On 4/27/21 2:40 AM, Thore Sommer via groups.io wrote: > >> I don't confirm this. I have Linux version 5.12.0-rc5+ installed and I >> see the attached in my binary_bios_measurements (I've run it through >> tpm2-eventlog so you can see the actual events). > Ok that is interesting. > > Here are the steps to reproduce my findings. > Necessary tools: Build chain for edk2, swtpm 0.5.2 and qemu 5.2.0 > > 1. Build OVMF from edk2-stable202102 with > -a X64 -a IA32 \ > -b RELEASE \ > -D NETWORK_IP6_ENABLE \ > -D TPM_ENABLE \
Shouldn't you also have '-D TPM_CONFIG_ENABLE' ? Thanks, Tom > -D FD_SIZE_4MB \ > -D TLS_ENABLE \ > -D HTTP_BOOT_ENABLE \ > -D SECURE_BOOT_ENABLE \ > -D SMM_REQUIRE \ > -D EXCLUDE_SHELL_FROM_FD > > 2. Copy OVMF_CODE.fd and OVMF_VARS.fd into an empty directory > 3. Download Ubuntu 21.04 desktop iso (which has a 5.11 Linux kernel) and > copy it into that directory > (I can provide a custom Debian build with a patched and unpatched vanilla > kernel if needed) > 4. Create dir for swtpm: mkdir mytpm1 > 5. Start swtpm with > swtpm socket \ > --tpm2 \ > --tpmstate dir=mytpm1 \ > --ctrl type=unixio,path=mytpm1/swtpm-sock \ > --log level=4 & > 6. Start qemu with > qemu-system-x86_64 \ > -enable-kvm \ > -machine q35,smm=on \ > -global driver=cfi.pflash01,property=secure,value=on \ > -drive if=pflash,format=raw,unit=0,file=OVMF_CODE.fd,readonly=on \ > -drive if=pflash,format=raw,unit=1,readonly=off,file=OVMF_VARS.fd \ > -chardev socket,id=chrtpm,path=mytpm1/swtpm-sock \ > -tpmdev emulator,id=tpm0,chardev=chrtpm \ > -device tpm-crb,tpmdev=tpm0 \ > -boot d \ > -cdrom "ubuntu-21.04-desktop-amd64.iso" \ > -m 3G \ > -vga virtio > 7. Start Ubuntu normally and choose "Try Ubuntu" > 8. Open a Terminal and check that > "/sys/kernel/security/tpm0/binary_bios_measurements" is empty > >> On my OVMF boot I'm using the direct >> kernel command line and I have secure boot enabled but not activated, >> which is why you only see PCRs 0-7 in the log. > > The Kernel here is loaded by Grub which itself is loaded by Shim. But that > should not make a difference regarding the event log via ACPI right? > > I've attached the event log from a Ubuntu 20.04 machine with a 5.12 > patched kernel and my kernel build config. > > Best regards > Thore Sommer > > > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#74469): https://edk2.groups.io/g/devel/message/74469 Mute This Topic: https://groups.io/mt/82391340/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
