On Tue, Jan 21, 2020 at 12:32 AM Lukasz Hawrylko
<lukasz.hawry...@linux.intel.com> wrote:
>
> On Wed, 2020-01-15 at 18:36 -0800, Christopher Clark wrote:
> > Hello
> >
> > I am trying to boot with tboot and TPM 2.0 on a Dell PowerEdge R730
> > and encountering reboot at SENTER every time with the following:
> >
> > TBOOT: TXT.ERRORCODE: 0xc0033451
> > TBOOT: AC module error : acm_type=0x1, progress=0x05, error=0xd
> >
> > which SINIT_Errors-Broadwell-4th-gen.pdf indicates is: Invalid PMR 
> > configuration
[...]
>
> Hi Christopher
>
> At first point please ensure that you are using latest SINIT, I know
> that ACM team was working on similar issue, but I don't know if they
> have already released version with the fix.
>
> If problem still exists with latest SINIT, you can try to modify TBOOT
> and check if that helps. Please apply following patch over v1.9.11
>
> diff -r 003178d05f52 tboot/txt/txt.c
> --- a/tboot/txt/txt.c   Tue Jan 14 11:54:11 2020 +0100
> +++ b/tboot/txt/txt.c   Tue Jan 21 09:27:51 2020 +0100
> @@ -559,6 +559,12 @@
>              if (!vtd_disable_dma_remap(iter)) {
>                  printk("    vtd_disable_dma_remap failed!\n");
>              }
> +            if (!vtd_disable_qie(iter)) {
> +                printk("    vtd_disable_qie failed!\n");
> +            }
> +            if (!vtd_disable_ire(iter)) {
> +                printk("    vtd_disable_ire failed!\n");
> +            }
>          }
>      }
>
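Review bot: in the two added checks, a failure of vtd_disable_qie() or vtd_disable_ire() is only reported with printk and the loop carries on, the same way the existing vtd_disable_dma_remap() check does. If leaving queued invalidation or interrupt remapping enabled is what makes the launch fail, it would be better to return an error to the caller here than to continue after the message; if continuing is intended, a comment should say so. The hunk also gives no reason why these two have to be turned off at this point alongside DMA remapping, so a short comment above the new calls would help the next reader.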

Hi Lukasz,

Thanks for your reply and for the patch, and I can confirm that with
the patch applied, tboot does proceed past the previous point it was
triggering reboot and it no longer reports a PMR errorcode 0xc0033451.

My next encounter was with a different error due to the wrong hash
algorithm being selected by tboot. The TPM 2.0 on this machine (Dell
don't sell TPM 1.2s for it any more) reports availability of both SHA1
and SHA256, but the BIOS won't allow enabling TXT without configuring
it to use SHA256, and then tboot was picking SHA1, which then tripped
a mismatch failure.

I've got it all the way to a successful launch with tboot 1.9.11 into
Xen and dom0, once SHA256 is enabled as the hash algorithm with this
basic patch:

diff --git a/tboot/common/tpm_20.c b/tboot/common/tpm_20.c
--- a/tboot/common/tpm_20.c
+++ b/tboot/common/tpm_20.c
@@ -2778,6 +2778,8 @@ static bool tpm20_init(struct tpm_if *ti)
    return false;
     }

+    ti->cur_alg = TB_HALG_SHA256;
+
     if (handle2048 != 0)
         goto out;
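
Review bot: the added line "ti->cur_alg = TB_HALG_SHA256;" in tpm20_init() is an unconditional assignment, so it overrides whatever algorithm was chosen before this point on every TPM 2.0 platform. That suits a machine whose firmware is set to SHA256, but it could cause the reverse mismatch on one configured for SHA1. Suggest choosing the value from what the TPM and platform configuration report, or from a configuration option, and adding a comment on why the assignment sits before the handle2048 check.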


I also needed these two small OpenXT patches applied, for building
with gcc 6.4.0 and OpenEmbedded -- I've just posted them as
submissions to this list.

https://sourceforge.net/p/tboot/mailman/message/36908229/
OpenXT original:
https://github.com/OpenXT/xenclient-oe/blob/fc13893594f684baea65b7ee09066a8ddb840b4d/recipes-security/tboot/tboot-1.9.9/0001-config-Allow-build-system-integration.patch

https://sourceforge.net/p/tboot/mailman/message/36908230/
OpenXT original:
https://github.com/OpenXT/xenclient-oe/blob/fc13893594f684baea65b7ee09066a8ddb840b4d/recipes-security/tboot/tboot-1.9.9/0014-safestringlib-Attend-GCC-warnings.patch

Thanks again,

Christopher


_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
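
Added example, not part of the original thread and not tboot's own code: a C decoder that splits the TXT.ERRORCODE value quoted at the top of the thread into the acm_type, progress and error fields shown in the TBOOT log line. The bit layout and the valid/external/src handling are assumptions, checked here only against the one value and field triple on this page.

```c
#include <stdint.h>
#include <stdio.h>

/* Who recorded the error, as far as the register value itself can tell. */
enum txt_err_source { TXT_ERR_NONE, TXT_ERR_PROCESSOR, TXT_ERR_ACM, TXT_ERR_SOFTWARE };

/* Assumed layout (not stated on the page): bits 3:0 acm_type, 9:4 progress,
 * 13:10 error, 15 src, 29:16 error2, 30 external, 31 valid. */
struct txt_acm_error {
    enum txt_err_source source;
    unsigned acm_type, progress, error, error2;
};

static struct txt_acm_error decode_txt_errorcode(uint32_t raw)
{
    struct txt_acm_error e = { TXT_ERR_NONE, 0, 0, 0, 0 };
    unsigned valid    = (raw >> 31) & 0x1;
    unsigned external = (raw >> 30) & 0x1;
    unsigned src      = (raw >> 15) & 0x1;

    if (!valid)                 /* nothing recorded: do not interpret stale bits */
        return e;
    if (!external) {            /* assumed: set by the processor, no ACM fields */
        e.source = TXT_ERR_PROCESSOR;
        return e;
    }
    e.source   = src ? TXT_ERR_SOFTWARE : TXT_ERR_ACM;
    e.acm_type = raw & 0xf;
    e.progress = (raw >> 4) & 0x3f;
    e.error    = (raw >> 10) & 0xf;
    e.error2   = (raw >> 16) & 0x3fff;
    return e;
}

int main(void)
{
    /* Value copied from the TBOOT log quoted in this thread. */
    struct txt_acm_error e = decode_txt_errorcode(0xc0033451u);

    if (e.source == TXT_ERR_ACM)
        printf("AC module error : acm_type=0x%x, progress=0x%02x, error=0x%x\n",
               e.acm_type, e.progress, e.error);
    else
        printf("not an AC module error (source=%d)\n", (int)e.source);
    return 0;
}
```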
