These are very likely to be OEM BIOS bugs - if you escalate to your server OEM,
they can create fixes. We started testing TXT on enterprise clients almost 10
years ago. It took a while for OEMs (Dell, Lenovo, HP) to roll out TXT fixes,
but they all did eventually. Server and workstation TXT may need a similar
test-fix-test cycle.
OEMs sometimes don't have an easy way to repro TXT issues, which is why the
industry needs an open-source test suite for SRTM and DRTM. Now that Windows
10 is adding DRTM features, OEM testing of TXT will hopefully improve. Each
separate customer report will help TXT fixes to be prioritized, especially when
the issue is easy to repro.
Rich
> On Feb 26, 2018, at 16:59, Jan Schermer <j...@schermer.cz> wrote:
>
> My HP z240 workstation occassionaly refuses to boot at all if I yank out the
> power cable while in TXT mode.
> Solution: leave power disconnected for >5 minutes, then reset BIOS (yes,
> really).
>
> I had similiar issues with Lenovo system.
>
> I don’t think OEMs test anything...
>
> Jan
>
>> On 26 Feb 2018, at 22:52, Rich Persaud <pers...@gmail.com> wrote:
>>
>> On TXT-enabled vPro client devices (e.g. Dell 7040) that have been tested
>> with OpenXT, Xen and OpenEmbedded measured launch [1], if you use the
>> hardware power switch to perform a non-graceful shutdown of an operating
>> system that was booted with TXT, the following will occur:
>>
>> (a) User presses hardware power button to turn on the device.
>> (b) Device powers on for a few seconds, then powers back off (TXT reset).
>> (c) User presses hardware power button to turn on the device.
>> (d) Device powers on normally, OS successfully completes measured launch.
>>
>> Your issue sounds like a device-specific OEM BIOS defect, have you tried
>> contacting the OEM? Does it happen on servers from a different OEM? Which
>> CPU generation?
>>
>> If there is interest in collaborating on OE/Yocto layers for TXT, TPM,
>> SecureBoot, we can arrange a conference call or ELC BoF.
>>
>> Rich
>>
>> [1]
>> https://openxt.atlassian.net/wiki/spaces/DC/pages/81035265/Measured+Launch+SRTM+and+DRTM
>>
>>
>>> On Feb 22, 2018, at 15:54, Nasim, Kam <kam.na...@windriver.com> wrote:
>>>
>>> Hi folks,
>>>
>>> We’ve been trying to integrate Tboot in our Boot sequence and have it
>>> working fine for the most part. We specify a default ANY Launch Control
>>> Policy (LCP) as main intention is to capture boot measurements in TPM PCRs
>>> and not really enforce a boot halt action.
>>>
>>> I noticed that when I power cycle the node or any other kind of
>>> non-graceful restart, it stops at the Boot menu with the following Error:
>>>
>>> Message
>>> An issue is observed in the previous invocation of TXT SINIT Authenticated
>>> Code Module (ACM) because the TXT information stored in the TPM chip may be
>>> corrupted.
>>> Detailed Description
>>> An issue in observed in the previous invocation of TXT SINIT Authenticated
>>> Code Module (ACM) because the TXT information stored in the TPM chip may be
>>> corrupted.
>>> Recommended Response Action
>>> Do one of the following: 1) Update the BIOS firmware. 2) Go to System Setup
>>> > System Security page, click the "Clear" option under TPM command. Restart
>>> the system, go to System Setup > System Security page, click the "Activate"
>>> option under TPM command, and then enable TXT.
>>>
>>>
>>> I am able to continue past this but was wondering if there is any way to
>>> disable this. We don’t want to be manually doing this for all of our
>>> servers after a Power Cycle event.
>>>
>>> Have others seen this? Is this a form of corruption in the ACM? How do I
>>> flush that state on a power cycle?
>>>
>>>
>>> Thanks,
>>> Kam
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> tboot-devel mailing list
>>> tboot-devel@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/tboot-devel
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org!
>> http://sdm.link/slashdot_______________________________________________
>> tboot-devel mailing list
>> tboot-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/tboot-devel
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
