On 04/27/21 01:44, James Bottomley wrote:
> On Mon, 2021-04-26 at 21:56 +0200, Thore Sommer wrote:
>> Dear Maintainers,
>>
>> During my testing with OVMF and swtpm I found out that kernel
>> versions newer than 5.8 don't show any information in
>> "/sys/kernel/security/tpm0/binary_bios_measurements" if swtpm
>> emulates a TPM 2.0 device. The file is still created but is empty.
>> The expected result would be that
>> "/sys/kernel/security/tpm0/binary_bios_measurements" contains the
>> TPM event log. TPM 1.2 devices are not affected.
>
> I don't confirm this. I have Linux version 5.12.0-rc5+ installed and I
> see the attached in my binary_bios_measurements (I've run it through
> tpm2-eventlog so you can see the actual events).
>
>> With the help of git bisect I found out that the breaking kernel
>> commit is 85467f63a05c43364ba0b90d0c05bb89191543fa.
>> Reverting this on top of the 5.12 release restores the expected
>> functionality.
>>
>> Thanks to apalos and leiflindholm on the #edk2 IRC channel for
>> helping me with that.
>>
>> I don't know if this is a bug in OVMF or in the Linux kernel, because
>> on a real device with a TPM 2.0 the output was as expected.
>>
>> Tested with edk2-ovmf 202102, swtpm 0.5.2 and qemu 5.2.0 on Ubuntu
>> 20.04.
>>
>> If further information is needed to resolve this problem, I'd be
>> happy to provide it.
>
> What that commit did was to allow the event log to be provided by the
> ACPI table if one existed rather than always defaulting to it being
> provided by the EFI configuration table. What I suspect has happened
> from this:
>
>> [ 0.017358] ACPI: Reserving TPM2 table memory at [mem
>> 0x7eb77000-0x7eb7704b]
>
> Is that somehow you've got an empty TPM2 table installed in ACPI but I
> don't know how you've done this. On my OVMF boot I'm using the direct
> kernel command line and I have secure boot enabled but not activated,
> which is why you only see PCRs 0-7 in the log.
IIRC the QEMU ACPI linker/loader exposes a TPM2 ACPI table as well; maybe
that conflicts with the edk2 TPM2 machinery built into OVMF, somehow.

An OVMF log (enabling DEBUG_VERBOSE) might help. Running acpidump + iasl
in the guest might help as well (for determining some inconsistency).

My gut feeling is that it's a fight between QEMU's ACPI generator and the
edk2 TPM infrastructure, over the ownership of the TPM-related ACPI
table(s).

Laszlo
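Both James's description of the commit and Laszlo's acpidump suggestion come down to what the guest's TPM2 ACPI table advertises: revision 4 of the table adds Log Area Minimum Length and Log Area Start Address fields after the start-method parameters, and the reservation in the quoted dmesg line (0x7eb77000-0x7eb7704b, 0x4c bytes) is exactly the size of a table that carries them. The script below is an added example, not code from this thread or from edk2/QEMU: it decodes a raw TPM2 table as written by `acpidump -b`, checks the ACPI checksum, and reports whether a log area is advertised; the sample table is constructed inline, and the rule in `event_log_source` (ACPI wins when the fields are present and non-zero) is my reading of the post-commit driver, not something the thread states.

```python
import struct
import sys

# Layout per the TCG ACPI Specification: 36-byte ACPI SDT header, TPM2 body,
# 12 bytes of start-method parameters, then the revision-4 log-area fields.
_HDR = "<4sIBB6s8sI4sI"   # Signature, Length, Revision, Checksum, OEMID, OEM Table ID, OEM Rev, Creator ID, Creator Rev
_BODY = "<HHQI"            # Platform Class, Reserved, Control Area Address, Start Method
_PLATFORM_PARAMS = 12      # start-method-specific parameter bytes
_LOG = "<IQ"               # Log Area Minimum Length, Log Area Start Address
_LOG_OFF = struct.calcsize(_HDR) + struct.calcsize(_BODY) + _PLATFORM_PARAMS

def parse_tpm2_table(blob: bytes) -> dict:
    """Decode a raw TPM2 table (e.g. tpm2.dat from `acpidump -b`)."""
    sig, length, rev, _chk, *_ = struct.unpack_from(_HDR, blob, 0)
    if sig != b"TPM2":
        raise ValueError(f"not a TPM2 table: {sig!r}")
    if len(blob) < length or sum(blob[:length]) % 256 != 0:
        raise ValueError("truncated table or bad ACPI checksum")
    plat, _res, ctrl, method = struct.unpack_from(_BODY, blob, struct.calcsize(_HDR))
    info = {"revision": rev, "length": length, "platform_class": plat,
            "control_area": ctrl, "start_method": method, "log_area": None}
    if rev >= 4 and length >= _LOG_OFF + struct.calcsize(_LOG):
        min_len, start = struct.unpack_from(_LOG, blob, _LOG_OFF)
        info["log_area"] = {"min_length": min_len, "start": start}
    return info

def event_log_source(info: dict) -> str:
    """Where the kernel would read the event log from, as I understand the
    bisected commit: the ACPI log area if advertised and non-zero, else EFI."""
    la = info["log_area"]
    if la and la["start"] and la["min_length"]:
        return "acpi"
    return "efi"

def build_tpm2_table(log_start: int, log_min_len: int, revision: int = 4) -> bytes:
    """Construct a sample table (not real firmware output) with a valid checksum.
    Control-area address and start method (7 = CRB) are sample values."""
    body = (struct.pack(_BODY, 0, 0, 0xFED40040, 7) + b"\0" * _PLATFORM_PARAMS
            + struct.pack(_LOG, log_min_len, log_start))
    length = struct.calcsize(_HDR) + len(body)
    raw = struct.pack(_HDR, b"TPM2", length, revision, 0, b"SAMPLE", b"SAMPLTBL",
                      1, b"EXAM", 1) + body
    return raw[:9] + bytes([(-sum(raw)) % 256]) + raw[10:]  # checksum byte is at offset 9

if __name__ == "__main__":
    # With a dumped table as argument inspect a real guest; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_tpm2_table(0, 0)
    parsed = parse_tpm2_table(data)
    print(parsed, "-> event log from", event_log_source(parsed))
```

A table that is long enough for the fields but advertises a zero or unusable log area is the case worth comparing against the OVMF DEBUG_VERBOSE log when the sysfs file comes out empty.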