subject:"\[tboot\-devel\] TXT SINIT ACM failure on power\-cycling node"

Re: [tboot-devel] TXT SINIT ACM failure on power-cycling node

2018-02-28 Thread Nasim, Kam

Thank you folks for your responses.

Yes it appears to be an issue with the specific version of Firmware and BIOS on 
our Dell PowerEdge R430s. We did a similar test on an HP 800G3 and it was fine.

Will reach out to OEM if they have specific updates to address these. If 
anybody is aware of a specific BIOS update from Dell that addresses this then I 
could get that a try


Regards,
Kam


From: Rich Persaud [mailto:pers...@gmail.com]
Sent: Monday, February 26, 2018 5:22 PM
To: Jan Schermer
Cc: Nasim, Kam; Ashfield, Bruce; tboot-devel@lists.sourceforge.net
Subject: Re: [tboot-devel] TXT SINIT ACM failure on power-cycling node

These are very likely to be OEM BIOS bugs - if you escalate to your server OEM, 
they can create fixes.  We started testing TXT on enterprise clients almost 10 
years ago.  It took a while for OEMs (Dell, Lenovo, HP) to roll out TXT fixes, 
but they all did eventually.  Server and workstation TXT may need a similar 
test-fix-test cycle.

OEMs sometimes don't have an easy way to repro TXT issues, which is why the 
industry needs an open-source test suite for SRTM and DRTM.  Now that Windows 
10 is adding DRTM features, OEM testing of TXT will hopefully improve.  Each 
separate customer report will help TXT fixes to be prioritized, especially when 
the issue is easy to repro.

Rich

On Feb 26, 2018, at 16:59, Jan Schermer 
<j...@schermer.cz<mailto:j...@schermer.cz>> wrote:
My HP z240 workstation occassionaly refuses to boot at all if I yank out the 
power cable while in TXT mode.
Solution: leave power disconnected for >5 minutes, then reset BIOS (yes, 
really).

I had similiar issues with Lenovo system.

I don’t think OEMs test anything...

Jan


On 26 Feb 2018, at 22:52, Rich Persaud 
<pers...@gmail.com<mailto:pers...@gmail.com>> wrote:

On TXT-enabled vPro client devices (e.g. Dell 7040) that have been tested with 
OpenXT, Xen and OpenEmbedded measured launch [1], if you use the hardware power 
switch to perform a non-graceful shutdown of an operating system that was 
booted with TXT, the following will occur:

 (a)  User presses hardware power button to turn on the device.
 (b)  Device powers on for a few seconds, then powers back off (TXT reset).
 (c)  User presses hardware power button to turn on the device.
 (d)  Device powers on normally, OS successfully completes measured launch.

Your issue sounds like a device-specific OEM BIOS defect, have you tried 
contacting the OEM? Does it happen on servers from a different OEM? Which CPU 
generation?


If there is interest in collaborating on OE/Yocto layers for TXT, TPM, 
SecureBoot, we can arrange a conference call or ELC BoF.

Rich

[1] 
https://openxt.atlassian.net/wiki/spaces/DC/pages/81035265/Measured+Launch+SRTM+and+DRTM


On Feb 22, 2018, at 15:54, Nasim, Kam 
<kam.na...@windriver.com<mailto:kam.na...@windriver.com>> wrote:
Hi folks,

We’ve been trying to integrate Tboot in our Boot sequence and have it working 
fine for the most part. We specify a default ANY Launch Control Policy (LCP) as 
main intention is to capture boot measurements in TPM PCRs and not really 
enforce a boot halt action.

I noticed that when I power cycle the node or any other kind of non-graceful 
restart, it stops at the Boot menu with the following Error:

Message
An issue is observed in the previous invocation of TXT SINIT Authenticated Code 
Module (ACM) because the TXT information stored in the TPM chip may be 
corrupted.
Detailed Description
An issue in observed in the previous invocation of TXT SINIT Authenticated Code 
Module (ACM) because the TXT information stored in the TPM chip may be 
corrupted.
Recommended Response Action
Do one of the following: 1) Update the BIOS firmware. 2) Go to System Setup > 
System Security page, click the "Clear" option under TPM command. Restart the 
system, go to System Setup > System Security page, click the "Activate" option 
under TPM command, and then enable TXT.


I am able to continue past this but was wondering if there is any way to 
disable this. We don’t want to be manually doing this for all of our servers 
after a Power Cycle event.

Have others seen this? Is this a form of corruption in the ACM? How do I flush 
that state on a power cycle?


Thanks,
Kam
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org<http://slashdot.org/>! 
http://sdm.link/slashdot
___
tboot-devel mailing list
tboot-devel@lists.sourceforge.net<mailto:tboot-devel@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/tboot-devel
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org<http://slashdot.org/>! 
http://sdm.link/slashdot_

Re: [tboot-devel] TXT SINIT ACM failure on power-cycling node

2018-02-26 Thread Rich Persaud

These are very likely to be OEM BIOS bugs - if you escalate to your server OEM, 
they can create fixes.  We started testing TXT on enterprise clients almost 10 
years ago.  It took a while for OEMs (Dell, Lenovo, HP) to roll out TXT fixes, 
but they all did eventually.  Server and workstation TXT may need a similar 
test-fix-test cycle.

OEMs sometimes don't have an easy way to repro TXT issues, which is why the 
industry needs an open-source test suite for SRTM and DRTM.  Now that Windows 
10 is adding DRTM features, OEM testing of TXT will hopefully improve.  Each 
separate customer report will help TXT fixes to be prioritized, especially when 
the issue is easy to repro.

Rich

> On Feb 26, 2018, at 16:59, Jan Schermer  wrote:
> 
> My HP z240 workstation occassionaly refuses to boot at all if I yank out the 
> power cable while in TXT mode.
> Solution: leave power disconnected for >5 minutes, then reset BIOS (yes, 
> really).
> 
> I had similiar issues with Lenovo system.
> 
> I don’t think OEMs test anything...
> 
> Jan
> 
>> On 26 Feb 2018, at 22:52, Rich Persaud  wrote:
>> 
>> On TXT-enabled vPro client devices (e.g. Dell 7040) that have been tested 
>> with OpenXT, Xen and OpenEmbedded measured launch [1], if you use the 
>> hardware power switch to perform a non-graceful shutdown of an operating 
>> system that was booted with TXT, the following will occur:
>> 
>>  (a)  User presses hardware power button to turn on the device.
>>  (b)  Device powers on for a few seconds, then powers back off (TXT reset).
>>  (c)  User presses hardware power button to turn on the device.
>>  (d)  Device powers on normally, OS successfully completes measured launch.
>> 
>> Your issue sounds like a device-specific OEM BIOS defect, have you tried 
>> contacting the OEM? Does it happen on servers from a different OEM? Which 
>> CPU generation?
>> 
>> If there is interest in collaborating on OE/Yocto layers for TXT, TPM, 
>> SecureBoot, we can arrange a conference call or ELC BoF.
>> 
>> Rich
>> 
>> [1] 
>> https://openxt.atlassian.net/wiki/spaces/DC/pages/81035265/Measured+Launch+SRTM+and+DRTM
>> 
>> 
>>> On Feb 22, 2018, at 15:54, Nasim, Kam  wrote:
>>> 
>>> Hi folks,
>>>  
>>> We’ve been trying to integrate Tboot in our Boot sequence and have it 
>>> working fine for the most part. We specify a default ANY Launch Control 
>>> Policy (LCP) as main intention is to capture boot measurements in TPM PCRs 
>>> and not really enforce a boot halt action.
>>>  
>>> I noticed that when I power cycle the node or any other kind of 
>>> non-graceful restart, it stops at the Boot menu with the following Error:
>>>  
>>> Message
>>> An issue is observed in the previous invocation of TXT SINIT Authenticated 
>>> Code Module (ACM) because the TXT information stored in the TPM chip may be 
>>> corrupted. 
>>> Detailed Description
>>> An issue in observed in the previous invocation of TXT SINIT Authenticated 
>>> Code Module (ACM) because the TXT information stored in the TPM chip may be 
>>> corrupted. 
>>> Recommended Response Action
>>> Do one of the following: 1) Update the BIOS firmware. 2) Go to System Setup 
>>> > System Security page, click the "Clear" option under TPM command. Restart 
>>> the system, go to System Setup > System Security page, click the "Activate" 
>>> option under TPM command, and then enable TXT.
>>>  
>>>  
>>> I am able to continue past this but was wondering if there is any way to 
>>> disable this. We don’t want to be manually doing this for all of our 
>>> servers after a Power Cycle event.
>>>  
>>> Have others seen this? Is this a form of corruption in the ACM? How do I 
>>> flush that state on a power cycle?
>>>  
>>>  
>>> Thanks,
>>> Kam
>>> --
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> ___
>>> tboot-devel mailing list
>>> tboot-devel@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/tboot-devel
>> --
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! 
>> http://sdm.link/slashdot___
>> tboot-devel mailing list
>> tboot-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/tboot-devel
> 
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel

Re: [tboot-devel] TXT SINIT ACM failure on power-cycling node

2018-02-26 Thread Jan Schermer

My HP z240 workstation occassionaly refuses to boot at all if I yank out the 
power cable while in TXT mode.
Solution: leave power disconnected for >5 minutes, then reset BIOS (yes, 
really).

I had similiar issues with Lenovo system.

I don’t think OEMs test anything...

Jan

> On 26 Feb 2018, at 22:52, Rich Persaud  wrote:
> 
> On TXT-enabled vPro client devices (e.g. Dell 7040) that have been tested 
> with OpenXT, Xen and OpenEmbedded measured launch [1], if you use the 
> hardware power switch to perform a non-graceful shutdown of an operating 
> system that was booted with TXT, the following will occur:
> 
>  (a)  User presses hardware power button to turn on the device.
>  (b)  Device powers on for a few seconds, then powers back off (TXT reset).
>  (c)  User presses hardware power button to turn on the device.
>  (d)  Device powers on normally, OS successfully completes measured launch.
> 
> Your issue sounds like a device-specific OEM BIOS defect, have you tried 
> contacting the OEM? Does it happen on servers from a different OEM? Which CPU 
> generation?
> 
> If there is interest in collaborating on OE/Yocto layers for TXT, TPM, 
> SecureBoot, we can arrange a conference call or ELC BoF.
> 
> Rich
> 
> [1] 
> https://openxt.atlassian.net/wiki/spaces/DC/pages/81035265/Measured+Launch+SRTM+and+DRTM
>  
> 
> 
> 
> On Feb 22, 2018, at 15:54, Nasim, Kam  > wrote:
> 
>> Hi folks,
>>  
>> We’ve been trying to integrate Tboot in our Boot sequence and have it 
>> working fine for the most part. We specify a default ANY Launch Control 
>> Policy (LCP) as main intention is to capture boot measurements in TPM PCRs 
>> and not really enforce a boot halt action.
>>  
>> I noticed that when I power cycle the node or any other kind of non-graceful 
>> restart, it stops at the Boot menu with the following Error:
>>  
>> Message
>> An issue is observed in the previous invocation of TXT SINIT Authenticated 
>> Code Module (ACM) because the TXT information stored in the TPM chip may be 
>> corrupted. 
>> Detailed Description
>> An issue in observed in the previous invocation of TXT SINIT Authenticated 
>> Code Module (ACM) because the TXT information stored in the TPM chip may be 
>> corrupted. 
>>  <>Recommended Response Action
>> Do one of the following: 1) Update the BIOS firmware. 2) Go to System Setup 
>> > System Security page, click the "Clear" option under TPM command. Restart 
>> the system, go to System Setup > System Security page, click the "Activate" 
>> option under TPM command, and then enable TXT.
>>  
>>  
>> I am able to continue past this but was wondering if there is any way to 
>> disable this. We don’t want to be manually doing this for all of our servers 
>> after a Power Cycle event.
>>  
>> Have others seen this? Is this a form of corruption in the ACM? How do I 
>> flush that state on a power cycle?
>>  
>>  
>> Thanks,
>> Kam
>> --
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org ! 
>> http://sdm.link/slashdot 
>> ___
>> tboot-devel mailing list
>> tboot-devel@lists.sourceforge.net 
>> https://lists.sourceforge.net/lists/listinfo/tboot-devel 
>> 
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org ! 
> http://sdm.link/slashdot___ 
> 
> tboot-devel mailing list
> tboot-devel@lists.sourceforge.net 
> https://lists.sourceforge.net/lists/listinfo/tboot-devel 
> 
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel

Re: [tboot-devel] TXT SINIT ACM failure on power-cycling node

2018-02-23 Thread Sun, Ning

If those messages were from the platform itself, it is better to follow the 
instructions to restart the system, as the BIOS detected something wrong with 
the platform to do a TXT boot.

No modifications are needed from TXT SINIT, TPM, tboot for this situation.

This issue is vendor specific, just try to avoid non-graceful powercycle.

Hope this helps...

-Ning

From: Nasim, Kam [mailto:kam.na...@windriver.com]
Sent: Thursday, February 22, 2018 12:54 PM
To: tboot-devel@lists.sourceforge.net
Subject: [tboot-devel] TXT SINIT ACM failure on power-cycling node

Hi folks,

We've been trying to integrate Tboot in our Boot sequence and have it working 
fine for the most part. We specify a default ANY Launch Control Policy (LCP) as 
main intention is to capture boot measurements in TPM PCRs and not really 
enforce a boot halt action.

I noticed that when I power cycle the node or any other kind of non-graceful 
restart, it stops at the Boot menu with the following Error:

Message
An issue is observed in the previous invocation of TXT SINIT Authenticated Code 
Module (ACM) because the TXT information stored in the TPM chip may be 
corrupted.
Detailed Description
An issue in observed in the previous invocation of TXT SINIT Authenticated Code 
Module (ACM) because the TXT information stored in the TPM chip may be 
corrupted.
Recommended Response Action
Do one of the following: 1) Update the BIOS firmware. 2) Go to System Setup > 
System Security page, click the "Clear" option under TPM command. Restart the 
system, go to System Setup > System Security page, click the "Activate" option 
under TPM command, and then enable TXT.


I am able to continue past this but was wondering if there is any way to 
disable this. We don't want to be manually doing this for all of our servers 
after a Power Cycle event.

Have others seen this? Is this a form of corruption in the ACM? How do I flush 
that state on a power cycle?


Thanks,
Kam
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel

[tboot-devel] TXT SINIT ACM failure on power-cycling node

2018-02-22 Thread Nasim, Kam

Hi folks,

We've been trying to integrate Tboot in our Boot sequence and have it working 
fine for the most part. We specify a default ANY Launch Control Policy (LCP) as 
main intention is to capture boot measurements in TPM PCRs and not really 
enforce a boot halt action.

I noticed that when I power cycle the node or any other kind of non-graceful 
restart, it stops at the Boot menu with the following Error:

Message
An issue is observed in the previous invocation of TXT SINIT Authenticated Code 
Module (ACM) because the TXT information stored in the TPM chip may be 
corrupted.
Detailed Description
An issue in observed in the previous invocation of TXT SINIT Authenticated Code 
Module (ACM) because the TXT information stored in the TPM chip may be 
corrupted.
Recommended Response Action
Do one of the following: 1) Update the BIOS firmware. 2) Go to System Setup > 
System Security page, click the "Clear" option under TPM command. Restart the 
system, go to System Setup > System Security page, click the "Activate" option 
under TPM command, and then enable TXT.


I am able to continue past this but was wondering if there is any way to 
disable this. We don't want to be manually doing this for all of our servers 
after a Power Cycle event.

Have others seen this? Is this a form of corruption in the ACM? How do I flush 
that state on a power cycle?


Thanks,
Kam
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel

Re: [tboot-devel] TXT SINIT ACM failure on power-cycling node

Re: [tboot-devel] TXT SINIT ACM failure on power-cycling node

Re: [tboot-devel] TXT SINIT ACM failure on power-cycling node

Re: [tboot-devel] TXT SINIT ACM failure on power-cycling node

[tboot-devel] TXT SINIT ACM failure on power-cycling node

5 matches

Site Navigation

Mail list logo

Footer information