Hi Timo

On Fri, 2022-03-11 at 09:09 +0200, Timo Lindfors wrote:
> Hi,
> 
> in https://sourceforge.net/p/tboot/mailman/message/37340469/ there was a 
> discussion about needing to get grub to accept a patch to reliably support 
> multiple SINIT modules. Any idea what's the status of this patch?
> 
> Using multiple SINIT modules is useful if you want to have a single image 
> that works on multiple devices. The intel-acm package in Debian non-free 
> provides these in /boot and it is very convenient that tboot can 
> choose the matching SINIT module at runtime.

As I left Intel and nobody has taken care of this patch, it has been
abandoned. As far as I remember, there were some minor changes
requested by the GRUB maintainers, but the overall idea has been accepted.

> 
> I was reminded of this issue since I hit it again on different hardware.
> 
> I've attached two serial console logs for tboot mercurial tip 
> (9c625ab2035b):
> 
> tboot_9c625ab2035b_2_SINIT_working.txt:
> - two SINIT ACMs are specified and the system boots correctly.
> 
> tboot_9c625ab2035b_26_SINIT_reboot.txt:
> - 26 SINIT ACMs are specified and the system enters an infinite reboot 
> loop.
> 
> I do not see this problem on my BIOS system, only on my UEFI system, but it 
> is difficult to say if this is actually related to the issue.
> 
> You can see more logs at 
> https://lindi.iki.fi/lindi/tboot/smoketest/results.html
> The attached logs are all from test run 1646942019.
> 

In a few words: when multiple SINITs are loaded, there is a chance that
one (or more) of them will be overwritten by some TBOOT data structures
that have hardcoded addresses. In most cases it is the memory log, but this
is not a rule.

Everything depends on the system memory map and where GRUB decided to put
the SINITs. On some platforms you can load as many SINITs as you want, on
others only 2 or 3. So it's a platform-specific issue; fortunately, I
didn't come across a platform where this problem happens even with 1
SINIT loaded.

I will try to find some time to dig into the grub-devel archive, find the
patch, fix it and resubmit it once again. However, it depends on the OS
vendors when they will merge it into their distro.

> As a workaround, would you accept a patch that modifies 
> tboot/20_linux_tboot to use txt-acminfo to include only matching SINIT 
> modules in grub configuration? I could make this configurable in 
> /etc/default/grub-tboot. We could for example support the following three 
> options:
> 
> GRUB_TBOOT_SINIT=all
> - include all SINIT modules that are found, current behavior
> 
> GRUB_TBOOT_SINIT=detect
> - use txt-acminfo to find SINIT modules that match the current system.
> 
> GRUB_TBOOT_SINIT_LIST="module1 module2 module3"
> - use only the listed SINIT modules.
> 

That sounds great to me. I am sure that Intel will accept this
change. It is much better to select the proper SINIT during installation
than to load all possible ones every boot, only to always choose the same
right one.

Thanks,
Lukasz
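
Below is an added sketch of the workaround discussed in this message, written for this page and not taken from tboot's 20_linux_tboot or from the Debian packaging. It implements the three proposed settings (GRUB_TBOOT_SINIT=all, GRUB_TBOOT_SINIT=detect, GRUB_TBOOT_SINIT_LIST="...") as shell functions that pick the ACM files to emit as GRUB module lines. Everything not stated in the thread is an assumption and is marked as such in the code: that the ACMs sit in one directory and are named *SINIT*.bin or *SINIT*.BIN, that txt-acminfo prints a line containing "ACM matches platform" for an ACM that fits the running system (the $TXT_ACMINFO override exists only so the detection path can be exercised without TXT hardware), and that the "module <path>" line format stands in for whatever the real script writes. TBOOT_ACM_DIR is a name invented here for the stand-alone entry point.

```shell
#!/bin/sh
# Added example (not tboot's 20_linux_tboot): choose which SINIT ACMs to hand
# to GRUB according to the GRUB_TBOOT_SINIT setting proposed in the thread.
#
# Assumptions, labelled because the page does not state them:
#  - ACM files live in one directory (Debian's intel-acm uses /boot) and are
#    named *SINIT*.bin or *SINIT*.BIN.
#  - txt-acminfo, run on the target machine, prints "ACM matches platform"
#    for an ACM that fits the running CPU/chipset. $TXT_ACMINFO lets a test
#    substitute a fake for it.
#  - The "module <path>" line format is illustrative; the real script
#    computes GRUB-relative paths.

# True if $1 is a regular file whose name looks like a SINIT ACM.
is_sinit_file() {
    [ -f "$1" ] || return 1
    case $(basename "$1") in
        *SINIT*.bin|*SINIT*.BIN) return 0 ;;
        *) return 1 ;;
    esac
}

# True if txt-acminfo reports that ACM $1 matches this platform.
sinit_matches() {
    "${TXT_ACMINFO:-txt-acminfo}" "$1" 2>/dev/null | grep -q 'ACM matches platform'
}

# select_sinits MODE DIR LIST
#   MODE   all | detect | list   (the proposed GRUB_TBOOT_SINIT values)
#   DIR    directory holding the ACMs
#   LIST   whitespace-separated file names, used only for MODE=list
# Prints one ACM path per line; returns 0 iff at least one ACM was selected,
# so a caller can refuse to write a tboot entry that carries no SINIT at all.
select_sinits() {
    mode=$1 dir=$2 list=$3
    found=0
    case $mode in
        all|detect)
            for acm in "$dir"/*; do
                is_sinit_file "$acm" || continue
                if [ "$mode" = all ] || sinit_matches "$acm"; then
                    echo "$acm"
                    found=$((found + 1))
                fi
            done ;;
        list)
            # Unquoted on purpose: split LIST on whitespace, keep the user's order.
            for name in $list; do
                if is_sinit_file "$dir/$name"; then
                    echo "$dir/$name"
                    found=$((found + 1))
                else
                    echo "warning: SINIT '$name' not found in $dir, skipped" >&2
                fi
            done ;;
        *)
            echo "unknown GRUB_TBOOT_SINIT value: '$mode'" >&2
            return 2 ;;
    esac
    [ "$found" -gt 0 ]
}

# Turn ACM paths on stdin into GRUB module lines, one per ACM.
emit_grub_modules() {
    while IFS= read -r acm; do
        printf '\tmodule %s\n' "$acm"
    done
}

# Stand-alone use, e.g.:
#   GRUB_TBOOT_SINIT=detect TBOOT_ACM_DIR=/boot sh select-sinit.sh
# TBOOT_ACM_DIR is a name invented for this example; when unset, nothing runs.
if [ -n "${TBOOT_ACM_DIR:-}" ]; then
    [ -r /etc/default/grub-tboot ] && . /etc/default/grub-tboot
    select_sinits "${GRUB_TBOOT_SINIT:-all}" "$TBOOT_ACM_DIR" \
                  "${GRUB_TBOOT_SINIT_LIST:-}" | emit_grub_modules
fi
```

The "detect" path only makes sense when grub-mkconfig runs on the machine that will boot the image; for a single image meant for several devices, as in the question above, "all" (or an explicit list trimmed to the platforms that image targets) is the setting that avoids the overwrite problem described in this reply.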


_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel