Some answers:
1. I don't know how new your tboot is, but in earlier versions it sent output to the serial port by default, so you need a remote console (defaults to COM1 115200 8n1). In newer versions there are a number of choices for startup logging that are outlined in the file docs/tboot-info.txt, including configurable serial logging and VGA logging.
2. My guess is that you had to modify the patch to get it to apply, but your steps are correct. The "make install" should put tboot.gz in the right place, and yes, then you add it to grub.conf.
Thanks
Ross
-----Original Message-----
From: Wu Zhou [mailto:woo...@gm...]
Sent: Wednesday, January 21, 2009 10:03 AM
To: tbo...@li...
Subject: Re: [tboot-devel] Problems on tpmnv_defindex
Hello all,
I had a DELL OPTIPLEX 755, and encountered the same question as
described in this thread. I am very happy to see that this thread
provides a workaround.
But because I am very new to tboot, I am not sure if I got it right
and made it correct. Here are some of my questions:
1. How to verify tboot is correctly running? My /etc/grub.conf looks like this:
title Xen-3.3.1 with tBoot
root (hd0,1)
kernel /boot/tboot.gz
module /boot/xen-3.3.1.gz
module /boot/vmlinuz-2.6.18.8-xen root=/dev/sda2
module /boot/initrd-2.6.18.8-xen.img
module /boot/Q35_SINIT_17.BIN
The first few seconds pass by very quickly. I didn't notice any TBOOT
message as below. But the startup is okay.
2. About the workaround process:
> - define the owner index
> - create vl.pol
> - compile with make embed=path_to_vl.pol
> - install tboot
> - create lcp
> - write lcp in owner index
After the above process, I should reboot the system, and try to find
TBOOT messages on the console, right?
And "install tboot" simply means cp tboot.gz to the /boot directory, and
add the following into grub.conf?
title Xen-3.3.1 with tBoot
root (hd0,1)
kernel /boot/tboot.gz
module /boot/xen-3.3.1.gz
module /boot/vmlinuz-2.6.18.8-xen root=/dev/sda2
module /boot/initrd-2.6.18.8-xen.img
module /boot/Q35_SINIT_17.BIN
Thanks,
Wu
> Hello,
>
> I have applied your patch on the tboot.hg.
> The patch works well (I had to manually apply the patch for only one line).
>
> And it seems to work:
> ....
> TBOOT: verifying module "/boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3"...
> TBOOT: \0x09 OK
> TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
> TBOOT: TPM error code index not present in embedded policy mode.
> TBOOT: verifying module "/boot/initrd.img-2.6.28-rc5"...
> TBOOT: \0x09 OK
> TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
> TBOOT: TPM error code index not present in embedded policy mode.
> TBOOT: all modules are verified
> ......
>
> I will study the error due to the attempt to write to an undefined index.
>
> The steps for using your patch:
>
> - define the owner index
> - create vl.pol
> - compile with make embed=path_to_vl.pol
> - install tboot
> - create lcp
> - write lcp in owner index
>
>
> The drawback is that the tboot.gz can be used for only one entry, and if the policy changes, you should compile tboot....
>
> Thanks a lot for your patch
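
Added example, not part of the original thread or of the tboot project: one way to check a captured serial-console log for the TBOOT messages discussed above, reporting which modules were verified and which TPM NV writes returned a non-zero code. The function name `summarize` and the sample capture (built from the lines quoted in the thread) are constructed for illustration, and the parser assumes the log format is exactly as quoted.

```python
import re

# Constructed sample: the TBOOT lines quoted in the thread, as a serial capture.
SAMPLE_LOG = r'''
TBOOT: verifying module "/boot/vmlinuz-2.6.28-rc5 root=/dev/sda2 ro console=ttyS0,115200 3"...
TBOOT: \0x09 OK
TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
TBOOT: TPM error code index not present in embedded policy mode.
TBOOT: verifying module "/boot/initrd.img-2.6.28-rc5"...
TBOOT: \0x09 OK
TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
TBOOT: TPM error code index not present in embedded policy mode.
TBOOT: all modules are verified
'''

VERIFY = re.compile(r'^TBOOT: verifying module "(.*)"\.\.\.$')
NV_WRITE = re.compile(r'^TBOOT: TPM: write nv ([0-9a-fA-F]+),.*return = ([0-9a-fA-F]+)$')


def summarize(log):
    """Summarize the TBOOT lines of a captured console log (hypothetical helper)."""
    result = {"tboot_lines": 0, "modules": [], "nv_errors": [], "all_verified": False}
    pending = None  # module whose result line is expected next
    for line in (raw.strip() for raw in log.splitlines()):
        if not line.startswith("TBOOT:"):
            continue  # other boot output
        result["tboot_lines"] += 1
        match = VERIFY.match(line)
        if match:
            # Record the module path only; drop the kernel command line.
            pending = {"path": match.group(1).split()[0], "ok": False}
            result["modules"].append(pending)
            continue
        # Assumption: the result is the TBOOT line right after "verifying module".
        if pending is not None and line.endswith(" OK"):
            pending["ok"] = True
        pending = None
        match = NV_WRITE.match(line)
        if match and int(match.group(2), 16) != 0:
            result["nv_errors"].append((match.group(1), match.group(2)))
        elif line == "TBOOT: all modules are verified":
            result["all_verified"] = True
    return result


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A capture with `tboot_lines` equal to 0 means no TBOOT output reached that console at all, which is the case the first question in the thread describes.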