** Changed in: ubuntu
Assignee: ethan.hsieh (ethan.hsieh) => (unassigned)
** Changed in: intel/lookout-canyon
Status: New => Triaged
** Changed in: ubuntu
Status: Triaged => New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
** Changed in: intel/lookout-canyon
Importance: Undecided => Critical
** Changed in: intel/lookout-canyon
Assignee: (unassigned) => ethan.hsieh (ethan.hsieh)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Changed in: intel/lookout-canyon
Milestone: None => sprint2
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1938678
Title:
[intel] [tgl-h][iotg] [hwe-tpm] Ubuntu Core hangs during bootup on
** Also affects: intel/lookout-canyon
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1938678
Title:
[intel] [tgl-h][iotg] [hwe-tpm] Ubuntu Core hangs
I dumped binary_bios_measurements on a production board (Aaeon EHL) and didn't
see "UEFI Debug Mode" from the log. With snapd (2.53.1) and patched kernel
snap, I can install UC20 with FDE enabled without any problem.
For detailed log, please see attached file.
---
Board: Aaeon UPN-EHL01
BIOS:
From the TCG log supplied in comment #43:
$ ./tcglog-dump --alg sha256 --verbose --pcrs 7
~/Downloads/binary_bios_measurements
7 a62bd67b2cc295976651b354468c0047f8d1547d25056ded5952aaf5991762a3
EV_EFI_ACTION [ UEFI Debug Mode ]
7
@Chris, Response from Intel TPM folks for #44 -
"
I presume by firmware they mean BIOS.
There is no debugger mode left enabled in normal production flows or SKUs for
CSME.
To enable CSME debug mode you'd first unlock the part with an IDLM. I seriously
doubt that the part they have is unlocked.
Helps if I add the file
** Attachment added: "binary_bios_measurements.txt"
https://bugs.launchpad.net/intel/+bug/1938678/+attachment/5519435/+files/binary_bios_measurements.txt
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Thanks. The issue is that the firmware provides a debugger which breaks
the PCR calculations. I'm not sure whether it's actually desirable to
fix this or detect it and provide a better error message given that the
ability to attach a debugger defeats any protections offered by full-
disk
@Chris
The files in comment#42 and #43: I dumped them in Ubuntu classic desktop
** Attachment added: "binary_bios_measurements"
https://bugs.launchpad.net/intel/+bug/1938678/+attachment/5519433/+files/binary_bios_measurements
--
You received this bug notification because you are a member
** Attachment added: "tpm2_pcrread.log"
https://bugs.launchpad.net/intel/+bug/1938678/+attachment/5519432/+files/tpm2_pcrread.log
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1938678
Title:
Can I see the event log from this device after booting with secure boot
on please? (/sys/kernel/security/tpm0/binary_bios_measurements)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1938678
Title:
** Tags added: lookout-canyon
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1938678
Title:
[intel] [tgl-h][iotg] [hwe-tpm] Ubuntu Core hangs during bootup on
TGL-H
To manage notifications about
Summary:
1. Still can reproduce the issue (#31) after deleting PK and enrolling
db/KEK/custom PK vis BIOS settings.
For details, please refer to #38 and [1].
2. Can install the uc20 test image[2][3] with TPM and secure boot enabled on
other x86 machines (not TGL-H and EHL).
And, I only
@Chris
I used another x86 machine on which I can install uc20 successfully with same
test image.
I enrolled the key by mokutil and re-installed uc20.
I got following error message:
taskrunner.go: 271: [change 2 "Setup system for run mode" task] failed: cannot
make system runnable: cannot seal
@Chris
I deleted and re-enrolled PK on another intel platform, EHL, and still saw same
error message.
For details, please refer to [1].
---
[1] https://bugs.launchpad.net/intel/+bug/1939505/comments/3
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
@Chris
Are deleting and re-enrolling PK necessary?
I installed test image on another x86 machine successfully and just enrolled
"KEK" and "Signature".
It looks like comment#31 is a BIOS issue.
Could you give me some guidance on where to add debug message for clarifying
this issue?
--
You
Enroll KEK and Signature via BIOS settings but still get the same error message
(comment#31).
But, I can install the test image on another x86 machine and FDE is enabled
successfully.
Here are steps:
1. Remove key enrolled by mokutil
2. Re-flash uc20 test image
3. Enroll KEK and Signature via
@ethan.hsieh That error message is unexpected, but it doesn't matter too
much anyway - there's no support at all for computing PCR digests for
systems that boot kernels that are verified with a MOK. The only way to
test kernels signed with non-production keys is to take control of the
device's
That is what I was told to do in the past.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1938678
Title:
[intel] [tgl-h][iotg] [hwe-tpm] Ubuntu Core hangs during bootup on
TGL-H
To manage
@sachinmokashi
Are steps in comment#32 the correct way to clear TPM?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1938678
Title:
[intel] [tgl-h][iotg] [hwe-tpm] Ubuntu Core hangs during bootup on
Still can reproduce the issue in comment#31 after cleaning TPM with
following steps:
1. Go to BIOS settings
2. [Intel Advanced Menu][TPM Configuration][TCG2 Configuration][TPM2 Operation]
3. Select [TPM2 ClearControl(NO) + Clear]
4. Press F4 to save changes
5. Reboot device
--
You received this
@Chris
The encrypted partition is created after I enroll the signing key by
mokutil and enable secure boot.
But, I get new error message (For details, please refer to attached photo):
taskrunner.go: 271: [change 2 "Setup system for run mode" task] failed: cannot
make system runnable: cannot
@Chris
I backported your patches to secboot[1] and go-tpm2[2] which are currently
used[3] by snapd.
With test image which includes your patches, I can install uc20 when the hash
algorithm SM3 is enabled in BIOS.
But, the encrypted partition is still not created successfully because the test
Both https://github.com/canonical/go-
tpm2/commit/96eb110220ece5922dc7b691422fff12735f1880 and
https://github.com/snapcore/secboot/pull/166 are intended to resolve the
issue in this bug report.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
+ Adding Intel TPM Expert
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1938678
Title:
[intel] [tgl-h][iotg] [hwe-tpm] Ubuntu Core hangs during bootup on
TGL-H
To manage notifications about
I've not read every comment in detail, but I think there is a bit of
misunderstanding about what the firmware options discussed here actually
do.
Disabling the SM3_256 PCR bank will stop the firmware measuring events
to the TPM using SM3_256 and will omit SM3_256 digests from the event
log. I
@sachinmokashi,
SM3 is forbidden to ship to some countries. Why Intel will not provide
the option to disable it in BIOS?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1938678
Title:
[intel]
@sachinmokashi
I see. I'm trying to enable SM3 on go-tpm2.
Fixing the issue on crypto package, go-tpm2, and secboot is the right way to go.
But, It may take several weeks to enable it.
That is why I'm seeking for a short-term solution, having a BIOS option for
disabling SM3".
--
You received
@ethan.hsieh @ivan.hu,
Response from our BIOS/TPM Engineers:
"Hash Algorithm Bitmap is set in BIOS and it’s based on build
configuration PCD and active PCR’s supported."
This BIOS is also distributed as reference BIOS for IBVs and hence
disabling SM3 would break functionality on other
** Also affects: snapd (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1938678
Title:
[intel] [tgl-h][iotg] [hwe-tpm] Ubuntu Core hangs during
** Changed in: ubuntu
Assignee: Ivan Hu (ivan.hu) => ethan.hsieh (ethan.hsieh)
** Changed in: ubuntu
Status: New => Triaged
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1938678
Title:
** Description changed:
Installed focal-iotg-core-20210722.img on the TGL-H.
Boot process stops after it gets errors from TPM and fails to start an
emergency shell (see screen shot.)
I also tried to go into the BIOS to clear TPM, as this worked for the
EHL board but it still
The setting,
Go to Advanced menu> TPM configuration > TCG2 Configuration > enable PCR Bank
PCR Bank: SM3_256 [x ]
is for PCR Bank supported Hash Algorithm.
Here, what Ethan mentioned is for remove the SM3_256 supported for the
platform, not only the PCR bank SM3_256 supported.
--
You
@sachinmokashi
There are two fields in BIOS:
1. Hash Algorithm Bitmap
2. Active PCR Banks
The one you mentioned in comment#21 is "Active PCR Banks".
But, what I want to disable is "Hash Algorithm".
Current BIOS doesn't has an option to disable Hash Algorithm SM3 256.
Could Intel build a BIOS
Hi @ethan.hsieh,
As mentioned in comment #5 above, there is an option to disable SM3 256
algorithm. Please check #5 for a screenshot of the BIOS option
Please give a try and uncheck SM3_256 using below BIOS settings:
Go to Advanced menu> TPM configuration > TCG2 Configuration > enable PCR
Bank
@sachinmokashi
Could Intel build a BIOS with an option for disabling hash algorithm SM3
256?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1938678
Title:
[intel] [tgl-h][iotg] [hwe-tpm] Ubuntu
** Attachment added: "error_message.jpg"
https://bugs.launchpad.net/intel/+bug/1938678/+attachment/5517831/+files/error_message.jpg
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1938678
Title:
** Patch added: "0001-Add-support-for-hash-algorithm-SM3-256.patch"
https://bugs.launchpad.net/intel/+bug/1938678/+attachment/5517830/+files/0001-Add-support-for-hash-algorithm-SM3-256.patch
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
The latest go-tpm2[1] seems to support SM3_256.
I tried to build test snapd and kernel snaps but got a dependency issue.
The latest secboot[2] still uses old go-tpm2 API.
I applied the attached patch in comment#17 to go-tpm2[3] which is currently
used by snapd.
And, I built a test image with
** Description changed:
Installed focal-iotg-core-20210722.img on the TGL-H.
Boot process stops after it gets errors from TPM and fails to start an
emergency shell (see screen shot.)
I also tried to go into the BIOS to clear TPM, as this worked for the
EHL board but it still
Snapd is not using the tpm2-tss, so it is not the same as mentioned in
https://bugs.launchpad.net/intel/+bug/1936899/comments/10.
Instead, snapd is using go-tpm2 from comment#15.
Per talk to Ethan, he is building newer version which has some defined values
of SM3_256 for testing, let's wait for
https://github.com/canonical/go-
tpm2/commit/bd7cad4936577a496ebfca7272fef34c32e3bc0b
commit bd7cad4936577a496ebfca7272fef34c32e3bc0b
Author: Chris Coulson
Date: Tue Aug 10 17:46:55 2021 +0100
Use HashAlgorithmId instead of crypto.Hash in various places
Some recent commits
** Description changed:
Installed focal-iotg-core-20210722.img on the TGL-H.
Boot process stops after it gets errors from TPM and fails to start an
emergency shell (see screen shot.)
I also tried to go into the BIOS to clear TPM, as this worked for the
EHL board but it still
** Summary changed:
- [intel] [tgl-h] [ehl][iotg] [hwe-tpm] Ubuntu Core hangs during bootup on
TGL-H and EHL
+ [intel] [tgl-h][iotg] [hwe-tpm] Ubuntu Core hangs during bootup on TGL-H
** Description changed:
Installed focal-iotg-core-20210722.img on the TGL-H.
Boot process stops after
** Also affects: ubuntu
Importance: Undecided
Status: New
** Changed in: ubuntu
Assignee: (unassigned) => Ivan Hu (ivan.hu)
** Summary changed:
- [intel] [tgl-h] [iotg] [hwe-tpm] Ubuntu Core hangs during bootup on TGL-H and
EHL
+ [intel] [tgl-h] [ehl][iotg] [hwe-tpm] Ubuntu Core
46 matches
Mail list logo
