cbmem should be available under dom0 (ideally as part of coreboot-tools)

tlaurion commented 9 months ago

The problem you're addressing (if any)

cbmem is coreboot memory console tool, permitting to get access and output important information provided by coreboot through coreboot tables.

If not installed by default, it should be an easy opt-in option for users deploying on top of coreboot based firmwares.

The solution you'd like

Being able to sudo qubes-dom0-update cbmem. Better: sudo qubes-dom0-update coreboot-tools should be possible for end-users, with cbmem added in the provided coreboot-tools (util/cbmem is not packed under coreboot-tools). Be able to run cbmem from dom0.

The value to a user, and who that user might be

cbmem gives boot time tracing information for each coreboot stages up to jumping into the coreboot's payload
cbmem -1 provides firmware last boot log, including TPM event log
cbmem -L gives TPM event log information. That is: measured boot firmware stages and blobs checksums, which should match final PCR value when introspected (simulating PCR initialized at 0 should match final PCR content).
if flashrom, cbfs and cbmem were provided (coreboot-tools provides all but cbmem as of now) then a pre-skylake user could backup rom (but not write to SPI) and introspect firmware stages and match cbmem reported TPM event log measurements.

marmarek commented 9 months ago

I'm okay with including coreboot-tools package in dom0 repository, but it looks like generally it isn't popular thing to package. Any idea why? Is it problematic to package?

tlaurion commented 9 months ago

I'm okay with including coreboot-tools package in dom0 repository, but it looks like generally it isn't popular thing to package. Any idea why? Is it problematic to package?

No, basically this is to be built with HOST build utils, so that would target dom0's fc37 and needs to call make under util/cbmem directory.

I just checked and posted at https://matrix.to/#/!WtRrlYUTHOQjqGcSnn:invisiblethingslab.com/$PBRRZhtqmlSKDSc5g68B7Pim0yD6yhzrDDrxhjh6u5c?via=invisiblethingslab.com&via=matrix.org&via=nitro.chat

CONFIG_GOOGLE_COREBOOT_TABLE=y
CONFIG_GOOGLE_MEMCONSOLE_COREBOOT=y

We have FB_EFI but nothing else coreboot related to make dom0 aware of coreboot (outside of xen maybe being in the way, just like for dom0 firing efi to drive display prior of i915 driver kicking it after plymouth as previously discussed, but lost track of past attempts. When my qubesbuilder-v2 fu will get better, I will try things of my own but still stocked with me bees attempt at https://forum.qubes-os.org/t/bees-and-brtfs-deduplication/20526 for now)

tlaurion commented 9 months ago

Might be related to https://github.com/linuxboot/heads/issues/1611 for cbmem to actually work under dom0

QubesOS / qubes-issues