On Tue, Jan 21, 2020 at 12:32 AM Lukasz Hawrylko <lukasz.hawry...@linux.intel.com> wrote:
>
> On Wed, 2020-01-15 at 18:36 -0800, Christopher Clark wrote:
> > Hello
> >
> > I am trying to boot with tboot and TPM 2.0 on a Dell PowerEdge R730
> > and encountering reboot at SENTER every time with the following:
> >
> > TBOOT: TXT.ERRORCODE: 0xc0033451
> > TBOOT: AC module error : acm_type=0x1, progress=0x05, error=0xd
> >
> > which SINIT_Errors-Broadwell-4th-gen.pdf indicates is: Invalid PMR
> > configuration [...]
>
> Hi Christopher
>
> At first point please ensure that you are using latest SINIT, I know
> that ACM team was working on similar issue, but I don't know if they
> have already released version with the fix.
>
> If problem still exists with latest SINIT, you can try to modify TBOOT
> and check if that helps. Please apply following patch over v1.9.11
>
> diff -r 003178d05f52 tboot/txt/txt.c > --- a/tboot/txt/txt.c Tue Jan 14 11:54:11 2020 +0100 > +++ b/tboot/txt/txt.c Tue Jan 21 09:27:51 2020 +0100 > @@ -559,6 +559,12 @@ > if (!vtd_disable_dma_remap(iter)) { > printk(" vtd_disable_dma_remap failed!\n"); > } > + if (!vtd_disable_qie(iter)) { > + printk(" vtd_disable_qie failed!\n"); > + } > + if (!vtd_disable_ire(iter)) { > + printk(" vtd_disable_ire failed!\n"); > + } > } > } >
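Review bot: the two checks added after vtd_disable_dma_remap(iter) only printk when vtd_disable_qie(iter) or vtd_disable_ire(iter) returns false and then fall through, so a unit that could not be reconfigured is still carried forward as if nothing happened. Consider propagating the failure to the caller instead of continuing, or at least put an identifier for the failing unit in the message, since each message is identical for every value of iter. A short comment above the new calls saying why queued invalidation and interrupt remapping have to be off at this point, and whether the order of the two calls matters, would also help the next reader.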
Hi Lukasz,

Thanks for your reply and for the patch, and I can confirm that with the patch applied, tboot does proceed past the previous point it was triggering reboot and it no longer reports a PMR errorcode 0xc0033451.

My next encounter was with a different error due to the wrong hash algorithm being selected by tboot. The TPM 2.0 on this machine (Dell don't sell TPM 1.2s for it any more) reports availability of both SHA1 and SHA256, but the BIOS won't allow enabling TXT without configuring it to use SHA256, and then tboot was picking SHA1, which then tripped a mismatch failure.

I've got it all the way to a successful launch with tboot 1.9.11 into Xen and dom0, once SHA256 is enabled as the hash algorithm with this basic patch:

diff --git a/tboot/common/tpm_20.c b/tboot/common/tpm_20.c --- a/tboot/common/tpm_20.c +++ b/tboot/common/tpm_20.c @@ -2778,6 +2778,8 @@ static bool tpm20_init(struct tpm_if *ti) return false; } + ti->cur_alg = TB_HALG_SHA256; + if (handle2048 != 0) goto out;

I also needed these two small OpenXT patches applied, for building with gcc 6.4.0 and OpenEmbedded -- I've just posted them as submissions to this list.

https://sourceforge.net/p/tboot/mailman/message/36908229/
OpenXT original: https://github.com/OpenXT/xenclient-oe/blob/fc13893594f684baea65b7ee09066a8ddb840b4d/recipes-security/tboot/tboot-1.9.9/0001-config-Allow-build-system-integration.patch

https://sourceforge.net/p/tboot/mailman/message/36908230/
OpenXT original: https://github.com/OpenXT/xenclient-oe/blob/fc13893594f684baea65b7ee09066a8ddb840b4d/recipes-security/tboot/tboot-1.9.9/0014-safestringlib-Attend-GCC-warnings.patch

Thanks again,

Christopher

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
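Review bot: the added ti->cur_alg = TB_HALG_SHA256; in the tpm20_init() hunk of tboot/common/tpm_20.c is unconditional, so it overrides whatever value cur_alg held before this point on every platform, not only on machines where SHA256 is the bank in use. Make the assignment depend on what the TPM reports and on the configured choice rather than a constant, and keep the previous value as the fallback so that a platform set up for SHA1 does not hit the same kind of mismatch in the other direction. The line also sits between the error return and the handle2048 check without a comment explaining why the algorithm is set there.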