From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
To: devel@edk2.groups.io, public@thson.de, James Bottomley
CC: lersek@redhat.com, ardb+tianocore@kernel.org
Subject: Re: [edk2-devel] Problem: TPM 2.0 event log by OVMF is shown empty in Linux kernel versions after 5.8
Date: Tue, 27 Apr 2021 09:00:48 -0500
Message-ID: <2e82d24c-2cf2-1681-646d-3f848818ade8@amd.com>
In-Reply-To: <76f91d91-9eb9-3e31-b09b-3ecfc0c03a4f@thson.de>
References: <8f68431ac5e7ef1f28037856f92da8327cdfb737.camel@HansenPartnership.com> <76f91d91-9eb9-3e31-b09b-3ecfc0c03a4f@thson.de>

On 4/27/21 2:40 AM, Thore Sommer via groups.io wrote:
> 
>> I don't confirm this.  I have Linux version 5.12.0-rc5+ installed and I
>> see the attached in my binary_bios_measurements (I've run it through
>> tpm2-eventlog so you can see the actual events).
> Ok that is interesting.
> 
> Here are the steps to reproduce my findings.
> Necessary tools: Build chain for edk2, swtpm 0.5.2 and qemu 5.2.0
> 
> 1. Build OVMF from edk2-stable202102 with
> -a X64 -a IA32 \
> -b RELEASE \
> -D NETWORK_IP6_ENABLE \
> -D TPM_ENABLE \

Shouldn't you also have '-D TPM_CONFIG_ENABLE' ?

Thanks,
Tom

> -D FD_SIZE_4MB \
> -D TLS_ENABLE \
> -D HTTP_BOOT_ENABLE \
> -D SECURE_BOOT_ENABLE \
> -D SMM_REQUIRE \
> -D EXCLUDE_SHELL_FROM_FD
> 
> 2. Copy OVMF_CODE.fd and OVMF_VARS.fd into an empty directory
> 3. Download Ubuntu 21.04 desktop iso (which has a 5.11 Linux kernel) and
> copy it into that directory
> (I can provide a custom Debian build with a patched and unpatched vanilla
> kernel if needed)
> 4. Create dir for swtpm: mkdir mytpm1
> 5. Start swtpm with
> swtpm socket \
>     --tpm2 \
>     --tpmstate dir=mytpm1 \
>     --ctrl type=unixio,path=mytpm1/swtpm-sock \
>     --log level=4 &
> 6. Start qemu with
> qemu-system-x86_64 \
>         -enable-kvm \
>         -machine q35,smm=on \
>         -global driver=cfi.pflash01,property=secure,value=on \
>         -drive if=pflash,format=raw,unit=0,file=OVMF_CODE.fd,readonly=on \
>         -drive if=pflash,format=raw,unit=1,readonly=off,file=OVMF_VARS.fd \
>         -chardev socket,id=chrtpm,path=mytpm1/swtpm-sock \
>         -tpmdev emulator,id=tpm0,chardev=chrtpm \
>         -device tpm-crb,tpmdev=tpm0 \
>         -boot d \
>         -cdrom "ubuntu-21.04-desktop-amd64.iso" \
>         -m 3G \
>         -vga virtio
> 7. Start Ubuntu normally and choose "Try Ubuntu"
> 8. Open a Terminal and check that
> "/sys/kernel/security/tpm0/binary_bios_measurements" is empty
> 
>> On my OVMF boot I'm using the direct
>> kernel command line and I have secure boot enabled but not activated,
>> which is why you only see PCRs 0-7 in the log.
> 
> The Kernel here is loaded by Grub which itself is loaded by Shim. But that
> should not make a difference regarding the event log via ACPI right?
> 
> I've attached the event log from a Ubuntu 20.04 machine with a 5.12
> patched kernel and my kernel build config.
> 
> Best regards
> Thore Sommer
> 
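The reproduction above ends with a bare "is the file empty" check, and the earlier reply relied on tpm2-eventlog to render a non-empty one. The following is an added example, not code from this thread, from OVMF, or from tpm2-tools: a stand-alone parser for the crypto-agile TCG event log that /sys/kernel/security/tpm0/binary_bios_measurements exposes (a TCG_PCClientPCREvent "Spec ID Event03" header followed by TCG_PCR_EVENT2 records), plus a PCR replay so the log can be checked against what the TPM actually reports. The function names (parse_event_log, replay_pcrs, build_sample_log) and the sample log are my own constructions; the sample contains only a header and EV_SEPARATOR records for PCRs 0-7, which is less than a real OVMF log but enough to exercise the parser.

```python
import hashlib
import struct
import sys

# Event types from the TCG PC Client Platform Firmware Profile (subset).
EVENT_TYPES = {
    0x00000001: "EV_POST_CODE",
    0x00000003: "EV_NO_ACTION",
    0x00000004: "EV_SEPARATOR",
    0x80000001: "EV_EFI_VARIABLE_DRIVER_CONFIG",
    0x80000002: "EV_EFI_VARIABLE_BOOT",
    0x80000003: "EV_EFI_BOOT_SERVICES_APPLICATION",
    0x80000007: "EV_EFI_ACTION",
    0x800000E0: "EV_EFI_VARIABLE_AUTHORITY",
}
EV_NO_ACTION, EV_SEPARATOR = 0x3, 0x4
# TPM2_ALG_ID -> (hashlib name, digest size), per the TCG Algorithm Registry.
ALG_SIZES = {0x0004: ("sha1", 20), 0x000B: ("sha256", 32),
             0x000C: ("sha384", 48), 0x000D: ("sha512", 64)}
SPEC_ID_SIGNATURE = b"Spec ID Event03\x00"


def parse_event_log(data):
    """Parse a crypto-agile TCG event log (the binary_bios_measurements blob).

    Returns (algorithms, events): algorithms is the [(alg_id, digest_size)]
    list announced by the Spec ID header; each event is a dict with pcr, type,
    digests {alg_id: bytes} and the raw event data. An empty blob, the symptom
    discussed in the thread, yields ([], []).
    """
    if not data:
        return [], []
    off = 0
    # First record: legacy TCG_PCClientPCREvent with a fixed 20-byte SHA1
    # digest field; its event data is the TCG_EfiSpecIdEvent header.
    pcr, etype = struct.unpack_from("<II", data, off)
    off += 8 + 20
    (esize,) = struct.unpack_from("<I", data, off)
    off += 4
    body = data[off:off + esize]
    off += esize
    if etype != EV_NO_ACTION or not body.startswith(SPEC_ID_SIGNATURE):
        raise ValueError("log does not start with a Spec ID Event03 header")
    # signature[16] platformClass[4] minor[1] major[1] errata[1] uintnSize[1]
    (nalgs,) = struct.unpack_from("<I", body, 24)
    algorithms = [struct.unpack_from("<HH", body, 28 + 4 * i) for i in range(nalgs)]
    sizes = dict(algorithms)
    events = [{"pcr": pcr, "type": etype, "digests": {}, "data": body}]
    # Every following record is a TCG_PCR_EVENT2: one digest per algorithm.
    while off < len(data):
        pcr, etype, ndig = struct.unpack_from("<III", data, off)
        off += 12
        digests = {}
        for _ in range(ndig):
            (alg_id,) = struct.unpack_from("<H", data, off)
            off += 2
            size = sizes.get(alg_id) or ALG_SIZES[alg_id][1]
            digests[alg_id] = data[off:off + size]
            off += size
        (esize,) = struct.unpack_from("<I", data, off)
        off += 4
        events.append({"pcr": pcr, "type": etype, "digests": digests,
                       "data": data[off:off + esize]})
        off += esize
    return algorithms, events


def replay_pcrs(events, alg_id=0x000B):
    """Recompute PCR values by replaying the extends recorded in the log."""
    name, size = ALG_SIZES[alg_id]
    pcrs = {}
    for ev in events:
        if ev["type"] == EV_NO_ACTION:
            # EV_NO_ACTION records are never extended; a StartupLocality record
            # only tells us PCR 0 started at the locality value, not all zeros.
            if ev["data"].startswith(b"StartupLocality\x00"):
                pcrs[0] = b"\x00" * (size - 1) + bytes([ev["data"][16]])
            continue
        digest = ev["digests"].get(alg_id)
        if digest is None:
            continue
        current = pcrs.get(ev["pcr"], b"\x00" * size)
        pcrs[ev["pcr"]] = hashlib.new(name, current + digest).digest()
    return pcrs


def build_sample_log(algs=(0x000B,)):
    """Constructed input: Spec ID header plus one EV_SEPARATOR per PCR 0..7."""
    digest_sizes = b"".join(struct.pack("<HH", a, ALG_SIZES[a][1]) for a in algs)
    spec = (SPEC_ID_SIGNATURE + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, len(algs))
            + digest_sizes + b"\x00")  # trailing byte: vendorInfoSize = 0
    log = (struct.pack("<II", 0, EV_NO_ACTION) + b"\x00" * 20
           + struct.pack("<I", len(spec)) + spec)
    separator = b"\x00\x00\x00\x00"
    for pcr in range(8):
        log += struct.pack("<III", pcr, EV_SEPARATOR, len(algs))
        for a in algs:
            log += struct.pack("<H", a) + hashlib.new(ALG_SIZES[a][0], separator).digest()
        log += struct.pack("<I", len(separator)) + separator
    return log


if __name__ == "__main__":
    path = "/sys/kernel/security/tpm0/binary_bios_measurements"
    blob = build_sample_log() if "--sample" in sys.argv else open(path, "rb").read()
    algorithms, events = parse_event_log(blob)
    if not events:
        sys.exit(f"{path} is empty: the firmware logged nothing or the kernel dropped the log")
    print("algorithms:", [f"{a:#06x}/{s}" for a, s in algorithms])
    for ev in events:
        print(f"PCR {ev['pcr']:2d} {EVENT_TYPES.get(ev['type'], hex(ev['type'])):34s} "
              f"{ev['digests'].get(0x000B, b'').hex()[:16]} len={len(ev['data'])}")
    for pcr, value in sorted(replay_pcrs(events).items()):
        print(f"replayed PCR {pcr:2d}: {value.hex()}")
```

Run it as root inside the guest (or with --sample to see the constructed log) and compare the replayed values with `tpm2_pcrread sha256` against the swtpm instance. If the file is non-empty but the replayed PCRs do not match the TPM, the log is incomplete rather than merely present, which is a different failure from the empty-file symptom the thread is chasing.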