On Fri, Jan 24, 2020 at 1:52 PM Christopher Clark <christopher.w.cl...@gmail.com> wrote: > On Tue, Jan 21, 2020 at 12:32 AM Lukasz Hawrylko > <lukasz.hawry...@linux.intel.com> wrote: > > > > On Wed, 2020-01-15 at 18:36 -0800, Christopher Clark wrote: > > > Hello > > > > > > I am trying to boot with tboot and TPM 2.0 on a Dell PowerEdge R730 > > > and encountering reboot at SENTER every time with the following: > > > > > > TBOOT: TXT.ERRORCODE: 0xc0033451 > > > TBOOT: AC module error : acm_type=0x1, progress=0x05, error=0xd > > > > > > which SINIT_Errors-Broadwell-4th-gen.pdf indicates is: Invalid PMR > > > configuration > [...] > > > > Hi Christopher > > > > At first point please ensure that you are using latest SINIT, I know > > that ACM team was working on similar issue, but I don't know if they > > have already released version with the fix. > > > > If problem still exists with latest SINIT, you can try to modify TBOOT > > and check if that helps. Please apply following patch over v1.9.11 > > > > diff -r 003178d05f52 tboot/txt/txt.c > > --- a/tboot/txt/txt.c Tue Jan 14 11:54:11 2020 +0100 > > +++ b/tboot/txt/txt.c Tue Jan 21 09:27:51 2020 +0100 
> > @@ -559,6 +559,12 @@ > > if (!vtd_disable_dma_remap(iter)) { > > printk(" vtd_disable_dma_remap failed!\n"); > > } > > + if (!vtd_disable_qie(iter)) { > > + printk(" vtd_disable_qie failed!\n"); > > + } > > + if (!vtd_disable_ire(iter)) { > > + printk(" vtd_disable_ire failed!\n"); > > + } > > } > > } > > > > Hi Lukasz, > > Thanks for your reply and for the patch, and I can confirm that with > the patch applied, tboot does proceed past the previous point it was > triggering reboot and it no longer reports a PMR errorcode 0xc0033451. > > My next encounter was with a different error due to the wrong hash > algorithm being selected by tboot. The TPM 2.0 on this machine (Dell > don't sell TPM 1.2s for it any more) reports availability of both SHA1 > and SHA256, but the BIOS won't allow enabling TXT without configuring > it to use SHA256, and then tboot was picking SHA1, which then tripped > a mismatch failure. > > I've got it all the way to a successful launch with tboot 1.9.11 into > Xen and dom0, once SHA256 is enabled as the hash algorithm with this > basic patch: > > diff --git a/tboot/common/tpm_20.c b/tboot/common/tpm_20.c > --- a/tboot/common/tpm_20.c > +++ b/tboot/common/tpm_20.c > @@ -2778,6 +2778,8 @@ static bool tpm20_init(struct tpm_if *ti) > return false; > } > > + ti->cur_alg = TB_HALG_SHA256; > + > if (handle2048 != 0) > goto out;
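Review bot: the new vtd_disable_qie() and vtd_disable_ire() calls in the txt.c hunk copy the existing vtd_disable_dma_remap() pattern of printing on failure and carrying on, so if either VT-d feature cannot be turned off tboot still heads into SENTER, which is exactly where the 0xc0033451 "Invalid PMR configuration" reboot is seen; consider propagating the failure out of this loop (or stating in a comment why continuing is safe) so the user gets a tboot-side diagnostic instead of a silent reboot. The diff as quoted also only touches txt.c: if vtd_disable_qie()/vtd_disable_ire() are not already present in the v1.9.11 tree the hunk needs the accompanying VT-d helper definitions, and a one-line comment on why queued invalidation and interrupt remapping must be disabled together with DMA remapping before the ACM checks the PMR configuration would spare the next reader the same puzzle this thread went through.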
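Review bot: in the tpm_20.c hunk `ti->cur_alg = TB_HALG_SHA256;` is assigned unconditionally inside tpm20_init(), so it overrides whatever set cur_alg before this point and ignores what the TPM and ACM actually report; on a TPM with only a SHA1 bank active this would now fail in the mirror image of the SHA1/SHA256 mismatch described in the message. Gate the choice on the algorithms the TPM reports (the message says this one reports both SHA1 and SHA256) or on the command-line selection rather than hard-coding one value, and note that because the assignment sits just above `if (handle2048 != 0) goto out;` it also runs on the early-exit path, which is presumably intended but deserves a comment.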
You might be able to skip the patch by simply specifying an 'extpol' parameter on the tboot command line, for example: "extpol=sha256". The patch linked below also adds support for "extpol=acm" which checks the ACM for supported TPM2 extpol settings and selects one automatically (it gives priority to the embedded policy which should extend both the SHA1 and SHA256 PCR banks).

* https://github.com/pcmoore/misc-tboot/commit/130a8cb226d50aaba3f55bd7f0ab6daf25aa0a19

-- 
paul moore
www.paul-moore.com

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
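The first message in the thread quotes tboot's decoding of TXT.ERRORCODE 0xc0033451 into acm_type=0x1, progress=0x05, error=0xd and looks the result up in the Broadwell SINIT error PDF. The following is an added example, not code from the thread or from tboot, showing how those fields fall out of the raw register value so the same lookup can be done from a serial log without rebooting the box. The struct and function names are assumptions made for this illustration; the field widths (valid at bit 31, external at bit 30, ACM type in bits 3:0, progress in bits 9:4, error in bits 14:10) are the standard AC module error layout, and the single name in the table is the one the thread supplies.

```c
/* Added example, not tboot's own code: decode a TXT.ERRORCODE value into the
 * AC-module error fields tboot prints, using the thread's own register value.
 * Bit positions: bit 31 valid, bit 30 external, bits 3:0 ACM type, bits 9:4
 * progress, bits 14:10 error. The upper bits (TPM error code, error source)
 * are deliberately not decoded here; the single entry in sinit_error_name()
 * is the one the thread quotes from SINIT_Errors-Broadwell-4th-gen.pdf. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct txt_acm_error {
    bool    valid;     /* register holds a valid error code */
    bool    external;  /* 1 = software-reported (ACM/MLE), 0 = processor-generated */
    uint8_t acm_type;  /* 0 = BIOS ACM, 1 = SINIT */
    uint8_t progress;  /* which ACM phase failed */
    uint8_t error;     /* error code within that phase */
};

struct txt_acm_error decode_txt_errorcode(uint32_t raw)
{
    struct txt_acm_error e;
    e.valid    = (raw >> 31) & 1u;
    e.external = (raw >> 30) & 1u;
    e.acm_type = raw & 0xfu;
    e.progress = (raw >> 4) & 0x3fu;
    e.error    = (raw >> 10) & 0x1fu;
    return e;
}

/* Only the entry documented in the thread; anything else defers to the
 * platform-specific SINIT_Errors PDF, which is where these codes are defined. */
const char *sinit_error_name(uint8_t progress, uint8_t error)
{
    if (progress == 0x05 && error == 0x0d)
        return "Invalid PMR configuration";
    return "not in local table, consult the SINIT_Errors PDF for the platform";
}

/* True when the code is a valid, software-reported SINIT (not BIOS ACM) error. */
bool is_sinit_error(uint32_t raw)
{
    struct txt_acm_error e = decode_txt_errorcode(raw);
    return e.valid && e.external && e.acm_type == 1;
}

int main(void)
{
    uint32_t raw = 0xc0033451u;  /* value from the thread's "TBOOT: TXT.ERRORCODE" line */
    struct txt_acm_error e = decode_txt_errorcode(raw);

    printf("TXT.ERRORCODE: 0x%08x\n", raw);
    printf("AC module error : acm_type=0x%x, progress=0x%02x, error=0x%x\n",
           e.acm_type, e.progress, e.error);
    if (is_sinit_error(raw))
        printf("SINIT says: %s\n", sinit_error_name(e.progress, e.error));
    return 0;
}
```

Running it on the thread's value reproduces tboot's printout and maps the pair (0x05, 0xd) to the PMR message; other codes fall through to the PDF reference, since the meaning of progress/error pairs differs between ACM generations.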
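Paul's reply describes two ways of picking the TPM 2.0 extend policy: an explicit extpol=sha256 on the tboot command line, or an extpol=acm mode that consults what the ACM supports and prefers the embedded policy that extends both the SHA1 and SHA256 banks. The block below is an added illustration of that selection logic, not code from tboot or from the linked commit: the bank and policy bitmasks, the SHA1 default when the parameter is absent (the behaviour Christopher reports hitting with 1.9.11), the acceptance of "sha1", "sha256", "embedded" and "acm", and the embedded-then-sha256-then-sha1 priority are all assumptions made for this example, and the real code has more state to consider than is modelled here.

```c
/* Added example, not tboot's own code: a small model of choosing the TPM 2.0
 * PCR-extend policy ("extpol") from the tboot command line, the banks the TPM
 * reports active, and the policies the SINIT ACM advertises. Masks, names,
 * the SHA1 default and the priority order are assumptions for illustration. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hash banks a TPM 2.0 may have active (constructed bitmask, not TPM2 alg IDs). */
#define BANK_SHA1   (1u << 0)
#define BANK_SHA256 (1u << 1)

enum extpol {
    EXTPOL_SHA1 = 0,     /* extend only the SHA1 bank */
    EXTPOL_SHA256,       /* extend only the SHA256 bank */
    EXTPOL_EMBEDDED,     /* ACM's embedded policy: extend both banks */
    EXTPOL_ACM,          /* let the ACM's capabilities decide (extpol=acm) */
    EXTPOL_INVALID
};

/* Bit in the constructed "policies the ACM supports" mask for policy p. */
#define ACM_POL(p) (1u << (p))

/* Parse "extpol=<value>" from a kernel-style command line; last one wins.
 * A missing parameter yields EXTPOL_SHA1, mirroring the default the thread
 * reports for tboot 1.9.11 when nothing was specified. */
enum extpol parse_extpol(const char *cmdline)
{
    char buf[256];
    enum extpol result = EXTPOL_SHA1;

    strncpy(buf, cmdline, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " \t\n"); tok != NULL; tok = strtok(NULL, " \t\n")) {
        if (strncmp(tok, "extpol=", 7) != 0)
            continue;
        const char *v = tok + 7;
        if      (strcmp(v, "sha1") == 0)     result = EXTPOL_SHA1;
        else if (strcmp(v, "sha256") == 0)   result = EXTPOL_SHA256;
        else if (strcmp(v, "embedded") == 0) result = EXTPOL_EMBEDDED;
        else if (strcmp(v, "acm") == 0)      result = EXTPOL_ACM;
        else                                 result = EXTPOL_INVALID;  /* unknown value */
    }
    return result;
}

/* Banks a concrete policy needs the TPM to have active. */
static uint32_t banks_needed(enum extpol pol)
{
    switch (pol) {
    case EXTPOL_SHA1:     return BANK_SHA1;
    case EXTPOL_SHA256:   return BANK_SHA256;
    case EXTPOL_EMBEDDED: return BANK_SHA1 | BANK_SHA256;
    default:              return 0;
    }
}

/* Resolve the requested policy to a concrete one. An explicit request must be
 * supported by the ACM and have its bank(s) active on the TPM, otherwise the
 * launch is refused here (EXTPOL_INVALID) instead of failing later at SENTER.
 * For extpol=acm the order is embedded, then sha256, then sha1. */
enum extpol select_extpol(enum extpol requested, uint32_t tpm_banks, uint32_t acm_policies)
{
    static const enum extpol acm_order[] = { EXTPOL_EMBEDDED, EXTPOL_SHA256, EXTPOL_SHA1 };
    uint32_t need;

    if (requested == EXTPOL_ACM) {
        for (size_t i = 0; i < sizeof acm_order / sizeof acm_order[0]; i++) {
            need = banks_needed(acm_order[i]);
            if ((acm_policies & ACM_POL(acm_order[i])) && (tpm_banks & need) == need)
                return acm_order[i];
        }
        return EXTPOL_INVALID;
    }
    if (requested >= EXTPOL_ACM)  /* EXTPOL_INVALID or out of range */
        return EXTPOL_INVALID;
    need = banks_needed(requested);
    if (!(acm_policies & ACM_POL(requested)) || (tpm_banks & need) != need)
        return EXTPOL_INVALID;
    return requested;
}

int main(void)
{
    /* Constructed inputs modelled on the thread: TPM reports SHA1 and SHA256. */
    uint32_t banks = BANK_SHA1 | BANK_SHA256;
    uint32_t acm   = ACM_POL(EXTPOL_SHA1) | ACM_POL(EXTPOL_SHA256) | ACM_POL(EXTPOL_EMBEDDED);
    const char *cmdlines[] = { "logging=serial,memory",
                               "logging=serial,memory extpol=sha256",
                               "logging=serial,memory extpol=acm" };
    for (size_t i = 0; i < 3; i++)
        printf("\"%s\" -> policy %d\n", cmdlines[i],
               (int)select_extpol(parse_extpol(cmdlines[i]), banks, acm));
    return 0;
}
```

The point of separating parse from select is that a bad extpol value or a bank the TPM does not have is rejected before the measured launch is attempted, which is the failure Christopher only saw as a mismatch after SENTER.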