From Fedora Project Wiki

Introduction

Trusted Boot is a technique...

Prerequisites

   yum install tboot

   yum install openssl

Installation

The following will provide a trusted boot setup with checksums on the initramd and kernel.

Step 1

Take ownership of the TPM 

   tpm_takeownership -z

Download the proper tboot.gz file for your architecture. Place it in /boot/tboot.gz

Step 2

In order to create a VLP we need the path to the initial ram disk and kernel, as well as the kernel line in grub.conf.

Create a new verified launch policy. 

   tb_polgen --create --type nonfatal vl.pol

Add the kernel hash / grub command to our VLP 

   tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "$grub_cmdline" --image $kernel_file vl.pol

Add the initramd to VLP 

   tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "" --image $initramd_file vl.pol

Hash tboot.gz 

   lcp_mlehash -c "logging=vga,serial,memory" /boot/tboot.gz > mle_hash

   lcp_crtpolelt --create --type mle --ctrl 0x00 --minver 17 --out mle.elt mle_hash

Find your system's pcr values. They may alternatively be in /sys/bus/pnp/devices/00:0a/pcrs 

   cat /sys/devices/platform/tpm_tis/pcrs | grep -e PCR-00 -e PCR-01 > pcrs

Create the Launch Policy 

   lcp_crtpolelt --create --type pconf --out pconf.elt pcrs

Note: the following command uses a default uuid. You may want to replace tboot with your systems uuid. 

   lcp_crtpolelt --create --type custom --out custom.elt --uuid tboot vl.pol

   lcp_crtpollist --create --out list_unsig.lst mle.elt pconf.elt

   openssl genrsa -out privkey.pem 2048

   openssl rsa -pubout -in privkey.pem -out pubkey.pem

   cp list_unsig.lst list_sig.lst

   lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out list_sig.lst

   lcp_crtpol2 --create --type list --pol list.pol --data list.data list_{unsig,sig}.lst

   tcsd

Step 3

Load the Launch policy into nvram. 

   lcp_writepol -z -i owner -f list.pol

   lcp_writepol -z -i 0x20000001 -f vl.pol

Step 4

Create a new grub.conf. 

title tboot
    root (hd0,0)
    kernel /tboot.gz loglvl=all logging=serial,vga,memory vga_delay=1
    module /vmlinuz-3.3.4-5.tis.fc17.x86_64 root=/dev/sda3 intel_iommu=on ro
    module /initramfs-3.3.4-5.tis.fc17.x86_64.img
    module /2nd_gen_i5_i7_SINIT_51.BIN
    module /list.data

LCP

Add more in depth information about launch control policy here.

TPM PCRs

  • PCR 0 - CRTM, BIOS, and Host Platform Extensions
  • PCR 1 - Host Platform Configuration (BIOS Data)
  • PCR 2 - Option ROM Code
  • PCR 3 - Option ROM Configuration and Data
  • PCR 4 - IPL Code (usually the MBR)
  • PCR 5 - IPL Code Configuration and Data (Partition Table?)
  • PCR 6 - State Transition and Wake Events
  • PCR 7 - Host Platform Manufactuer Control
  • PCR 10 - IMA Measurement List
  • PCR 17 - TXT Stuff ?!?!
  • PCR 18 - SHA-1 Hash of MLE (Kernel and initrd? Defined by LCP?)

Notes

We may need to modprobe tpm --force=1

Retrieved from "https://fedoraproject.org/w/index.php?title=Tboot&oldid=293447"