Charles Bushong | 25 Mar 16:51 2013
Picon

verifying module against policy failed

Hi all,

I'm trying to get tboot up and running for my first time, and this list has been a great help.  However it seems I'm running into some problems when actually validating the modules.  I was hoping someone might have some insight as to what I'm doing wrong.  I'm using tboot 1.7.3 and legacy grub if it makes a difference.

I get ownership and define the nvram indicies without much issue (finally).  Then I create and write the v1 policy with this:

tb_polgen --create --type nonfatal vl_ver1.pol
tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "logging=vga,serial,memory loglvl=all" --image /boot/tboot.gz vl_ver1.pol
tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "$kernel_cmdline" --image /boot/vmlinuz-2.6.32-279.5.1.el6.x86_64 vl_ver1.pol
tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image /boot/initramfs-2.6.32-279.5.1.el6.x86_64.img vl_ver1.pol
lcp_writepol -i 0x20000001 -f vl_ver1.pol -p $TPM_PASS

There are a few red flags that are sticking out to me.

1) Does this post-GETSEC[SENTER] error code mean anything?
TBOOT: TXT.ERRORCODE: 0xc0000001
TBOOT: AC module error : acm_type=0x1, progress=0x00, error=0x0

2) Modules failing.
TBOOT: verifying module "
/vmlinuz-2.6.32-279.5.1.el6.x86_64 (kernel command line)"...
TBOOT:   verification failed
TBOOT: verifying module against policy failed.
TBOOT: verifying module "
/initramfs-2.6.32-279.5.1.el6.x86_64.img"...
TBOOT:   verification failed
TBOOT: verifying module against policy failed.
TBOOT: all modules are verified

I can't figure out why it's reading the policy without issue, getting into GETSEC[SENTER], and then still failing the policy check.  Any help or points in the right direction would be appreciated.  Thanks!

-Charles
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Jan Beulich | 11 Mar 10:48 2013

[PATCH] Xen/ACPI: support sleep state entering on hardware reduced systems

In version 3.4 acpi_os_prepare_sleep() got introduced in parallel with
reduced hardware sleep support, and the two changes didn't get
synchronized: The new code doesn't call the hook function (if so
requested). Fix this, requiring a boolean parameter to be added to the
hook function to distinguish "extended" from "legacy" sleep.

This requires adjusting TXT, but the adjustments only go as far as
failing the extended mode call (since, looking at the TXT interface,
there doesn't even appear to be precautions to deal with that
alternative interface).

Signed-off-by: Jan Beulich <jbeulich <at> suse.com>
Cc: Richard L Maliszewski <richard.l.maliszewski <at> intel.com>
Cc: Gang Wei <gang.wei <at> intel.com>
Cc: Shane Wang <shane.wang <at> intel.com>

---
 arch/x86/kernel/tboot.c          |    6 +++++-
 drivers/acpi/acpica/hwesleep.c   |    8 ++++++++
 drivers/acpi/acpica/hwsleep.c    |    2 +-
 drivers/acpi/osl.c               |   16 ++++++++--------
 drivers/xen/acpi.c               |   26 +++++++++++++-------------
 include/linux/acpi.h             |   10 +++++-----
 include/xen/acpi.h               |    4 ++--
 include/xen/interface/platform.h |    7 ++++---
 8 files changed, 46 insertions(+), 33 deletions(-)

--- 3.9-rc2/arch/x86/kernel/tboot.c
+++ 3.9-rc2-xen-ACPI-v5-sleep/arch/x86/kernel/tboot.c
 <at>  <at>  -273,7 +273,8  <at>  <at>  static void tboot_copy_fadt(const struct
 		offsetof(struct acpi_table_facs, firmware_waking_vector);
 }

-static int tboot_sleep(u8 sleep_state, u32 pm1a_control, u32 pm1b_control)
+static int tboot_sleep(u8 sleep_state, u32 pm1a_control, u32 pm1b_control,
+		       bool extended)
 {
 	static u32 acpi_shutdown_map[ACPI_S_STATE_COUNT] = {
 		/* S0,1,2: */ -1, -1, -1,
 <at>  <at>  -284,6 +285,9  <at>  <at>  static int tboot_sleep(u8 sleep_state, u
 	if (!tboot_enabled())
 		return 0;

+	if (extended)
+		return -1;
+
 	tboot_copy_fadt(&acpi_gbl_FADT);
 	tboot->acpi_sinfo.pm1a_cnt_val = pm1a_control;
 	tboot->acpi_sinfo.pm1b_cnt_val = pm1b_control;
--- 3.9-rc2/drivers/acpi/acpica/hwesleep.c
+++ 3.9-rc2-xen-ACPI-v5-sleep/drivers/acpi/acpica/hwesleep.c
 <at>  <at>  -43,6 +43,7  <at>  <at> 
  */

 #include <acpi/acpi.h>
+#include <linux/acpi.h>
 #include "accommon.h"

 #define _COMPONENT          ACPI_HARDWARE
 <at>  <at>  -128,6 +129,13  <at>  <at>  acpi_status acpi_hw_extended_sleep(u8 sl

 	ACPI_FLUSH_CPU_CACHE();

+	status = acpi_os_prepare_sleep(sleep_state, acpi_gbl_sleep_type_a,
+				       acpi_gbl_sleep_type_b, true);
+	if (ACPI_SKIP(status))
+		return_ACPI_STATUS(AE_OK);
+	if (ACPI_FAILURE(status))
+		return_ACPI_STATUS(status);
+
 	/*
 	 * Set the SLP_TYP and SLP_EN bits.
 	 *
--- 3.9-rc2/drivers/acpi/acpica/hwsleep.c
+++ 3.9-rc2-xen-ACPI-v5-sleep/drivers/acpi/acpica/hwsleep.c
 <at>  <at>  -153,7 +153,7  <at>  <at>  acpi_status acpi_hw_legacy_sleep(u8 slee
 	ACPI_FLUSH_CPU_CACHE();

 	status = acpi_os_prepare_sleep(sleep_state, pm1a_control,
-				       pm1b_control);
+				       pm1b_control, false);
 	if (ACPI_SKIP(status))
 		return_ACPI_STATUS(AE_OK);
 	if (ACPI_FAILURE(status))
--- 3.9-rc2/drivers/acpi/osl.c
+++ 3.9-rc2-xen-ACPI-v5-sleep/drivers/acpi/osl.c
 <at>  <at>  -77,8 +77,8  <at>  <at>  EXPORT_SYMBOL(acpi_in_debugger);
 extern char line_buf[80];
 #endif				/*ENABLE_DEBUGGER */

-static int (*__acpi_os_prepare_sleep)(u8 sleep_state, u32 pm1a_ctrl,
-				      u32 pm1b_ctrl);
+static int (*__acpi_os_prepare_sleep)(u8 sleep_state, u32 val_a, u32 val_b,
+				      bool extended);

 static acpi_osd_handler acpi_irq_handler;
 static void *acpi_irq_context;
 <at>  <at>  -1757,13 +1757,13  <at>  <at>  acpi_status acpi_os_terminate(void)
 	return AE_OK;
 }

-acpi_status acpi_os_prepare_sleep(u8 sleep_state, u32 pm1a_control,
-				  u32 pm1b_control)
+acpi_status acpi_os_prepare_sleep(u8 sleep_state, u32 val_a, u32 val_b,
+				  bool extended)
 {
 	int rc = 0;
 	if (__acpi_os_prepare_sleep)
-		rc = __acpi_os_prepare_sleep(sleep_state,
-					     pm1a_control, pm1b_control);
+		rc = __acpi_os_prepare_sleep(sleep_state, val_a, val_b,
+					     extended);
 	if (rc < 0)
 		return AE_ERROR;
 	else if (rc > 0)
 <at>  <at>  -1772,8 +1772,8  <at>  <at>  acpi_status acpi_os_prepare_sleep(u8 sle
 	return AE_OK;
 }

-void acpi_os_set_prepare_sleep(int (*func)(u8 sleep_state,
-			       u32 pm1a_ctrl, u32 pm1b_ctrl))
+void acpi_os_set_prepare_sleep(int (*func)(u8 sleep_state, u32 val_a,
+					   u32 val_b, bool extended))
 {
 	__acpi_os_prepare_sleep = func;
 }
--- 3.9-rc2/drivers/xen/acpi.c
+++ 3.9-rc2-xen-ACPI-v5-sleep/drivers/xen/acpi.c
 <at>  <at>  -35,27 +35,27  <at>  <at> 
 #include <asm/xen/hypercall.h>
 #include <asm/xen/hypervisor.h>

-int xen_acpi_notify_hypervisor_state(u8 sleep_state,
-				     u32 pm1a_cnt, u32 pm1b_cnt)
+int xen_acpi_notify_hypervisor_state(u8 sleep_state, u32 val_a, u32 val_b,
+				     bool extended)
 {
+	unsigned int bits = extended ? 8 : 16;
+
 	struct xen_platform_op op = {
 		.cmd = XENPF_enter_acpi_sleep,
 		.interface_version = XENPF_INTERFACE_VERSION,
-		.u = {
-			.enter_acpi_sleep = {
-				.pm1a_cnt_val = (u16)pm1a_cnt,
-				.pm1b_cnt_val = (u16)pm1b_cnt,
-				.sleep_state = sleep_state,
-			},
+		.u.enter_acpi_sleep = {
+			.val_a = (u16)val_a,
+			.val_b = (u16)val_b,
+			.sleep_state = sleep_state,
+			.flags = extended ? XENPF_ACPI_SLEEP_EXTENDED : 0,
 		},
 	};

-	if ((pm1a_cnt & 0xffff0000) || (pm1b_cnt & 0xffff0000)) {
-		WARN(1, "Using more than 16bits of PM1A/B 0x%x/0x%x!"
-		     "Email xen-devel <at> lists.xensource.com  Thank you.\n", \
-		     pm1a_cnt, pm1b_cnt);
+	if (WARN((val_a & (~0 << bits)) || (val_b & (~0 << bits)),
+		 "Using more than %u bits of sleep control values %#x/%#x!"
+		 "Email xen-devel <at> lists.xen.org - Thank you.\n", \
+		 bits, val_a, val_b))
 		return -1;
-	}

 	HYPERVISOR_dom0_op(&op);
 	return 1;
--- 3.9-rc2/include/linux/acpi.h
+++ 3.9-rc2-xen-ACPI-v5-sleep/include/linux/acpi.h
 <at>  <at>  -486,11 +486,11  <at>  <at>  static inline bool acpi_driver_match_dev
 #endif	/* !CONFIG_ACPI */

 #ifdef CONFIG_ACPI
-void acpi_os_set_prepare_sleep(int (*func)(u8 sleep_state,
-			       u32 pm1a_ctrl,  u32 pm1b_ctrl));
+void acpi_os_set_prepare_sleep(int (*func)(u8 sleep_state, u32 val_a,
+					   u32 val_b, bool extended));

-acpi_status acpi_os_prepare_sleep(u8 sleep_state,
-				  u32 pm1a_control, u32 pm1b_control);
+acpi_status acpi_os_prepare_sleep(u8 sleep_state, u32 val_a, u32 val_b,
+				  bool extended);
 #ifdef CONFIG_X86
 void arch_reserve_mem_area(acpi_physical_address addr, size_t size);
 #else
 <at>  <at>  -500,7 +500,7  <at>  <at>  static inline void arch_reserve_mem_area
 }
 #endif /* CONFIG_X86 */
 #else
-#define acpi_os_set_prepare_sleep(func, pm1a_ctrl, pm1b_ctrl) do { } while (0)
+#define acpi_os_set_prepare_sleep(func, val_a, val_b, ext) do { } while (0)
 #endif

 #if defined(CONFIG_ACPI) && defined(CONFIG_PM_RUNTIME)
--- 3.9-rc2/include/xen/acpi.h
+++ 3.9-rc2-xen-ACPI-v5-sleep/include/xen/acpi.h
 <at>  <at>  -75,8 +75,8  <at>  <at>  static inline int xen_acpi_get_pxm(acpi_
 	return -ENXIO;
 }

-int xen_acpi_notify_hypervisor_state(u8 sleep_state,
-				     u32 pm1a_cnt, u32 pm1b_cnd);
+int xen_acpi_notify_hypervisor_state(u8 sleep_state, u32 val_a, u32 val_b,
+				     bool extended);

 static inline void xen_acpi_sleep_register(void)
 {
--- 3.9-rc2/include/xen/interface/platform.h
+++ 3.9-rc2-xen-ACPI-v5-sleep/include/xen/interface/platform.h
 <at>  <at>  -152,10 +152,11  <at>  <at>  DEFINE_GUEST_HANDLE_STRUCT(xenpf_firmwar
 #define XENPF_enter_acpi_sleep    51
 struct xenpf_enter_acpi_sleep {
 	/* IN variables */
-	uint16_t pm1a_cnt_val;      /* PM1a control value. */
-	uint16_t pm1b_cnt_val;      /* PM1b control value. */
+	uint16_t val_a;             /* PM1a control / sleep type A. */
+	uint16_t val_b;             /* PM1b control / sleep type B. */
 	uint32_t sleep_state;       /* Which state to enter (Sn). */
-	uint32_t flags;             /* Must be zero. */
+#define XENPF_ACPI_SLEEP_EXTENDED 0x00000001
+	uint32_t flags;             /* XENPF_ACPI_SLEEP_*. */
 };
 DEFINE_GUEST_HANDLE_STRUCT(xenpf_enter_acpi_sleep_t);

Xen/ACPI: support sleep state entering on hardware reduced systems

In version 3.4 acpi_os_prepare_sleep() got introduced in parallel with
reduced hardware sleep support, and the two changes didn't get
synchronized: The new code doesn't call the hook function (if so
requested). Fix this, requiring a boolean parameter to be added to the
hook function to distinguish "extended" from "legacy" sleep.

This requires adjusting TXT, but the adjustments only go as far as
failing the extended mode call (since, looking at the TXT interface,
there doesn't even appear to be precautions to deal with that
alternative interface).

Signed-off-by: Jan Beulich <jbeulich <at> suse.com>
Cc: Richard L Maliszewski <richard.l.maliszewski <at> intel.com>
Cc: Gang Wei <gang.wei <at> intel.com>
Cc: Shane Wang <shane.wang <at> intel.com>

---
 arch/x86/kernel/tboot.c          |    6 +++++-
 drivers/acpi/acpica/hwesleep.c   |    8 ++++++++
 drivers/acpi/acpica/hwsleep.c    |    2 +-
 drivers/acpi/osl.c               |   16 ++++++++--------
 drivers/xen/acpi.c               |   26 +++++++++++++-------------
 include/linux/acpi.h             |   10 +++++-----
 include/xen/acpi.h               |    4 ++--
 include/xen/interface/platform.h |    7 ++++---
 8 files changed, 46 insertions(+), 33 deletions(-)

--- 3.9-rc2/arch/x86/kernel/tboot.c
+++ 3.9-rc2-xen-ACPI-v5-sleep/arch/x86/kernel/tboot.c
 <at>  <at>  -273,7 +273,8  <at>  <at>  static void tboot_copy_fadt(const struct
 		offsetof(struct acpi_table_facs, firmware_waking_vector);
 }

-static int tboot_sleep(u8 sleep_state, u32 pm1a_control, u32 pm1b_control)
+static int tboot_sleep(u8 sleep_state, u32 pm1a_control, u32 pm1b_control,
+		       bool extended)
 {
 	static u32 acpi_shutdown_map[ACPI_S_STATE_COUNT] = {
 		/* S0,1,2: */ -1, -1, -1,
 <at>  <at>  -284,6 +285,9  <at>  <at>  static int tboot_sleep(u8 sleep_state, u
 	if (!tboot_enabled())
 		return 0;

+	if (extended)
+		return -1;
+
 	tboot_copy_fadt(&acpi_gbl_FADT);
 	tboot->acpi_sinfo.pm1a_cnt_val = pm1a_control;
 	tboot->acpi_sinfo.pm1b_cnt_val = pm1b_control;
--- 3.9-rc2/drivers/acpi/acpica/hwesleep.c
+++ 3.9-rc2-xen-ACPI-v5-sleep/drivers/acpi/acpica/hwesleep.c
 <at>  <at>  -43,6 +43,7  <at>  <at> 
  */

 #include <acpi/acpi.h>
+#include <linux/acpi.h>
 #include "accommon.h"

 #define _COMPONENT          ACPI_HARDWARE
 <at>  <at>  -128,6 +129,13  <at>  <at>  acpi_status acpi_hw_extended_sleep(u8 sl

 	ACPI_FLUSH_CPU_CACHE();

+	status = acpi_os_prepare_sleep(sleep_state, acpi_gbl_sleep_type_a,
+				       acpi_gbl_sleep_type_b, true);
+	if (ACPI_SKIP(status))
+		return_ACPI_STATUS(AE_OK);
+	if (ACPI_FAILURE(status))
+		return_ACPI_STATUS(status);
+
 	/*
 	 * Set the SLP_TYP and SLP_EN bits.
 	 *
--- 3.9-rc2/drivers/acpi/acpica/hwsleep.c
+++ 3.9-rc2-xen-ACPI-v5-sleep/drivers/acpi/acpica/hwsleep.c
 <at>  <at>  -153,7 +153,7  <at>  <at>  acpi_status acpi_hw_legacy_sleep(u8 slee
 	ACPI_FLUSH_CPU_CACHE();

 	status = acpi_os_prepare_sleep(sleep_state, pm1a_control,
-				       pm1b_control);
+				       pm1b_control, false);
 	if (ACPI_SKIP(status))
 		return_ACPI_STATUS(AE_OK);
 	if (ACPI_FAILURE(status))
--- 3.9-rc2/drivers/acpi/osl.c
+++ 3.9-rc2-xen-ACPI-v5-sleep/drivers/acpi/osl.c
 <at>  <at>  -77,8 +77,8  <at>  <at>  EXPORT_SYMBOL(acpi_in_debugger);
 extern char line_buf[80];
 #endif				/*ENABLE_DEBUGGER */

-static int (*__acpi_os_prepare_sleep)(u8 sleep_state, u32 pm1a_ctrl,
-				      u32 pm1b_ctrl);
+static int (*__acpi_os_prepare_sleep)(u8 sleep_state, u32 val_a, u32 val_b,
+				      bool extended);

 static acpi_osd_handler acpi_irq_handler;
 static void *acpi_irq_context;
 <at>  <at>  -1757,13 +1757,13  <at>  <at>  acpi_status acpi_os_terminate(void)
 	return AE_OK;
 }

-acpi_status acpi_os_prepare_sleep(u8 sleep_state, u32 pm1a_control,
-				  u32 pm1b_control)
+acpi_status acpi_os_prepare_sleep(u8 sleep_state, u32 val_a, u32 val_b,
+				  bool extended)
 {
 	int rc = 0;
 	if (__acpi_os_prepare_sleep)
-		rc = __acpi_os_prepare_sleep(sleep_state,
-					     pm1a_control, pm1b_control);
+		rc = __acpi_os_prepare_sleep(sleep_state, val_a, val_b,
+					     extended);
 	if (rc < 0)
 		return AE_ERROR;
 	else if (rc > 0)
 <at>  <at>  -1772,8 +1772,8  <at>  <at>  acpi_status acpi_os_prepare_sleep(u8 sle
 	return AE_OK;
 }

-void acpi_os_set_prepare_sleep(int (*func)(u8 sleep_state,
-			       u32 pm1a_ctrl, u32 pm1b_ctrl))
+void acpi_os_set_prepare_sleep(int (*func)(u8 sleep_state, u32 val_a,
+					   u32 val_b, bool extended))
 {
 	__acpi_os_prepare_sleep = func;
 }
--- 3.9-rc2/drivers/xen/acpi.c
+++ 3.9-rc2-xen-ACPI-v5-sleep/drivers/xen/acpi.c
 <at>  <at>  -35,27 +35,27  <at>  <at> 
 #include <asm/xen/hypercall.h>
 #include <asm/xen/hypervisor.h>

-int xen_acpi_notify_hypervisor_state(u8 sleep_state,
-				     u32 pm1a_cnt, u32 pm1b_cnt)
+int xen_acpi_notify_hypervisor_state(u8 sleep_state, u32 val_a, u32 val_b,
+				     bool extended)
 {
+	unsigned int bits = extended ? 8 : 16;
+
 	struct xen_platform_op op = {
 		.cmd = XENPF_enter_acpi_sleep,
 		.interface_version = XENPF_INTERFACE_VERSION,
-		.u = {
-			.enter_acpi_sleep = {
-				.pm1a_cnt_val = (u16)pm1a_cnt,
-				.pm1b_cnt_val = (u16)pm1b_cnt,
-				.sleep_state = sleep_state,
-			},
+		.u.enter_acpi_sleep = {
+			.val_a = (u16)val_a,
+			.val_b = (u16)val_b,
+			.sleep_state = sleep_state,
+			.flags = extended ? XENPF_ACPI_SLEEP_EXTENDED : 0,
 		},
 	};

-	if ((pm1a_cnt & 0xffff0000) || (pm1b_cnt & 0xffff0000)) {
-		WARN(1, "Using more than 16bits of PM1A/B 0x%x/0x%x!"
-		     "Email xen-devel <at> lists.xensource.com  Thank you.\n", \
-		     pm1a_cnt, pm1b_cnt);
+	if (WARN((val_a & (~0 << bits)) || (val_b & (~0 << bits)),
+		 "Using more than %u bits of sleep control values %#x/%#x!"
+		 "Email xen-devel <at> lists.xen.org - Thank you.\n", \
+		 bits, val_a, val_b))
 		return -1;
-	}

 	HYPERVISOR_dom0_op(&op);
 	return 1;
--- 3.9-rc2/include/linux/acpi.h
+++ 3.9-rc2-xen-ACPI-v5-sleep/include/linux/acpi.h
 <at>  <at>  -486,11 +486,11  <at>  <at>  static inline bool acpi_driver_match_dev
 #endif	/* !CONFIG_ACPI */

 #ifdef CONFIG_ACPI
-void acpi_os_set_prepare_sleep(int (*func)(u8 sleep_state,
-			       u32 pm1a_ctrl,  u32 pm1b_ctrl));
+void acpi_os_set_prepare_sleep(int (*func)(u8 sleep_state, u32 val_a,
+					   u32 val_b, bool extended));

-acpi_status acpi_os_prepare_sleep(u8 sleep_state,
-				  u32 pm1a_control, u32 pm1b_control);
+acpi_status acpi_os_prepare_sleep(u8 sleep_state, u32 val_a, u32 val_b,
+				  bool extended);
 #ifdef CONFIG_X86
 void arch_reserve_mem_area(acpi_physical_address addr, size_t size);
 #else
 <at>  <at>  -500,7 +500,7  <at>  <at>  static inline void arch_reserve_mem_area
 }
 #endif /* CONFIG_X86 */
 #else
-#define acpi_os_set_prepare_sleep(func, pm1a_ctrl, pm1b_ctrl) do { } while (0)
+#define acpi_os_set_prepare_sleep(func, val_a, val_b, ext) do { } while (0)
 #endif

 #if defined(CONFIG_ACPI) && defined(CONFIG_PM_RUNTIME)
--- 3.9-rc2/include/xen/acpi.h
+++ 3.9-rc2-xen-ACPI-v5-sleep/include/xen/acpi.h
 <at>  <at>  -75,8 +75,8  <at>  <at>  static inline int xen_acpi_get_pxm(acpi_
 	return -ENXIO;
 }

-int xen_acpi_notify_hypervisor_state(u8 sleep_state,
-				     u32 pm1a_cnt, u32 pm1b_cnd);
+int xen_acpi_notify_hypervisor_state(u8 sleep_state, u32 val_a, u32 val_b,
+				     bool extended);

 static inline void xen_acpi_sleep_register(void)
 {
--- 3.9-rc2/include/xen/interface/platform.h
+++ 3.9-rc2-xen-ACPI-v5-sleep/include/xen/interface/platform.h
 <at>  <at>  -152,10 +152,11  <at>  <at>  DEFINE_GUEST_HANDLE_STRUCT(xenpf_firmwar
 #define XENPF_enter_acpi_sleep    51
 struct xenpf_enter_acpi_sleep {
 	/* IN variables */
-	uint16_t pm1a_cnt_val;      /* PM1a control value. */
-	uint16_t pm1b_cnt_val;      /* PM1b control value. */
+	uint16_t val_a;             /* PM1a control / sleep type A. */
+	uint16_t val_b;             /* PM1b control / sleep type B. */
 	uint32_t sleep_state;       /* Which state to enter (Sn). */
-	uint32_t flags;             /* Must be zero. */
+#define XENPF_ACPI_SLEEP_EXTENDED 0x00000001
+	uint32_t flags;             /* XENPF_ACPI_SLEEP_*. */
 };
 DEFINE_GUEST_HANDLE_STRUCT(xenpf_enter_acpi_sleep_t);

Jay Schwichtenberg | 4 Mar 19:52 2013
Picon

tboot setup with Ubuntu Server 12.10 and 20_linux_tboot

Hello,

Don't know if this is a Ubuntu thing or tboot but need to start tracking it down somewhere.

I'm trying to get tboot working with Ubuntu Server 12.10 on a dual Xeon Intel server and have not been having
any success. I've read the documents lcptools2 and policy_v2 and those make sense and I can generate a
list.data file. But there is no grub.conf or menu.lst file to work with.

With Ubuntu 12.10 Server they now use a file called boot.cfg that was generated by grub-mkconfig from
scripts in /etc/grub.d. One of these scripts is 20_linux_tboot which generates the tboot section in the
boot.cfg file. I can see that with the procedures in the documents that you'd still need to generate
something that has the private and public keys and also setup the NV indexes. But a lot of the other
information seems to be generated by the 20_linux_tboot script.

Is there any information on how to setup tboot using this 20_linux_boot boot script and the way they're
using grub?

I don't have a serial cable for this thing yet (takes a RJ45 to serial cable) so I don't have a tboot log. Should
have that done by the end of the day.

Thanks in advance.
Jay S.

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
Charles.Fisher | 26 Feb 22:39 2013

Haswell SINIT ACM

Hi,

 

Does anyone have an idea of when the SINIT modules for the new Haswell processors will be release?

 

Thanks

 

Charles

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
LE DISEZ Erwan | 15 Feb 11:45 2013

Boot a not relocatable Linux kernel with Tboot

Hello,

I'am trying to boot a Linux kernel (v 2.3.32) compiled as not 
relocatable. The kernel works fine and can be loaded directly from GRUB2 
for example.

When booting using GRUB2+TBOOT I use the following 'simple' 
configuration :
   menuentry "LINUX via TBOOT" {
           set root=(hd0,1)
           multiboot /tboot.gz /tboot.gz logging=vga,memory,serial
           module /lnx /lnx
           module /2nd_gen_i5_i7_SINIT_51.BIN
   }

When loading TBOOT, the last traces just before jumping to Linux are :
   TBOOT: Error: ELF magic number is not matched.
   TBOOT: assuming kernel is Linux format
   TBOOT: kernel type is Linux
   TBOOT: Initrd from 0x7fc39000 to 0x7ffffeb0
   TBOOT: kernel is not relocatable
   TBOOT: load protected-mode part
   TBOOT: Kernel (protected mode) from 0x100000 to 0x4c3ab0
   TBOOT: load real-mode part
   TBOOT: Kernel (real mode) from 0x90000 to 0x93400
   TBOOT: Entry point initialized = 0xf1dbf443

For a not relocated kernel all seems good no ?
   Protected base is 0x100000 (it is a bzImage)
   Read mode base is 0x90000

The jump occurs to  hdr->code32_start =  <at> 0xf1dbf443.

Just after the system reset.

So I have a few questions :
- Have you already tested with a not relocatable Linux kernel ?
- It is normal to jump to 0xf1dbf443, why not the real mode part ?

Thanks !
Best regards

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
Sahil Rihan | 31 Jan 19:56 2013

Re: PCR 17 computation (SinitMleData.Version 8)

I'm using the value from SinitMleData.SinitHash directly. I'm assuming that this is the value of PCR 17 after the first extend based on the following: 

"If the SINIT To MLE Data Table (section C.4) version is 7 or greater, the hash of the SINIT ACM is performed using SHA-256, otherwise it uses 
SHA-1. If a SHA-256 hash was used, the SinitMleData.SinitHash field will contain the value of PCR 17 after the initial extend operation (see below for more details)."

Also, just to be clarify, the SHA-256 is only used for hashing SINIT, the rest of the hashes are performed using SHA-1. Is that correct?


On Thu, Jan 31, 2013 at 10:49 AM, Jonathan McCune <jonmccune <at> gmail.com> wrote:
In MLE dev guide sec 1.9.1: "If the SINIT To MLE Data Table (section
C.4) version is 7 or greater, the hash of the SINIT ACM is performed
using SHA-256, otherwise it uses SHA-1."

Are you using SHA-2 where appropriate?

-Jon


On Thu, Jan 31, 2013 at 10:41 AM, Sahil Rihan <sahil <at> privatecore.com> wrote:
> Hi Jimmy,
>
> Thanks for your quick response. I double checked the data lengths and they
> seem to be correct. I'm copying the Python code I'm using below.
>
> I was able to use a slightly modified version of the function below to
> validate the PCR 17 computed by Jonathan McCune's Perl script
> (http://sourceforge.net/mailarchive/message.php?msg_id=23257129), so I'm
> reasonably confident the basic code (unhexlify, update, etc.) is correct.
>
> Thanks,
> Sahil
>
>
> def computePcr17():
> #    all_zeroes_ascii = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00"
>
>     bios_acm_id_ascii = "80 00 00 00 20 12 05 09 00 00 1d 00 ff ff ff ff ff
> ff ff ff"
> #    edx_senter_flags_ascii = "00 00 00 00"
>     mseg_valid_ascii = "00 00 00 00 00 00 00 00"
>
>     sinit_hash_ascii = "7e e6 40 51 b4 2b 49 18 4f fe 41 6d 60 09 46 3e e2
> 84 3d 04"
>     mle_hash_ascii = "d0 29 d7 7e 2f 4f 32 4b a2 d4 23 53 db 06 79 b5 13 d8
> 33 34"
>     stm_hash_ascii = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00"
>     lcp_policy_hash_ascii = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00"
>
>     lcp_policy_control_ascii = "00 00 00 00"
>     os_sinit_capabilities_ascii = "00 00 00 00"
>     scrtm_status_ascii = "00 00 00 01"
>
> #    all_zeroes_hex = binascii.unhexlify(all_zeroes_ascii.replace(' ', ''))
>     sinit_hash_hex = binascii.unhexlify(sinit_hash_ascii.replace(' ', ''))
> #    edx_senter_flags_hex =
> binascii.unhexlify(edx_senter_flags_ascii.replace(' ', ''))
>
>     bios_acm_id_hex = binascii.unhexlify(bios_acm_id_ascii.replace(' ', ''))
>     mseg_valid_hex = binascii.unhexlify(mseg_valid_ascii.replace(' ', ''))
>     stm_hash_hex = binascii.unhexlify(stm_hash_ascii.replace(' ', ''))
>     lcp_policy_control_hex =
> binascii.unhexlify(lcp_policy_control_ascii.replace(' ', ''))
>     lcp_policy_hash_hex = binascii.unhexlify(lcp_policy_hash_ascii.replace('
> ', ''))
>     os_sinit_capabilities_hex =
> binascii.unhexlify(os_sinit_capabilities_ascii.replace(' ', ''))
>     scrtm_status_hex = binascii.unhexlify(scrtm_status_ascii.replace(' ',
> ''))
>
>     sha1_pcr17_second = hashlib.sha1()
>     sha1_pcr17_second.update(bios_acm_id_hex)
>     sha1_pcr17_second.update(mseg_valid_hex)
>     sha1_pcr17_second.update(stm_hash_hex)
>     sha1_pcr17_second.update(lcp_policy_control_hex)
>     sha1_pcr17_second.update(lcp_policy_hash_hex)
>     sha1_pcr17_second.update(os_sinit_capabilities_hex)
>     sha1_pcr17_second.update(scrtm_status_hex)
>
>     pcr17 = hashlib.sha1()
>     pcr17.update(sinit_hash_hex)
>     pcr17.update(sha1_pcr17_second.digest())
>
>     print "sha1_pcr17_second: " + sha1_pcr17_second.hexdigest()
>     print "final pcr17: " + pcr17.hexdigest()
>
>
> This is the output from tboot that I'm using to initialize the variables in
> the function:
>
> TBOOT: sinit_mle_data ( <at> 0xcf7311b8, 0x224):
> TBOOT:  version: 8
> TBOOT:  bios_acm_id:  80 00 00 00 20 12 05 09 00 00 1d 00 ff ff ff ff ff ff
> ff ff
> TBOOT:  edx_senter_flags: 0x00000000
> TBOOT:  mseg_valid: 0x0
> TBOOT:  sinit_hash: 7e e6 40 51 b4 2b 49 18 4f fe 41 6d 60 09 46 3e e2 84 3d
> 04
> TBOOT:  mle_hash: d0 29 d7 7e 2f 4f 32 4b a2 d4 23 53 db 06 79 b5 13 d8 33
> 34
> TBOOT:  stm_hash: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00
> TBOOT:  lcp_policy_hash: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00
> TBOOT:  lcp_policy_control: 0x00000000
> TBOOT:  rlp_wakeup_addr: 0xcf701220
> TBOOT:  num_mdrs: 7
> TBOOT:  mdrs_off: 0x9c
> TBOOT:  num_vtd_dmars: 224
> TBOOT:  vtd_dmars_off: 0x144
> TBOOT:  sinit_mdrs:
> TBOOT:  0000000000000000 - 00000000000a0000 (GOOD)
> TBOOT:  0000000000100000 - 0000000001000000 (GOOD)
> TBOOT:  0000000001000000 - 00000000cf800000 (GOOD)
> TBOOT:  0000000100000000 - 0000000430000000 (GOOD)
> TBOOT:  0000000000000000 - 0000000000000000 (GOOD)
> TBOOT:  00000000cf800000 - 00000000d0000000 (SMRAM NON-OVERLAY)
> TBOOT:  00000000e0000000 - 00000000e4000000 (PCIE EXTENDED CONFIG)
> TBOOT:  proc_scrtm_status: 0x00000001
>
>
> I expect that it should match the value of PCR 17 after SENTER (and before
> it is extended by tboot):
>
> TBOOT: PCRs before extending:
> TBOOT:   PCR 17: a9 6f c9 dd 99 f7 5d 07 18 eb e5 3d 38 c7 eb 8f 14 9e 76 95
> TBOOT:   PCR 18: a4 1b b3 ef 12 f6 d6 65 58 60 b9 05 4d 72 6f f0 ca 78 21 54
> TBOOT:   PCR 19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>
>
> On Wed, Jan 30, 2013 at 5:54 PM, Wei, Gang <gang.wei <at> intel.com> wrote:
>>
>> Sahil Rihan wrote on 2013-01-31:
>> > Hi list,
>> >
>> > Like a few before me, I'm trying to calculate in software the value of
>> PCR17
>> > after SENTER. I'm taking the value of the first extend as a given (from
>> > SinitMleData.SinitHash) and am trying to reconstruct the value at the
>> > end
>> of
>> > the second extend.
>> >
>> > I took Jonathan McCune's Perl script as a starting point and was able to
>> > reproduce his result (which I'm assuming is for SinitMleData.Version 6,
>> given
>> > his computation of the first PCR17 extend in his Perl script) using a
>> Python
>> > script I wrote. I then modified my script to use the value from
>> > SinitMleData.SinitHash directly, since my understanding is that it
>> contains the
>> > value of PCR17 after the first extend for SinitMleData.Version 8).
>> >
>> > So my computation is now identical to the one in the MLE Developer's
>> Guide.
>> >
>> > SHA-1 ( SinitMleData.SinitHash  | SHA-1 ( SinitMleData.BiosAcm.ID |
>> > SinitMleData.MsegValid | SinitMleData.StmHash |
>> > SinitMleData.PolicyControl | SinitMleData.LcpPolicyHash |
>> > (OsSinitData.Capabilities, 0) | SinitMleData.ProcessorSCRTMStatus) )
>> >
>> > Unfortunately, I'm not able to get to the value for PCR 17 that tboot
>> dumps,
>> > before it performs its own extend to PCR17.
>> >
>> > If anyone has successfully computed PCR 17 or has thoughts on what I
>> > might
>> be
>> > doing wrong, I'd appreciate your input.
>>
>> Please make sure the data length you used for PCR17 value calculation is
>> right:
>>
>> SinitMleData.MsegValid     8bytes
>> SinitMleData.PolicyControl   4bytes
>> (OsSinitData.Capabilities, 0)  4bytes
>> SinitMleData.ProcessorSCRTMStatus 4bytes
>>
>> And (OsSinitData.Capabilities,0) means:
>>
>> if SinitMleData.PolicyControl.bit2 is 1, use value of
>> OsSinitData.Capabilities
>> if SinitMleData.PolicyControl.bit2 is 0, use a 4-byte 0s.
>>
>> Wish those will help.
>>
>> Jimmy
>
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_jan
> _______________________________________________
> tboot-devel mailing list
> tboot-devel <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tboot-devel
>

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Sahil Rihan | 31 Jan 01:31 2013

PCR 17 computation (SinitMleData.Version 8)

Hi list,

Like a few before me, I'm trying to calculate in software the value of PCR17 after SENTER. I'm taking the value of the first extend as a given (from SinitMleData.SinitHash) and am trying to reconstruct the value at the end of the second extend.

I took Jonathan McCune's Perl script as a starting point and was able to reproduce his result (which I'm assuming is for SinitMleData.Version 6, given his computation of the first PCR17 extend in his Perl script) using a Python script I wrote. I then modified my script to use the value from SinitMleData.SinitHash directly, since my understanding is that it contains the value of PCR17 after the first extend for SinitMleData.Version 8).

So my computation is now identical to the one in the MLE Developer's Guide.

SHA-1 ( SinitMleData.SinitHash  | SHA-1 ( SinitMleData.BiosAcm.ID
SinitMleData.MsegValid | SinitMleData.StmHash | SinitMleData.PolicyControl | 
SinitMleData.LcpPolicyHash | (OsSinitData.Capabilities, 0) | 
SinitMleData.ProcessorSCRTMStatus) )

Unfortunately, I'm not able to get to the value for PCR 17 that tboot dumps, before it performs its own extend to PCR17.

If anyone has successfully computed PCR 17 or has thoughts on what I might be doing wrong, I'd appreciate your input.

Thanks,
Sahil
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Wei, Gang | 28 Dec 08:04 2012
Picon

tboot 1.7.3 released

Source package tboot-1.7.3.tar.gz can be downloaded from sourceforge.net.
And since 1.7.3 the upstream repository was moved to:
http://hg.code.sf.net/p/tboot/code .

Major changes since 1.7.2 (20120929):

	Update README with updated code repository url.
	Fix grub2 scripts to be compatible with more distros.
	Update README for RACM launch support
	Add a new option "call_racm=true|false" for revocation acm(RACM)
launch
	Fix potential buffer overrun & memory leak in crtpconf.c
	Fix a potential buffer overrun in lcptools/lock.c
	Print cmdline in multi-lines
	Optional print TXT.ERRORCODE under level error or info
	Fix side effects of tboot log level macros in tools
	Update readme for the new detail log level
	Classify all logs into different log levels
	Add detail log level and the macros defined for log level
	Fix acmod_error_t type to correctly align all bits in 4bytes

Please help testing it, and enjoy it.

Jimmy
Attachment (smime.p7s): application/pkcs7-signature, 11 KiB
------------------------------------------------------------------------------
Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
much more. Get web development skills now with LearnDevNow -
350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
SALE $99.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122812
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Wei, Gang | 27 Dec 10:40 2012
Picon

OpenAttestation project v1.6 released

The major target of this release is to improve code quality based on v1.5,
some important fixes will be back ported into v1.5 branch.

https://github.com/OpenAttestation/OpenAttestation.git

Key Changes in v1.6:
	Enhanced Reference CLI Curl scripts for API access
	Auto testing scripts covered more than 100 test cases for both APIs
& Reference CLI Curl scripts

Fixed issues:
* API related:
 - The HOST API should be
https://${server}:8443/AttestationService/resources/hosts instead of
https://${server}:8443/AttestationService/resources/host. 
 - Enhancement for "MLE_SEARCH" API
 - "POLLHOST" API exception handling
 - Adding MLE successful when "attestation type" is null, it is wrong
 - In source code, MLE "version" string's length limit is not match with
database
 - When attestation type contains special characters, add MLE successful
 - Delete MLE successful which connected to host
 - PCR value should not be null
 - The result of pollhost is unknown due to configuration in "/etc/hosts"
 - The run time of pollhost one machine is more than pollhost 1000 machines,
is unreasonably
* DB related:
 - OpenAttestation hibernate db communication failure
 - The field did not check the capital or lower character (Won't Fix)
 - Cannot add CONSTRAINT into DB on SLES
* Build & installation:
 - The download_jar_packages.sh should be enhanced for proxy check and
invalid jar package check
 - There is NO PrivacyCA.cer or TrustStore.jks, installed oat-appraiser with
Partner Repository.
 - Uncleaned endorsement certificate and password data in
OATprovisioner.properties of ClientInstallForLinux.zip
 - Tomcat service must be stopped after uninstallation
 - Need to modify spec for jdk version to compatibility with different OS
platform
* Auto Test Scripts:
 - Use auto script to add PCR data failed

Enjoy it!

Jimmy
Attachment (smime.p7s): application/pkcs7-signature, 11 KiB
------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122712
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Wei, Gang | 25 Dec 07:06 2012
Picon

tboot project upgraded from classic sourceforge platform to the new Allura platform

As requested by SourceForge Community Manager, tboot just finished upgrade
from classic sourceforge platform to the new platform.

As the result of this upgrade, one major change is that the source code
repository URL got changed to:
	http://hg.code.sf.net/p/tboot/code

Please do a fresh checkout using the new repository location.

Jimmy
Attachment (smime.p7s): application/pkcs7-signature, 11 KiB
------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Charles.Fisher | 12 Dec 00:23 2012

Buffer overrun and memory leak problems.

All,

 

While doing a routine update of a security review of the tboot code, I found a couple of minor problems – two potential (but very unlikely) buffer overrun problems, and one minor memory leak – although the program is going to terminate almost immediately, so the memory comes back anyway.

 

At any rate, here is a patch to correct the problem.

 

Signed Off by: Charles Fisher charles.fisher <at> gdc4s.com

 

diff -up tboot-1.7.2/lcptools/crtpconf.c.orig tboot-1.7.2/lcptools/crtpconf.c

--- tboot-1.7.2/lcptools/crtpconf.c.orig  2012-12-11 13:16:12.239464000 -0700

+++ tboot-1.7.2/lcptools/crtpconf.c 2012-12-11 16:00:23.097982000 -0700

<at> <at> -109,14 +109,12 <at> <at> main(int argc, char *argv[])

     uint16_t i = 0;

     uint32_t index[MAX_INDEX] = {0};

     uint32_t idx_num = 0;

-    unsigned char *pcr_num[MAX_INDEX] = {NULL};

     FILE *p_file = NULL;

     unsigned char* srtm_data = NULL;

     uint32_t data_len = 0;

     TPM_LOCALITY_SELECTION local_sel;

     lcp_result_t ret_value = LCP_E_COMD_INTERNAL_ERR;

-    uint32_t temp = 0;

     /*

      * No parameter input will print out the help message.

<at> <at> -151,28 +149,13 <at> <at> main(int argc, char *argv[])

         ret_value = LCP_E_INVALID_PARAMETER;

         goto _error_end;

     }

-

-    for (i = 0; i < MAX_INDEX; i++) {

-        pcr_num[i] = (unsigned char *)malloc(10);

-        if ( pcr_num[i] == NULL ) {

-            ret_value = LCP_E_OUTOFMEMORY;

-            goto _error_end;

-        }

-    }

-    if ( str_split((char *)pcr_val, (char **)&pcr_num, &idx_num) < 0 ) {

-        ret_value = LCP_E_INVALID_PARAMETER;

-        goto _error_end;

-    }

+    idx_num = MAX_INDEX;

+    str_split((char *)pcr_val, index, &idx_num);

     for ( i = 0; i < idx_num; i++ ) {

-      if ( strtonum((char *)pcr_num[i], &temp) < 0 ) {

-            ret_value = LCP_E_INVALID_PARAMETER;

-            goto _error_end;

-        }

-        if ( temp > 23 ) {

+        if ( index[i] > 23 ) {

             ret_value = LCP_E_INVALID_PARAMETER;

             goto _error_end;

-        }

-        index[i] = temp;

+     }

     }

     local_sel = (TPM_LOCALITY_SELECTION)locality;

<at> <at> -200,8 +183,7 <at> <at> main(int argc, char *argv[])

             fclose(p_file);

         } else

             print_hexmsg("the PConf data is:\n", data_len, srtm_data);

-        if(srtm_data)

-            free(srtm_data);

+     free(srtm_data);

     } else

         goto _error_end;

<at> <at> -210,10 +192,10 <at> <at> _error_end:

     /*

      * Error when execute.

      */

-    for (i = 0; i < MAX_INDEX; i++)

-        free(pcr_num[i]);

-    free(srtm_data);

+    if (srtm_data)

+     free(srtm_data);

     log_error("\nCommand CrtPConf failed:\n");

     print_error(ret_value);

     return ret_value;

-}

+    }

+   

diff -up tboot-1.7.2/lcptools/lcputils.c.orig tboot-1.7.2/lcptools/lcputils.c

--- tboot-1.7.2/lcptools/lcputils.c.orig  2012-12-11 13:16:30.352217000 -0700

+++ tboot-1.7.2/lcptools/lcputils.c 2012-12-11 15:44:03.076312000 -0700

<at> <at> -217,42 +217,22 <at> <at> print_hexmsg(const char *header_msg, int

}

 /* split the input string in the format: num1,num2,...,numN

- * into the array = {num1, num2, ... , numN}

+ * into the numeric array = {num1, num2, ... , numN}

*/

-int

-str_split(const char *str_in, char **str_out, unsigned int *number)

+void

+str_split(char *str_in, uint32_t ints[], unsigned int *nr_ints)

{

-    char * temp;

-    int num = 0;

-    const char *sep = ",";

-    size_t str_length = 0;

-    char *string = (char *)malloc(strlen(str_in) + 1);

-

-    if ( string == NULL )

-        return -1;

-    if ( str_in == NULL || str_out == NULL || number == NULL ) {

-        free(string);

-        return -1;

-    }

-    strcpy(string, str_in);

-    temp =strtok(string, sep);

-    if ( temp != NULL && str_out[num] )

-        strcpy(str_out[num], temp);//strtok(string, sep));

-    while (str_out[num] != NULL) {

-        str_length += strlen(str_out[num]);

-        num++;

-        temp = strtok(NULL, sep);

-        if ( temp != NULL )

-            strcpy(str_out[num], temp);

-        else

-            str_out[num] = NULL;

+    unsigned int nr = 0;

+

+    while ( true ) {

+        char *str = strsep(&str_in, ",");

+        if ( str == NULL || nr == *nr_ints )

+            break;

+        ints[nr++] = strtoul(str, NULL, 0);

     }

-    free(string);

-    *number = num;

-    str_length += num - 1;

-    if ( str_length != strlen(str_in) )

-        return -1;

-    return 0;

+    if ( nr == *nr_ints )

+        log_error("Error: too many items in list\n");

+    *nr_ints = nr;

}

 uint16_t

diff -up tboot-1.7.2/lcptools/lcputils.h.orig tboot-1.7.2/lcptools/lcputils.h

--- tboot-1.7.2/lcptools/lcputils.h.orig  2012-12-11 15:20:08.106747000 -0700

+++ tboot-1.7.2/lcptools/lcputils.h 2012-12-11 15:42:34.009610000 -0700

<at> <at> -134,6 +134,6 <at> <at> calc_sizeofselect(uint32_t num_indices,

void print_locality(unsigned char loc);

void print_permissions(UINT32 perms, const char *prefix);

-int str_split(const char *str_in, char **str_out, unsigned int *number);

+void str_split(char *str_in, uint32_t ints[], unsigned int *number);

 #endif

diff -up tboot-1.7.2/lcptools/lock.c.orig tboot-1.7.2/lcptools/lock.c

--- tboot-1.7.2/lcptools/lock.c.orig      2012-12-11 14:57:02.784235000 -0700

+++ tboot-1.7.2/lcptools/lock.c     2012-12-11 15:15:43.532763000 -0700

<at> <at> -91,7 +91,8 <at> <at> parse_cmdline(int argc, const char * arg

int

main (int argc, char *argv[])

{

-    char confirm_lock[1024] = {0};

+    char confirm_lock[4] = {0};

+    char c;

     in_nv_definespace_t in_defspace;

     lcp_result_t ret_value = LCP_E_COMD_INTERNAL_ERR;

<at> <at> -119,12 +120,12 <at> <at> main (int argc, char *argv[])

          */

         do {

             log_info("Really want to lock TPM NV? (Y/N) ");

-            dummy = scanf("%s", confirm_lock);

+            dummy = scanf("%3s", confirm_lock);

             if ( dummy <= 0 )

                 return LCP_E_COMD_INTERNAL_ERR;

-        } while (strcmp(confirm_lock, "N") && strcmp(confirm_lock, "n") &&

-           strcmp(confirm_lock, "Y") && strcmp(confirm_lock, "y"));

-        if ( !strcmp(confirm_lock, "N") || !strcmp(confirm_lock, "n") ) {

+         c = confirm_lock[0] | ' ';

+        } while ( (c != 'n') && (c != 'y') );

+        if ( c == 'n') {

             ret_value = LCP_SUCCESS;

             return ret_value;

         }

 

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel

Gmane