search

Dasharo / dasharo-issues

The Dasharo issue tracker
https://dasharo.com/
25 stars 0 forks source link

asus_kgpe-d16 release v0.3.0 does not boot without TPM #62

Closed mrothfuss closed 4 months ago

mrothfuss commented 2 years ago

Dasharo version asus_kgpe-d16_v0.3.0

Dasharo variant ASUS KGPE-D16

Affected component(s) or functionality System does not boot

Brief summary Flashing the image for this release did not work on a board without a TPM module. vboot aborts and the boot process is terminated.

How reproducible Three out of three boots failed.

How to reproduce

Steps to reproduce the behavior:

  1. Flash image to a board without TPM
  2. Optionally clear the CMOS
  3. Power/boot the machine

Expected behavior The machine boots

Actual behavior The machine does not boot

Screenshots

coreboot-asus_kgpe-d16_v0.3.0 Thu Dec 16 12:42:56 UTC 2021 bootblock starting (log level: 8)...
CPU INIT detected 00000000
VBOOT: Loading verstage.
CBFS: Found 'fallback/verstage' @0x89dc0 size 0xe368 in mcache @0x0004c8fc
FMAP: area COREBOOT found @ c09000 (4157440 bytes)
TPM: Digest of FMAP: COREBOOT CBFS: fallback/verstage to PCR 2 logged

coreboot-asus_kgpe-d16_v0.3.0 Thu Dec 16 12:42:56 UTC 2021 verstage starting (log level: 8)...
VBNV: CMOS invalid, restoring from flash
FMAP: area RW_NVRAM found @ 80000 (16384 bytes)
spi_init: SPI base fec10000
Manufacturer: ef
SF: Detected ef 4018 with sector size 0x1000, total 0x1000000
VBNV: Restore from flash failed
tis_probe: No TPM device found
tlcl_lib_init: tis_init returned error
TPM: Can't initialize.
POST: 0xed
Phase 1
VB2:vb2api_secdata_firmware_check() secdata_firmware: version incompatible
VB2:vb2_secdata_firmware_init() vb2api_secdata_firmware_check(ctx) returned 0x10040002
VB2:vb2api_fail() Need recovery, reason: 0x2b / 0x2
VB2:secdata_kernel_check_v0() secdata_kernel: bad struct_version (0.0)
VB2:vb2_secdata_kernel_init() vb2api_secdata_kernel_check(ctx, &size) returned 0x10040009
VB2:vb2api_fail() Need recovery, reason: 0x5d / 0x9
FMAP: area GBB found @ c05000 (16384 bytes)
VB2:vb2_secdata_firmware_get() get before init
vboot has aborted execution; exit

Additional context Connected hardware: 2x6386 Opteron, 16x16GB RDIMM (M393B2G70BH0-CK0), PIKE2008, 2xMHQJRH Dual M.2 Adapter

Solutions you've tried Building the firmware myself (Debian 11, not docker) without TPM / vboot was able to boot as long as no GPU (dedicated or internal) was connected.

mrothfuss commented 2 years ago

the specific file/release I tried is: asus_kgpe-d16_v0.3.0_16M_vboot_TPM2.0.rom

miczyg1 commented 2 years ago

vboot requires TPM presence for storing the security data (antirollback counters to be precise). This is entirely "normal" behaviour. As all binaries have vboot this makes them entirely useless without TPM module indeed. Disabling vboot should be sufficient to get the platform boot (GPU problems aside).