[Bug 1929454] Re: Bios measurements do not contain measurements for the kernel binary and kernel signer cert.

2021-05-25 Thread VINAY RAJESH
I was able to boot the kernel and I was able to validate that the Mok
entry does appear. We can close this bug now since it's not an issue.

Thanks a lot for your help :)

-Vinay

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1929454

Title:
  Bios measurements do not contain measurements for the kernel binary
  and kernel signer cert.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1929454/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1929454] Re: Bios measurements do not contain measurements for the kernel binary and kernel signer cert.

2021-05-24 Thread VINAY RAJESH
Hi Steve,

What about the scenario where the signers are different for kernel and
grub? For example, if the kernel is signed using a self-signed cert and
loaded using MOK.

I am trying to do that right now but the kernel fails to load when
signed with a MOK key.

-Vinay


[Bug 1929454] [NEW] Bios measurements do not contain measurements for the kernel binary and kernel signer cert.

2021-05-24 Thread VINAY RAJESH
Public bug reported:

On Ubuntu 20.04, the binary_bios_measurements do NOT contain the
measurements for the kernel binary and the kernel signer cert that is
typically measured by the shim.

This behavior is NOT consistent with Ubuntu 18.04 where the
measurements are present.

Attaching the measurements from Ubuntu 20.04 for reference.

** Affects: shim-signed (Ubuntu)
 Importance: Undecided
 Status: New

** Attachment added: "Bios measurements for Ubuntu 20.04"
   https://bugs.launchpad.net/bugs/1929454/+attachment/5499988/+files/ascii_bios_measurements_Ubuntu2004Apr21


[Bug 1896288] [NEW] Event hash and digest mismatch for event logged by shim - Binary BIOS Measurements

2020-09-18 Thread VINAY RAJESH
Public bug reported:

In the binary bios measurements, the hash of the event measured by shim
does not match the event digest in the measurements. This is due to an
extra zero byte in the event that is not accounted for in the data that
is measured to the PCR.

https://github.com/rhboot/shim/commit/8a27a4809a6a2b40fb6a4049071bf96d

** Affects: shim (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1896288

Title:
  Event hash and digest mismatch for event logged by shim - Binary BIOS
  Measurements

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1896288/+subscriptions
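
The check this report implies, as an added example (not code from shim or from the reporter): compare SHA-256 of each event's logged data with its logged digest, retry without a trailing zero byte, and replay the PCR from the digests. The event records, PCR indices and dict layout are constructed for illustration, and it assumes events whose digest is meant to cover the event data.

```python
import hashlib

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || event digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(events, index):
    """Recompute one PCR from the logged digests, starting from all zeros."""
    pcr = bytes(32)
    for ev in events:
        if ev["pcr"] == index:
            pcr = extend(pcr, ev["digest"])
    return pcr

def classify(ev):
    """Compare the logged digest with SHA-256 of the logged event data."""
    data, digest = ev["data"], ev["digest"]
    if hashlib.sha256(data).digest() == digest:
        return "match"
    # The defect described above: the logged data has one extra zero byte
    # that was not part of what was hashed into the digest.
    if data.endswith(b"\x00") and hashlib.sha256(data[:-1]).digest() == digest:
        return "match-without-trailing-nul"
    return "mismatch"

def audit(events, index, tpm_pcr):
    """Return (replay matches TPM value, per-event classification) for one PCR."""
    replay_ok = replay(events, index) == tpm_pcr
    return replay_ok, [classify(e) for e in events if e["pcr"] == index]

def make_event(pcr, measured, logged):
    """Build a constructed event: digest over `measured`, data as `logged`."""
    return {"pcr": pcr, "digest": hashlib.sha256(measured).digest(), "data": logged}

# Constructed sample events (hypothetical, not taken from a real log).
SAMPLE = [
    make_event(7, b"constructed-event-A", b"constructed-event-A"),
    make_event(7, b"constructed-event-B", b"constructed-event-B\x00"),
    make_event(4, b"constructed-event-C", b"constructed-event-C"),
]

if __name__ == "__main__":
    tpm_pcr7 = replay(SAMPLE, 7)  # stands in for the value read from the TPM
    print(audit(SAMPLE, 7, tpm_pcr7))
```

PCR replay uses only the logged digests, so a log with this defect can still replay to the TPM's PCR value while per-event content verification fails.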


[Bug 1867218] [NEW] Ubuntu 18.04 running 5.0.0.23 kernel contains bios measurements in SHA1 instead of SHA256

2020-03-12 Thread VINAY RAJESH
Public bug reported:

Ubuntu 18.04 running Linux Kernel 5.0.0.23 logs bios measurements in SHA1
instead of SHA256. OS attestation mechanisms that we are working on
expect the bios measurements to have SHA256 digests. Is it possible to
make sure that the measurements are SHA256 instead of SHA1?

** Affects: ubuntu
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1867218

Title:
  Ubuntu 18.04 running 5.0.0.23 kernel contains bios measurements in
  SHA1 instead of SHA256

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1867218/+subscriptions


[Bug 1838796] Re: TPM event log does not contain events measured after ExitBootServices

2020-02-24 Thread VINAY RAJESH
Hi Marcelo,

I tested the Linux-azure-edge kernel at my end and I was able to verify
that the PCR values 0 through 7 match.

Thanks a lot for your help and support.

Thanks
Vinay

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1838796

Title:
  TPM event log does not contain events measured after ExitBootServices

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1838796/+subscriptions


[Bug 1864545] Re: Expose TCG log when secure boot is disabled

2020-02-24 Thread VINAY RAJESH
*** This bug is a duplicate of bug 1864533 ***
https://bugs.launchpad.net/bugs/1864533

** Description changed:

- Currently TCG log is not exposed when secure boot is disabled. Because
- of this attestation service doesn't know if TCG log was missing or
- secureboot was disabled. Ask here is to expose TCG log even if secure
- boot is disabled. As part of this we also discussed GRUB changes to
- ensure it uses UEFI boot path even when secure boot is disabled.
+ Currently TCG log is not exposed when secure boot is disabled. In order
+ to attest to a system state, we need tcg logs to be present even when
+ secure boot is turned off. In the absence of tcg logs, we are unable to
+ determine if the tcg logs are missing or secure boot is turned off.
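
Review bot: the rewritten description drops the last sentence of the old text, about GRUB changes to ensure the UEFI boot path is used even when secure boot is disabled; if that request still stands, it should stay in the description or be tracked in a separate bug. The new wording also alternates between "TCG log" and "tcg logs"; use one form throughout.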

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1864545

Title:
  Expose TCG log when secure boot is disabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1864545/+subscriptions


[Bug 1864545] [NEW] Expose TCG log when secure boot is disabled

2020-02-24 Thread VINAY RAJESH
Public bug reported:

Currently the TCG log is not exposed when secure boot is disabled. Because
of this, the attestation service doesn't know if the TCG log was missing or
secure boot was disabled. The ask here is to expose the TCG log even if secure
boot is disabled. As part of this we also discussed GRUB changes to
ensure it uses the UEFI boot path even when secure boot is disabled.

** Affects: ubuntu
 Importance: Undecided
 Status: New


** Tags: bot-comment


[Bug 1838796] Re: TPM event log does not contain events measured after ExitBootServices

2020-02-21 Thread VINAY RAJESH
That sounds good. I will try and test it at my end too.

Thanks a lot for your help :)

-Vinay


[Bug 1838796] Re: TPM event log does not contain events measured after ExitBootServices

2020-02-20 Thread VINAY RAJESH
Hi Marcelo,

I am facing the same issue as I was with the .deb packages. When I run
"sudo apt install Linux-azure-edge" and reboot, the kernel does not
boot.

I am able to boot into the Linux 5.3.040-generic kernel but not the
azure edge kernel.

That said, I tried it on both the physical machine and Hyper-V with
secure boot enabled. The kernel boots fine on Hyper-V but not on the
physical machine.

Did you get a chance to test it on a physical machine?

-Vinay


[Bug 1838796] Re: TPM event log does not contain events measured after ExitBootServices

2020-02-20 Thread VINAY RAJESH
Hi Marcelo,

Thanks for the information. I will try and validate the Linux-azure-edge
kernel.

Regarding your test environment, there are no issues. This is the
expected environment for the guest OS.

-Vinay


[Bug 1838796] Re: TPM event log does not contain events measured after ExitBootServices

2020-02-19 Thread VINAY RAJESH
Hi Marcelo,

I am trying to load the kernel on an x86_64 physical machine. Here is
how I installed the .deb pkg on the machine.

"sudo dpkg -i linux-modules-4.15.0-1066-azure_4.15.0-1066.71+lp1838796.2_amd64.deb"

"sudo dpkg -i linux-image-unsigned-4.15.0-1066-azure_4.15.0-1066.71+lp1838796.2_amd64.deb"

I rebooted the system after this and tried to select the kernel from the
grub menu.

I am not sure what I am missing.

Here is the output of the os-release file on the machine.

NAME="Ubuntu"
VERSION="18.04.4 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.4 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

Also, the targeted environment will be Hyper-V. We are running into some
Hyper-V issues and thus I am trying to validate the kernel on a physical
machine.

-Vinay


[Bug 1838796] Re: TPM event log does not contain events measured after ExitBootServices

2020-02-18 Thread VINAY RAJESH
Hi Marcelo,


I tried to validate the test kernel provided by you in comment 23. I am not 
able to load the kernel. When I select the kernel from the grub menu, the 
loading gets stuck at "Loading initial ramdisk".

I tried it with secure boot disabled too, just to be sure we are not
making any mistakes with the signing part.

I am not sure if I am missing something here. Can you please help
resolve this?

Thanks
Vinay


[Bug 1838796] Re: TPM event log does not contain events measured after ExitBootServices

2020-02-11 Thread VINAY RAJESH
Hi Marcelo,

Can you please let us know when you are done with the tests on your side? We
can then go ahead and validate the test kernel at our end.

-Vinay


[Bug 1838796] Re: TPM event log does not contain events measured after ExitBootServices

2020-01-08 Thread VINAY RAJESH
Hi Chris,

There are a few observations we made while testing.

1. On baseline Ubuntu, we see a PCR7 mismatch. Could you please confirm
if this is a known issue and what is the reason for this mismatch?

2. We were able to validate that there were duplicate entries in the TCG
logs with the test kernel and extending those entries in the PCR matched
the TCG log PCR values. But the same is not true for the baseline
Ubuntu, we did not see duplicate values in the baseline Ubuntu
measurements. Does the test kernel try to fix the PCR7 mismatch too and
also introduce a regression because of duplicate entries?

3. We also noticed that there are no bios measurements exposed by the
kernel when secure boot is turned off. Is it possible to get bios
measurements in that scenario, indicating that secure boot is turned
off?


[Bug 1838796] Re: TPM event log does not contain events measured after ExitBootServices

2020-01-03 Thread VINAY RAJESH
Hi Chris,

Can you please point me to the parser tool that you used to parse the
binary_bios_measurements? We can try that tool at our end to see if
our tool has a bug.


[Bug 1838796] Re: TPM event log does not contain events measured after ExitBootServices

2019-11-21 Thread VINAY RAJESH
I have verified the kernel image provided above. The PCR5 values in the
TCG logs and in the TPM match. I have also verified that the
ExitBootServices event is present in the binary_bios_measurements.
However, I see there is a mismatch for PCR4 and PCR7 between the TCG
logs and the TPM values. I am not sure if that is expected or if it is
something to be concerned about.

PCR4 logs the EFI Service Application events. Attaching screenshots of
the PCR values and PCR4 log events for your reference.


** Attachment added: "Zip file containing PCR value screenshots from the TCG logs and the TPM"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1838796/+attachment/5306971/+files/PCR-Values.zip
