Closed dgsiegel closed 1 year ago
hughsie
commented
1 year ago Maybe a big ask, but could you compile fwupd and then run sudo ./plugins/tpm/fwupdtpmevlog --pcr 0? @superm1 maybe we should install that binary into /usr/libexec/fwupd for this kind of debugging?
dgsiegel
commented
1 year ago Maybe a big ask, but could you compile fwupd and then run
sudo ./plugins/tpm/fwupdtpmevlog --pcr 0?
No worries! Here's the output:
$ sudo build/plugins/tpm/fwupdtpmevlog --pcr 0
PCR: BIOS (0)
Type: 0x8
Description: EV_S_CRTM_VERSION
ChecksumSha256: 265ffa8ec06a229d4e03172d6630916179c3625744f56890847331b4b7cde7d4
BlobStr: UgAyADIARQBUADUANQBXACAAAAA=
PCR: BIOS (0)
Type: 0x80000008
Description: EV_EFI_PLATFORM_FIRMWARE_BLOB
ChecksumSha256: 0d0d9517da007bc0450fdef51e98a8448c6d1ba5f7ae694d7139508c787f2879
BlobStr: AADACQAAAAAAABoAAAAAAA==
PCR: BIOS (0)
Type: 0x1
Description: EV_POST_CODE
ChecksumSha256: 7faa18ccd6074fff7900f48242d2ff322343d07354633c519850674d8f003d80
BlobStr: QUNQSSBEQVRB
PCR: BIOS (0)
Type: 0x1
Description: EV_POST_CODE
ChecksumSha256: 608072d8953921f15718897cbb0a47623e0c29fa7286d20beb0d733756acb643
BlobStr: QUNQSSBEQVRB
PCR: BIOS (0)
Type: 0x4
Description: EV_SEPARATOR
ChecksumSha256: df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
BlobStr: AAAAAA==
Reconstructed PCRs:
PCR 0: SHA256(6a9848d0a7fb307084845a69ea3b0825d6e2430bf2879d23cb97b4eba7c72f13)
superm1
commented
1 year ago @superm1 maybe we should install that binary into /usr/libexec/fwupd for this kind of debugging?
I don't think generally that makes sense. The bugs in our reconstruction comparison are so sparse now, it's usually firmware bugs now isn't it?
I guess let's see what the outcome of this particular issue is to decide.
mrhpearson
commented
1 year ago I'll flag this to the FW team - but as a note it is likely to be a slow burner. I've got a similar issue flagged on the X1Carbon9 and trying to review with the TPM team but it's slow going (but not dead!)
superm1
commented
1 year ago This may be a duplicate of https://github.com/fwupd/fwupd/issues/5344#event-8063641475
Can you please try a snapshot of main?
If you need an rpm I'll volunteer @hughsie to build you one 😜.
dgsiegel
commented
1 year ago @superm1 no worries, I can build the project on my own :)
Although the main branch (https://github.com/fwupd/fwupd/tree/main) still produces the same result:
$ sudo build/plugins/tpm/fwupdtpmevlog --pcr 0
PCR: BIOS (0)
Type: 0x8
Description: EV_S_CRTM_VERSION
ChecksumSha256: 265ffa8ec06a229d4e03172d6630916179c3625744f56890847331b4b7cde7d4
BlobStr: UgAyADIARQBUADUANQBXACAAAAA=
PCR: BIOS (0)
Type: 0x80000008
Description: EV_EFI_PLATFORM_FIRMWARE_BLOB
ChecksumSha256: 0d0d9517da007bc0450fdef51e98a8448c6d1ba5f7ae694d7139508c787f2879
BlobStr: AADACQAAAAAAABoAAAAAAA==
PCR: BIOS (0)
Type: 0x1
Description: EV_POST_CODE
ChecksumSha256: 7faa18ccd6074fff7900f48242d2ff322343d07354633c519850674d8f003d80
BlobStr: QUNQSSBEQVRB
PCR: BIOS (0)
Type: 0x1
Description: EV_POST_CODE
ChecksumSha256: 608072d8953921f15718897cbb0a47623e0c29fa7286d20beb0d733756acb643
BlobStr: QUNQSSBEQVRB
PCR: BIOS (0)
Type: 0x4
Description: EV_SEPARATOR
ChecksumSha256: df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
BlobStr: AAAAAA==
Reconstructed PCRs:
PCR 0: SHA256(6a9848d0a7fb307084845a69ea3b0825d6e2430bf2879d23cb97b4eba7c72f13)
Does the security command still fail though?
dgsiegel
commented
1 year ago Does the security command still fail though?
That I couldn't test as I would have to install the daemon as well, otherwise I'll get a version mismatch.
superm1
commented
1 year ago That's the part that should work now if you can please try.
dgsiegel
commented
1 year ago This might be due to the way I installed it locally, but it doesn't seem to be able to find TPM at all:
Host Security ID: HSI:0 (v1.8.9)
HSI-1
✔ Supported CPU: Valid
✔ UEFI platform key: Valid
✔ UEFI secure boot: Enabled
✘ TPM v2.0: Not found
HSI-2
✔ BIOS rollback protection: Enabled
✘ IOMMU: Not found
HSI-3
✔ Pre-boot DMA protection: Enabled
✔ Suspend-to-idle: Enabled
✔ Suspend-to-ram: Disabled
HSI-4
✘ Encrypted RAM: Not supported
Runtime Suffix -!
✔ Linux kernel: Untainted
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Encrypted
✔ fwupd plugins: UntaintedThis is the output of the installed fwupd (1.8.8):
Host Security ID: HSI:1 (v1.8.8)
HSI-1
✔ Fused platform: Locked
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI platform key: Valid
✔ UEFI secure boot: Enabled
HSI-2
✔ BIOS rollback protection: Enabled
✔ IOMMU: Enabled
✔ Platform debugging: Locked
✔ SPI write protection: Enabled
✘ TPM PCR0 reconstruction: Invalid
HSI-3
✔ Pre-boot DMA protection: Enabled
✔ SPI replay protection: Enabled
✔ Suspend-to-idle: Enabled
✔ Suspend-to-ram: Disabled
HSI-4
✔ Encrypted RAM: Encrypted
✔ Processor rollback protection: Enabled
Runtime Suffix -!
✔ Linux kernel: Untainted
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Encrypted
✔ fwupd plugins: UntaintedCould you please share a verbose log from sudo fwupdtool security --verbose 2>&1
dgsiegel
commented
1 year ago Here you go: fwupdtool.log
I'm quite sure an RPM would make things way easier at this point :)
superm1
commented
1 year ago 14:52:04.215 FuConfig trying to load config values from /tmp/fwupd/build/var/etc/fwupd/daemon.conf 14:52:04.215 FuConfig failed to read UpdateMotd key: Key file does not have group “fwupd”
This is probably the root cause of some weird abnormalities. Did this conffile not get populated? Or is it in the wrong place? @hughsie I think in general we might want to consider making sure that everything in the daemon/fwupdtool works the same with default conffile and no conffile. That's a bit unexpected to me that the test plugin for example is enabled by default..
BestDevice: /dev/urandom
The test plugin is enabled, it shouldn't be.
I'm quite sure an RPM would make things way easier at this point :)
@hughsie can you help with that?
hughsie
commented
1 year ago Here is the git main branch from today: https://copr.fedorainfracloud.org/coprs/rhughes/fwupd/
dgsiegel
commented
1 year ago Thanks @hughsie!
@superm1 you were right, the git main branch now lists everything as valid:
$ sudo fwupdmgr security
Host Security ID: HSI:4 (v1.8.9)
HSI-1
✔ Fused platform: Locked
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI platform key: Valid
✔ UEFI secure boot: Enabled
HSI-2
✔ BIOS rollback protection: Enabled
✔ IOMMU: Enabled
✔ Platform debugging: Locked
✔ SPI write protection: Enabled
✔ TPM PCR0 reconstruction: Valid
HSI-3
✔ Pre-boot DMA protection: Enabled
✔ SPI replay protection: Enabled
✔ Suspend-to-idle: Enabled
✔ Suspend-to-ram: Disabled
HSI-4
✔ Encrypted RAM: Encrypted
✔ Processor rollback protection: Enabled
Runtime Suffix -!
✔ Linux kernel: Untainted
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Encrypted
✔ fwupd plugins: UntaintedThanks!
superm1
commented
1 year ago Great thanks!
@hughsie I don't know about you but this is the first time I've seen a full "4" in the wild 😜
hughsie
commented
1 year ago this is the first time I've seen a full "4" in the wild
I saw one the other day which exposed a bug in the GNOME panel that was only ever tested up to HSI 3 :)
Describe the bug fwupd reports that the TPM PCR0 reconstruction is invalid.
Steps to Reproduce
fwupdmgr securityIf I run
fwupdtool security --force -vI can find the following output:FuPluginTpm comparing TPM 6a9848d0a7fb307084845a69ea3b0825d6e2430bf2879d23cb97b4eba7c72f13 and EVT 6a9848d0a7fb307084845a69ea3b0825d6e2430bf2879d23cb97b4eba7c72f13Expected behavior No such warning, because this is a brand-new system with a fresh installation of Fedora 37.
fwupd version information
Installed via
dnf.**fwupd device information**
Please provide the output of the fwupd devices recognized in your system. ```shell LENOVO 21CMCTO1WW │ ├─Unknown Device: │ Device ID: f685512aa07369c9e77742acef941d779d31e766 │ GUID: 37b440a9-2473-5087-a39b-db84f32a8ed8 ← GPIO\ID_AMDI0030:00 │ ├─Fingerprint Sensor: │ Device ID: 0d5d05911800242bb1f35287012cdcbd9b381148 │ Summary: Match-On-Chip fingerprint sensor │ Current version: 01000300 │ Vendor: Goodix (USB:0x27C6) │ Install Duration: 10 seconds │ Serial Number: UID3D39D704_XXXX_MOC_B0 │ GUIDs: 14450e82-8667-54c3-98e1-098d8c6dc3b8 ← USB\VID_27C6&PID_6594 │ 6322b4f7-0571-5f07-8538-e041bbc70677 ← USB\VID_27C6&PID_6594&REV_0100 │ Device Flags: • Updatable │ • Device can recover flash failures │ • Signed Payload │ ├─Integrated Camera: │ Device ID: 91c9a317b30acf7c0cd967f2ce6925d518ef19a7 │ Current version: 10.22 │ Vendor: (USB:0x174F) │ Serial Number: 0001 │ GUIDs: 0cf3aef8-c29e-5cb8-997c-d498ed52b666 ← USB\VID_174F&PID_1812 │ da6609bb-ca33-5ab4-aba3-a28b193c1d9d ← USB\VID_174F&PID_1812&REV_1022 │ Device Flags: • Updatable │ ├─MZVL21T0HCLR-00BL7: │ Device ID: 03281da317dccd2b18de2bd1cc70a782df40ed7e │ Summary: NVM Express solid state drive │ Current version: CL2QGXA7 │ Vendor: Samsung (NVME:0x144D) │ Serial Number: S64PNX0T909746 │ GUIDs: bec63ed7-a95f-54fe-b8cc-8e9fee64ba5a ← NVME\VEN_144D&DEV_A80A │ 60c89aac-f321-515b-b419-3cf02aa9d375 ← NVME\VEN_144D&DEV_A80A&REV_00 │ 310f81b5-6fce-501e-acfb-487d10501e78 ← NVME\VEN_144D&DEV_A80A&SUBSYS_144DA801 │ 4d7a2791-106b-5e72-9cfb-8ea3d89f5421 ← NVME\VEN_144D&DEV_A80A&SUBSYS_144DA801&REV_00 │ c0e40d86-e47a-57fe-8ed1-453e6d83a586 ← SAMSUNG MZVL21T0HCLR-00BL7 │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Supported on remote server │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ • Signed Payload │ ├─Ryzen 7 PRO 6850U with Radeon Graphics: │ │ Device ID: 4bde70ba4e39b28f9eab1628f9dd6e6244c03027 │ │ Current version: 0x0a404102 │ │ Vendor: AMD │ │ GUIDs: b9a2dd81-159e-5537-a7db-e7101d164d3f ← cpu │ │ 22f9ecf4-588d-5c0a-8326-6ebff3655c6d ← CPUID\PRO_0&FAM_19 │ │ 52f8f9af-1ca9-5352-bef4-ceb232c888a5 ← CPUID\PRO_0&FAM_19&MOD_44 │ │ e94372a3-3ffb-5d1c-a579-c415b7313e52 ← CPUID\PRO_0&FAM_19&MOD_44&STP_1 │ │ Device Flags: • Internal device │ │ │ └─Secure Processor: │ Device ID: c54ab0237d7a8db8c717b68e0be78e4374a2a079 │ Vendor: AMD (PCI:0x1022) │ GUIDs: 9844da3e-1df2-52fe-9413-d4378af6221e ← PCI\VEN_1022&DEV_1649 │ 2f07ce4f-42d2-5848-a963-a58e6fcad38e ← PCI\VEN_1022&DEV_1649&REV_00 │ fbbfd456-73f4-5488-a520-f5e4aaa5b9e1 ← PCI\VEN_1022&DEV_1649&SUBSYS_17AA50B4 │ d71b44e0-1975-5614-91d1-d244b10f97ce ← PCI\VEN_1022&DEV_1649&SUBSYS_17AA50B4&REV_00 │ Device Flags: • Internal device │ ├─System Firmware: │ │ Device ID: 2292ae5236790b47884e37cf162dcf23bfcd1c60 │ │ Summary: UEFI ESRT device │ │ Current version: 0.1.25 │ │ Vendor: Lenovo (DMI:LENOVO) │ │ Update State: Success │ │ GUIDs: 6ab943b7-f4d4-aaa1-2f40-cb03a0c8cf3c │ │ 230c8b18-8d9b-53ec-838b-6cfc0383493a ← main-system-firmware │ │ Device Flags: • Internal device │ │ • Updatable │ │ • System requires external power source │ │ • Supported on remote server │ │ • Needs a reboot after installation │ │ • Cryptographic hash verification is available │ │ • Device is usable for the duration of the update │ │ │ ├─UEFI Platform Key: │ │ Device ID: 6924110cde4fa051bfdc600a60620dc7aa9d3c6a │ │ Summary: Lenovo Ltd. PK CA 2012 │ │ Vendor: Lenovo Ltd. │ │ GUID: 71599d14-9b31-5270-b3bd-74c494585820 ← UEFI\CRT_9AEF2123F4DE7C19AFABD909BB2C8CAC4411E07E │ │ │ └─UEFI dbx: │ Device ID: 362301da643102b9f38477387e2193e57abaa590 │ Summary: UEFI revocation database │ Current version: 217 │ Minimum Version: 217 │ Vendor: UEFI:Linux Foundation │ Install Duration: 1 second │ GUIDs: 14503b3d-73ce-5d06-8137-77c68972a341 ← UEFI\CRT_A9087D1044AD18F7A94916D284CBC01827CF23CD8F60B79072C9CAA1FEF4D649 │ 5971a208-da00-5fce-b5f5-1234342f9cf7 ← UEFI\CRT_A9087D1044AD18F7A94916D284CBC01827CF23CD8F60B79072C9CAA1FEF4D649&ARCH_X64 │ c6682ade-b5ec-57c4-b687-676351208742 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503 │ f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64 │ Device Flags: • Internal device │ • Updatable │ • Supported on remote server │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ • Only version upgrades are allowed │ • Signed Payload │ ├─TPM: │ Device ID: c6a80ac3a22083423992a3cb15018989f37834d6 │ Current version: 1.512.0.0 │ Vendor: ST Microelectronics (TPM:STM) │ GUIDs: ff71992e-52f7-5eea-94ef-883e56e034c6 ← system-tpm │ 84df3581-f896-54d2-bd1a-372602f04c32 ← TPM\VEN_STM&DEV_0001 │ bfaed10a-bbc1-525b-a329-35da2f63e918 ← TPM\VEN_STM&MOD_ │ 70b7b833-7e1a-550a-a291-b94a12d0f319 ← TPM\VEN_STM&DEV_0001&VER_2.0 │ 06f005e9-cb62-5d1a-82d9-13c534c53c48 ← TPM\VEN_STM&MOD_&VER_2.0 │ Device Flags: • Internal device │ ├─UEFI Device Firmware: │ Device ID: a45df35ac0e948ee180fe216a5f703f32dda163f │ Summary: UEFI ESRT device │ Current version: 4130 │ Minimum Version: 1 │ Vendor: DMI:LENOVO │ Update State: Success │ GUID: 37176ab3-1c3f-4164-be2c-d3512d5ba15e │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ ├─UEFI Device Firmware: │ Device ID: 349bb341230b1a86e5effe7dfe4337e1590227bd │ Summary: UEFI ESRT device │ Current version: 3344935 │ Vendor: DMI:LENOVO │ Update State: Success │ GUID: 023a338b-246f-47e0-b4e5-304203184ec1 │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ ├─UEFI Device Firmware: │ Device ID: f95c9218acd12697af946874bfe4239587209232 │ Summary: UEFI ESRT device │ Current version: 1 │ Minimum Version: 1 │ Vendor: DMI:LENOVO │ Update State: Success │ GUID: 75d78aef-5e7f-0afe-b68a-aef4c52ccddd │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ ├─UEFI Device Firmware: │ Device ID: d96de5c124b60ed6241ebcb6bb2c839cb5580786 │ Summary: UEFI ESRT device │ Current version: 65557 │ Minimum Version: 65557 │ Vendor: DMI:LENOVO │ Update State: Success │ GUID: 66d6a3ef-a771-4302-9cd0-d062c79c5ef2 │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ ├─UEFI Device Firmware: │ Device ID: f37fb01122dd62c773f4e84ec89737e059712d59 │ Summary: UEFI ESRT device │ Current version: 16777221 │ Minimum Version: 1 │ Vendor: DMI:LENOVO │ Update State: Success │ GUID: 82b32ab0-b999-4fea-9cbd-668a9580004b │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ ├─UEFI Device Firmware: │ Device ID: 36efb79c255f402f619fa9eb53cd659db51f2a04 │ Summary: UEFI ESRT device │ Current version: 66048 │ Minimum Version: 66048 │ Vendor: DMI:LENOVO │ Update State: Success │ GUID: 9b7ef120-9e99-404e-8cad-0aeca4d09ee6 │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ └─USB4 host controller: Device ID: fba88f7dbbd16af1e2d4f10000f897b67774f5d8 Summary: Unmatched performance for high-speed I/O GUID: e72e778e-94f7-5ed2-b560-1c1262ee217c ← TBT-fixed Device Flags: • Internal device • System requires external power source ```Additional questions