fwupd / firmware-dell

Missing firmware for Dell hardware

Dell PowerEdge Server: Construction of PCR0 using TPM event log is failing #34

Open prbinu opened 4 years ago

prbinu commented 4 years ago

Describe the bug

Background: https://github.com/tpm2-software/tpm2-tools/issues/1975#issuecomment-666719973

The construction of PCR0 using the TPM event log is failing in a tool called fwupdtpmevlog.

Steps to Reproduce

$ sudo fwupdmgr security --force
Host Security ID: HSI:0+! (v1.5.0)

HSI-1
✔ AMT manufacturing mode:        Locked
✔ AMT override:                  Locked
✔ Intel DCI debugger:            Disabled
✔ SPI BIOS region:               Locked
✔ SPI lock:                      Enabled
✔ SPI write:                     Disabled
✔ TPM v2.0:                      Found
✘ UEFI dbx:                      Not found: https://github.com/fwupd/fwupd/wiki/Missingdbx

HSI-2
✔ Intel BootGuard:               Enabled
✔ Intel BootGuard ACM protected: Valid
✔ Intel BootGuard OTP fuse:      Valid
✔ Intel BootGuard verified boot: Valid
✘ IOMMU:                         Not found
✘ Intel DCI debugger:            Unlocked
✘ TPM PCR0 reconstruction:       Not found

HSI-3
✔ Intel BootGuard error policy:  Valid
✔ Suspend-to-ram:                Disabled
✘ Intel CET Enabled:             Not supported
✘ Pre-boot DMA protection:       Disabled
✘ Suspend-to-idle:               Disabled

HSI-4
✔ Intel SMAP:                    Enabled
✘ Encrypted RAM:                 Not supported

This system has HSI runtime issues.
 » https://github.com/fwupd/fwupd/wiki/Host-security-ID-runtime-issues
$ sudo tsseventextend -sim -if /sys/kernel/security/tpm0/binary_bios_measurements
eventextend: failed, rc 0000009a
TPM_RC_INSUFFICIENT - the TPM was unable to unmarshal a value because there were not enough octets in the input buffer Handle number unspecified

Expected behavior

The construction of PCR0 using TPM event log should match actual digest in TPM PCR0

fwupd version information

$ fwupdmgr --version
client version: 1.3.11
compile-time dependency versions
    gusb:   0.3.4
    efivar: 37
daemon version: 1.3.11


fwupd device information

$ fwupdmgr get-devices --filter=~internal
PowerEdge R740


prbinu commented 4 years ago

Also noticed "Firmware Bug" on that host.

$ dmesg | grep -i tpm
[    0.000000] efi:  ACPI=0x6fffe000  ACPI 2.0=0x6fffe014  SMBIOS=0x69359000  SMBIOS 3.0=0x69357000  MEMATTR=0x6520c020  TPMEventLog=0x5020b020
[    0.000000] [Firmware Bug]: TPM Final Events table missing or invalid
[    0.009453] ACPI: SSDT 0x000000006FFFC000 0005F8 (v02 DELL   Tpm2Tabl 00001000 INTL 20180508)
[    0.009455] ACPI: TPM2 0x000000006FFFB000 000038 (v04 DELL   PE_SC3   00000002      01000013)
[    4.056503] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 4)
hughsie commented 4 years ago

@superm1

superm1 commented 4 years ago

@charles-rose can you look at this one?

prbinu commented 4 years ago

Just checking to see if there any update on this issue

superm1 commented 4 years ago

@prbinu Nothing right now. I'm going to transfer it to the project that has various firmware issues. If we conclude it's a fwupd issue we'll transfer it back.

charles-rose commented 4 years ago

I just got a system to recreate this issue. I will update this tracker what I find.

prbinu commented 4 years ago

Observed this error, so sharing it: "Update Error: UEFI Capsule updates not available or enabled"

$ fwupdmgr get-devices
PowerEdge R740
│...
│
└─System Firmware:
      Device ID:           123fd4143619569d8ddb6ea47d1d3911eb5ef07a
      Current version:     2.5.4
      Vendor:              Dell Inc.
      Update Error:        UEFI Capsule updates not available or enabled
      GUID:                230c8b18-8d9b-53ec-838b-6cfc0383493a
      Device Flags:        • Internal device
                           • Requires AC power
                           • Needs a reboot after installation
charles-rose commented 4 years ago

Observed this error, so sharing it: "Update Error: UEFI Capsule updates not available or enabled"

$ fwupdmgr get-devices
PowerEdge R740
│...
│
└─System Firmware:
      Device ID:           123fd4143619569d8ddb6ea47d1d3911eb5ef07a
      Current version:     2.5.4
      Vendor:              Dell Inc.
      Update Error:        UEFI Capsule updates not available or enabled
      GUID:                230c8b18-8d9b-53ec-838b-6cfc0383493a
      Device Flags:        • Internal device
                           • Requires AC power
                           • Needs a reboot after installation

Dell Servers do not support Capsule updates. So this is expected.

charles-rose commented 4 years ago

@prbinu Here is an interim update: I do not see the issue with tsseventextend when I set TPM to SHA256 in the BIOS setup. The default is SHA1 which seems to result in the TPM_RC_INSUFFICIENT error.

prbinu commented 4 years ago

Thanks @charles-rose. Changing TPM from SHA1 to SHA256 resolves that issue. I can now parse the event log. However, when I tried to reconstruct and compare PCRs, I observed that the computed value doesn't match the PCR0 value. But the rest of the PCRs are matching. Wondering what could go wrong here. I'd appreciate it if you can guide us in the right direction.

% sudo fwupd.fwupdtpmevlog -p 0
...
Reconstructed PCRs:
  PCR 0:                 SHA256(8027c3c86acfbb3f4710e45a66490ea660b1d587584d3cacefb72e188ba099f5)
  PCR 1:                 SHA256(10c6791fade2dc87c0208870837f5dd71611ebb257d2b878abcbb08b994e8f89)
  PCR 2:                 SHA256(e819672462843544d1d7c0f775b0d8e31cbd5f1c78bf1cb2d1b9ad570c53adce)
  PCR 3:                 SHA256(3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969)
  PCR 4:                 SHA256(c180eddf42eec74d21ae6f982413d9fb4bfa884eaf1f08fae2f76b6265550be8)
  PCR 5:                 SHA256(21938ffb3bc66d9c0a33d1592af8cf3a5b940e2eb138eeb45525e2237446e84a)
  PCR 6:                 SHA256(3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969)
  PCR 7:                 SHA256(f27be99e5d689a39134a2cbce032aa31ca5ce723531f50e1c4963e4b74c4e20f)
  PCR 8:                 SHA256(1abdd7000c35168d31bfc91c74630cc2313b2090bacdb1d81eb3c57af3416f31)
  PCR 9:                 SHA256(30136f90173eac52040cee846191681d621f84f83ca1f0caad35afae0432b02c)

% sudo TPM2TOOLS_TCTI=device:/dev/tpmrm0 tpm2_pcrread sha256:0,1,2,3,4,5,6,7,8,9,10
sha256:
  0 : 0x85BB2804189A1BF4C6228C90FCB8345102C938FA06092855AB22D56E1B04F2A0
  1 : 0x10C6791FADE2DC87C0208870837F5DD71611EBB257D2B878ABCBB08B994E8F89
  2 : 0xE819672462843544D1D7C0F775B0D8E31CBD5F1C78BF1CB2D1B9AD570C53ADCE
  3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
  4 : 0xC180EDDF42EEC74D21AE6F982413D9FB4BFA884EAF1F08FAE2F76B6265550BE8
  5 : 0x21938FFB3BC66D9C0A33D1592AF8CF3A5B940E2EB138EEB45525E2237446E84A
  6 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
  7 : 0xF27BE99E5D689A39134A2CBCE032AA31CA5CE723531F50E1C4963E4B74C4E20F
  8 : 0x1ABDD7000C35168D31BFC91C74630CC2313B2090BACDB1D81EB3C57AF3416F31
  9 : 0x30136F90173EAC52040CEE846191681D621F84F83CA1F0CAAD35AFAE0432B02C
  10: 0x0B73040EFF3E51712C605856191FB7BD26B985D9103890202A8B9CEAFE26CE96
freedge commented 2 years ago

Same here. It first failed because sha1 is the default (so I changed to sha256 in the BIOS). Now tpm2_eventlog is working, but there is an issue with pcr0. I notice this warning:

- EventNum: 3
  PCRIndex: 0
  EventType: EV_S_CRTM_CONTENTS
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: "3b607ac1051c9f694a8983a68c9578ee1e5fedeeb8b1b9d8f8780068b7d10016"
  EventSize: 27
  Event:
    BlobBase: 0x61754720746f6f42
    BlobLength: 0x757361654d206472
- EventNum: 4
  PCRIndex: 0
  EventType: EV_S_CRTM_VERSION
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: "ea7e50af2e8075aedecda37e783a583b0b4895dddf98140e9d92a052ace32a2d"
WARN: Event 4's digest does not match its payload
  EventSize: 14
  Event: "32002e00310034002e0032000000"
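A worked check that ties together the two observations above: prbinu's replayed PCR 0 not matching tpm2_pcrread while PCRs 1-9 do, and tpm2_eventlog's "digest does not match its payload" warning on the EV_S_CRTM_VERSION event. This is an added example, not code from fwupd, tpm2-tools or Dell. It parses the crypto-agile TCG_PCR_EVENT2 format that the kernel exposes as /sys/kernel/security/tpm0/binary_bios_measurements, replays the extends per PCR, recomputes the digest of the event types whose digest is defined as the hash of their own payload, and compares the result against PCR values passed in as a dict. The log it runs on is constructed inline (a Spec ID header, a 27-byte S-CRTM string, a "2.14.2" UTF-16LE version string whose logged digest deliberately does not hash its payload, and separators on PCR 0 and 7), as are the "live" PCR values, so the PCR 0 mismatch it reports is a constructed scenario and not a diagnosis of the R740. It also explains the odd BlobBase/BlobLength fields in the EV_S_CRTM_CONTENTS entry above: read back as little-endian bytes, the two 64-bit values tpm2_eventlog printed are the ASCII text "Boot Guard Measu", so that 27-byte payload is a string rather than the UEFI_PLATFORM_FIRMWARE_BLOB structure the tool tried to decode. The version payload 32002e00... is UTF-16LE, which the example decodes as such. The SHA-1 branch models the first failure in the thread: with only a SHA-1 bank enabled there is no SHA-256 digest to replay, and the code reports that instead of guessing.

```python
import hashlib
import struct

# Event types from the TCG PC Client Platform Firmware Profile
EV_NO_ACTION = 0x03          # informational only; never extended into a PCR
EV_SEPARATOR = 0x04
EV_S_CRTM_CONTENTS = 0x07
EV_S_CRTM_VERSION = 0x08
TPM_ALG_SHA1, TPM_ALG_SHA256 = 0x0004, 0x000B
HASHERS = {TPM_ALG_SHA1: hashlib.sha1, TPM_ALG_SHA256: hashlib.sha256}


def parse_event_log(data):
    """Parse a crypto-agile (TCG_PCR_EVENT2) log, the format of
    /sys/kernel/security/tpm0/binary_bios_measurements, into a list of
    (pcr, event_type, {alg_id: digest}, payload). Record 0 is a legacy
    TCG_PCR_EVENT carrying the Spec ID header that lists the digest sizes."""
    pcr, etype, size = struct.unpack_from("<II20xI", data, 0)
    header, off = data[32:32 + size], 32 + size
    if etype != EV_NO_ACTION or header[:16] != b"Spec ID Event03\x00":
        raise ValueError("not a crypto-agile TPM 2.0 event log")
    (n_algs,) = struct.unpack_from("<I", header, 24)
    sizes = dict(struct.unpack_from("<HH", header, 28 + 4 * i) for i in range(n_algs))
    events = [(pcr, etype, {}, header)]
    while off < len(data):
        pcr, etype, count = struct.unpack_from("<III", data, off)
        off, digests = off + 12, {}
        for _ in range(count):
            (alg,) = struct.unpack_from("<H", data, off)
            digests[alg] = data[off + 2:off + 2 + sizes[alg]]
            off += 2 + sizes[alg]
        (size,) = struct.unpack_from("<I", data, off)
        events.append((pcr, etype, digests, data[off + 4:off + 4 + size]))
        off += 4 + size
    return events


def replay(events, alg=TPM_ALG_SHA256):
    """PCR[n] = H(PCR[n] || digest) for every extended event, from all zeros,
    mirroring the firmware's TPM2_PCR_Extend calls."""
    hasher, pcrs = HASHERS[alg], {}
    for pcr, etype, digests, _ in events:
        if etype == EV_NO_ACTION:
            continue
        if alg not in digests:  # e.g. the BIOS-default SHA-1-only bank
            raise ValueError(f"event on PCR {pcr} has no digest for alg {alg:#06x}")
        cur = pcrs.get(pcr, bytes(hasher().digest_size))
        pcrs[pcr] = hasher(cur + digests[alg]).digest()
    return pcrs


def payload_mismatches(events, alg=TPM_ALG_SHA256):
    """Indexes of events whose recorded digest is not H(payload), for the types
    the profile defines that way (S-CRTM version string, separator value);
    this is the check behind tpm2_eventlog's WARN line."""
    return [i for i, (_, etype, digests, payload) in enumerate(events)
            if etype in (EV_S_CRTM_VERSION, EV_SEPARATOR) and alg in digests
            and HASHERS[alg](payload).digest() != digests[alg]]


def compare(reconstructed, live):
    """PCR indexes where the replayed value differs from what the TPM reports."""
    return sorted(p for p in live if reconstructed.get(p) != live[p])


def decode_payload(etype, payload):
    """S-CRTM version strings are UTF-16LE; other payloads are shown as ASCII."""
    enc = "utf-16-le" if etype == EV_S_CRTM_VERSION else "ascii"
    return payload.decode(enc, errors="replace").rstrip("\x00")


def blob_fields_as_text(blob_base, blob_length):
    """The two uint64s a UEFI_PLATFORM_FIRMWARE_BLOB parser printed, re-read
    as the 16 little-endian bytes they came from."""
    return struct.pack("<QQ", blob_base, blob_length).decode("ascii", errors="replace")


def _event2(pcr, etype, digest, payload):
    return (struct.pack("<IIIH", pcr, etype, 1, TPM_ALG_SHA256) + digest
            + struct.pack("<I", len(payload)) + payload)


def build_sample_log():
    """Constructed log (not a capture from the R740): Spec ID header, a string
    S-CRTM contents event, a '2.14.2' version event whose logged digest
    deliberately does not hash its payload, separators on PCR 0 and 7."""
    spec = (b"Spec ID Event03\x00" + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 1)
            + struct.pack("<HH", TPM_ALG_SHA256, 32) + b"\x00")
    crtm = b"Boot Guard Measured S-CRTM\x00"  # constructed 27-byte string payload
    version = "2.14.2".encode("utf-16-le") + b"\x00\x00"
    sep, h = struct.pack("<I", 0), lambda b: hashlib.sha256(b).digest()
    return (struct.pack("<II20xI", 0, EV_NO_ACTION, len(spec)) + spec
            + _event2(0, EV_S_CRTM_CONTENTS, h(crtm), crtm)
            + _event2(0, EV_S_CRTM_VERSION, h(b"constructed: not H(version)"), version)
            + _event2(0, EV_SEPARATOR, h(sep), sep) + _event2(7, EV_SEPARATOR, h(sep), sep))


def demo():
    """Replay the constructed log against constructed 'live' PCRs in which the
    TPM was extended with H(version string) rather than the logged digest,
    so PCR 0 disagrees while PCR 7 agrees."""
    events = parse_event_log(build_sample_log())
    h = lambda b: hashlib.sha256(b).digest()
    crtm, version, sep = (e[3] for e in events[1:4])
    live = {0: h(h(h(bytes(32) + h(crtm)) + h(version)) + h(sep)),
            7: h(bytes(32) + h(sep))}
    return {"mismatched_pcrs": compare(replay(events), live),
            "bad_digest_events": payload_mismatches(events),
            "version": decode_payload(EV_S_CRTM_VERSION, version)}


if __name__ == "__main__":
    print(demo(), blob_fields_as_text(0x61754720746f6f42, 0x757361654d206472))
```

On a real host the same functions apply to the bytes of /sys/kernel/security/tpm0/binary_bios_measurements, with the live dict filled from tpm2_pcrread. If replay raises for the SHA-256 bank, the log only carries SHA-1 digests, which is the TPM_RC_INSUFFICIENT situation charles-rose traced to the BIOS default; if PCR 0 alone mismatches while payload_mismatches flags the EV_S_CRTM_VERSION entry, the log and the TPM disagree about what was extended in the S-CRTM phase, which is what both reporters saw.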
tomoveu commented 2 years ago

@prbinu, @freedge could it be that PCR0 is mismatching because you changed your UEFI settings (sha1 to sha256) ... and now the CRTM measurement is failing because it is hashing the UEFI settings that have been modified from the default?

freedge commented 2 years ago

(I have opened a case with Dell about this, but I'm not too sure it will reach the right team, as it is very specific and probably far from what L1 support usually gets.) I note that 32002e00310034002e0032000000 is "2.14.2" in ASCII, which matches the BIOS version, and I can understand that people could want a stable PCR0 even if the BIOS is upgraded.

If you have any idea of a test I can run, I can do that (but tpm2_eventlog is broken when sha1 is selected).