1.pol
>> tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image
>> /boot/initramfs-2.6.32-279.5.1.el6.x86_64.img vl_ver1.pol
>> lcp_writepol -i 0x20000001 -f vl_ver1.pol -p $TPM_PASS****
>>
>> There are a few red flags that are sticking out to me.****
>>
>> 1) Does this post-GETSEC[SENTER] error code mean anything?****
>>
>> TBOOT: TXT.ERRORCODE: 0xc0000001
>> TBOOT: AC module error : acm_type=0x1, progress=0x00, error=0x0****
>>
>> ** **
>>
>> 2) Modules failing.
>> TBOOT: verifying module "
>> /vmlinuz-2.6.32-279.5.1.el6.x86_64 (kernel command line)"...
>> TBOOT: verification failed
>> TBOOT: verifying module against policy failed.
>> TBOOT: verifying module "
>> /initramfs-2.6.32-279.5.1.el6.x86_64.img"...
>> TBOOT: verification failed
>> TBOOT: verifying module against policy failed.
>> TBOOT: all modules are verified****
>>
>> I can't figure out why it's reading the policy without issue, getting
>> into GETSEC[SENTER], and then still failing the policy check. Any help or
>> points in the right direction would be appreciated. Thanks!****
>>
>>
>> ****
>>
>> -Charles****
>>
>
>
|