On Fri, Jan 24, 2020 at 1:52 PM Christopher Clark
<christopher.w.cl...@gmail.com> wrote:
> On Tue, Jan 21, 2020 at 12:32 AM Lukasz Hawrylko
> <lukasz.hawry...@linux.intel.com> wrote:
> >
> > On Wed, 2020-01-15 at 18:36 -0800, Christopher Clark wrote:
> > > Hello
> > >
> > > I am trying to boot with tboot and TPM 2.0 on a Dell PowerEdge R730
> > > and encountering reboot at SENTER every time with the following:
> > >
> > > TBOOT: TXT.ERRORCODE: 0xc0033451
> > > TBOOT: AC module error : acm_type=0x1, progress=0x05, error=0xd
> > >
> > > which SINIT_Errors-Broadwell-4th-gen.pdf indicates is: Invalid PMR 
> > > configuration
> [...]
> >
> > Hi Christopher
> >
> > First, please ensure that you are using the latest SINIT. I know
> > that the ACM team was working on a similar issue, but I don't know if they
> > have already released a version with the fix.
> >
> > If the problem still exists with the latest SINIT, you can try to modify TBOOT
> > and check if that helps. Please apply the following patch over v1.9.11:
> >
> > diff -r 003178d05f52 tboot/txt/txt.c
> > --- a/tboot/txt/txt.c   Tue Jan 14 11:54:11 2020 +0100
> > +++ b/tboot/txt/txt.c   Tue Jan 21 09:27:51 2020 +0100
> > @@ -559,6 +559,12 @@
> >              if (!vtd_disable_dma_remap(iter)) {
> >                  printk("    vtd_disable_dma_remap failed!\n");
> >              }
> > +            if (!vtd_disable_qie(iter)) {
> > +                printk("    vtd_disable_qie failed!\n");
> > +            }
> > +            if (!vtd_disable_ire(iter)) {
> > +                printk("    vtd_disable_ire failed!\n");
> > +            }
> >          }
> >      }
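Review bot: the two new calls in this hunk follow the existing vtd_disable_dma_remap pattern of printing a message and carrying on, so a failure to disable queued invalidation or interrupt remapping on a DRHD unit is logged but the launch still proceeds into SENTER; if either is required for a valid VT-d/PMR state at SENTER, consider propagating the failure (for example `return false;` or setting an error flag) instead of only printing. Also, vtd_disable_qie and vtd_disable_ire are not defined anywhere in the quoted patch, so the patch as posted only builds if those functions already exist in v1.9.11 or are added in a hunk not quoted here.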
> >
>
> Hi Lukasz,
>
> Thanks for your reply and for the patch, and I can confirm that with
> the patch applied, tboot does proceed past the previous point it was
> triggering reboot and it no longer reports a PMR errorcode 0xc0033451.
>
> My next encounter was with a different error due to the wrong hash
> algorithm being selected by tboot. The TPM 2.0 on this machine (Dell
> don't sell TPM 1.2s for it any more) reports availability of both SHA1
> and SHA256, but the BIOS won't allow enabling TXT without configuring
> it to use SHA256, and then tboot was picking SHA1, which then tripped
> a mismatch failure.
>
> I've got it all the way to a successful launch with tboot 1.9.11 into
> Xen and dom0, once SHA256 is enabled as the hash algorithm with this
> basic patch:
>
> diff --git a/tboot/common/tpm_20.c b/tboot/common/tpm_20.c
> --- a/tboot/common/tpm_20.c
> +++ b/tboot/common/tpm_20.c
> @@ -2778,6 +2778,8 @@ static bool tpm20_init(struct tpm_if *ti)
>     return false;
>      }
>
> +    ti->cur_alg = TB_HALG_SHA256;
> +
>      if (handle2048 != 0)
>          goto out;
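Review bot: the added `ti->cur_alg = TB_HALG_SHA256;` forces SHA256 unconditionally, overriding whatever tpm20_init selected before this point and without checking that the TPM reports SHA256 among its supported algorithms or active PCR banks, so on a TPM 2.0 that only offers SHA1 it would trade the current mismatch failure for the opposite one; as a workaround for this machine it is fine, but a mergeable version should gate the choice on the TPM's reported algorithms or a command-line setting rather than hard-coding it, and the hunk carries no comment explaining why SHA1 is being bypassed. Minor: the context line `return false;` is indented one level off from the `}` below it, which suggests the hunk was reflowed in the mail and may not apply cleanly as quoted.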

You might be able to skip the patch by simply specifying an 'extpol'
parameter on the tboot command line, for example: "extpol=sha256".

The patch linked below also adds support for "extpol=acm" which checks
the ACM for supported TPM2 extpol settings and selects one
automatically (it gives priority to the embedded policy which should
extend both the SHA1 and SHA256 PCR banks).

* https://github.com/pcmoore/misc-tboot/commit/130a8cb226d50aaba3f55bd7f0ab6daf25aa0a19

-- 
paul moore
www.paul-moore.com


_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel