TrenchBoot / trenchboot-issues

This repository is to centralize issues and development progress tracking for the TrenchBoot project.

Test TrenchBoot support on AMD hardware with TPM 2.0 and TPM 1.2 with legacy boot mode #23

Closed BeataZdunczyk closed 3 months ago

BeataZdunczyk commented 1 year ago

Is your feature request related to a problem? Please describe.

After the implementation of the updated TrenchBoot boot protocol for AMD platforms in Secure Kernel Loader, it is necessary to test the solution on AMD hardware with TPM 2.0 and TPM 1.2 with legacy boot mode to ensure proper functionality.

Is your feature request related to a new idea or technology that would benefit the project? Please describe.

This issue is required to ensure that the TrenchBoot support for AMD platforms with TPM 2.0 and TPM 1.2 with legacy boot mode works properly after the implementation of the updated TrenchBoot boot protocol for AMD platforms in Secure Kernel Loader.

Describe the solution you'd like

Test the TrenchBoot support on AMD hardware with TPM 2.0 and TPM 1.2 with legacy boot mode to ensure proper functionality after the implementation of the updated TrenchBoot boot protocol for AMD platforms in Secure Kernel Loader.

Describe alternatives you've considered

N/A

Additional context

This feature request is part of Phase 4 in TrenchBoot as Anti Evil Maid project, as outlined in the documentation: https://docs.dasharo.com/projects/trenchboot-aem-v2/.

Relevant documentation you've consulted

N/A

miczyg1 commented 7 months ago

Proposed hardware:

krystian-hebel commented 3 months ago

> * KGPE-D16 - legacy boot with TPM 1.2 and TPM 2.0 (two boards available in the 3mdeb lab, one with TPM 1.2 and the other one with TPM 2.0)

One doesn't work, the other works only until HVM is started. Some limited testing was done by starting with spec-ctrl=no-ibpb-entry - this is not safe, but it allowed us to show that AEM works on a multi-node system.

> * Supermicro M11SDV-4C-LN4F - UEFI boot with TPM 2.0 (can also be swapped with a TPM 1.2 to test TPM 1.2 in UEFI mode, may also be used to test legacy boot mode with CSM)

Doesn't work, the CPU can't send the DRTM sequence to the TPM properly.

Most of the tests were performed on HP t630 platforms, one with TPM 1.2 and the other with TPM 2.0. Other platforms were too problematic, be it because of bad firmware (vendor firmware on KGPE doesn't support TPM 2.0, and coreboot doesn't work reliably) or hardware issues (CPU on Supermicro, IBPB on KGPE, problems with KVM everywhere) not directly linked to AEM.


Proof of installation and execution with TPM 2.0:

* Screenshot_2024-04-11_10-14-40
* Screenshot_2024-04-16_08-59-18
* Screenshot_2024-04-16_08-59-43

Execution with TPM 1.2:

* Screenshot_2024-05-17