Tpm2.0 with Tboot?

tmcca
Posts: 5
Joined: 2022-03-31 19:16

Tpm2.0 with Tboot?

#1 Post by tmcca »

Trying to figure out how to install TPM 2.0 and use Intel TXT. I am not sure how to get this working; I am guessing I need to make keys. Any good docs?


tmcca
Posts: 5
Joined: 2022-03-31 19:16

Re: Tpm2.0 with Tboot?

#3 Post by tmcca »

I read that article; it really doesn't explain how to make keys.

In Gentoo I did the following (Debian is most likely different):

lcp2_mlehash --create --alg sha256 --cmdline "logging=serial,memory,vga" /boot/tboot.gz > mle_hash
lcp2_crtpolelt --create --type mle2 --minver 17 --alg sha256 --out mle.elt mle_hash
# optional PCONF2 element
lcp2_crtpolelt --create --type pconf2 --alg sha256 --pcr0 $(< /sys/class/tpm/tpm0/pcr-sha256/0) --out pcr.elt
# create Verified Launch policy (assuming current kernel is the desired one)
tb_polgen --create --alg sha1 --type continue vl.pol
tb_polgen --add --num 0 --pcr 19 --hash image --cmdline "$(</proc/cmdline) intel_iommu=on noefi" --image "/boot/vmlinuz-$(uname -r)" vl.pol
tb_polgen --add --num 1 --pcr 20 --hash image --image "/boot/initramfs-$(uname -r).img" vl.pol
lcp2_crtpolelt --create --type custom --out vl.elt --uuid tboot vl.pol
# If your PC is recent, listver is probably 0x300
lcp2_crtpollist --create --listver 0x300 --out list_unsig.lst mle.elt pcr.elt vl.elt
# You only need to run the next block once. Note TPM 2.0 supports EC keys as well (not shown)
openssl genpkey -out tboot.priv -algorithm rsa
openssl rsa -in tboot.priv -pubout -out tboot.pub
# Sign the list
cp list_unsig.lst list_sig.lst
lcp2_crtpollist --sign --sigalg rsapss --hashalg sha256 --pub tboot.pub --priv tboot.priv --out list_sig.lst
# generate the file we need. Your POLVER may vary.
lcp2_crtpol --create --alg sha256 --polver 3.2 --type list --pol list.pol --data list.data list_sig.lst
# You only need to define and write the policy once
tpm2_nvdefine -s $(( 38 + 32 )) -a 'ownerwrite|policywrite|authread|no_da' 0x1c10106
tpm2_nvwrite -i list.pol 0x1c10106
sudo cp list.data /boot

tmcca
Posts: 5
Joined: 2022-03-31 19:16

Re: Tpm2.0 with Tboot?

#4 Post by tmcca »

In Debian there is no pcr-sha256 directory under /sys/class/tpm/tpm0, as I get an error.

lindi
Debian Developer
Posts: 412
Joined: 2022-07-12 14:10
Has thanked: 1 time
Been thanked: 77 times

Re: Tpm2.0 with Tboot?

#5 Post by lindi »

It seems the "pcr-sha256" directory was added in Linux commit https://github.com/torvalds/linux/commit/aab73d9524026 that is part of Linux 5.12.

I think you can get the same effect with the following somewhat ugly piece of shell scripting:

lcp2_crtpolelt --create --type pconf2 --alg sha256 --pcr0 $(tpm2_pcrread | grep -A1 ^sha256: | grep "^  0 : 0x" | cut -d x -f2-)  --out pcr.elt

I'm packaging tboot for Debian, so I'm curious where you got these commands; are they from some Gentoo wiki page? Do also note that for many use cases it might be ok to just use the built-in default policy of tboot.

debianpwr
Posts: 26
Joined: 2014-11-21 13:38
Has thanked: 2 times

Re: Tpm2.0 with Tboot?

#6 Post by debianpwr »

lindi wrote: 2022-07-12 14:24 I'm packaging tboot for Debian, so I'm curious where you got these commands; are they from some Gentoo wiki page? Do also note that for many use cases it might be ok to just use the built-in default policy of tboot.

What is the built-in default policy of tboot? Can't seem to find it on their sourceforge.

debianpwr
Posts: 26
Joined: 2014-11-21 13:38
Has thanked: 2 times

Re: Tpm2.0 with Tboot?

#7 Post by debianpwr »

tmcca wrote: 2022-03-31 20:05 I read that article; it really doesn't explain how to make keys.

In Gentoo I did the following (Debian is most likely different):

lcp2_mlehash --create --alg sha256 --cmdline "logging=serial,memory,vga" /boot/tboot.gz > mle_hash
lcp2_crtpolelt --create --type mle2 --minver 17 --alg sha256 --out mle.elt mle_hash
# optional PCONF2 element
lcp2_crtpolelt --create --type pconf2 --alg sha256 --pcr0 $(< /sys/class/tpm/tpm0/pcr-sha256/0) --out pcr.elt
# create Verified Launch policy (assuming current kernel is the desired one)
tb_polgen --create --alg sha1 --type continue vl.pol
tb_polgen --add --num 0 --pcr 19 --hash image --cmdline "$(</proc/cmdline) intel_iommu=on noefi" --image "/boot/vmlinuz-$(uname -r)" vl.pol
tb_polgen --add --num 1 --pcr 20 --hash image --image "/boot/initramfs-$(uname -r).img" vl.pol
lcp2_crtpolelt --create --type custom --out vl.elt --uuid tboot vl.pol
# If your PC is recent, listver is probably 0x300
lcp2_crtpollist --create --listver 0x300 --out list_unsig.lst mle.elt pcr.elt vl.elt
# You only need to run the next block once. Note TPM 2.0 supports EC keys as well (not shown)
openssl genpkey -out tboot.priv -algorithm rsa
openssl rsa -in tboot.priv -pubout -out tboot.pub
# Sign the list
cp list_unsig.lst list_sig.lst
lcp2_crtpollist --sign --sigalg rsapss --hashalg sha256 --pub tboot.pub --priv tboot.priv --out list_sig.lst
# generate the file we need. Your POLVER may vary.
lcp2_crtpol --create --alg sha256 --polver 3.2 --type list --pol list.pol --data list.data list_sig.lst
# You only need to define and write the policy once
tpm2_nvdefine -s $(( 38 + 32 )) -a 'ownerwrite|policywrite|authread|no_da' 0x1c10106
tpm2_nvwrite -i list.pol 0x1c10106
sudo cp list.data /boot

Do you also add module2 /boot/list.data to your grub entry?

lindi
Debian Developer
Posts: 412
Joined: 2022-07-12 14:10
Has thanked: 1 time
Been thanked: 77 times

Re: Tpm2.0 with Tboot?

#8 Post by lindi »

debianpwr wrote: 2022-09-30 14:56 What is the built-in default policy of tboot? Can't seem to find it on their sourceforge
For TPM 2.0 the default policy is at https://sourceforge.net/p/tboot/code/ci ... icy.c#l139

lindi
Debian Developer
Posts: 412
Joined: 2022-07-12 14:10
Has thanked: 1 time
Been thanked: 77 times

Re: Tpm2.0 with Tboot?

#9 Post by lindi »

debianpwr wrote: 2022-09-30 17:20 Do you also add module2 /boot/list.data to your grub entry?
No I don't.

debianpwr
Posts: 26
Joined: 2014-11-21 13:38
Has thanked: 2 times

Re: Tpm2.0 with Tboot?

#10 Post by debianpwr »

I'm wondering why not, since in the documentation https://sourceforge.net/p/tboot/code/ci ... icy_v2.txt it says to do it (is it due to the documentation being really old and outdated?)

I'm attempting to have a verified launch policy for initramfs/kernel that would halt on error/change (similar to, but not exactly, what is shown above). Do I need to add the .data to the grub entry or not?

Thanks for the previous answers :)

lindi
Debian Developer
Posts: 412
Joined: 2022-07-12 14:10
Has thanked: 1 time
Been thanked: 77 times

Re: Tpm2.0 with Tboot?

#11 Post by lindi »

In my use case it is totally fine if the system continues to run even if the kernel or initramfs has been changed. The important part is that their measurements have changed and it is not possible to access data sealed to those original PCR values.

debianpwr
Posts: 26
Joined: 2014-11-21 13:38
Has thanked: 2 times

Re: Tpm2.0 with Tboot?

#12 Post by debianpwr »

lindi wrote: 2022-10-03 18:29 In my use case it is totally fine if the system continues to run even if the kernel or initramfs has been changed. The important part is that their measurements have changed and it is not possible to access data sealed to those original PCR values.
That would also work for my use case. I've managed to do a VLP, but it doesn't use the index specified in the docs. Can't seem to find the index for the LCP.
Also, how is the hash for the kernel and initramfs done? The hash of the vmlinuz and initrd isn't necessarily the same as shown in the PCRs afterwards (nor in the policy).

debianpwr
Posts: 26
Joined: 2014-11-21 13:38
Has thanked: 2 times

Re: Tpm2.0 with Tboot?

#13 Post by debianpwr »

debianpwr wrote: 2022-10-04 13:26 That would also work for my use case, I've managed to do a VLP but it doesn't use the index specified in the docs. Can't seem to find the index for the LCP.
To further add to this: I'm working with a PowerEdge R730 with the latest BIOS, which should have ACM version 3.1.5 and a TPM 2.0, so as far as I know the nv index for the PO LCP should be 0x1C1_0106, but whenever I place anything in that index I get a problem booting ("An issue is observed in the previous invocation of TXT SINIT Authenticated Code Module (ACM) because the TXT information stored in the TPM chip may be corrupted"). The problem is weird since nothing changed, and I can verify the policy list with --show --verbose and it comes out as fine (even if I read it from the nv index afterwards).

lindi
Debian Developer
Posts: 412
Joined: 2022-07-12 14:10
Has thanked: 1 time
Been thanked: 77 times

Re: Tpm2.0 with Tboot?

#14 Post by lindi »

debianpwr wrote: 2022-10-04 13:26 Also how is the hash for the kernel and initramfs done? The hash of the vmlinuz and initrd isn't necessarily the same shown in the PCRs afterwards (nor in the policy)
Good observation. The PCR values are extended by combining the previous value with the new value using a hash function. I have scripts for TPM 1.2 for this but not TPM 2.0. It would be good to have reliable tools for this. You can find discussion on calculating these for example at https://twobit.org/2013/05/05/calculating-pcr17/ and https://twobit.org/2013/06/15/calculati ... and-pcr19/
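The extend rule lindi describes, worked through for the TPM 2.0 SHA-256 bank as an added example (not lindi's TPM 1.2 scripts and not tboot's own code): it replays an ordered list of digests into a reset PCR, parses the tpm2_pcrread line shape that the grep pipeline earlier in the thread relies on, and checks whether an observed PCR 19 equals the replay. The kernel bytes and the pcrread excerpt are constructed, and it assumes tboot extended exactly one digest into a freshly reset PCR 19, which is a simplification of what tboot actually measures.

```python
import hashlib

# SHA-256 bank: a PCR is 32 bytes and the DRTM PCRs (17-22) are reset to all
# zeros by the TXT launch, so even one measurement ends up hashed together
# with that zero value instead of landing in the PCR verbatim.
PCR_INIT = bytes(32)

def pcr_extend(pcr, digest):
    """One TPM2_PCR_Extend on the SHA-256 bank: new = SHA256(old || digest)."""
    if len(pcr) != 32 or len(digest) != 32:
        raise ValueError("SHA-256 bank expects 32-byte PCR and digest values")
    return hashlib.sha256(pcr + digest).digest()

def replay_pcr(digests, init=PCR_INIT):
    """Replay an ordered list of digests the way the TPM did; returns the final PCR."""
    pcr = init
    for d in digests:
        pcr = pcr_extend(pcr, d)
    return pcr

def parse_pcrread_sha256(text):
    """Parse the 'sha256:' section of tpm2_pcrread output into {index: 32-byte value}.
    Expects the line shape the grep pipeline above relies on: 'sha256:' then '  19: 0x...'."""
    pcrs, in_bank = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(":") and ":" not in s[:-1]:   # bank header such as 'sha1:' / 'sha256:'
            in_bank = (s == "sha256:")
            continue
        if in_bank and ":" in s:
            idx, val = s.split(":", 1)
            val = val.strip()
            pcrs[int(idx)] = bytes.fromhex(val[2:] if val.startswith("0x") else val)
    return pcrs

def pcr_matches(pcrread_text, index, digests):
    """True when the observed PCR equals the replay of the digest list (what a VL policy needs)."""
    return parse_pcrread_sha256(pcrread_text).get(index) == replay_pcr(digests)

# Constructed sample data (not from a real machine): a fake kernel image and a
# tpm2_pcrread excerpt whose PCR 19 holds that one digest extended into a reset PCR.
KERNEL_IMAGE = b"constructed vmlinuz bytes, not a real kernel"
KERNEL_DIGEST = hashlib.sha256(KERNEL_IMAGE).digest()
EXPECTED_PCR19 = replay_pcr([KERNEL_DIGEST])
SAMPLE_PCRREAD = ("sha1:\n  19: 0x" + "11" * 20 + "\nsha256:\n  0 : 0x" + "00" * 32
                  + "\n  19: 0x" + EXPECTED_PCR19.hex() + "\n")
```

KERNEL_DIGEST.hex() and EXPECTED_PCR19.hex() differ even though only one thing was measured, which is the mismatch debianpwr observed; a real check replays every digest tboot extended, in order, not just the kernel's.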

lindi
Debian Developer
Posts: 412
Joined: 2022-07-12 14:10
Has thanked: 1 time
Been thanked: 77 times

Re: Tpm2.0 with Tboot?

#15 Post by lindi »

debianpwr wrote: 2022-10-04 16:42
debianpwr wrote: 2022-10-04 13:26 That would also work for my use case, I've managed to do a VLP but it doesn't use the index specified in the docs. Can't seem to find the index for the LCP.
To further add to this: I'm working with a PowerEdge R730 with the latest BIOS, which should have ACM version 3.1.5 and a TPM 2.0, so as far as I know the nv index for the PO LCP should be 0x1C1_0106, but whenever I place anything in that index I get a problem booting ("An issue is observed in the previous invocation of TXT SINIT Authenticated Code Module (ACM) because the TXT information stored in the TPM chip may be corrupted"). The problem is weird since nothing changed, and I can verify the policy list with --show --verbose and it comes out as fine (even if I read it from the nv index afterwards).
You might want to report this to the tboot-devel mailing list.

debianpwr
Posts: 26
Joined: 2014-11-21 13:38
Has thanked: 2 times

Re: Tpm2.0 with Tboot?

#16 Post by debianpwr »

You might want to report this to the tboot-devel mailing list.

Will do for sure :)

debianpwr
Posts: 26
Joined: 2014-11-21 13:38
Has thanked: 2 times

Re: Tpm2.0 with Tboot?

#17 Post by debianpwr »

lindi wrote: 2022-10-05 04:50
debianpwr wrote: 2022-10-04 13:26 Also how is the hash for the kernel and initramfs done? The hash of the vmlinuz and initrd isn't necessarily the same shown in the PCRs afterwards (nor in the policy)
Good observation. The PCR values are extended by combining the previous value with the new value using a hash function. I have scripts for TPM 1.2 for this but not TPM 2.0. It would be good to have reliable tools for this. You can find discussion on calculating these for example at https://twobit.org/2013/05/05/calculating-pcr17/ and https://twobit.org/2013/06/15/calculati ... and-pcr19/
Thanks for these blog posts, no way I would have found them. The normal behaviour of PCRs was clear to me; this combination of what they call the mle+module wasn't well explained in the lackluster docs.
