From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail05.groups.io (mail05.groups.io [45.79.224.7]) by spool.mail.gandi.net (Postfix) with ESMTPS id 838327803E0 for ; Mon, 6 May 2024 09:10:47 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=Q+pojEUb8R1h08W1erdbwiEnBGrQxQG5qE5oQy/DDl4=; c=relaxed/simple; d=groups.io; h=From:To:CC:Subject:Thread-Topic:Thread-Index:Date:Message-ID:References:In-Reply-To:Accept-Language:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Resent-Date:Resent-From:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Language:Content-Type; s=20240206; t=1714986646; v=1; b=e6YM7tG5S8KarQ3XuX6ivhVVm3SnMVsvfYzdbCUUTgcDxcXGok3IZyKvykqUcu1u9RkB9QZa sdtKGIiwEzdo5FRk1uIXldTfaOQuYwVFA2RAX/uAXJZeXxdptSKoZ9Gz5XWB0Y3yQLXVqQZLqk7 /3cC4WVgTwGvnL+MJicgkdGyZCc7oT2QyTDh8tp2VsgjFbLSonPY37BBFtSTxs5mxvvlk4JM+V8 WT9CnFOVKOUPnLVF9XDQok1R5xFp8FF6MrUr/FOIhIkN3yI5wQHfYUPQBjLMwUWdYqYq6RkfjHl XBPmmWOeZK3RscZkcCd3ntRn9F/quYSJHfeB6o9a2IoQA== X-Received: by 127.0.0.2 with SMTP id LLzrYY7687511xQMl53lEski; Mon, 06 May 2024 02:10:46 -0700 X-Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by mx.groups.io with SMTP id smtpd.web11.16227.1714986644320150168 for ; Mon, 06 May 2024 02:10:45 -0700 X-Received: from mail.maildlp.com (unknown [172.19.163.48]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4VXwXX2zsxzvRyL; Mon, 6 May 2024 17:07:24 +0800 (CST) X-Received: from canpemm100006.china.huawei.com (unknown [7.192.104.17]) by mail.maildlp.com (Postfix) with ESMTPS id ACFFB180065; Mon, 6 May 2024 17:10:41 +0800 (CST) X-Received: from canpemm500001.china.huawei.com (7.192.104.163) by canpemm100006.china.huawei.com (7.192.104.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Mon, 6 May 2024 17:10:41 +0800 X-Received: from canpemm500001.china.huawei.com ([7.192.104.163]) by canpemm500001.china.huawei.com ([7.192.104.163]) with mapi id 15.01.2507.035; Mon, 6 May 2024 17:10:41 +0800 From: "Zhoujian (jay) via groups.io" To: "devel@edk2.groups.io" , "jiewen.yao@intel.com" , "rebecca@bsdio.com" , "corvink@freebsd.org" CC: "zhengyaohui (A)" , "Wangxin (Alexander)" , "Zhoujian (jay)" Subject: Re: [edk2-devel] [Question] VM failed to start with secure boot and TPM 2.0 Thread-Topic: [Question] VM failed to start with secure boot and TPM 2.0 Thread-Index: AdqZ6oVEwzyZmpA5RHKIe2tsitMDSQFmJ9Ug Date: Mon, 6 May 2024 09:10:41 +0000 Message-ID: References: In-Reply-To: Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.173.125.127] MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Resent-Date: Mon, 06 May 2024 02:10:45 -0700 Resent-From: jianjay.zhou@huawei.com Reply-To: devel@edk2.groups.io,jianjay.zhou@huawei.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: lJiwl3IQ3tECkV6yTiTJGoOsx7686176AA= Content-Language: zh-CN Content-Type: multipart/alternative; boundary="_000_dd23e51f0b554f488f1de176240ef49fhuaweicom_" X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20240206 header.b=e6YM7tG5; dmarc=pass (policy=none) header.from=groups.io; spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 45.79.224.7 as permitted sender) smtp.mailfrom=bounce@groups.io --_000_dd23e51f0b554f488f1de176240ef49fhuaweicom_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Add Maintainers and Reviewers: Jiewen Yao > Rebecca Cran > Corvin K=F6hne > Could you give us some advice? Thanks From: Zhoujian (jay) Sent: Monday, April 29, 2024 12:07 PM To: 'devel@edk2.groups.io' Cc: zhengyaohui (A) ; Wangxin (Alexander) Subject: [Question] VM failed to start with secure boot and TPM 2.0 Hi all, We encountered a problem that the virtual machine failed to start. Our Configuration is as follows: 1. Use qemu 4.1.0 and edk2 202011 for x86 test, and qemu 7.1.0 and edk2 202= 011 for arm test 2. Enable secure boot and TPM 2.0. 3. Import the PK [1]\KEK [2]\db [3]\dbx [4]certificates. 4. VM started with 60 disks and 7 network cards The log of serial port reported the errors: ``` Could not create MokListRT: Volume full Could not create MokListXRT: Volume full Could not create SbatlevelRT: Volume full Could not create MokListTrustedRT: Volume full Something has gone seriously wrong: import_mok_state() failed : Volume Full ``` TPM measures part of UEFI variables, include PK/KEK/db/dbx, BootOrder and s= o on. It calls Tcg2HashLogExtendEvent (edk2 SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c= ) to write to event log. Currently the event log length is 64 KB, if full, Tcg2HashLogExtendEvent returned EFI_VOLUME_FULL which caused the VM failed to start. I found some description about variable area length and event log area leng= th. After using tpm2-tool to parse the event logs, we found that event log of a variable contains variable data. Theoretically, the variable size can excee= d 64KB, as long as it does not exceed 256KB. Maybe event log area length should be greater than variable area length ? In section 9.2 of TCG PC Client Platform Firmware Profile Specification [5]= : ``` The Log Area Minimum Length for the TCG event log MUST be at least 64KB. ``` In source code [6] of edk2: ``` ## This PCD defines minimum length(in bytes) of the system preboot TCG even= t log area(LAML). # For PC Client Implementation spec up to and including 1.2 the minimum log= size is 64KB. # @Prompt Minimum length(in bytes) of the system preboot TCG event log area= (LAML). gEfiSecurityPkgTokenSpaceGuid.PcdTcgLogAreaMinLen|0x10000|UINT32|0x00010017 ``` In source code [7] of edk2: ``` !if $(FD_SIZE_IN_KB) =3D=3D 4096 <- - - - - - # it is true in our conf= iguration # Size: 0x40000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSi= ze) - # 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) =3D 0x3ffb8 # This can speed up the Variable Dispatch a bit. 0xB8, 0xFF, 0x03, 0x00, !endif ``` Based on the above analysis, We tried two solutions: 1. We modify the TcgCommLogEvent function in edk2 to ignore the EFI_VOLUME_FULL error, return EFI_SUCCESS but not write event log. This ide= a refers to [8]. 2. We increase the value of PcdTcgLogAreaMinLen because TCG only defines minimum length. And tpm2-tools has supported event logs longer than 64KB [9= ]. Both solutions can make the virtual machine start successfully but not sure= if they introduce other problems. For the first solution, we are worried that the missing part of the event log will affect the TPM's function. For the second solution, we are not sure if this change will have any impact on oth= er components. Could you give us some advices? Thanks References: [1] https://go.microsoft.com/fwlink/?linkid=3D2255361 [2] https://go.microsoft.com/fwlink/p/?linkid=3D321185 [3] https://go.microsoft.com/fwlink/?LinkId=3D321192 [4] https://uefi.org/sites/default/files/resources/x64_DBXUpdate.bin [5] https://trustedcomputinggroup.org/resource/pc-client-specific-platform-= firmware-profile-specification/ [6] https://github.com/tianocore/edk2/blob/master/SecurityPkg/SecurityPkg.d= ec [7] https://github.com/tianocore/edk2/blob/master/OvmfPkg/Bhyve/VarStore.fd= f.inc [8] https://github.com/rhboot/shim/pull/657 [9] https://github.com/tpm2-software/tpm2-tools/pull/2683 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#118590): https://edk2.groups.io/g/devel/message/118590 Mute This Topic: https://groups.io/mt/105797435/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- --_000_dd23e51f0b554f488f1de176240ef49fhuaweicom_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

Add Maintainers and Reviewers:<= o:p>

Jiewen Yao <jiewen.yao@intel.com>

Rebecca Cran <rebecca@bsdio.com>

Corvin K=F6hne <corvink@freebsd.org>

 

Could you give us some advice?<= o:p>

 

Thanks

 

From: Zhoujian (jay)
Sent: Monday, April 29, 2024 12:07 PM
To: 'devel@edk2.groups.io' <devel@edk2.groups.io>
Cc: zhengyaohui (A) <zhengyaohui1@huawei.com>; Wangxin (Alexan= der) <wangxinxin.wang@huawei.com>
Subject: [Question] VM failed to start with secure boot and TPM 2.0<= o:p>

 

Hi all,

 

We encountered a problem that t= he virtual machine failed to start. Our

Configuration is as follows: 1. Use qemu 4.1.0 and edk2 202011 for x86 test, and qemu 7.1.0 and edk2 202= 011

for arm test
2. Enable secure boot and TPM 2.0.
3. Import the PK [1]\KEK [2]\db [3]\dbx [4]certificates.
4. VM started with 60 disks and 7 network cards

 

The log of serial port reported= the errors:
```
Could not create MokListRT: Volume full
Could not create MokListXRT: Volume full
Could not create SbatlevelRT: Volume full
Could not create MokListTrustedRT: Volume full
Something has gone seriously wrong: import_mok_state() failed : Volume Full=
```

TPM measures part of UEFI variables, include PK/KEK/db/dbx, BootOrder and s= o

on. It calls Tcg2HashLogExtendE= vent (edk2 SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c)

to write to event log. Currentl= y the event log length is 64 KB, if full,

Tcg2HashLogExtendEvent returned= EFI_VOLUME_FULL which caused the VM

failed to start.


I found some description about variable area length and event log area leng= th.

After using tpm2-tool to parse = the event logs, we found that event log of a

variable contains variable data= . Theoretically, the variable size can exceed

64KB, as long as it does not ex= ceed 256KB. Maybe event log area length

should be greater than variable= area length ?

 

In section 9.2 of TCG PC Client= Platform Firmware Profile Specification [5]:
```
The Log Area Minimum Length for the TCG event log MUST be at least 64KB. ```


In source code [6] of edk2:

```
## This PCD defines minimum length(in bytes) of the system preboot TCG even= t log area(LAML).
# For PC Client Implementation spec up to and including 1.2 the minimum log= size is 64KB.
# @Prompt Minimum length(in bytes) of the system preboot TCG event log area= (LAML).
gEfiSecurityPkgTokenSpaceGuid.PcdTcgLogAreaMinLen|0x10000|UINT32|0x00010017=
```


In source code [7] of edk2:

```
!if $(FD_SIZE_IN_KB) =3D=3D 4096     <- - - - - -&nb= sp; # it is true in our configuration
# Size: 0x40000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSi= ze) -
# 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) =3D 0x3ffb8
# This can speed up the Variable Dispatch a bit.
0xB8, 0xFF, 0x03, 0x00,
!endif
```

Based on the above analysis, We tried two solutions:
1. We modify the TcgCommLogEvent function in edk2 to ignore the<= /span>

EFI_VOLUME_FULL error, return E= FI_SUCCESS but not write event log. This idea

refers to [8].
2. We increase the value of PcdTcgLogAreaMinLen because TCG only defines

minimum length. And tpm2-tools = has supported event logs longer than 64KB [9].

Both solutions can make the virtual machine start successfully but not sure= if

they introduce other problems. = For the first solution, we are worried that

the missing part of the event l= og will affect the TPM’s function. For the

second solution, we are not sur= e if this change will have any impact on other

components. <= /p>

 

Could you give us some advices?=

 

Thanks

 

References:

[1] https://go.microsoft.com/fwlink/?linkid=3D2255361

[2] https://go.microsoft.com/fwlink/p/?linkid=3D321185

[3] https://go.microsoft.com/fwlink/?LinkId=3D321192

[4] https://uefi.org/sites/default/files/resources/x64_DBXUpdate.bin

[5] https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firm= ware-profile-specification/

[6] https://github.com/tianocore/edk2/blob/master/SecurityPkg/SecurityPkg.dec

[7] https://github.com/tianocore/edk2/blob/master/OvmfPkg/Bhyve/VarStore.fdf.in= c

[8] https://github.com/rhboot/shim/pull/657

[9] https://github.com/tpm2-software/tpm2-tools/pull/2683=

_._,_._,_
Groups.io Links:

=20 You receive all messages sent to this group. =20 =20

View/Reply Online (#118590) | =20 | Mute= This Topic | New Topic
Your Subscriptio= n | Contact Group Owner | Unsubscribe [rebecca@openfw.io]

_._,_._,_
--_000_dd23e51f0b554f488f1de176240ef49fhuaweicom_--