Closed hairongchen closed 1 year ago
@hairongchen Could you please check whether there are more EV_NO_ACTION_EVENTS in the log:
tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements | grep NO_ACTION
There is a fix (#3230) for the case where, besides the first specid event, there are more EV_NO_ACTION events which should not be extended to PCR0.
Hi, there are two of them in the beginning of the result:
tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements | grep NO_ACTION
EventType: EV_NO_ACTION
EventType: EV_NO_ACTION
version: 1 events:
@hairongchen Thank you for the information. That explains the out of sync. If you could compile and install the current master, the error should not occur.
The fix would work, Thanks!
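The mismatch discussed in this thread can be reproduced with a small event-log replay. This is an added example, not code from tpm2-tools or from the participants. The event tuples, `SAMPLE_LOG` and `TPM_PCRS` are constructed sample data, and the `skip_all_no_action=False` mode only models the behaviour described above (just the first SpecID event skipped).

```python
import hashlib

EV_NO_ACTION = "EV_NO_ACTION"
PCR_SIZE = 32  # sha256 bank


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new = SHA256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(events, skip_all_no_action=True):
    """Recompute sha256 PCRs from (pcr_index, event_type, digest) tuples.

    EV_NO_ACTION events are informational and are never extended by firmware.
    skip_all_no_action=False models the behaviour described in the thread:
    only the first event (the SpecID header) is skipped.
    """
    pcrs = {}
    for num, (index, etype, digest) in enumerate(events):
        if etype == EV_NO_ACTION and (skip_all_no_action or num == 0):
            continue
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs


def out_of_sync(events, tpm_pcrs, **kw):
    """Return the PCR indexes whose replayed value differs from the TPM's."""
    replayed = replay(events, **kw)
    return sorted(i for i, v in replayed.items() if tpm_pcrs.get(i) != v)


# Constructed sample log: two EV_NO_ACTION events, then two measured events.
ZERO = bytes(PCR_SIZE)
SAMPLE_LOG = [
    (0, EV_NO_ACTION, ZERO),  # SpecID header
    (0, EV_NO_ACTION, ZERO),  # second informational event
    (0, "EV_S_CRTM_VERSION", hashlib.sha256(b"crtm").digest()),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", hashlib.sha256(b"SecureBoot").digest()),
]
# Constructed "TPM" state: only the two measured events were extended.
TPM_PCRS = {0: extend(ZERO, SAMPLE_LOG[2][2]), 7: extend(ZERO, SAMPLE_LOG[3][2])}

if __name__ == "__main__":
    print("skip all NO_ACTION:", out_of_sync(SAMPLE_LOG, TPM_PCRS))
    print("skip only first   :", out_of_sync(SAMPLE_LOG, TPM_PCRS, skip_all_no_action=False))
```

With every EV_NO_ACTION event skipped the replay matches the constructed PCR values; skipping only the first one leaves PCR 0 out of sync while PCR 7 still matches.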
ENV:
uname -a
Linux dev 5.19.0-38-generic #39~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 17 21:16:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
root@dev:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.2 LTS"
Tools:
apt-get install libtss2-dev tpm2-tools tpm2-abrmd libtss2-esys-3.0.2-0
result from tpm2_pcrread
result from tpm2_eventlog
tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements
version: 1
events:
- EventNum: 0
  PCRIndex: 0
  EventType: EV_NO_ACTION
  Digest: "0000000000000000000000000000000000000000"
  EventSize: 33
  SpecID:
- EventNum: 136
  PCRIndex: 5
  EventType: EV_EFI_ACTION
  DigestCount: 1
  Digests:
fwupdmgr security --force
Host Security ID: HSI:1! (v1.7.9)
HSI-1
✔ CSME manufacturing mode: Locked
✔ CSME override: Locked
✔ CSME v0:15.0.21.1549: Valid
✔ Intel DCI debugger: Disabled
✔ SPI BIOS region: Locked
✔ SPI lock: Enabled
✔ SPI write: Disabled
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI platform key: Valid

HSI-2
✔ Intel BootGuard: Enabled
✔ Intel BootGuard ACM protected: Valid
✔ Intel BootGuard OTP fuse: Valid
✔ Intel BootGuard verified boot: Valid
✔ Intel DCI debugger: Locked
✔ TPM PCR0 reconstruction: Valid
✘ IOMMU: Not found

HSI-3
✔ Intel BootGuard error policy: Valid
✔ Pre-boot DMA protection: Enabled
✘ Intel CET Enabled: Not supported
✘ Suspend-to-idle: Disabled
✘ Suspend-to-ram: Enabled

HSI-4
✔ Intel SMAP: Enabled
✘ Encrypted RAM: Not supported

Runtime Suffix -!
✔ Linux kernel: Untainted
✔ Linux kernel lockdown: Enabled
✔ fwupd plugins: Untainted
✘ Linux swap: Unencrypted
This system has HSI runtime issues. » https://github.com/fwupd/fwupd/wiki/Host-security-ID-runtime-issues