Dasharo / open-source-firmware-validation

OSFV infrastructure with automated tests and scripts for managing test results
Apache License 2.0

Enable more tests for QEMU #318

Closed krystian-hebel closed 1 week ago

krystian-hebel commented 1 week ago

@macpijan any idea how to coordinate merging of all the moving parts? CI here won't pass until the release is published, but should the release be published before tests for it are merged?

macpijan commented 1 week ago

If we replace URL from: https://github.com/Dasharo/open-source-firmware-validation/pull/318/files#diff-69e6355529b2609a8ddcccd04f8cd299d0fe65c19c246c853a31b9eb96fe6818R194 with the build to be tested, it should pass?

krystian-hebel commented 1 week ago

It should, although I haven't tested it; I always had coreboot.rom in place when running qemu-run.sh.

krystian-hebel commented 1 week ago

The Secure Boot test resets the platform before settings are actually saved to flash in suite setup (causing the first test to fail if the platform doesn't have SB in default state on entry) and teardown (which causes the following test to fail). I'm working on a fix/workaround.

m-iwanicki commented 1 week ago

@krystian-hebel Not sure if it's a problem or not, but I noticed that I can't set active PCR banks in BIOS when running QEMU from your branch. In the TCG2 Configuration menu, both TPM2 Active PCR Hash Algorithm and TPM Hardware Supported Hash Algorithm are [Unknown] and there is no option to choose active PCR banks. I can set sha256 banks to be active by using tpm2_pcrallocate in Ubuntu, and from what I can see, after doing it once both SHA1 and SHA256 are active even after starting QEMU again (shouldn't all configuration reset to default between launches?). In the image below, the top row is QEMU from this branch and below is QEMU from develop tpm-qemu

macpijan commented 1 week ago

Related to: https://github.com/Dasharo/dasharo-issues/issues/521 ?

m-iwanicki commented 1 week ago

> Related to: Dasharo/dasharo-issues#521 ?

@macpijan not exactly, because I don't even have the possibility to change the active PCR bank. In the issue you linked it was possible to change the active PCR in BIOS but the changes weren't applied.

SergiiDmytruk commented 1 week ago

Looks like with rebased EDK and DasharoPayloadPkg, Tpm2GetCapabilityPcrs() succeeds in PEI but fails in DXE with an "Unsupported" error, but works fine with OvmfPkg. Maybe coreboot leaves the TPM in some weird state.

krystian-hebel commented 1 week ago

OVMF used LAPIC for a timer, DasharoPkg uses HPET. This makes booting much longer and may also cause timeouts, because the only source of interrupts that is enabled at some points is the RTC, once a second. Using OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf instead of HPET makes it boot faster, but it also makes the delays shorter, up to a point where tests can't traverse the iPXE menu before autoboot, which should normally take 3 seconds. It may be controlled by modifying gEfiMdePkgTokenSpaceGuid.PcdFSBClock (MdePkg defines it as 200M, while most OVMF platforms use 1G); however, I haven't tested how it would work on real hardware.

krystian-hebel commented 1 week ago

> after starting QEMU again

@m-iwanicki how do you start it, using qemu-run.sh or manually? Can you check if TPM settings are restored after removing /tmp/osfv/tpm?

m-iwanicki commented 1 week ago

> how do you start it, using qemu-run.sh or manually? Can you check if TPM settings are restored after removing /tmp/osfv/tpm?

@krystian-hebel By using qemu-run.sh. Yes, after deleting /tmp/osfv/tpm, settings go back to default (all PCR banks enabled). Just checked and the same thing happens on the develop branch; I just assumed that state should return to the same default state each time QEMU is started.

SergiiDmytruk commented 1 week ago

@krystian-hebel I've added https://github.com/Dasharo/edk2/pull/129/commits/b5eca829af8a64b9bbe739c59683b66b6b89129b that resolves the issue pointed out by @m-iwanicki above.