Hi,
a Debian 12 installation with tboot stopped working when I upgraded BIOS
from version 2.4.2 to version 2.9.0. Instead of a normal boot the system
just resets and BIOS tells me that
"There was an error during TXT SNIT ACM invocation on the previous boot.
Verify that the SINIT ACM used
Hi,
please consider the attached patch. Currently tboot respects CFLAGS and
LDFLAGS from the environment but not CPPFLAGS.
-Timo
# HG changeset patch
# User Timo Lindfors
# Date 1655455151 -10800
# Fri Jun 17 11:39:11 2022 +0300
# Node ID 2bd7c7a33d49ffeb01edd0306b581b9f320316e6
-wise-identical reproducible compilations."
-Timo
# HG changeset patch
# User Timo Lindfors
# Date 1655482017 -10800
# Fri Jun 17 19:06:57 2022 +0300
# Node ID 0d80fadebdf1abd3503a8f4911bfb72de352cd73
# Parent 2bd7c7a33d49ffeb01edd0306b581b9f320316e6
Remove references to __DATE__ t
o
On Mon, 13 Jun 2022, Bhungal, Jeevan S wrote:
Hi Timo,
It is the same license, so no change.
Jeevan Bhungal
Client Security Technologist | CCG-CPE-CCE
CCE Security Champion
D 916.377.1013 | M 530.844.0930
Intel Corporation | intel.com
-----Original Message-----
From: Timo Lindfors
Se
Hi,
On Mon, 25 Apr 2022, Jason Andryuk wrote:
https://cdrdv2.intel.com/v1/dl/getContent/630744?explicitVersion=true
Jeevan Bhungal
Great! Yeah, the internal link does not work, but the direct link
does. Thank you, Jeevan.
The direct link works but does not seem to contain any license
in
On Sat, 11 Jun 2022, Tony Camuso wrote:
OK, so something is going wrong with the information that tboot is
forwarding to the kernel launch.
On the efi system, with "noefi" removed from the grub command line,
the system boots.
With "noefi" in the grub command line, Device Mapper cannot find
the
On Fri, 10 Jun 2022, Tony Camuso wrote:
If your system is booting in efi mode, then it needs efi.
If it's booting in legacy bios mode, then it doesn't need efi
Commit https://sourceforge.net/p/tboot/code/ci/aad782103a6e
says that
"Note that booting *without* noefi is a security risk since t
On Fri, 27 May 2022, Randzio, Pawel wrote:
I wish to gladly inform you that I've fixed the bug preventing suspend with
Tboot.
Great news! Has this patch already been sent upstream?
-Timo
___
tboot-devel mailing list
[email protected]
Hi,
On Mon, 25 Apr 2022, Jason Andryuk wrote:
https://cdrdv2.intel.com/v1/dl/getContent/630744?explicitVersion=true
Jeevan Bhungal
Great! Yeah, the internal link does not work, but the direct link
does. Thank you, Jeevan.
Is the plan still to have these listed on
https://www.intel.com/c
Hi,
On Tue, 22 Mar 2022, Łukasz Hawryłko wrote:
On Sat, 2022-03-12 at 09:34 +0200, Timo Lindfors wrote:
On Fri, 11 Mar 2022, Łukasz Hawryłko wrote:
I see that you have quite a complex environment for testing tboot; if I
find my old GRUB patch and prepare a patch for tboot that combined should
fix
# HG changeset patch
# User Timo Lindfors
# Date 1647554321 -7200
# Thu Mar 17 23:58:41 2022 +0200
# Node ID 94606b71c3dabaabee813971a223686257d65d52
# Parent bcdf58c1d076bfe41c58ac93254914dc0f2fd449
Ignore modules that overlap with internal data structures
Without this patch the system can
# HG changeset patch
# User Timo Lindfors
# Date 1647554330 -7200
# Thu Mar 17 23:58:50 2022 +0200
# Node ID 538c14b1428d0625ebb3f9c3cae21656fd4c3b06
# Parent e45ccbe6bf59ba534ad628f7be45e7c34629e19b
Allow selecting only SINIT modules that match platform
This introduces
# HG changeset patch
# User Timo Lindfors
# Date 1647554325 -7200
# Thu Mar 17 23:58:45 2022 +0200
# Node ID e45ccbe6bf59ba534ad628f7be45e7c34629e19b
# Parent 94606b71c3dabaabee813971a223686257d65d52
Introduce GRUB_TBOOT_SINIT_LIST for selecting SINIT modules to use
Signed-off-by: Timo
On Fri, 11 Mar 2022, Łukasz Hawryłko wrote:
I see that you have quite a complex environment for testing tboot; if I
find my old GRUB patch and prepare a patch for tboot that combined should
fix the issue, will you be able to run tests?
Yes, I'm happy to run tests :)
Hi,
On Fri, 11 Mar 2022, Łukasz Hawryłko wrote:
In a few words - when multiple SINITs are loaded, there is a chance that
one (or more) of them will be overwritten by some TBOOT data structures
that have hardcoded addresses. In most cases it is the memory log, but this
is not a rule.
This sounds annoy
Hi,
in https://sourceforge.net/p/tboot/mailman/message/37340469/ there was a
discussion about needing to get grub to accept a patch to reliably support
multiple SINIT modules. Any idea what's the status of this patch?
Using multiple SINIT modules is useful if you want to have a single image
On Wed, 9 Mar 2022, Timo Juhani Lindfors wrote:
From: Timo Lindfors
Without this patch
txt-acminfo 5th_gen_i5_i7_SINIT_79.BIN
segfaults. This issue was introduced in
This is not the most beautiful patch I must say but I hope it at least
helps somewhat and does not break anything. I
Hi,
just a quick note: lcp2_crtpollist man page says "algorightm" but should
probably say "algorithm". Thought about sending a patch but it's probably
easier for you to just fix this directly :)
-Timo
On Wed, 9 Mar 2022, Randzio, Pawel wrote:
First of all - package 1.10.4 is already outdated (I mistakenly made a release
with bugs), I forgot to add packages for 1.10.5.
Thanks for the reminder :)
And as for the key - older packages were signed by Łukasz, and I think I
haven't been instructed
Hi,
I noticed that the tboot-1.10.4.tar.gz.gpg release is signed using key
A16A6B495B7ED435EF129F21FF6B78E7EB6D8A8B. Is this key available from
somewhere? Previously key 5CECC9E12872F424009D0E0B6F2F48CC4E0B23EF was
used.
-Timo
On Thu, 26 Aug 2021, Lukasz Hawrylko wrote:
May I ask you to prepare the patch?
I'll look into this. Ideally it would be nice to get rid of including C
files from other C files completely.
-Timo
On Thu, 26 Aug 2021, Lukasz Hawrylko wrote:
You can check if txt-stat dumps TBOOT log correctly. Nothing else comes
into my mind.
Looks normal to me. I've attached a compressed version to this mail.
-Timo
txt-stat.output.gz
Description: application/gzip
Hi,
txt-acminfo 5th_gen_i5_i7_SINIT_79.BIN
segfaults on my system:
Program received signal SIGSEGV, Segmentation fault.
does_acmod_match_platform (hdr=hdr@entry=0x77fc3000) at
../tboot/txt/acmod.c:590
590 txt_heap_t *txt_heap = get_txt_heap();
(gdb) bt
#0 does_acmod_match_platform
On Tue, 24 Aug 2021, Lukasz Hawrylko wrote:
Patch with fix is already prepared, I am waiting for GRUB team to merge
new multiboot2 module tag to publish it.
In the meantime, if you have a system where you are able to reproduce this
issue, may I ask you to test the fix?
Sure. I applied these to th
[replying to an old email thread]
On Tue, 7 Apr 2020, Lukasz Hawrylko wrote:
Unfortunately, this bug is not reported anywhere. In real life scenarios
I don't see any benefits of loading multiple SINITs. In most cases you
have one SINIT that is dedicated to the platform.
I am not sure if that is
Hi,
would it be possible to increase the maximum supported framebuffer size
or is memory usage an issue? I don't get any output using the following:
Framebuffer info:
address: 0xc000
pitch: 10240
width: 2560
height: 1440
bpp: 32
type: 1
Not supported framebuffer siz
Hi,
changeset: 620:805285ab8469
user: Lukasz Hawrylko
date: Fri Nov 13 16:09:33 2020 +0100
summary: Move old lcptool to deprecated folder and exclude from build
seems to add some binaries to mercurial version control:
$ hg clone http://hg.code.sf.net/p/tboot/code
tboot-cod
Hi,
tboot is now in Debian unstable: https://tracker.debian.org/pkg/tboot
If you need a backport for Debian 10, please let me know.
As explained in
https://salsa.debian.org/debian/tboot/-/blob/master/debian/README.Debian
you cannot yet use this with normal kernel packages as they lack
CONFIG
Hi,
changeset: 603:e73d11a8a2d6
user: Mateusz Mowka
date: Wed Jul 01 09:08:25 2020 +0200
summary: Update lcptools-v2 to meet requirements from MLE DG rev16.
seems to re-introduce spelling errors that were fixed in
changeset: 590:2fbc7ec3b2c8
user: Timo Juhani Lindf
Hi,
On Mon, 8 Jun 2020, Lukasz Hawrylko wrote:
TBOOT is using hardcoded default policy when TPM is not provisioned.
That policy enforces SHA256 even if TPM1.2 is detected. That leads to
undesirable behaviour.
Thanks, this seems to work!
Hi,
when I boot current mercurial tip with TPM 1.2 I get the following output:
TBOOT: verifying policy
TBOOT: verifying module "root=UUID=bc701bae-ee9c-4151-a85b-0f5a68212975 ro quiet net.ifnames=0 intel_iommu=on"...
TBOOT: OK : 26 0d 8e 28 3d 24 8b 45 74 92 02 76 50 f4 28 11 2b 6c d5 03 00
On Mon, 1 Jun 2020, Timo Lindfors wrote:
tboot prints
"TBOOT: this routine only prints out multiboot 2"
and never enters the else block where the printk()s are...
This gave me a hint: Using multiboot2/module2 seems to work with cold
boot. This might not mean anything of course if
On Fri, 29 May 2020, Lukasz Hawrylko wrote:
I will setup my environment to test legacy boot and I will check if the
same problem occurs. If it is possible, please try EFI boot on your PC.
I set a Thinkpad T430s (BIOS version 2.69) to UEFI-only mode without CSM
and installed a fresh Debian 10.
Hi,
On Mon, 1 Jun 2020, Lukasz Hawrylko wrote:
On warm boot this prints just
TBOOT: start=0x0x10008 tag_type=17 start->type=3031684 start->size=-2147418113
TBOOT: start=0x0x80020008 tag_type=17 start->type=0 start->size=0
That looks like memory corruption... Does it work when you remove all
On Mon, 1 Jun 2020, Timo Lindfors wrote:
printk(TBOOT_INFO"start=%p tag_type=%d start->type=%d start->size=%d\n",
start,
tag_type,
start->type,
start->size);
On warm boot this prints just
TBOOT: start=0x0x10008 tag_type=17 start->type=303168
On Fri, 29 May 2020, Lukasz Hawrylko wrote:
On Fri, 2020-05-29 at 12:36 +0300, Timo Lindfors wrote:
I see "Failed to get EFI memory map" message, did you configure BIOS to
use legacy boot? "set debug=mmap" should enable EFI memory map print in
grub_efi_mmap_iterate(), but thi
On Thu, 28 May 2020, Timo Lindfors wrote:
If you don't see this dump in failing scenario please add
"set debug=mmap" to grub.cfg, now GRUB should print that.
I added this after the serial console setup but this does not seem to print
anything? I also cannot find it in the gr
On Thu, 28 May 2020, Lukasz Hawrylko wrote:
I understand that still you have the same behaviour - cold boot failing,
reboot after Linux working, correct? Please add "dump_memmap=true" to
TBOOT's command line; it should enable dumping of the EFI memory map.
Correct. Unfortunately dump_memmap=true d
Hi,
On Mon, 25 May 2020, Timo Lindfors wrote:
I only see the "original e820 map:" listing. I'm trying to get serial console
to make this easier to debug and to compare how warm-boot and cold-boot
differs without having to compare photos from the screen.
I bought a second-han
On Mon, 25 May 2020, Lukasz Hawrylko wrote:
That is a really strange behaviour. I have just built tip from mercurial
and run it on TPM1.2 and TPM2.0 PCs - it works (cold-booted too). Can
you please share more information with me about your test case? Do you see
anything on the screen?
I only see
Hi,
On Sat, 23 May 2020, Timo Lindfors wrote:
boot on Lenovo T430s when I boot the latest code from mercurial. 1.9.12 seems
to boot ok. Commenting out "export CFLAGS" seems to help. How should
I debug this?
Currently it seems that tboot actually only boots properly if I first boot
Hi,
On Tue, 12 May 2020, Timo Lindfors wrote:
On Tue, 12 May 2020, Lukasz Hawrylko wrote:
Thanks for investigating that issue. Fixed in a6180f9e9e86
Thanks, seems to build now.
I said this perhaps a bit too soon. I am experiencing tboot getting stuck
at boot on Lenovo T430s when I boot the
On Mon, 18 May 2020, Lukasz Hawrylko wrote:
1.9.12 was released recently, so I don't have plans right now for a new
release timeline. There are a few more changes that I am working on right
now and I want to include them in the next release.
Ok, I can upload a mercurial snapshot as well, no problem.
Hi,
while testing latest tboot with latest debian unstable I noticed that
txt-acminfo reports "ACM does not match platform" for all ACM modules. It
seems that this happens since /dev/cpu/0/msr does not exist by default in
Debian. There is an error "Error: failed to open /dev/cpu/0/msr" but sin
Hi,
On Fri, 15 May 2020, Lukasz Hawrylko wrote:
Done.
Thanks, I'll do some testing and ask for further feedback. Would it be
possible to release a new version after some time with all these
changes so that they would be part of the eventual Debian upload?
Btw, can you recommend some tool fo
Hi,
On Thu, 14 May 2020, Lukasz Hawrylko wrote:
Agree, this should be changed. I have also renamed acminfo to
txt-acminfo, now all these tools have the 'txt-' prefix.
Great. I guess you also updated the man pages to refer to these new names?
Also docs/Makefile should list man pages for all comman
Hi,
On Wed, 13 May 2020, Lukasz Hawrylko wrote:
That's strange, however I am not managing that page so I can't fix it by
myself. I have already asked the owner for help. Meanwhile, it looks like the
SINIT files exist; when you scroll down to the "Additional Resources"
section you can download all t
Hi,
On Tue, 12 May 2020, Lukasz Hawrylko wrote:
Thanks for investigating that issue. Fixed in a6180f9e9e86
Thanks, seems to build now.
-Timo
Hi,
On Mon, 11 May 2020, Lukasz Hawrylko wrote:
Thank you for patches, I will look at them this week. Next time, please
use 'hg email' if this is not a problem for you, it is easier to
maintain where all patches go through the mailing list directly.
Ok, good to know. I'll setup some SMTP stuff to
Hi,
On Mon, 11 May 2020, Lukasz Hawrylko wrote:
It looks like I forgot to upload the public key to the PGP server. I have just
done it: https://pgp.mit.edu/pks/lookup?op=get&search=0x6F2F48CC4E0B23EF
Thanks! I'll add this to the packaging (debian/upstream/signing-key.asc).
-Timo
Hi
On Tue, 12 May 2020, Lukasz Hawrylko wrote:
The base TBOOT licence is BSD-3-clause, however some files that come
from other projects have different licenses (but all of them are
compatible with BSD-3-clause).
I can add information to COPYING file that looks like: "All files that
do not have
Hi,
tboot installs a binary called "parse_err". I realize tboot has been doing
this for a long time but have you considered renaming the binary to
something less generic? Maybe txt_parse_err?
-Timo
Hi,
many commands installed by tboot don't seem to have man pages. I did some
detective work based on --help output and source code and wrote the
missing pages. Can you please take a look that they are accurate?
You can find the pages in the feature/add-missing-man-pages-1 branch at
https://
Hi,
currently tboot installs man pages for the following commands that are not
installed:
lcp_crtpconf lcp_crtpol lcp_crtpol2 lcp_crtpolelt lcp_crtpollist
lcp_mlehash
These tools were removed in
commit 225ff1be2e43611d3055b2f02aaa418e47fab0ed
Author: Gang Wei
Date: Fri Nov 30 08:53:10 2
Hi,
I'm planning to package tboot for Debian. As part of the process I went
through all the copyright and license notices in tboot-1.9.12.tar.gz.gpg.
Everything looks pretty smooth but I do have two concerns:
1) lcptools/Linux_LCP_Tools_User_Manual.doc has the paragraph
"This document and th
Hi,
I made some spelling fixes. My mercurial skills are quite rusty but I
think you should be able to access them by pulling the
fix/spelling-fixes-1 branch from https://lindi.iki.fi/lindi/hg/tboot
Should I prefer sending patches over email with "hg email"?
-Timo
Hi,
at the moment it seems that the links on
https://software.intel.com/content/www/us/en/develop/articles/intel-trusted-execution-technology.html
under the table "SINIT AC Modules" are all broken and redirect to just
https://www.intel.com/content/www/us/en/404.html
-Timo
Hi,
I get the following build failure on debian unstable with GCC 9.3.0:
tar xf tboot-1.9.12.tar.gz
cd tboot-1.9.12/
env CFLAGS="-g" make
...
cc -z noexecstack -z relo -z now -c -o obj/mem_primitives_lib.o
safeclib/mem_primitives_lib.c -g -Wall -Wformat-security -Werror
-Wstrict-prototypes -We
Hi,
where could I get the GPG used for signing releases?
$ gpg tboot-1.9.12.tar.gz.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: Signature made Wed 29 Apr 2020 04:29:59 PM EEST
gpg: using RSA key 5CECC9E12872F424009D0E0B6F2F48CC4E0B23EF
gpg: Can't
On Tue, 14 Apr 2020, Lukasz Hawrylko wrote:
I don't know if that tool exists. Anyway, I will look at that multiple
SINITs bug in TBOOT; when it is fixed, that kind of tool will not
be required.
True, that would mostly not be needed if tboot worked automatically. I can
think of two use cas
On Tue, 14 Apr 2020, Lukasz Hawrylko wrote:
As KBL SINIT works with both SKL and KBL platforms, the old one,
compatible only with SKL, is no longer supported and may not work with
newer versions of SKL BIOSes. Recommendation is to use the KBL SINIT for
both KBL and SKL systems.
To avoid possibl
On Wed, 8 Apr 2020, Lukasz Hawrylko wrote:
If you can connect a serial port and dump serial logs too that will be
awesome. Dell's docking station has an RS232 connector and TBOOT's logs are
printed there (tested on my laptop).
A boot log captured from the monitor using a camera is now available at
On Wed, 8 Apr 2020, Lukasz Hawrylko wrote:
TBOOT has an algorithm that checks if SINIT matches platform. I can't
tell you right now what is wrong here, I need some logs. Please run it
once again, then after reboot, can you launch Linux without TBOOT and
run 'txt-stat' tool that is in TBOOT's re
On Tue, 7 Apr 2020, Lukasz Hawrylko wrote:
Unfortunately, this bug is not reported anywhere. In real life scenarios
I don't see any benefits of loading multiple SINITs. In most cases you
have one SINIT that is dedicated to the platform.
After a closer inspection this might be a different bug as
On Tue, 7 Apr 2020, Lukasz Hawrylko wrote:
Unfortunately, this bug is not reported anywhere. In real life scenarios
I don't see any benefits of loading multiple SINITs. In most cases you
have one SINIT that is dedicated to the platform.
The main benefit is that you can automate installation m
Hi,
On Thu, 2 Apr 2020, Lukasz Hawrylko wrote:
There is a bug in TBOOT that may result in overlapping loaded SINITs by
TBOOT's logs. That problem occurs when you load multiple SINITs in GRUB
and in most cases the last one will be corrupted. That's why, when TBOOT
executes GETSEC[SENTER] CPU fai
s taa itlb_multihit
bogomips: 5424.00
clflush size: 64
cache_alignment: 64
address sizes: 39 bits physical, 48 bits virtual
power management:
ii tboot 1.9.7-0ubuntu1 amd64 Trusted Boot (tboot)
best regards,
Timo Lindfors