TPM/TXT: tboot log cannot be read
Posted:
Fri Jun 17, 2016 12:58 pm
by lloyd
Hello. I'm trying to get tboot to work on my server. The kernel is hardened-sources-4.5.7-r1 (gentoo). I've enabled most of the grsecurity options, and when executing txt-stat (of tboot 1.9.4), I am now getting "ERROR: reading TBOOT log failed by read()". There's also a line in dmesg, "kernel: Program txt-stat tried to access /dev/mem between 60000->68000."
Hoping someone can advise me what to do. If I need to provide more information, please let me know which.
Finally (as this is my first post) as a non-professional Linux user I want to say thanks to the developers.
Re: TPM/TXT: tboot log cannot be read
Posted:
Fri Jun 17, 2016 5:15 pm
by spender
You must be trying to use txt-stat with a kernel where the log doesn't exist. We only allow access to that range when tboot_enabled() is true.
-Brad
Re: TPM/TXT: tboot log cannot be read
Posted:
Fri Jun 17, 2016 7:15 pm
by lloyd
To be sure I installed a vanilla 4.6.2 kernel and have done everything exactly the same way. For the vanilla kernel it seems to work as it should, txt-stat giving lots of output. I don't know if it matters, but this is a TPM2.0 module.
Apologies for being terse, I'm currently using my mobile.
For both kernels, txt-stat outputs that TXT measured launch is true, secrets flag is also true. I've scripted the generation of 'list.data', that file is loaded by grub2's multiboot2. I'm booting in UEFI mode.
Re: TPM/TXT: tboot log cannot be read
Posted:
Fri Jun 17, 2016 8:20 pm
by spender
Can you add an #include <linux/tboot.h> to grsecurity/grsec_init.c and have it printk(KERN_ALERT "tboot_enabled: %d\n", tboot_enabled()); at the beginning of grsecurity_init()? Then send me the dmesg of that kernel as well as the vanilla 4.6.2.
-Brad
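Added example, not part of any post in this thread: a small shell helper that reads a saved dmesg file and relates the "tboot_enabled: N" line from the requested printk to any "/dev/mem" denial line of the form quoted in the first post. The function names are hypothetical, the sample log is constructed, and the value 0 in it is an assumption (the thread does not report the actual value).

```shell
#!/bin/sh
# Added example: summarise the two dmesg facts discussed in this thread.

# Print the value logged by the suggested printk ("tboot_enabled: N"),
# or "missing" when that line is not present in the log file $1.
tboot_flag() {
    v=$(sed -n 's/.*tboot_enabled: \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${v:-missing}"
}

# Print "program start end" for every /dev/mem denial line in $1.
devmem_denials() {
    sed -n 's|.*Program \([^ ]*\) tried to access /dev/mem between \([0-9a-fA-F]*\)->\([0-9a-fA-F]*\).*|\1 \2 \3|p' "$1"
}

# One-line summary relating the denial to the logged flag.
triage() {
    flag=$(tboot_flag "$1")
    n=$(devmem_denials "$1" | wc -l | tr -d ' ')
    case "$n:$flag" in
        0:*) echo "no /dev/mem denial logged (tboot_enabled=$flag)" ;;
        *:0) echo "denial consistent with tboot_enabled()=0" ;;
        *:1) echo "denial despite tboot_enabled()=1" ;;
        *)   echo "denial logged, tboot_enabled line missing" ;;
    esac
}

# Constructed sample: the denial text is the line quoted in the first post;
# the timestamps and the flag value 0 are made up for illustration.
log=$(mktemp)
cat > "$log" <<'EOF'
[    0.512345] tboot_enabled: 0
[   42.100000] kernel: Program txt-stat tried to access /dev/mem between 60000->68000.
EOF
devmem_denials "$log"
triage "$log"
rm -f "$log"
```

Run it against `dmesg > file` from each kernel; a denial together with a flag of 1 would mean the range check is failing for some other reason than the one given in the reply above.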
Re: TPM/TXT: tboot log cannot be read
Posted:
Mon Jun 20, 2016 4:15 pm
by lloyd
Yes, will do.