lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <cec36124-0950-6ad9-58a8-9bd69e63aa04@redhat.com>
Date:   Thu, 8 Mar 2018 17:50:23 +0100
From:   Hans de Goede <hdegoede@...hat.com>
To:     Javier Martinez Canillas <javierm@...hat.com>,
        Jeremy Cline <jeremy@...ine.org>,
        Thiebaud Weksteen <tweek@...gle.com>,
        Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
        linux-efi@...r.kernel.org, linux-integrity@...r.kernel.org,
        tpmdd-devel@...ts.sourceforge.net,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: Regression from efi: call get_event_log before ExitBootServices

<somehow this part of the thread was missing some email addresses, I've added these now>

Hi,

On 07-03-18 12:34, Javier Martinez Canillas wrote:
> On 03/07/2018 12:10 PM, Hans de Goede wrote:

<snip>

>> Both according to the BIOS and to the /sys/class/tpm/tpm0/device/description
>> file it is a TPM 2.0.
>>
> 
> I see, so you can choose enabling the TPM 1.2 or TPM 2.0 device? At least that's
> the case on my X1 Carbon laptop. I've both a hardware TPM 1.2 and a firmware TPM
> 2.0 that's implemented as an Intel ME application (AFAIU).

This device only has the firmware TPM 2.0 implementation.

<snip>

>> I'm actually amazed that this machine has a TPM at all, a quick internet
>> search shows that it is a software implemented TPM running as part of the
>> TXE firmware.
>>
> 
> A quick search suggests that it comes with Windows 10?

Yes, it comes with Windows 10.

>>> For start, can you please check if you can boot a v4.16-rcX kernel with the
>>> TPM device enabled? That way we will know that at least that it consistently
>>> fails on this machine and is not and isolated issue.
>>
>> I just tried and v4.16-rc3 boots fine for me, repeatedly.
>>
> 
> That's an interesting data point.
> 
>> I guess Jeremy's model may actually have something in the TPM log
> 
> I don't think so. The UEFI firmware already does some measurements and also
> does shim. So you *should* have some logs.
> 
>> while my TPM log is empty... Is there anyway to make sure the TPM
>> log has some info to retreive?
>>
> 
> Are you also able to read the TPM event logs?
> 
> $ hexdump /sys/kernel/security/tpm0/binary_bios_measurements

Yes for me that outputs a lot of hex :)

> The UEFI firmware does some measurements and so does shim. So you should
> have some event logs. What version of shim are you using? And also would
> be good to know if it's the same shim version that Jeremy is using.

That is a very good question, I'm using: shim-ia32-13-0.7.x86_64, which is
the last version for F27 AFAICT.

But Jeremy's tablet might very well be not using the shim at all, as
I manually installed Fedora 25 on the tablet he now has, before Fedora supported
machines with 32 bit EFI. I then later did a "dnf distro-sync" to Fedora-27.

Jeremy might also very well still be booting using a grub binary I build
manually back then, without any shim being involved.

Jeremy what does efibootmgr -v output on your device ?

Regards,

Hans

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ