From: Ross P. <Ros...@ci...> - 2008-12-02 13:44:24
Seiji,
Yeah, I saw the same thing when I was trying to get it to work. I forced
it to load and saw the status check fail in the debugger. I think I
tried working around the issue at the time by ignoring the status but
something failed downstream and I couldn't use the iTPM even though the
driver loaded and was ready. Did you actually try sending it work to do -
you may find it still doesn't work? Anyway it was a while ago so I don't
remember all the details.
Thanks
Ross
-----Original Message-----
From: Seiji Munetoh [mailto:sei...@gm...]
Sent: Tuesday, December 02, 2008 2:08 AM
To: Cihula, Joseph
Cc: tbo...@li...; tpmdd-devel; Marcin Obara
Subject: Re: [tboot-devel] [tpmdd-devel] TPM driver problem on GM45
On Tue, Dec 2, 2008 at 7:29 AM, Cihula, Joseph <jos...@in...>
wrote:
>> From: Seiji Munetoh [mailto:sei...@gm...]
>> Sent: Monday, December 01, 2008 2:24 PM
>>
>> On Mon, Dec 1, 2008 at 4:53 PM, Marcin Obara
>> <mar...@us...> wrote:
>> > 2008/12/1 Seiji Munetoh <sei...@gm...>:
>> >> 2008/11/28 Marcin Obara <mar...@us...>:
>> >>> Linux is not supported by iTPM on these mobile platforms.
>> >>> iTPM on these platforms will work only with Windows OS-es.
>> >>
>> >> So, do we need special driver to access the iTPM?
>> >
>> > It is not driver issue. It is platform design.
>> > iTPM on these (mobile) platforms was designed to work only with
>> > Windows OS-es. It is not possible to use any TPM Linux driver on these
>> > platforms.
>> > iTPM on other (desktop) platforms should work with standard Linux -
>> > tpm_tis driver.
>>
>> So we can't use tboot & xen also on these platforms:-(
>>
>> thanks,
>> Seiji
>
> (cross-posting to tboot-devel since this question concerns that project)
>
> tboot will work fine on these systems, since it accesses
> the TPM directly through its MMIO interface. You will just have
> to use a non-Linux environment and tools to provision the
> TXT LCP and tboot policy indices.
I think the tpm_tis driver also uses MMIO.
I have taken a look at the details, and it seems there are two problems:
- iTPM on GM45 does not support PNP
- It returns a wrong TIS status???
Here is a quick-and-dirty fix:
1) modify the status check of the tpm_tis_send() function,
e.g.
- if ((status & TPM_STS_DATA_EXPECT) == 0) {
+ if ((status & TPM_STS_VALID) == 0) {
and rebuild the tpm_tis driver
2) Force device probe rather than using ACPI entry
/sbin/modprobe tpm_tis force=1
if it returns error, try again.
then you can access the iTPM on GM45 from Linux.
regards,
Seiji
_______________________________________________
tboot-devel mailing list
tbo...@li...
https://lists.sourceforge.net/lists/listinfo/tboot-devel
From: Ross P. <Ros...@ci...> - 2008-12-02 13:31:14
I wanted to ask since there is something that doesn't quite make sense here. The Linux tpm_tis driver clearly uses MMIO to access the TPM registers so it should work as does any other OS code. Also if the Windows OS can access the iTPM then Linux should arguably also be able to. So I guess it must be some difference in the iTPM interface that makes the standard tpm_tis (presumably 1.2 compliant) driver just not work. Is that accurate?

> > It is not possible to use any TPM Linux driver on these platforms.

I don't understand why that would be the case. There may be none that currently are able to but they should be able to be modified to access it (just as Windows drivers access it).

Thanks
Ross

-----Original Message-----
From: Cihula, Joseph [mailto:jos...@in...]
Sent: Monday, December 01, 2008 5:30 PM
To: Seiji Munetoh; Marcin Obara
Cc: tbo...@li...; tpmdd-devel
Subject: Re: [tboot-devel] [tpmdd-devel] TPM driver problem on GM45

> From: Seiji Munetoh [mailto:sei...@gm...]
> Sent: Monday, December 01, 2008 2:24 PM
>
> On Mon, Dec 1, 2008 at 4:53 PM, Marcin Obara
> <mar...@us...> wrote:
> > 2008/12/1 Seiji Munetoh <sei...@gm...>:
> >> 2008/11/28 Marcin Obara <mar...@us...>:
> >>> Linux is not supported by iTPM on these mobile platforms.
> >>> iTPM on these platforms will work only with Windows OS-es.
> >>
> >> So, do we need special driver to access the iTPM?
> >
> > It is not driver issue. It is platform design.
> > iTPM on these (mobile) platforms was designed to work only with
> > Windows OS-es. It is not possible to use any TPM Linux driver on these
> > platforms.
> > iTPM on other (desktop) platforms should work with standard Linux -
> > tpm_tis driver.
>
> So we can't use tboot & xen also on these platforms:-(
>
> thanks,
> Seiji

(cross-posting to tboot-devel since this question concerns that project)

tboot will work fine on these systems, since it accesses the TPM directly through its MMIO interface. You will just have to use a non-Linux environment and tools to provision the TXT LCP and tboot policy indices.

Joe
From: Seiji M. <sei...@gm...> - 2008-12-02 09:49:40
On Tue, Dec 2, 2008 at 4:08 PM, Seiji Munetoh
> I think the tpm_tis driver also uses MMIO.
> I have taken a look at the details, and it seems there are two problems:
> - iTPM on GM45 does not support PNP
It has the following entry in DSDT.
---
<snip>
Device (TPM)
{
    Method (_HID, 0, NotSerialized)
    {
        TPHY (0x00)
        If (LEqual (TPMV, 0x01))
<snip>
---
However, Linux PNP detects the device based on the EisaID.
Also, I have checked the TCG ACPI Specification; it does not
require an EisaID as the _HID.
---
_HID
Named object that provides the interface's Plug and Play
identifier. This value may be TPM vendor specific. _HID is
a standard device configuration control method defined in
the ACPI Specification.
Required only for devices that do not have standard enumeration mechanism.
---
We can use the device by modprobe with the force=1 option.
But it may have power management issues.
regards,
Seiji
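For the PNP matching point in the message above, here is an added example (not code from the thread, from Seiji, or from the Linux kernel) that decodes and encodes the compressed 32-bit EISA ID form an ACPI _HID may carry, which is what PNP matching turns back into a seven-character ID. "PNP0C31" as the TCG-defined TPM PNP ID and 0x310CD041 as its compressed encoding are facts supplied here, not values taken from the thread.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a compressed EISA ID (ACPI EISAID() layout, little-endian DWord:
 * byte 0 = reserved bit + first letter + top 2 bits of the second letter,
 * byte 1 = low 3 bits of the second letter + third letter,
 * bytes 2-3 = the four hex digits) into out, which needs 8 bytes.
 * Returns 0 on success, -1 if the value is not a valid compressed ID. */
int eisaid_decode(uint32_t id, char out[8])
{
    uint8_t b0 = id & 0xff, b1 = (id >> 8) & 0xff;
    uint8_t b2 = (id >> 16) & 0xff, b3 = (id >> 24) & 0xff;
    int c[3];

    if (b0 & 0x80)                     /* reserved bit must be zero */
        return -1;
    c[0] = (b0 >> 2) & 0x1f;           /* letters are 1..26, 'A' = 1 */
    c[1] = ((b0 & 0x03) << 3) | ((b1 >> 5) & 0x07);
    c[2] = b1 & 0x1f;
    for (int i = 0; i < 3; i++) {
        if (c[i] < 1 || c[i] > 26)
            return -1;
        out[i] = (char)('A' + c[i] - 1);
    }
    snprintf(out + 3, 5, "%02X%02X", b2, b3);   /* four upper-case hex digits */
    return 0;
}

/* Encode a seven-character ID (three upper-case letters, four hex digits).
 * Returns 0 for a malformed ID; 0 can never be a valid encoding because the
 * first letter alone makes byte 0 at least 4. */
uint32_t eisaid_encode(const char *s)
{
    unsigned hi, lo;
    int l0, l1, l2;

    if (strlen(s) != 7)
        return 0;
    for (int i = 0; i < 3; i++)
        if (s[i] < 'A' || s[i] > 'Z')
            return 0;
    for (int i = 3; i < 7; i++)
        if (!isxdigit((unsigned char)s[i]))
            return 0;
    if (sscanf(s + 3, "%2x%2x", &hi, &lo) != 2)
        return 0;
    l0 = s[0] - 'A' + 1; l1 = s[1] - 'A' + 1; l2 = s[2] - 'A' + 1;
    return (uint32_t)((l0 << 2) | (l1 >> 3))
         | (uint32_t)(((l1 & 0x07) << 5) | l2) << 8
         | (uint32_t)hi << 16 | (uint32_t)lo << 24;
}

/* 1 if id decodes to "PNP0C31", the TCG-defined TPM PNP ID that a TIS
 * driver's PNP id table is matched against; 0 otherwise. */
int hid_is_tpm(uint32_t id)
{
    char buf[8];
    return eisaid_decode(id, buf) == 0 && strcmp(buf, "PNP0C31") == 0;
}

/* Encode-then-decode check: 1 if s survives the round trip unchanged. */
int eisaid_roundtrip(const char *s)
{
    char buf[8];
    uint32_t id = eisaid_encode(s);
    return id != 0 && eisaid_decode(id, buf) == 0 && strcmp(buf, s) == 0;
}

int main(void)
{
    char buf[8];
    printf("PNP0C31 -> 0x%08X\n", (unsigned)eisaid_encode("PNP0C31"));
    if (eisaid_decode(0x310CD041u, buf) == 0)
        printf("0x310CD041 -> %s, tpm=%d\n", buf, hid_is_tpm(0x310CD041u));
    return 0;
}
```

A _HID that is evaluated from a Method, as in the DSDT fragment above, can still return either this integer form or a plain string; the decoder only covers the compressed integer case.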
From: Seiji M. <sei...@gm...> - 2008-12-02 07:08:23
On Tue, Dec 2, 2008 at 7:29 AM, Cihula, Joseph <jos...@in...> wrote:
>> From: Seiji Munetoh [mailto:sei...@gm...]
>> Sent: Monday, December 01, 2008 2:24 PM
>>
>> On Mon, Dec 1, 2008 at 4:53 PM, Marcin Obara
>> <mar...@us...> wrote:
>> > 2008/12/1 Seiji Munetoh <sei...@gm...>:
>> >> 2008/11/28 Marcin Obara <mar...@us...>:
>> >>> Linux is not supported by iTPM on these mobile platforms.
>> >>> iTPM on these platforms will work only with Windows OS-es.
>> >>
>> >> So, do we need special driver to access the iTPM?
>> >
>> > It is not driver issue. It is platform design.
>> > iTPM on these (mobile) platforms was designed to work only with
>> > Windows OS-es. It is not possible to use any TPM Linux driver on these
>> > platforms.
>> > iTPM on other (desktop) platforms should work with standard Linux -
>> > tpm_tis driver.
>>
>> So we can't use tboot & xen also on these platforms:-(
>>
>> thanks,
>> Seiji
>
> (cross-posting to tboot-devel since this question concerns that project)
>
> tboot will work fine on these systems, since it accesses
> the TPM directly through its MMIO interface. You will just have
> to use a non-Linux environment and tools to provision the
> TXT LCP and tboot policy indices.
I think the tpm_tis driver also uses MMIO.
I have taken a look at the details, and it seems there are two problems:
- iTPM on GM45 does not support PNP
- It returns a wrong TIS status???
Here is a quick-and-dirty fix:
1) modify the status check of the tpm_tis_send() function,
e.g.
- if ((status & TPM_STS_DATA_EXPECT) == 0) {
+ if ((status & TPM_STS_VALID) == 0) {
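Review bot: swapping TPM_STS_DATA_EXPECT for TPM_STS_VALID in this check does not correct the status test, it removes it: VALID only means the contents of the status register can be trusted and says nothing about whether the TPM consumed the bytes just written, so the relaxed condition will practically never fail and a TPM that stops accepting data mid-command is no longer reported as an I/O error. If the GM45 iTPM genuinely never raises DATA_EXPECT, gate the relaxed test on a per-device quirk flag (set, for instance, when the device was probed with force=1) rather than changing it for every TPM, and log the raw status value when DATA_EXPECT is unexpectedly clear so the real cause can be identified instead of masked.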
and rebuild the tpm_tis driver
2) Force device probe rather than using ACPI entry
/sbin/modprobe tpm_tis force=1
if it returns error, try again.
then you can access the iTPM on GM45 from Linux.
regards,
Seiji
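To show what the status check in step 1 of the message above actually verifies, here is an added example (not code from the thread, from Seiji, or from the Linux tpm_tis driver): a user-space model of the tpm_tis_send() burst loop driven by a constructed fake TIS device, with the original TPM_STS_DATA_EXPECT check beside the relaxed TPM_STS_VALID check. The fake's burst count of 4, its 10-byte command, and its "hide DATA_EXPECT" quirk are assumptions modelled on the symptom reported in this thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TIS status register bits (TCG PC Client TIS 1.2; same names as tpm_tis.c). */
#define TPM_STS_VALID        0x80
#define TPM_STS_GO           0x20
#define TPM_STS_DATA_EXPECT  0x08

/* Fake TIS device standing in for the MMIO registers (constructed for this
 * example): a FIFO, the number of bytes the TPM accepts for the current
 * command, and a quirk switch that hides DATA_EXPECT (iTPM-like). */
struct fake_tis {
    uint8_t fifo[64];
    size_t  fifo_len;
    size_t  accepts;       /* bytes the TPM wants for this command */
    int     hide_expect;   /* 1: never raise DATA_EXPECT */
    int     go_issued;     /* driver would have written TPM_STS_GO */
};

/* TPM_STS read: VALID says the other bits may be trusted; DATA_EXPECT says
 * the TPM still expects more command bytes. */
static uint8_t fake_read_status(const struct fake_tis *t)
{
    uint8_t sts = TPM_STS_VALID;
    if (!t->hide_expect && t->fifo_len < t->accepts)
        sts |= TPM_STS_DATA_EXPECT;
    return sts;
}

/* TPM_DATA_FIFO write: bytes beyond what the command needs are dropped. */
static void fake_write_fifo(struct fake_tis *t, uint8_t b)
{
    if (t->fifo_len < t->accepts && t->fifo_len < sizeof t->fifo)
        t->fifo[t->fifo_len++] = b;
}

/* Model of the tpm_tis_send() burst loop. strict=1 keeps the original
 * DATA_EXPECT checks; strict=0 is the thread's quick fix, which tests only
 * VALID between bursts. Returns 0 on success, -1 where the kernel gives -EIO. */
int tis_send(struct fake_tis *t, const uint8_t *buf, size_t len, int strict)
{
    const size_t burst = 4;  /* stand-in for the hardware burst count */
    size_t count = 0;
    uint8_t status;

    if (len == 0)
        return -1;
    while (count < len - 1) {
        for (size_t n = 0; n < burst && count < len - 1; n++)
            fake_write_fifo(t, buf[count++]);
        status = fake_read_status(t);
        if (strict ? (status & TPM_STS_DATA_EXPECT) == 0
                   : (status & TPM_STS_VALID) == 0)
            return -1;       /* original: TPM stopped expecting data */
    }
    fake_write_fifo(t, buf[count]);             /* last byte */
    status = fake_read_status(t);
    if (strict && (status & TPM_STS_DATA_EXPECT) != 0)
        return -1;           /* TPM still wants bytes: length mismatch */
    t->go_issued = 1;        /* the real driver now writes TPM_STS_GO */
    return 0;
}

/* Constructed 10-byte command; its contents do not matter to the fake. */
static const uint8_t cmd[10] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };

/* One scenario: a TPM accepting `accepts` bytes, with or without the quirk,
 * driven by the strict or relaxed check. Returns tis_send()'s rc. */
int scenario_rc(int hide_expect, size_t accepts, int strict)
{
    struct fake_tis t = { .accepts = accepts, .hide_expect = hide_expect };
    return tis_send(&t, cmd, sizeof cmd, strict);
}

/* Same scenario; returns how many bytes the TPM held when GO was issued,
 * or 0 if the send was rejected. */
size_t scenario_landed(int hide_expect, size_t accepts, int strict)
{
    struct fake_tis t = { .accepts = accepts, .hide_expect = hide_expect };
    if (tis_send(&t, cmd, sizeof cmd, strict) != 0 || !t.go_issued)
        return 0;
    return t.fifo_len;
}

int main(void)
{
    printf("iTPM-like: strict rc=%d, relaxed rc=%d\n",
           scenario_rc(1, 10, 1), scenario_rc(1, 10, 0));
    printf("TPM accepting 8 of 10 bytes: strict rc=%d, relaxed rc=%d "
           "(GO issued with %zu bytes)\n",
           scenario_rc(0, 8, 1), scenario_rc(0, 8, 0), scenario_landed(0, 8, 0));
    return 0;
}
```

The relaxed check lets the iTPM-like device through, but it also lets a command whose byte count disagrees with what the TPM accepts proceed to GO with only part of it delivered, which the original check rejects before the command is started.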
From: Cihula, J. <jos...@in...> - 2008-12-01 22:30:04
> From: Seiji Munetoh [mailto:sei...@gm...]
> Sent: Monday, December 01, 2008 2:24 PM
>
> On Mon, Dec 1, 2008 at 4:53 PM, Marcin Obara
> <mar...@us...> wrote:
> > 2008/12/1 Seiji Munetoh <sei...@gm...>:
> >> 2008/11/28 Marcin Obara <mar...@us...>:
> >>> Linux is not supported by iTPM on these mobile platforms.
> >>> iTPM on these platforms will work only with Windows OS-es.
> >>
> >> So, do we need special driver to access the iTPM?
> >
> > It is not driver issue. It is platform design.
> > iTPM on these (mobile) platforms was designed to work only with
> > Windows OS-es. It is not possible to use any TPM Linux driver on these
> > platforms.
> > iTPM on other (desktop) platforms should work with standard Linux -
> > tpm_tis driver.
>
> So we can't use tboot & xen also on these platforms:-(
>
> thanks,
> Seiji

(cross-posting to tboot-devel since this question concerns that project)

tboot will work fine on these systems, since it accesses the TPM directly through its MMIO interface. You will just have to use a non-Linux environment and tools to provision the TXT LCP and tboot policy indices.

Joe
From: Courtay O. <Oli...@th...> - 2008-11-28 10:24:34
Hi all,

If I understand well, the problem with the GM45 is that the TPM is embedded in the chipset and so Linux can not communicate with the TPM.

Is there a platform with Danbury fully supported by Linux? I am very interested in testing Danbury and McCreary technologies (my Q35 does not have them) but I use only Linux. Does the X58 chipset (i7) integrate all of these functionalities, and is it supported by Linux? Or should I take a P45 (Core 2 Duo)?

Another question on the security topic. Setting the TPM inside the chipset is a good choice for security (the LPC bus is too simple for a hardware attacker). But how can a hardware attacker reach the TPM inside the chipset? Is there still an LPC bus outside of the chipset where the TPM is connected? In other words: what level of hardware attacker is needed to successfully perform a man-in-the-middle attack on the TPM?

Thanks
Olivier Courtay

-----Original Message-----
From: Weide Zheng [mailto:zh...@gm...]
Sent: Thu 11/27/08 15:18
To: tboot-devel
Subject: [tboot-devel] Problem about TPM driver on GM45

Hi all,

I am happy to find that the SINIT AC Modules for GM45 have been released. I downloaded the code and tried it on two of the latest machines with the GM45 chipset -- Lenovo T400 & X200. But unfortunately, I was surprised to find that the TPM devices can not even be detected. I have tried the latest linux-2.6.27.7 kernel and used the "modprobe tpm_tis" command, but the device still remains undetectable. Have you ever come across similar problems? Does the TPM integrated in GM45 need special driver support?

P.S.: The TPM device in these two machines works fine in Windows XP & Vista environments.

I will be greatly grateful for your advice.

2008-11-27
Weide Zheng
From: Ross P. <Ros...@ci...> - 2008-11-27 14:55:21
I ran into the same issue on the GM45 (Montevina) platform with the integrated iTPM. It is a known problem with either the Linux tpm_tis driver and/or the iTPM itself. I don't think there is a plan to fix it. I did not actually find out what the problem was since the platform I ended up using had a discrete 3rd party TPM and there were no issues. It might be possible to fix/work around the issue in the Linux driver if we determined what the actual problem is. Not sure. Is there any way to add a discrete TPM to this system?

Thanks
Ross

________________________________
From: Weide Zheng [mailto:zh...@gm...]
Sent: Thu 11/27/2008 9:18 AM
To: tboot-devel
Subject: [tboot-devel] Problem about TPM driver on GM45

Hi all,

I am happy to find that the SINIT AC Modules for GM45 have been released. I downloaded the code and tried it on two of the latest machines with the GM45 chipset -- Lenovo T400 & X200. But unfortunately, I was surprised to find that the TPM devices can not even be detected. I have tried the latest linux-2.6.27.7 kernel and used the "modprobe tpm_tis" command, but the device still remains undetectable. Have you ever come across similar problems? Does the TPM integrated in GM45 need special driver support?

P.S.: The TPM device in these two machines works fine in Windows XP & Vista environments.

I will be greatly grateful for your advice.

2008-11-27
________________________________
Weide Zheng
From: Weide Z. <zh...@gm...> - 2008-11-27 14:17:50
Hi all,

I am happy to find that the SINIT AC Modules for GM45 have been released. I downloaded the code and tried it on two of the latest machines with the GM45 chipset -- Lenovo T400 & X200. But unfortunately, I was surprised to find that the TPM devices can not even be detected. I have tried the latest linux-2.6.27.7 kernel and used the "modprobe tpm_tis" command, but the device still remains undetectable. Have you ever come across similar problems? Does the TPM integrated in GM45 need special driver support?

P.S.: The TPM device in these two machines works fine in Windows XP & Vista environments.

I will be greatly grateful for your advice.

2008-11-27
Weide Zheng
From: Cihula, J. <jos...@in...> - 2008-11-27 07:07:32
I believe the index that it is reporting is the tboot error code index (0x20000002).

Joe

> -----Original Message-----
> From: Ross Philipson [mailto:Ros...@ci...]
> Sent: Tuesday, November 25, 2008 11:35 AM
> To: Courtay Olivier; tbo...@li...
> Subject: Re: [tboot-devel] Problems on tpmnv_defindex
>
> Yeah, the line about the error code index not being there is expected. I thought the patch got
> rid of the attempts to even write the index but that is all that is wrong there.
>
> That is the drawback to this but it is really just a workaround for a hardware issue.
>
> Thanks
> Ross
>
>
> -----Original Message-----
> From: Courtay Olivier [mailto:Oli...@th...]
> Sent: Tuesday, November 25, 2008 12:37 PM
> To: Ross Philipson; tbo...@li...
> Subject: RE : [tboot-devel] Problems on tpmnv_defindex
>
> Hello,
>
> I have applied your patch on the tboot.hg
> The patch works well (I had to manually apply the patch for only one line).
>
> And it seems to work:
> ....
> TBOOT: verifying module "/boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3"...
> TBOOT: \0x09 OK
> TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
> TBOOT: TPM error code index not present in embedded policy mode.
> TBOOT: verifying module "/boot/initrd.img-2.6.28-rc5"...
> TBOOT: \0x09 OK
> TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
> TBOOT: TPM error code index not present in embedded policy mode.
> TBOOT: all modules are verified
> ......
>
> I will study the error due to the attempt to write to an undefined index.
>
> The steps to use your patch:
>
> - define the owner index
> - create vl.pol
> - compile with make embed=path_to_vl.pol
> - install tboot
> - create lcp
> - write lcp in owner index
>
>
> The drawback is that the tboot.gz can be used for only one entry and if the policy changes, you
> should compile tboot....
>
> Thanks a lot for your patch
>
> Olivier
>
>
> -------- Original Message --------
> From: Ross Philipson [mailto:Ros...@ci...]
> Date: Mon. 11/24/08 19:19
> To: Cihula, Joseph; Courtay Olivier; tbo...@li...
> Subject: RE: [tboot-devel] Problems on tpmnv_defindex
>
> I ran into this issue on the Dell 755 platform. I worked around this by
> patching tboot to embed the verified launch within the MLE itself. You
> then only need one index, the owner one 0x40000001 for the LCP policy.
> Since the verified launch policy is embedded in the MLE, this solution
> is secure since the LCP hashes over the VL policy too. You also need to
> forgo the error recording index 0x20000002.
>
> I am attaching a patch I did to make this work on the Dell 755. You
> basically have to generate the VL policy before building tboot. You use
> the environment variable "embed=<my vl file>" to pass the policy to
> embed to the build (either export it or use it on the command line for
> make). The patch also deals with the missing error NV index. Then you
> can create the LCP over the tboot image and load that into the owner
> index.
>
> One thing to note; this patch was based off of the June 2008 tboot code
> tarball. It will not patch cleanly over the latest tboot stuff. You will
> either need to work with the June code or modify the patch. Hope it
> helps.
>
> Thanks
> Ross
>
> -----Original Message-----
> From: Cihula, Joseph [mailto:jos...@in...]
> Sent: Monday, November 24, 2008 12:31 PM
> To: Courtay Olivier; tbo...@li...
> Subject: Re: [tboot-devel] Problems on tpmnv_defindex
>
> -----Original Message-----
> > From: Courtay Olivier [mailto:Oli...@th...]
> > Sent: Monday, November 24, 2008 7:44 AM
> >
> > My comment begins at the end
> >
> > -----Original Message-----
> > From: Cihula, Joseph [mailto:jos...@in...]
> > Sent: Fri 11/21/08 17:44
> > To: Courtay Olivier; tbo...@li...
> > Subject: RE: Problems on tpmnv_defindex
> >
> > > From: Courtay Olivier [mailto:Oli...@th...]
> > > Sent: Friday, November 21, 2008 6:36 AM
> > >
> > > Hello,
> > >
> > > I am trying to use tboot directly with the Linux kernel using the Linux patch.
> > > I have successfully booted with a 2.6.28-rc5. But I have not set a policy in TPM NV.
> > > In the past, I have also successfully booted a Xen with a policy.
> > >
> > > After a TPM clean, I tried to set a policy for my 2.6.28-rc5 kernel on the TPM but some problems
> > > occurred.
> > >
> > >
> > > # tpmnv_defindex -i owner -p xxxx
> > > Haven't input permission value, use default value 0x2
> > > Haven't input data size, use default value 34
> > > LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
> > > LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa0b27101
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_caps_tpm.c:40 RPC_GetTPMCapability_TP: TCS Context: 0xa0b27101
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_auth.c:70 RPC_OSAP_TP: TCS Context: 0xa0b27101
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:53 RPC_NV_DefineOrReleaseSpace_TP: TCS Context: 0xa0b27101
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:83 RPC_NV_DefineOrReleaseSpace_TP: result=21
> > > Tspi_NV_DefineSpace failed failed: Insufficient TPM resources (0x0815)
> > > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa0b27101
> > >
> > > Impossible to define this index.
> > > I have already defined the index 0x20000002
> > >
> > > #tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx
> > > Successfully defined index 0x20000002 as permission 0x0, data size is 8
> > >
> > > Defined indices are:
> > >
> > > # tpmnv_getcap
> > >
> > > 4 indices have been defined
> > > list of indices for defined NV storage areas:
> > > 0x10000001 0x50000002 0x50000001 0x20000002
> > >
> > >
> > > I find it very difficult to correctly define and write a policy; each time I have to do a lot
> > > of manipulation before the system works correctly. Am I the only one to have this problem?
> > > Sometimes, I have to reset the BIOS to reboot the computer...
> > >
> > > I use Dell Optiplex 755/E8500
> >
> > I have also seen some spurious errors with TrouSerS. Unfortunately, I have not had the time
> > to track them down, and as the commands still seem to work despite the errors, it has not been
> > a priority. I haven't encountered the issue of having to reboot--I think that is particular
> > to your platform model and you should make sure that you have the latest BIOS.
> >
> >
> > [Begin of my comments]:
> > Yes, I have already seen that TrouSerS can return an error even when the command is a success.
> > But, in my case the tpmnv_defindex aborts with an "Insufficient TPM resources" error.
> > This error seems to be reported by the driver (error 21) and the index is not defined.
> >
> > I found the beginning of a solution: the order of the commands is important.
> >
> > For example, some trace:
> >
> > # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x20000002
> > # tpmnv_defindex -i owner -p xxxx => Failed with error 21.
> > # tpmnv_relindex -i 0x20000002 -p xxxx => OK
> > # tpmnv_getcap => 0x10000001 0x50000002 0x50000001
> > # tpmnv_defindex -i owner -p p xxxx => OK
> > # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
> > # tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx => Failed with error 21
> > # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
> >
> > My BIOS is up-to-date (A11).
> >
> > Any idea?
> >
> >
> > Thanks,
> > Olivier Courtay
>
> The "Insufficient TPM resources" error is due to the TPM on this
> platform, which only supports 4 NV indices. Three of these are already
> taken for TCG and TXT support. That means that you can only create one
> additional index.
>
> Joe
From: Ross P. <Ros...@ci...> - 2008-11-25 19:35:56
Yeah, the line about the error code index not being there is expected. I thought the patch got rid of the attempts to even write the index but that is all that is wrong there.

That is the drawback to this but it is really just a workaround for a hardware issue.

Thanks
Ross

-----Original Message-----
From: Courtay Olivier [mailto:Oli...@th...]
Sent: Tuesday, November 25, 2008 12:37 PM
To: Ross Philipson; tbo...@li...
Subject: RE : [tboot-devel] Problems on tpmnv_defindex

Hello,

I have applied your patch on the tboot.hg
The patch works well (I had to manually apply the patch for only one line).

And it seems to work:
....
TBOOT: verifying module "/boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3"...
TBOOT: \0x09 OK
TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
TBOOT: TPM error code index not present in embedded policy mode.
TBOOT: verifying module "/boot/initrd.img-2.6.28-rc5"...
TBOOT: \0x09 OK
TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
TBOOT: TPM error code index not present in embedded policy mode.
TBOOT: all modules are verified
......

I will study the error due to the attempt to write to an undefined index.

The steps to use your patch:

- define the owner index
- create vl.pol
- compile with make embed=path_to_vl.pol
- install tboot
- create lcp
- write lcp in owner index

The drawback is that the tboot.gz can be used for only one entry and if the policy changes, you should compile tboot....

Thanks a lot for your patch

Olivier

-------- Original Message --------
From: Ross Philipson [mailto:Ros...@ci...]
Date: Mon. 11/24/08 19:19
To: Cihula, Joseph; Courtay Olivier; tbo...@li...
Subject: RE: [tboot-devel] Problems on tpmnv_defindex

I ran into this issue on the Dell 755 platform. I worked around this by patching tboot to embed the verified launch within the MLE itself. You then only need one index, the owner one 0x40000001 for the LCP policy. Since the verified launch policy is embedded in the MLE, this solution is secure since the LCP hashes over the VL policy too. You also need to forgo the error recording index 0x20000002.

I am attaching a patch I did to make this work on the Dell 755. You basically have to generate the VL policy before building tboot. You use the environment variable "embed=<my vl file>" to pass the policy to embed to the build (either export it or use it on the command line for make). The patch also deals with the missing error NV index. Then you can create the LCP over the tboot image and load that into the owner index.

One thing to note; this patch was based off of the June 2008 tboot code tarball. It will not patch cleanly over the latest tboot stuff. You will either need to work with the June code or modify the patch. Hope it helps.

Thanks
Ross

-----Original Message-----
From: Cihula, Joseph [mailto:jos...@in...]
Sent: Monday, November 24, 2008 12:31 PM
To: Courtay Olivier; tbo...@li...
Subject: Re: [tboot-devel] Problems on tpmnv_defindex

-----Original Message-----
> From: Courtay Olivier [mailto:Oli...@th...]
> Sent: Monday, November 24, 2008 7:44 AM
>
> My comment begins at the end
>
> -----Original Message-----
> From: Cihula, Joseph [mailto:jos...@in...]
> Sent: Fri 11/21/08 17:44
> To: Courtay Olivier; tbo...@li...
> Subject: RE: Problems on tpmnv_defindex
>
> > From: Courtay Olivier [mailto:Oli...@th...]
> > Sent: Friday, November 21, 2008 6:36 AM
> >
> > Hello,
> >
> > I am trying to use tboot directly with the Linux kernel using the Linux patch.
> > I have successfully booted with a 2.6.28-rc5. But I have not set a policy in TPM NV.
> > In the past, I have also successfully booted a Xen with a policy.
> >
> > After a TPM clean, I tried to set a policy for my 2.6.28-rc5 kernel on the TPM but some problems
> > occurred.
> >
> >
> > # tpmnv_defindex -i owner -p xxxx
> > Haven't input permission value, use default value 0x2
> > Haven't input data size, use default value 34
> > LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
> > LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
> > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_caps_tpm.c:40 RPC_GetTPMCapability_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_auth.c:70 RPC_OSAP_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:53 RPC_NV_DefineOrReleaseSpace_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:83 RPC_NV_DefineOrReleaseSpace_TP: result=21
> > Tspi_NV_DefineSpace failed failed: Insufficient TPM resources (0x0815)
> > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa0b27101
> >
> > Impossible to define this index.
> > I have already defined the index 0x20000002
> >
> > #tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx
> > Successfully defined index 0x20000002 as permission 0x0, data size is 8
> >
> > Defined indices are:
> >
> > # tpmnv_getcap
> >
> > 4 indices have been defined
> > list of indices for defined NV storage areas:
> > 0x10000001 0x50000002 0x50000001 0x20000002
> >
> >
> > I find it very difficult to correctly define and write a policy; each time I have to do a lot
> > of manipulation before the system works correctly. Am I the only one to have this problem?
> > Sometimes, I have to reset the BIOS to reboot the computer...
> >
> > I use Dell Optiplex 755/E8500
>
> I have also seen some spurious errors with TrouSerS. Unfortunately, I have not had the time
> to track them down, and as the commands still seem to work despite the errors, it has not been
> a priority. I haven't encountered the issue of having to reboot--I think that is particular
> to your platform model and you should make sure that you have the latest BIOS.
>
>
> [Begin of my comments]:
> Yes, I have already seen that TrouSerS can return an error even when the command is a success.
> But, in my case the tpmnv_defindex aborts with an "Insufficient TPM resources" error.
> This error seems to be reported by the driver (error 21) and the index is not defined.
>
> I found the beginning of a solution: the order of the commands is important.
>
> For example, some trace:
>
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x20000002
> # tpmnv_defindex -i owner -p xxxx => Failed with error 21.
> # tpmnv_relindex -i 0x20000002 -p xxxx => OK
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001
> # tpmnv_defindex -i owner -p p xxxx => OK
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
> # tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx => Failed with error 21
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
>
> My BIOS is up-to-date (A11).
>
> Any idea?
>
>
> Thanks,
> Olivier Courtay

The "Insufficient TPM resources" error is due to the TPM on this platform, which only supports 4 NV indices. Three of these are already taken for TCG and TXT support. That means that you can only create one additional index.

Joe
From: Courtay O. <Oli...@th...> - 2008-11-25 17:37:35
|
Hello,

I have applied your patch to the tboot.hg. The patch works well (I had to manually apply the patch for only one line). And it seems to work:

....
TBOOT: verifying module "/boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3"...
TBOOT: \0x09 OK
TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
TBOOT: TPM error code index not present in embedded policy mode.
TBOOT: verifying module "/boot/initrd.img-2.6.28-rc5"...
TBOOT: \0x09 OK
TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
TBOOT: TPM error code index not present in embedded policy mode.
TBOOT: all modules are verified
......

I will study the error due to the attempt to write to an undefined index.

The steps to use your patch:
- define the owner index
- create vl.pol
- compile with make embed=path_to_vl.pol
- install tboot
- create lcp
- write lcp in owner index

The drawback is that the tboot.gz can be used for only one entry, and if the policy changes, you have to compile tboot....

Thanks a lot for your patch
Olivier

-------- Original Message --------
From: Ross Philipson [mailto:Ros...@ci...]
Date: Mon. 11/24/08 19:19
To: Cihula, Joseph; Courtay Olivier; tbo...@li...
Subject: RE: [tboot-devel] Problems on tpmnv_defindex

I ran into this issue on the Dell 755 platform. I worked around this by patching tboot to embed the verified launch within the MLE itself. You then only need one index, the owner one 0x40000001 for the LCP policy. Since the verified launch policy is embedded in the MLE, this solution is secure since the LCP hashes over the VL policy too. You also need to forgo the error recording index 0x20000002.

I am attaching a patch I did to make this work on the Dell 755. You basically have to generate the VL policy before building tboot. You use the environment variable "embed=<my vl file>" to pass the policy to embed to the build (either export it or use it on the command line for make). The patch also deals with the missing error NV index. Then you can create the LCP over the tboot image and load that into the owner index.

One thing to note: this patch was based off of the June 2008 tboot code tarball. It will not patch cleanly over the latest tboot stuff. You will either need to work with the June code or modify the patch.

Hope it helps.

Thanks
Ross

-----Original Message-----
From: Cihula, Joseph [mailto:jos...@in...]
Sent: Monday, November 24, 2008 12:31 PM
To: Courtay Olivier; tbo...@li...
Subject: Re: [tboot-devel] Problems on tpmnv_defindex

-----Original Message-----
> From: Courtay Olivier [mailto:Oli...@th...]
> Sent: Monday, November 24, 2008 7:44 AM
>
> My comment begins at the end
>
> -----Original Message-----
> From: Cihula, Joseph [mailto:jos...@in...]
> Sent: Fri 11/21/08 17:44
> To: Courtay Olivier; tbo...@li...
> Subject: RE: Problems on tpmnv_defindex
>
> > From: Courtay Olivier [mailto:Oli...@th...]
> > Sent: Friday, November 21, 2008 6:36 AM
> >
> > Hello,
> >
> > I try to use tboot directly with the linux kernel using the linux patch.
> > I have successfully booted with a 2.6.28-rc5. But I have not set policy in TPM NV.
> > In the past, I have also successfully booted a xen with policy.
> >
> > After a TPM clean, I try to set policy for my 2.6.28-rc5 kernel on TPM but some problems occurred.
> >
> > # tpmnv_defindex -i owner -p xxxx
> > Haven't input permission value, use default value 0x2
> > Haven't input data size, use default value 34
> > LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
> > LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
> > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_caps_tpm.c:40 RPC_GetTPMCapability_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_auth.c:70 RPC_OSAP_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:53 RPC_NV_DefineOrReleaseSpace_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:83 RPC_NV_DefineOrReleaseSpace_TP: result=21
> > Tspi_NV_DefineSpace failed failed: Insufficient TPM resources (0x0815)
> > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa0b27101
> >
> > Impossible to define this index.
> > I have already defined the index 0x20000002
> >
> > #tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx
> > Successfully defined index 0x20000002 as permission 0x0, data size is 8
> >
> > Defined indices are:
> >
> > # tpmnv_getcap
> >
> > 4 indices have been defined
> > list of indices for defined NV storage areas:
> > 0x10000001 0x50000002 0x50000001 0x20000002
> >
> > I found it very difficult to correctly define and write policy; each time I have to do a lot of manipulation before the system works correctly. Am I the only one to have this problem?
> > Sometimes, I have to reset the BIOS to reboot the computer...
> >
> > I use Dell Optiplex 755/E8500
>
> I have also seen some spurious errors with TrouSerS. Unfortunately, I have not had the time to track them down, and as the commands still seem to work despite the errors, it has not been a priority. I haven't encountered the issue of having to reboot--I think that is particular to your platform model and you should make sure that you have the latest BIOS.
>
> [Begin of my comments]:
> Yes, I already see that trousers can return an error even when the command is a success.
> But, in my case the tpmnv_defindex aborts with the "Insufficient TPM resources" error.
> This error seems to be reported by the driver (error 21) and the index is not defined.
>
> I found the beginning of a solution: the order of commands is important.
>
> For example, some trace:
>
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x20000002
> # tpmnv_defindex -i owner -p xxxx => Failed with error 21.
> # tpmnv_relindex -i 0x20000002 -p xxxx => OK
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001
> # tpmnv_defindex -i owner -p p xxxx => OK
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
> # tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx => Failed with error 21
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
>
> My BIOS is up-to-date (A11).
>
> Any idea?
>
> Thanks,
> Olivier Courtay

The "Insufficient TPM resources" error is due to the TPM on this platform, which only supports 4 NV indices. Three of these are already taken for TCG and TXT support. That means that you can only create one additional index.

Joe |
|
From: Ross P. <Ros...@ci...> - 2008-11-24 18:19:20
|
I ran into this issue on the Dell 755 platform. I worked around this by patching tboot to embed the verified launch within the MLE itself. You then only need one index, the owner one 0x40000001 for the LCP policy. Since the verified launch policy is embedded in the MLE, this solution is secure since the LCP hashes over the VL policy too. You also need to forgo the error recording index 0x20000002.

I am attaching a patch I did to make this work on the Dell 755. You basically have to generate the VL policy before building tboot. You use the environment variable "embed=<my vl file>" to pass the policy to embed to the build (either export it or use it on the command line for make). The patch also deals with the missing error NV index. Then you can create the LCP over the tboot image and load that into the owner index.

One thing to note: this patch was based off of the June 2008 tboot code tarball. It will not patch cleanly over the latest tboot stuff. You will either need to work with the June code or modify the patch.

Hope it helps.

Thanks
Ross

-----Original Message-----
From: Cihula, Joseph [mailto:jos...@in...]
Sent: Monday, November 24, 2008 12:31 PM
To: Courtay Olivier; tbo...@li...
Subject: Re: [tboot-devel] Problems on tpmnv_defindex

-----Original Message-----
> From: Courtay Olivier [mailto:Oli...@th...]
> Sent: Monday, November 24, 2008 7:44 AM
>
> My comment begins at the end
>
> -----Original Message-----
> From: Cihula, Joseph [mailto:jos...@in...]
> Sent: Fri 11/21/08 17:44
> To: Courtay Olivier; tbo...@li...
> Subject: RE: Problems on tpmnv_defindex
>
> > From: Courtay Olivier [mailto:Oli...@th...]
> > Sent: Friday, November 21, 2008 6:36 AM
> >
> > Hello,
> >
> > I try to use tboot directly with the linux kernel using the linux patch.
> > I have successfully booted with a 2.6.28-rc5. But I have not set policy in TPM NV.
> > In the past, I have also successfully booted a xen with policy.
> >
> > After a TPM clean, I try to set policy for my 2.6.28-rc5 kernel on TPM but some problems occurred.
> >
> > # tpmnv_defindex -i owner -p xxxx
> > Haven't input permission value, use default value 0x2
> > Haven't input data size, use default value 34
> > LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
> > LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
> > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_caps_tpm.c:40 RPC_GetTPMCapability_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_auth.c:70 RPC_OSAP_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:53 RPC_NV_DefineOrReleaseSpace_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:83 RPC_NV_DefineOrReleaseSpace_TP: result=21
> > Tspi_NV_DefineSpace failed failed: Insufficient TPM resources (0x0815)
> > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa0b27101
> >
> > Impossible to define this index.
> > I have already defined the index 0x20000002
> >
> > #tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx
> > Successfully defined index 0x20000002 as permission 0x0, data size is 8
> >
> > Defined indices are:
> >
> > # tpmnv_getcap
> >
> > 4 indices have been defined
> > list of indices for defined NV storage areas:
> > 0x10000001 0x50000002 0x50000001 0x20000002
> >
> > I found it very difficult to correctly define and write policy; each time I have to do a lot of manipulation before the system works correctly. Am I the only one to have this problem?
> > Sometimes, I have to reset the BIOS to reboot the computer...
> >
> > I use Dell Optiplex 755/E8500
>
> I have also seen some spurious errors with TrouSerS. Unfortunately, I have not had the time to track them down, and as the commands still seem to work despite the errors, it has not been a priority. I haven't encountered the issue of having to reboot--I think that is particular to your platform model and you should make sure that you have the latest BIOS.
>
> [Begin of my comments]:
> Yes, I already see that trousers can return an error even when the command is a success.
> But, in my case the tpmnv_defindex aborts with the "Insufficient TPM resources" error.
> This error seems to be reported by the driver (error 21) and the index is not defined.
>
> I found the beginning of a solution: the order of commands is important.
>
> For example, some trace:
>
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x20000002
> # tpmnv_defindex -i owner -p xxxx => Failed with error 21.
> # tpmnv_relindex -i 0x20000002 -p xxxx => OK
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001
> # tpmnv_defindex -i owner -p p xxxx => OK
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
> # tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx => Failed with error 21
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
>
> My BIOS is up-to-date (A11).
>
> Any idea?
>
> Thanks,
> Olivier Courtay

The "Insufficient TPM resources" error is due to the TPM on this platform, which only supports 4 NV indices. Three of these are already taken for TCG and TXT support. That means that you can only create one additional index.

Joe |
|
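An added model, not Ross's patch or tboot code, of why embedding the VL policy in the MLE keeps the scheme sound with a single NV index: the LCP in the owner index covers the whole MLE image, so a VL policy altered to admit a different kernel changes the MLE hash and fails the LCP check before the policy is ever consulted. The embedding marker, the JSON policy layout, SHA-1 as the digest, and the byte strings standing in for tboot, the kernel and the initrd are all constructed for this example.

```python
import hashlib
import json

# Separator this model uses to embed the VL policy in the MLE image.
# An assumption of the example, not tboot's actual "embed=" layout.
EMBED_MARKER = b"\n--EMBEDDED-VL-POLICY--\n"


def digest(data):
    """SHA-1, the PCR digest size of the TPM 1.2 generation discussed in the
    thread; chosen here only so the checks operate on a concrete hash."""
    return hashlib.sha1(data).hexdigest()


def make_vl_policy(modules):
    """Build a VL policy with one entry per module carrying the expected
    image hash for PCR 18, mirroring the thread's tb_polgen --hash image
    entries. modules is a list of (cmdline, image_bytes)."""
    entries = [{"num": n, "pcr": 18, "hash": digest(image)}
               for n, (_cmdline, image) in enumerate(modules)]
    return json.dumps({"entries": entries}, sort_keys=True).encode()


def build_mle(tboot_code, vl_policy):
    """Embed the VL policy in the MLE image (the approach Ross describes)."""
    return tboot_code + EMBED_MARKER + vl_policy


def make_lcp(mle_image):
    """The LCP loaded into the owner index: modelled as just the expected
    MLE hash, which now covers the embedded VL policy as well."""
    return {"mle_hash": digest(mle_image)}


def verify_launch(lcp, mle_image, modules):
    """Model of the launch order: the MLE is checked against the LCP first;
    only an MLE that passes applies its embedded VL policy to each module.
    Matching is on image hash only, as with --hash image."""
    if digest(mle_image) != lcp["mle_hash"]:
        return {"lcp": False, "modules": []}
    _code, _marker, policy_bytes = mle_image.partition(EMBED_MARKER)
    allowed = {e["hash"] for e in json.loads(policy_bytes)["entries"]}
    return {"lcp": True,
            "modules": [digest(image) in allowed for _cmdline, image in modules]}


# Constructed stand-ins for the real files named in the thread.
TBOOT_CODE = b"tboot code bytes (constructed)"
KERNEL = b"vmlinuz-2.6.28-rc5 (constructed)"
INITRD = b"initrd.img-2.6.28-rc5 (constructed)"
MODULES = [("root=/dev/sda2 ro console=ttyS0,115200 3", KERNEL), ("", INITRD)]


def demo():
    """Return (honest launch, launch with a swapped kernel, launch with an
    MLE whose embedded policy was rewritten to admit that kernel)."""
    policy = make_vl_policy(MODULES)
    mle = build_mle(TBOOT_CODE, policy)
    lcp = make_lcp(mle)                      # what the owner index would hold

    good = verify_launch(lcp, mle, MODULES)

    rogue = b"different kernel image (constructed)"
    rogue_modules = [(MODULES[0][0], rogue), MODULES[1]]
    swapped = verify_launch(lcp, mle, rogue_modules)

    # Rewriting the embedded policy changes the MLE bytes, so the LCP check
    # rejects the MLE before its (now permissive) VL policy is consulted.
    tampered_mle = build_mle(TBOOT_CODE, make_vl_policy(rogue_modules))
    tampered = verify_launch(lcp, tampered_mle, rogue_modules)
    return good, swapped, tampered


if __name__ == "__main__":
    for label, result in zip(("honest", "swapped kernel", "rewritten policy"), demo()):
        print("%-17s %s" % (label, result))
```

The second case is the VL policy doing its job (the kernel entry fails); the third is the point of Ross's design: with the policy inside the measured MLE, loosening it costs the attacker the LCP match, which is exactly what a separate, writable policy index would not guarantee.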
From: Cihula, J. <jos...@in...> - 2008-11-24 17:31:15
|
-----Original Message-----
> From: Courtay Olivier [mailto:Oli...@th...]
> Sent: Monday, November 24, 2008 7:44 AM
>
> My comment begins at the end
>
> -----Original Message-----
> From: Cihula, Joseph [mailto:jos...@in...]
> Sent: Fri 11/21/08 17:44
> To: Courtay Olivier; tbo...@li...
> Subject: RE: Problems on tpmnv_defindex
>
> > From: Courtay Olivier [mailto:Oli...@th...]
> > Sent: Friday, November 21, 2008 6:36 AM
> >
> > Hello,
> >
> > I try to use tboot directly with the linux kernel using the linux patch.
> > I have successfully booted with a 2.6.28-rc5. But I have not set policy in TPM NV.
> > In the past, I have also successfully booted a xen with policy.
> >
> > After a TPM clean, I try to set policy for my 2.6.28-rc5 kernel on TPM but some problems occurred.
> >
> > # tpmnv_defindex -i owner -p xxxx
> > Haven't input permission value, use default value 0x2
> > Haven't input data size, use default value 34
> > LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
> > LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
> > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_caps_tpm.c:40 RPC_GetTPMCapability_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_auth.c:70 RPC_OSAP_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:53 RPC_NV_DefineOrReleaseSpace_TP: TCS Context: 0xa0b27101
> > LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:83 RPC_NV_DefineOrReleaseSpace_TP: result=21
> > Tspi_NV_DefineSpace failed failed: Insufficient TPM resources (0x0815)
> > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa0b27101
> >
> > Impossible to define this index.
> > I have already defined the index 0x20000002
> >
> > #tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx
> > Successfully defined index 0x20000002 as permission 0x0, data size is 8
> >
> > Defined indices are:
> >
> > # tpmnv_getcap
> >
> > 4 indices have been defined
> > list of indices for defined NV storage areas:
> > 0x10000001 0x50000002 0x50000001 0x20000002
> >
> > I found it very difficult to correctly define and write policy; each time I have to do a lot of manipulation before the system works correctly. Am I the only one to have this problem?
> > Sometimes, I have to reset the BIOS to reboot the computer...
> >
> > I use Dell Optiplex 755/E8500
>
> I have also seen some spurious errors with TrouSerS. Unfortunately, I have not had the time to track them down, and as the commands still seem to work despite the errors, it has not been a priority. I haven't encountered the issue of having to reboot--I think that is particular to your platform model and you should make sure that you have the latest BIOS.
>
> [Begin of my comments]:
> Yes, I already see that trousers can return an error even when the command is a success.
> But, in my case the tpmnv_defindex aborts with the "Insufficient TPM resources" error.
> This error seems to be reported by the driver (error 21) and the index is not defined.
>
> I found the beginning of a solution: the order of commands is important.
>
> For example, some trace:
>
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x20000002
> # tpmnv_defindex -i owner -p xxxx => Failed with error 21.
> # tpmnv_relindex -i 0x20000002 -p xxxx => OK
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001
> # tpmnv_defindex -i owner -p p xxxx => OK
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
> # tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx => Failed with error 21
> # tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
>
> My BIOS is up-to-date (A11).
>
> Any idea?
>
> Thanks,
> Olivier Courtay

The "Insufficient TPM resources" error is due to the TPM on this platform, which only supports 4 NV indices. Three of these are already taken for TCG and TXT support. That means that you can only create one additional index.

Joe |
|
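An added illustration of Joe's point, written for this page and taken neither from tboot nor from the thread: with a 4-index TPM and three indices held for TCG/TXT support, every outcome in Olivier's define/release trace follows from a simple slot count. The capacity of 4 and the three reserved indices come from the messages above; the tpmnv_getcap output is a constructed sample in the format shown in the thread, and "error 21" stands in for the TSS result 0x0815 the tool reported.

```python
import re

# Stated in the thread for the TPM on the Dell Optiplex 755: at most 4 NV
# indices can exist at once.
MAX_NV_INDICES = 4

# Indices tpmnv_getcap always reports on that platform; the thread attributes
# them to TCG/TXT support, so this model treats them as not releasable.
PLATFORM_RESERVED = frozenset({0x10000001, 0x50000002, 0x50000001})

OWNER_INDEX = 0x40000001   # "owner" index that holds the LCP policy
ERROR_INDEX = 0x20000002   # tboot's error-recording index

# Constructed sample in the tpmnv_getcap output format seen in the thread.
SAMPLE_GETCAP = """\
4 indices have been defined
list of indices for defined NV storage areas:
0x10000001 0x50000002 0x50000001 0x20000002
"""


def parse_getcap(text):
    """Extract the set of defined NV indices from tpmnv_getcap output."""
    m = re.search(r"defined NV storage areas:\s*((?:0x[0-9a-fA-F]+\s*)+)", text)
    return {int(tok, 16) for tok in m.group(1).split()} if m else set()


class InsufficientTpmResources(Exception):
    """Stand-in for TSS error 0x0815 / driver error 21 from the thread."""


class NvIndexBudget:
    """Tiny model of define/release: a define succeeds only while the TPM
    still has a free index slot; releasing an index frees its slot."""

    def __init__(self, defined):
        self.defined = set(defined)

    def define(self, index):
        if index in self.defined:
            return                      # already present, nothing to do
        if len(self.defined) >= MAX_NV_INDICES:
            raise InsufficientTpmResources("0x%08x" % index)
        self.defined.add(index)

    def release(self, index):
        self.defined.discard(index)

    def free_slots(self):
        return MAX_NV_INDICES - len(self.defined)


def replay(initial, steps):
    """Replay ('define'|'release', index) steps against the model and report
    each outcome in the wording of the thread's trace ('OK' / 'error 21').
    Returns (outcomes, final set of defined indices)."""
    tpm = NvIndexBudget(initial)
    outcomes = []
    for op, index in steps:
        try:
            if op == "define":
                tpm.define(index)
            elif op == "release":
                tpm.release(index)
            else:
                raise ValueError("unknown operation %r" % op)
            outcomes.append("OK")
        except InsufficientTpmResources:
            outcomes.append("error 21")
    return outcomes, tpm.defined


def fits(wanted):
    """True if all wanted tboot indices can coexist with the reserved ones,
    i.e. whether a given tboot setup is possible on this TPM at all."""
    return len(PLATFORM_RESERVED | set(wanted)) <= MAX_NV_INDICES


if __name__ == "__main__":
    start = parse_getcap(SAMPLE_GETCAP)
    trace = [("define", OWNER_INDEX), ("release", ERROR_INDEX),
             ("define", OWNER_INDEX), ("define", ERROR_INDEX)]
    for (op, idx), outcome in zip(trace, replay(start, trace)[0]):
        print("%-7s 0x%08x => %s" % (op, idx, outcome))
    print("owner only fits:", fits([OWNER_INDEX]))
    print("owner + error index fit:", fits([OWNER_INDEX, ERROR_INDEX]))
```

Running it reproduces the trace exactly (error, OK, OK, error) and shows that the owner index alone fits while owner plus error index never will, which is why the workaround later in the thread drops the error index rather than reordering commands.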
From: Courtay O. <Oli...@th...> - 2008-11-24 16:07:47
|
My comment begins at the end

-----Original Message-----
From: Cihula, Joseph [mailto:jos...@in...]
Sent: Fri 11/21/08 17:44
To: Courtay Olivier; tbo...@li...
Subject: RE: Problems on tpmnv_defindex

> From: Courtay Olivier [mailto:Oli...@th...]
> Sent: Friday, November 21, 2008 6:36 AM
>
> Hello,
>
> I try to use tboot directly with the linux kernel using the linux patch.
> I have successfully booted with a 2.6.28-rc5. But I have not set policy in TPM NV.
> In the past, I have also successfully booted a xen with policy.
>
> After a TPM clean, I try to set policy for my 2.6.28-rc5 kernel on TPM but some problems occurred.
>
> # tpmnv_defindex -i owner -p xxxx
> Haven't input permission value, use default value 0x2
> Haven't input data size, use default value 34
> LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
> LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
> LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa0b27101
> LOG_DEBUG TSPI rpc/tcstp/rpc_caps_tpm.c:40 RPC_GetTPMCapability_TP: TCS Context: 0xa0b27101
> LOG_DEBUG TSPI rpc/tcstp/rpc_auth.c:70 RPC_OSAP_TP: TCS Context: 0xa0b27101
> LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:53 RPC_NV_DefineOrReleaseSpace_TP: TCS Context: 0xa0b27101
> LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:83 RPC_NV_DefineOrReleaseSpace_TP: result=21
> Tspi_NV_DefineSpace failed failed: Insufficient TPM resources (0x0815)
> LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa0b27101
>
> Impossible to define this index.
> I have already defined the index 0x20000002
>
> #tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx
> Successfully defined index 0x20000002 as permission 0x0, data size is 8
>
> Defined indices are:
>
> # tpmnv_getcap
>
> 4 indices have been defined
> list of indices for defined NV storage areas:
> 0x10000001 0x50000002 0x50000001 0x20000002
>
> I found it very difficult to correctly define and write policy; each time I have to do a lot of manipulation before the system works correctly. Am I the only one to have this problem?
> Sometimes, I have to reset the BIOS to reboot the computer...
>
> I use Dell Optiplex 755/E8500

I have also seen some spurious errors with TrouSerS. Unfortunately, I have not had the time to track them down, and as the commands still seem to work despite the errors, it has not been a priority. I haven't encountered the issue of having to reboot--I think that is particular to your platform model and you should make sure that you have the latest BIOS.

[Begin of my comments]:
Yes, I already see that trousers can return an error even when the command is a success.
But, in my case the tpmnv_defindex aborts with the "Insufficient TPM resources" error.
This error seems to be reported by the driver (error 21) and the index is not defined.

I found the beginning of a solution: the order of commands is important.

For example, some trace:

# tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x20000002
# tpmnv_defindex -i owner -p xxxx => Failed with error 21.
# tpmnv_relindex -i 0x20000002 -p xxxx => OK
# tpmnv_getcap => 0x10000001 0x50000002 0x50000001
# tpmnv_defindex -i owner -p p xxxx => OK
# tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001
# tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx => Failed with error 21
# tpmnv_getcap => 0x10000001 0x50000002 0x50000001 0x40000001

My BIOS is up-to-date (A11).

Any idea?

Thanks,
Olivier Courtay |
|
From: Cihula, J. <jos...@in...> - 2008-11-21 19:34:16
|
I have added SINIT AC Modules for: the Intel(r) Q45 and Q43 Express Chipsets (aka ICH10 aka Eaglelake aka McCreary), the Intel(r) GM45 and PM45 Express Chipsets (aka ICH9M aka Cantiga aka Montevina). I have updated the SINIT ACMs for the Intel(r) Q35 and X38 Express Chipsets (aka ICH9 aka Bearlake aka Weybridge). The SINIT ACM Guide file has also been updated to reflect these new chipsets and their device IDs. I have dated the releases as 2008-10-17 to correspond to the naming convention used for Intel's Software Development Platform program. Joe |
|
From: Cihula, J. <jos...@in...> - 2008-11-21 16:44:46
|
> From: Courtay Olivier [mailto:Oli...@th...]
> Sent: Friday, November 21, 2008 6:36 AM
>
> Hello,
>
> I try to use tboot directly with the linux kernel using the linux patch.
> I have successfully booted with a 2.6.28-rc5. But I have not set policy in TPM NV.
> In the past, I have also successfully booted a xen with policy.
>
> After a TPM clean, I try to set policy for my 2.6.28-rc5 kernel on TPM but some problems occurred.
>
> # tpmnv_defindex -i owner -p xxxx
> Haven't input permission value, use default value 0x2
> Haven't input data size, use default value 34
> LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
> LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
> LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa0b27101
> LOG_DEBUG TSPI rpc/tcstp/rpc_caps_tpm.c:40 RPC_GetTPMCapability_TP: TCS Context: 0xa0b27101
> LOG_DEBUG TSPI rpc/tcstp/rpc_auth.c:70 RPC_OSAP_TP: TCS Context: 0xa0b27101
> LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:53 RPC_NV_DefineOrReleaseSpace_TP: TCS Context: 0xa0b27101
> LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:83 RPC_NV_DefineOrReleaseSpace_TP: result=21
> Tspi_NV_DefineSpace failed failed: Insufficient TPM resources (0x0815)
> LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa0b27101
>
> Impossible to define this index.
> I have already defined the index 0x20000002
>
> #tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx
> Successfully defined index 0x20000002 as permission 0x0, data size is 8
>
> Defined indices are:
>
> # tpmnv_getcap
>
> 4 indices have been defined
> list of indices for defined NV storage areas:
> 0x10000001 0x50000002 0x50000001 0x20000002
>
> I found it very difficult to correctly define and write policy; each time I have to do a lot of manipulation before the system works correctly. Am I the only one to have this problem?
> Sometimes, I have to reset the BIOS to reboot the computer...
>
> I use Dell Optiplex 755/E8500

I have also seen some spurious errors with TrouSerS. Unfortunately, I have not had the time to track them down, and as the commands still seem to work despite the errors, it has not been a priority. I haven't encountered the issue of having to reboot--I think that is particular to your platform model and you should make sure that you have the latest BIOS.

> Another point.
> I have adapted the pol to boot linux directly.
> Can you tell me if this policy is correct:
>
> #tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "module /boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3" --image /boot/vmlinuz-2.6.28-rc5 vl.pol
> #tb_polgen --add --num 1 --pcr 18 --hash image --cmdline "" --image /boot/initrd.img-2.6.28-rc5 vl.pol
>
> My grub entry is:
> title Linux 2.6.28-rc5 w/ tboot
> root (hd0,1)
> kernel /boot/tboot.gz
> module /boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3
> module /boot/initrd.img-2.6.28-rc5
> module /boot/Q35_SINIT_16.BIN

The latest versions of tboot no longer include the module name in the command line of the policy. So your kernel tb_polgen should be (presuming that you also have already called tb_polgen with the --create option):

#tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "root=/dev/sda2 ro console=ttyS0,115200 3" --image /boot/vmlinuz-2.6.28-rc5 vl.pol

>
> Thanks,
>
> Olivier |
|
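An added helper, not part of the thread or of tboot, that derives the tb_polgen lines Joe describes from the GRUB entry Olivier posted: each module line becomes one --add entry, with the module name stripped from the command line so that only what the kernel actually receives is hashed. It follows the thread's own two-entry policy in giving the SINIT ACM module no entry, presumes tb_polgen --create has already been run, and uses only the tb_polgen options that appear in the thread; the GRUB entry below is a constructed copy of the one above.

```python
# Constructed sample: the GRUB legacy entry posted in the thread.
SAMPLE_GRUB_ENTRY = """\
title Linux 2.6.28-rc5 w/ tboot
root (hd0,1)
kernel /boot/tboot.gz
module /boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3
module /boot/initrd.img-2.6.28-rc5
module /boot/Q35_SINIT_16.BIN
"""


def parse_modules(entry):
    """Return (path, cmdline) for every `module` line of a GRUB legacy entry,
    in boot order; cmdline is '' when the line carries only a path."""
    modules = []
    for line in entry.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) >= 2 and parts[0] == "module":
            modules.append((parts[1], parts[2] if len(parts) == 3 else ""))
    return modules


def is_sinit_acm(path):
    """Assumption for this example: the SINIT ACM is the module whose file
    name contains 'SINIT' (as /boot/Q35_SINIT_16.BIN in the thread). It is
    consumed by the launch itself and, as in the thread's policy, gets no
    VL policy entry."""
    return "SINIT" in path.rsplit("/", 1)[-1].upper()


def strip_module_name(cmdline):
    """Drop a leading 'module <path>' from an old-style policy command line,
    the form Joe says current tboot no longer expects."""
    parts = cmdline.split(None, 2)
    if len(parts) >= 2 and parts[0] == "module":
        return parts[2] if len(parts) == 3 else ""
    return cmdline


def polgen_commands(entry, policy_file="vl.pol", pcr=18):
    """Emit one tb_polgen --add per verified module: the command line as the
    kernel sees it (no module name) and "" for modules that take none."""
    verified = [m for m in parse_modules(entry) if not is_sinit_acm(m[0])]
    cmds = []
    for num, (path, cmdline) in enumerate(verified):
        cmdline = strip_module_name(cmdline)
        if '"' in cmdline:
            # Keep the quoting as simple as the thread's examples; anything
            # needing shell escaping is reported rather than guessed at.
            raise ValueError("double quote in cmdline needs escaping: %r" % cmdline)
        cmds.append('tb_polgen --add --num %d --pcr %d --hash image '
                    '--cmdline "%s" --image %s %s'
                    % (num, pcr, cmdline, path, policy_file))
    return cmds


if __name__ == "__main__":
    for cmd in polgen_commands(SAMPLE_GRUB_ENTRY):
        print(cmd)
```

Run against the sample entry it prints exactly the two lines Joe's correction implies (entry 0 for the kernel with "root=/dev/sda2 ro console=ttyS0,115200 3", entry 1 for the initrd with an empty command line). strip_module_name is the piece to apply to an existing, older policy script: it turns the command line Olivier originally used into the one Joe recommends.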
From: Courtay O. <Oli...@th...> - 2008-11-21 15:03:23
|
Hello,

I try to use tboot directly with the linux kernel using the linux patch.
I have successfully booted with a 2.6.28-rc5. But I have not set policy in TPM NV.
In the past, I have also successfully booted a xen with policy.

After a TPM clean, I try to set policy for my 2.6.28-rc5 kernel on TPM but some problems occurred.

# tpmnv_defindex -i owner -p xxxx
Haven't input permission value, use default value 0x2
Haven't input data size, use default value 34
LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa0b27101
LOG_DEBUG TSPI rpc/tcstp/rpc_caps_tpm.c:40 RPC_GetTPMCapability_TP: TCS Context: 0xa0b27101
LOG_DEBUG TSPI rpc/tcstp/rpc_auth.c:70 RPC_OSAP_TP: TCS Context: 0xa0b27101
LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:53 RPC_NV_DefineOrReleaseSpace_TP: TCS Context: 0xa0b27101
LOG_DEBUG TSPI rpc/tcstp/rpc_nv.c:83 RPC_NV_DefineOrReleaseSpace_TP: result=21
Tspi_NV_DefineSpace failed failed: Insufficient TPM resources (0x0815)
LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa0b27101

Impossible to define this index.
I have already defined the index 0x20000002

#tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p xxxx
Successfully defined index 0x20000002 as permission 0x0, data size is 8

Defined indices are:

# tpmnv_getcap

4 indices have been defined
list of indices for defined NV storage areas:
0x10000001 0x50000002 0x50000001 0x20000002

I found it very difficult to correctly define and write policy; each time I have to do a lot of manipulation before the system works correctly. Am I the only one to have this problem?
Sometimes, I have to reset the BIOS to reboot the computer...

I use Dell Optiplex 755/E8500

Another point.
I have adapted the pol to boot linux directly.
Can you tell me if this policy is correct:

#tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "module /boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3" --image /boot/vmlinuz-2.6.28-rc5 vl.pol
#tb_polgen --add --num 1 --pcr 18 --hash image --cmdline "" --image /boot/initrd.img-2.6.28-rc5 vl.pol

My grub entry is:
title Linux 2.6.28-rc5 w/ tboot
root (hd0,1)
kernel /boot/tboot.gz
module /boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3
module /boot/initrd.img-2.6.28-rc5
module /boot/Q35_SINIT_16.BIN

Thanks,
Olivier |
|
From: Jonathan M. M. <jon...@cm...> - 2008-11-20 19:58:23
|
Cihula, Joseph wrote:
> In addition to providing reference code, tboot is also a production-quality MLE (measured launched environment). This was done in order to provide a functioning, runnable example of TXT use that could be integrated into products or deployments. For a variety of reasons, it is extremely valuable to have a practical, runnable TXT "application".

This was a tremendous help while getting Flicker off the ground using TXT. By my estimation, you guys have done a nice job demonstrating the various capabilities of TXT.

I'm very happy that this list finds the Flicker project to be an interesting and compelling use of TXT. I have the tricky parts working with TXT, and hope to release some code in the coming weeks. If there is sufficient interest, I can create a SourceForge project. Hopefully this will make it easier to integrate bug-fixes, features, etc.

Cheers,
-Jon |
|
From: Cihula, J. <jos...@in...> - 2008-11-20 19:35:15
|
Well said.

The tboot project's primary purpose is to be reference code for the use of Intel(R) TXT. And since TXT is mostly about launching a trusted environment, most of the code for its use is about preparing for and executing the launch. There is some subsequent code for verifying the launched environment. This aspect of TXT is not really dependent on early and late launch models--the same process is required for all uses of TXT.

In addition to providing reference code, tboot is also a production-quality MLE (measured launched environment). This was done in order to provide a functioning, runnable example of TXT use that could be integrated into products or deployments. For a variety of reasons, it is extremely valuable to have a practical, runnable TXT "application".

We wanted tboot to serve as an example of TXT use, not as a complete virtualization/separation kernel/high-security kernel/etc. solution. So tboot is designed to work in conjunction with a VMM (e.g. Xen) or OS (e.g. Linux) to provide the TXT-related security functionality. The VMM or OS is responsible for extending or maintaining the trusted environment that tboot launched it in. This is also why tboot is designed to be fairly VMM/OS agnostic and with minimal VMM/OS changes needed for full support (as opposed to being tightly integrated into it).

And by releasing tboot with an open source license, we wanted to facilitate others who work in open source to apply TXT to their projects and release the results. Hopefully this will give the community a range of usage models that a single company like Intel could not have developed on its own.

Joe

P.S. We will be posting SINIT AC Modules for the new mobile and desktop systems very soon.

> -----Original Message-----
> From: Hal Finney [mailto:hal...@gm...]
> Sent: Thursday, November 20, 2008 11:01 AM
> To: Mike Hearn
> Cc: Cihula, Joseph; tbo...@li...; Lil Evil
> Subject: Re: [tboot-devel] late launch
>
> On Thu, Nov 20, 2008 at 8:33 AM, Mike Hearn <mi...@pl...> wrote:
> > What's the rationale for tboot not being a late launch project? My understanding was that the whole point of TXT was to enable late launch.
>
> It seems that the problem with late launch is not so much launching something like tboot, it's what happens next.
>
> The simplest case would be to just abandon the original OS from which you performed the late launch, and to go ahead and do what tboot does now, measure and launch a VM monitor like Xen, which then launches a new set of VMs from scratch. But that doesn't give you any advantages over simply rebooting into today's tboot.
>
> Jon McCune's Flicker project does a late launch of a small executable program that performs secure functions for a relatively brief moment (a flicker of time, hence the name), and then tears down the secure environment and returns to the original OS. This has also required substantial work and research to accomplish, and seems to require OS specific code.
>
> A very ambitious possibility would be to encapsulate the state of the OS you were running before launching tboot, and to transfer it into a VM, allowing it to continue to run under a VMM launched by tboot. Ideally the user would hardly notice that the late launch had happened and that his OS had gone from running on the real hardware, to running in a VM managed by a measured VMM that tboot had started. I think this was the original idea of Microsoft's Palladium project, renamed NGSCB and then seemingly abandoned in the face of a firestorm of criticism. Clearly it would be extremely challenging to accomplish, and would very likely be OS specific. The "Blue Pill" project, http://bluepillproject.org/ , is a sort of root kit which does something similar, not using tboot but wrapping the OS in a VM and keeping it running, maybe without the user noticing. It could probably be modified to use tboot and might be a good starting point for this kind of late launch architecture.
>
> Hal Finney |
|
From: Hal F. <hal...@gm...> - 2008-11-20 19:01:33
On Thu, Nov 20, 2008 at 8:33 AM, Mike Hearn <mi...@pl...> wrote:
> What's the rationale for tboot not being a late launch project? My
> understanding was that the whole point of TXT was to enable late launch.

It seems that the problem with late launch is not so much launching something like tboot, it's what happens next.

The simplest case would be to just abandon the original OS from which you performed the late launch, and to go ahead and do what tboot does now, measure and launch a VM monitor like Xen, which then launches a new set of VMs from scratch. But that doesn't give you any advantages over simply rebooting into today's tboot.

Jon McCune's Flicker project does a late launch of a small executable program that performs secure functions for a relatively brief moment (a flicker of time, hence the name), and then tears down the secure environment and returns to the original OS. This has also required substantial work and research to accomplish, and seems to require OS specific code.

A very ambitious possibility would be to encapsulate the state of the OS you were running before launching tboot, and to transfer it into a VM, allowing it to continue to run under a VMM launched by tboot. Ideally the user would hardly notice that the late launch had happened and that his OS had gone from running on the real hardware, to running in a VM managed by a measured VMM that tboot had started. I think this was the original idea of Microsoft's Palladium project, renamed NGSCB and then seemingly abandoned in the face of a firestorm of criticism. Clearly it would be extremely challenging to accomplish, and would very likely be OS specific.

The "Blue Pill" project, http://bluepillproject.org/ , is a sort of root kit which does something similar, not using tboot but wrapping the OS in a VM and keeping it running, maybe without the user noticing. It could probably be modified to use tboot and might be a good starting point for this kind of late launch architecture.

Hal Finney
From: Ross P. <Ros...@ci...> - 2008-11-20 17:56:17
Patch for TBOOT logging enhancements usage information in
tboot-info.txt.
Signed-off-by: Ross Philipson <ros...@ci...>
diff -Nur a/tboot/common/early_printk.c b/tboot/common/early_printk.c
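Review bot: the file header `diff -Nur a/tboot/common/early_printk.c b/tboot/common/early_printk.c` has no `---`/`+++` lines and no hunks after it, so the code side of the logging change (the loglvl=, logging= and serial= handling that the tboot-info.txt text goes on to describe) is not in this posting. If this is a docs-only patch, as the description says, drop the stray header; otherwise resend with the early_printk.c hunks so the documentation and the code can be reviewed together.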
diff -Nur b/docs/tboot-info.txt c/docs/tboot-info.txt
--- b/docs/tboot-info.txt 2008-11-20 10:43:33.000000000 -0500
+++ c/docs/tboot-info.txt 2008-11-20 12:43:52.000000000 -0500
@@ -87,12 +87,33 @@
http://lkml.org/lkml/2008/10/7/442
http://lkml.org/lkml/2008/10/7/445
-o Progress of the launch process is indicated via debug printk's to
- COM1 (hardcoded). These appear before the normal "(XEN)" output and
are
- prefixed by "TBOOT:". Though tboot does initialize the COM port, it
is
- best if this is also done by GRUB - grub.conf should have:
- serial --speed=115200 --unit=0
- terminal console serial
+o Progress of the launch process is indicated via debug printk's using
three
+ different logging methods:
+ serial - logging is traced over a COM/serial port to a remote
console
+ vga - logging is traced to the local screen
+ memory - logging is traced to a memory location
+
+ These three methods are not mutually exclusive - any combination can
be
+ enabled. Logging is enabled with command line parameters to tboot.
The first
+ parameter enables or disables all logging (note that the default is
all):
+ loglvl=all|none
+
+ The next paramter is used to configure the various logging targets;
any
+ combination can be used (note that when the parameter is not set,
serial
+ is the default):
+ logging=vga,serial,memory
+
+ If serial logging is set, a third parameter can be used to configure
the
+ serial port settings. All of the options beyond baud rate are
optional:
+ serial=baud[/clock_hz][,DPS[,io_base]]
+
+ The clock_hz allows setting different crystal frequencies, DPS sets
the
+ data/parity/stop bits, and io_base sets the IO port for the device.
The
+ baud rate can also be set to "auto" allowing any current settings
for the
+ serial port to be left intact (e.g. if the serial port has already
been
+ configured by grub). If this parameter is omitted the default is
+ effectively the following for a legacy PC COM1:
+ serial=115200/115200,8n1,0x3f8
o tboot will attempt to seal the module measurements using the TPM so
that if
it is put into S3 it can restore the correct PCR values on resume.
In order
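Review bot: "paramter" in the line `+ The next paramter is used to configure the various logging targets;` is misspelled and this is user-facing documentation, so change it to "parameter". Three more points in this hunk: the default shown as `serial=115200/115200,8n1,0x3f8` sets clock_hz equal to the baud rate, which reads oddly right after the sentence saying clock_hz selects the crystal frequency, so confirm that this really is the effective default or show the actual clock value; the removed grub.conf lines `serial --speed=115200 --unit=0` and `terminal console serial` were the only concrete guidance for the "already configured by grub" case that `baud=auto` relies on, so consider keeping them as an example; and the memory target is described only as "traced to a memory location", so state where that buffer lives (address or how it is chosen, and its size) and whether it sits inside the region tboot measures, since someone enabling it on a production MLE needs that to judge the exposure.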
From: Mike H. <mi...@pl...> - 2008-11-20 16:33:30
> > The late launch model is where a DRTM provides the most value over a static
> > root of trust, as it is not even really possible to extend the SRTM to this
> > point for most OSes.

What's the rationale for tboot not being a late launch project? My understanding was that the whole point of TXT was to enable late launch.
From: Cihula, J. <jos...@in...> - 2008-11-19 13:05:19
> From: Lil Evil [mailto:Lil...@gm...]
> Sent: Wednesday, November 19, 2008 3:21 AM
>
> Well, but I don't care what else is running as long as my hypervisor (call it MLE or whatever
> you want) is measured.
> We only need assurance of a trusted hypervisor, the code running previously can be untrusted
> as long as it is sufficiently isolated from the rest.
>
> lIl

The only project I know of that is using Intel(R) TXT in a late launch (post-OS) model is Flicker (http://sparrow.ece.cmu.edu/group/flicker.html). Its author, Jonathan McCune, often posts here and could give you more details about it.

The late launch model is where a DRTM provides the most value over a static root of trust, as it is not even really possible to extend the SRTM to this point for most OSes.

Joe

> > -------- Original Message --------
> > Date: Wed, 19 Nov 2008 09:17:20 +0800
> > From: "Wang, Shane" <sha...@in...>
> > To: Lil Evil <Lil...@gm...>
> > Subject: RE: [tboot-devel] late launch
> >
> > Oh, but tboot targets at DRTM originally.
> > The machine runs at unmeasured environment first and calls getsec[senter]
> > to enter SINIT and measure untrusted tboot so as to build the root of
> > trust.
> > The only difference I can figure out is that tboot is close to the machine
> > reset.
> > Our method is simple since it is enough for SINIT to measure tboot only,
> > since only tboot is in the memory. Simple as it is, it is also a kind of
> > DRTM not static RTM.
> >
> > Anyway, with this mechanism, you can put your code after OS boots up. But
> > this will make measurement complex, since so many things are in the memory.
> > (I think this is what you want). Of course, that is also a kind of DRTM.
> >
> > You have to say both are all DRTM. How to implement, it is up to you:)
> >
> > Shane
> >
> > Lil Evil wrote:
> > > Hi Shane,
> > >
> > > Well, with late launch I meant, the DRTM allows the platform to
> > > perform a measured launch at any time. For instance, I have performed
> > > my normal unmeasured boot process and now I decided to start my MLE.
> > >
> > > I was looking for a PoC or similar projects which already worked on
> > > s.th. like this.
> > > Obviously tboot would not be the right project name for it.
> > >
> > > I started working on it, but I suppose it is not necessary to
> > > reinvent the wheel.
> > > I think I saw s.b. posting on the mailing list about it already....
> > >
> > > thanks
> > > lIl
> > >
> > > -------- Original Message --------
> > >> Date: Tue, 18 Nov 2008 13:54:53 +0800
> > >> From: "Wang, Shane" <sha...@in...>
> > >> To: Lil Evil <Lil...@gm...>, "tbo...@li..."
> > >> <tbo...@li...>
> > >> Subject: Re: [tboot-devel] late launch
> > >
> > >> What do you mean of "late launch"?
> > >> I assume it should not be "post launch".
> > >>
> > >> Shane
> > >>
> > >> Lil Evil wrote:
> > >>> Hi,
> > >>>
> > >>> I was wondering what's the status and/or roadmap for late launch with
> > >>> tboot, as I was looking at getting some kind of late launch to
> > >>> work? I do believe some people on this mailing list are working on
> > >>> a late launch proof of concept? What's the status there?
> > >>>
> > >>> thanks
> > >>> lIl
> > >>
> > >> -------------------------------------------------------------------------
> > >> This SF.Net email is sponsored by the Moblin Your Move Developer's
> > >> challenge
> > >> Build the coolest Linux based applications with Moblin SDK & win
> > >> great prizes
> > >> Grand prize is a trip for two to an Open Source event anywhere in the
> > >> world
> > >> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> > >> _______________________________________________
> > >> tboot-devel mailing list
> > >> tbo...@li...
> > >> https://lists.sourceforge.net/lists/listinfo/tboot-devel
From: Lil E. <Lil...@gm...> - 2008-11-19 11:21:32
Well, but I don't care what else is running as long as my hypervisor (call it MLE or whatever you want) is measured.
We only need assurance of a trusted hypervisor, the code running previously can be untrusted as long as it is sufficiently isolated from the rest.

lIl

-------- Original Message --------
> Date: Wed, 19 Nov 2008 09:17:20 +0800
> From: "Wang, Shane" <sha...@in...>
> To: Lil Evil <Lil...@gm...>
> Subject: RE: [tboot-devel] late launch
>
> Oh, but tboot targets at DRTM originally.
> The machine runs at unmeasured environment first and calls getsec[senter]
> to enter SINIT and measure untrusted tboot so as to build the root of
> trust.
> The only difference I can figure out is that tboot is close to the machine
> reset.
> Our method is simple since it is enough for SINIT to measure tboot only,
> since only tboot is in the memory. Simple as it is, it is also a kind of
> DRTM not static RTM.
>
> Anyway, with this mechanism, you can put your code after OS boots up. But
> this will make measurement complex, since so many things are in the memory.
> (I think this is what you want). Of course, that is also a kind of DRTM.
>
> You have to say both are all DRTM. How to implement, it is up to you:)
>
> Shane
>
> Lil Evil wrote:
> > Hi Shane,
> >
> > Well, with late launch I meant, the DRTM allows the platform to
> > perform a measured launch at any time. For instance, I have performed
> > my normal unmeasured boot process and now I decided to start my MLE.
> >
> > I was looking for a PoC or similar projects which already worked on
> > s.th. like this.
> > Obviously tboot would not be the right project name for it.
> >
> > I started working on it, but I suppose it is not necessary to
> > reinvent the wheel.
> > I think I saw s.b. posting on the mailing list about it already....
> >
> > thanks
> > lIl
> >
> > -------- Original Message --------
> >> Date: Tue, 18 Nov 2008 13:54:53 +0800
> >> From: "Wang, Shane" <sha...@in...>
> >> To: Lil Evil <Lil...@gm...>, "tbo...@li..."
> >> <tbo...@li...>
> >> Subject: Re: [tboot-devel] late launch
> >
> >> What do you mean of "late launch"?
> >> I assume it should not be "post launch".
> >>
> >> Shane
> >>
> >> Lil Evil wrote:
> >>> Hi,
> >>>
> >>> I was wondering what's the status and/or roadmap for late launch with
> >>> tboot, as I was looking at getting some kind of late launch to
> >>> work? I do believe some people on this mailing list are working on
> >>> a late launch proof of concept? What's the status there?
> >>>
> >>> thanks
> >>> lIl
From: Wang, S. <sha...@in...> - 2008-11-18 06:17:30
Yes, it is really a bug. Thanks.

Shane

________________________________
From: Ross Philipson [mailto:Ros...@ci...]
Sent: November 17, 2008 6:43
To: tbo...@li...
Subject: [tboot-devel] ARRAY_SIZE bug in tboot

I think I found a bug in the command line handling code in tboot. It is in the calls to cmdline_option_read() in lib.c. This function uses the ARRAY_SIZE macro within the loop but in this case it is being used with the cmdline_option_t *cmdline_option argument which is a pointer. The ARRAY_SIZE macro evaluates sizeof() on the pointer which is 4 in this case and the loop never runs. I wanted a sanity check on this but I think it is a problem. I checked the other places that ARRAY_SIZE is used and they seem OK.

I discovered this while working on changes to tboot logging. I can fix it in the patch I hope to send out early next week if that works.

Thanks
Ross

Ross Philipson
Senior Software Engineer
Citrix Systems, Inc
14 Crosby Drive
Bedford, MA 01730
781-301-7949
ros...@ci...
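The pitfall Ross reports, as an added example that is not tboot's own code: ARRAY_SIZE applied to a pointer parameter, next to a lookup that takes the element count from the caller, plus a GCC/Clang compile-time guard that rejects a pointer argument outright. The cmdline_option_t layout, the option table and the two lookup functions are hypothetical stand-ins for the code in lib.c, not copies of it.

```c
/* Added example, not tboot's code: the ARRAY_SIZE-on-a-pointer bug and a
 * guarded form. The option table and lookups are hypothetical stand-ins. */
#include <stddef.h>
#include <string.h>

typedef struct {
    const char *name;     /* option name, e.g. "loglvl" */
    const char *def_val;  /* default when the option is absent */
} cmdline_option_t;

/* Naive macro: sizeof(a) is the array's byte size only while `a` is really
 * an array; a pointer parameter has decayed, so sizeof(a) is sizeof(void *). */
#define ARRAY_SIZE_NAIVE(a) (sizeof(a) / sizeof((a)[0]))

/* Guard (GCC/Clang): &(a)[0] has the same type as `a` only if `a` is a
 * pointer; the char array then gets a negative bound and the build fails.
 * For a real array it evaluates to 0, so the count is unchanged. */
#define MUST_BE_ARRAY(a)                                                  \
    ((int)sizeof(char[1 - 2 * __builtin_types_compatible_p(               \
                         __typeof__(a), __typeof__(&(a)[0]))]) - 1)
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]) + MUST_BE_ARRAY(a))

/* Constructed option table in the spirit of tboot's command line options. */
static const cmdline_option_t g_options[] = {
    { "loglvl",  "all"    },
    { "logging", "serial" },
    { "serial",  "115200" },
};

/* Buggy lookup: `options` is a pointer here, so ARRAY_SIZE_NAIVE gives
 * sizeof(pointer) / sizeof(cmdline_option_t), which is 0 on both 32- and
 * 64-bit targets, and the loop body never runs. */
const char *lookup_buggy(const cmdline_option_t *options, const char *name)
{
    for (size_t i = 0; i < ARRAY_SIZE_NAIVE(options); i++)
        if (strcmp(options[i].name, name) == 0)
            return options[i].def_val;
    return NULL;
}

/* Fixed lookup: the element count is passed in explicitly, computed by the
 * caller while the table is still an array (ARRAY_SIZE with the guard). */
const char *lookup_fixed(const cmdline_option_t *options, size_t count,
                         const char *name)
{
    for (size_t i = 0; i < count; i++)
        if (strcmp(options[i].name, name) == 0)
            return options[i].def_val;
    return NULL;
}

const char *default_for(const char *name)
{
    return lookup_fixed(g_options, ARRAY_SIZE(g_options), name);
}
```

Replacing `lookup_fixed(g_options, ...)` with `ARRAY_SIZE(options)` inside a function that receives a pointer fails to compile, which is the check the naive macro lacks.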