Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230
Tpm2.0 with Tboot?
Tpm2.0 with Tboot?
Trying to figure out how to install Tpm 2.0 and use Intel Txt. I am not sure how to get this working i am guessing need to make keys any good docs?
-
- Emeritus
- Posts: 2435
- Joined: 2010-12-07 19:55
- Has thanked: 14 times
- Been thanked: 54 times
Re: Tpm2.0 with Tboot?
I read that article it really dont explain how to make keys.
In Gentoo i did the following: Debian most likely different
In Gentoo i did the following: Debian most likely different
Code: Select all
lcp2_mlehash --create --alg sha256 --cmdline "logging=serial,memory,vga" /boot/tboot.gz > mle_hash
lcp2_crtpolelt --create --type mle2 --minver 17 --alg sha256 --out mle.elt mle_hash
# optional PCONF2 element
lcp2_crtpolelt --create --type pconf2 --alg sha256 --pcr0 $(< /sys/class/tpm/tpm0/pcr-sha256/0) --out pcr.elt
# create VErified Launch policy (assuming current kernel is the desired one)
tb_polgen --create --alg sha1 --type continue vl.pol
tb_polgen --add --num 0 --pcr 19 --hash image --cmdline "$(</proc/cmdline) intel_iommu=on noefi" --image "/boot/vmlinuz-$(uname -r)" vl.pol
tb_polgen --add --num 1 --pcr 20 --hash image --image "/boot/initramfs-$(uname -r).img" vl.pol
lcp2_crtpolelt --create --type custom --out vl.elt --uuid tboot vl.pol
# If your PC is recent, listver is probably 0x300
lcp2_crtpollist --create --listver 0x300 --out list_unsig.lst mle.elt pcr.elt vl.elt
# You only need to the next block once. Ntoe TPM 2.0 supports EC keys as well (not shown)
openssl genpkey -out tboot.priv -algorithm rsa
openssl rsa -in tboot.priv -pubout -out tboot.pub
# Sign the list
cp list_unsig.lst list_sig.lst
lcp2_crtpollist --sign --sigalg rsapss --hashalg sha256 --pub tboot.pub --priv tboot.priv --out list_sig.lst
# generate the file we need. Ypu POLVER may vary.
lcp2_crtpol --create --alg sha256 --polver 3.2 --type list --pol list.pol --data list.data list_sig.lst
# You only need to define and write the policy once
tpm2_nvdefine -s $(( 38 + 32 )) -a 'ownerwrite|policywrite|authread|no_da' 0x1c10106
tpm2_nvwrite -i list.pol 0x1c10106
sudp cp list.data /boot
Re: Tpm2.0 with Tboot?
In debian there is no pcr-sha256 directory under /sys/class/tpm/tpm0 as I get an error
-
- Debian Developer
- Posts: 442
- Joined: 2022-07-12 14:10
- Has thanked: 1 time
- Been thanked: 87 times
Re: Tpm2.0 with Tboot?
It seems the "pcr-sha256" directory was added in Linux commit https://github.com/torvalds/linux/commit/aab73d9524026 that is part of Linux 5.12.
I think you can get the same effect with the following somewhat ugly piece of shell scripting:
I'm packaging tboot for Debian so I'm curious where you got these commands, are they from some Gentoo wiki page? Do also note that for many use cases it might be ok to just use the built-in default policy of tboot.
I think you can get the same effect with the following somewhat ugly piece of shell scripting:
Code: Select all
lcp2_crtpolelt --create --type pconf2 --alg sha256 --pcr0 $(tpm2_pcrread | grep -A1 ^sha256: | grep "^ 0 : 0x" | cut -d x -f2-) --out pcr.elt
Re: Tpm2.0 with Tboot?
What is the built-in default policy of tboot? Can't seem to find it on their sourceforge
Re: Tpm2.0 with Tboot?
Do you also add module2 /boot/list.data to your grub entry?tmcca wrote: ↑2022-03-31 20:05 I read that article it really dont explain how to make keys.
In Gentoo i did the following: Debian most likely different
Code: Select all
lcp2_mlehash --create --alg sha256 --cmdline "logging=serial,memory,vga" /boot/tboot.gz > mle_hash lcp2_crtpolelt --create --type mle2 --minver 17 --alg sha256 --out mle.elt mle_hash # optional PCONF2 element lcp2_crtpolelt --create --type pconf2 --alg sha256 --pcr0 $(< /sys/class/tpm/tpm0/pcr-sha256/0) --out pcr.elt # create VErified Launch policy (assuming current kernel is the desired one) tb_polgen --create --alg sha1 --type continue vl.pol tb_polgen --add --num 0 --pcr 19 --hash image --cmdline "$(</proc/cmdline) intel_iommu=on noefi" --image "/boot/vmlinuz-$(uname -r)" vl.pol tb_polgen --add --num 1 --pcr 20 --hash image --image "/boot/initramfs-$(uname -r).img" vl.pol lcp2_crtpolelt --create --type custom --out vl.elt --uuid tboot vl.pol # If your PC is recent, listver is probably 0x300 lcp2_crtpollist --create --listver 0x300 --out list_unsig.lst mle.elt pcr.elt vl.elt # You only need to the next block once. Ntoe TPM 2.0 supports EC keys as well (not shown) openssl genpkey -out tboot.priv -algorithm rsa openssl rsa -in tboot.priv -pubout -out tboot.pub # Sign the list cp list_unsig.lst list_sig.lst lcp2_crtpollist --sign --sigalg rsapss --hashalg sha256 --pub tboot.pub --priv tboot.priv --out list_sig.lst # generate the file we need. Ypu POLVER may vary. lcp2_crtpol --create --alg sha256 --polver 3.2 --type list --pol list.pol --data list.data list_sig.lst # You only need to define and write the policy once tpm2_nvdefine -s $(( 38 + 32 )) -a 'ownerwrite|policywrite|authread|no_da' 0x1c10106 tpm2_nvwrite -i list.pol 0x1c10106 sudp cp list.data /boot
-
- Debian Developer
- Posts: 442
- Joined: 2022-07-12 14:10
- Has thanked: 1 time
- Been thanked: 87 times
Re: Tpm2.0 with Tboot?
For TPM 2.0 the default policy is at https://sourceforge.net/p/tboot/code/ci ... icy.c#l139
Re: Tpm2.0 with Tboot?
I'm wondering why not since in the documentationhttps://sourceforge.net/p/tboot/code/ci ... icy_v2.txt it says to do it (is it due to the documentation being really old and outdated?)
I'm attempting to do have a verified launch policy for initramfs/kernel that would halt on error/change (similar but not exactly what is shown above), do I need to add the .data to the grub entry or no?
Thanks for the previous answers
I'm attempting to do have a verified launch policy for initramfs/kernel that would halt on error/change (similar but not exactly what is shown above), do I need to add the .data to the grub entry or no?
Thanks for the previous answers
-
- Debian Developer
- Posts: 442
- Joined: 2022-07-12 14:10
- Has thanked: 1 time
- Been thanked: 87 times
Re: Tpm2.0 with Tboot?
In my use case it is totally fine if the system continues to run even if the kernel or initramfs has been changed. The important part is that their measurements have changed and it is not possible to access data sealed to those original PCR values.
Re: Tpm2.0 with Tboot?
That would also work for my use case, I've managed to do a VLP but it doesn't use the index specified in the docs. Can't seem to find the index for the LCP.
Also how is the hash for the kernel and initramfs done? The hash of the vmlinuz and initrd isn't necessarily the same shown in the PCRs afterwards (nor in the policy)
Re: Tpm2.0 with Tboot?
To futher add to this: I'm working with a PowerEdge R730 with the latest BIOS which should have ACM version 3.1.5 and a TPM2.0 so as far as I know the nv index for the PO LCP should be 0x1C1_0106 but whenever I place anything in that index I get a problem booting ("An issue is observed in the previous invocation of TXT SINIT Authenticated Code Module (ACM) because the TXT information stored in the TPM chip may be corrupted"). The problem is weird since nothing changed and I can verify the policy list with --show --verbose and it comes out as fine (even if I read it from the nv index afterwards)
-
- Debian Developer
- Posts: 442
- Joined: 2022-07-12 14:10
- Has thanked: 1 time
- Been thanked: 87 times
Re: Tpm2.0 with Tboot?
Good observation. The PCR values are extended by combining the previous value with the new value using a hash function. I have scripts for TPM 1.2 for this but not TPM 2.0. It would be good to have reliable tools for this. You can find discussion on calculating these for example at https://twobit.org/2013/05/05/calculating-pcr17/ and https://twobit.org/2013/06/15/calculati ... and-pcr19/
-
- Debian Developer
- Posts: 442
- Joined: 2022-07-12 14:10
- Has thanked: 1 time
- Been thanked: 87 times
Re: Tpm2.0 with Tboot?
You might want to report this to the tboot-devel mailing list.debianpwr wrote: ↑2022-10-04 16:42To futher add to this: I'm working with a PowerEdge R730 with the latest BIOS which should have ACM version 3.1.5 and a TPM2.0 so as far as I know the nv index for the PO LCP should be 0x1C1_0106 but whenever I place anything in that index I get a problem booting ("An issue is observed in the previous invocation of TXT SINIT Authenticated Code Module (ACM) because the TXT information stored in the TPM chip may be corrupted"). The problem is weird since nothing changed and I can verify the policy list with --show --verbose and it comes out as fine (even if I read it from the nv index afterwards)
Re: Tpm2.0 with Tboot?
Will do for sure
You might want to report this to the tboot-devel mailing list.
Re: Tpm2.0 with Tboot?
Thanks for these blog posts no way I would have found them. The normal behaviour of PCRs was clear to me this combination of what they call the mle+module wasn't well explained in the lackluster docs.lindi wrote: ↑2022-10-05 04:50Good observation. The PCR values are extended by combining the previous value with the new value using a hash function. I have scripts for TPM 1.2 for this but not TPM 2.0. It would be good to have reliable tools for this. You can find discussion on calculating these for example at https://twobit.org/2013/05/05/calculating-pcr17/ and https://twobit.org/2013/06/15/calculati ... and-pcr19/