TPM PCR0 reconstruction fails with Boot Guard enabled

[mkopec]

Component

Dasharo firmware

Device

NovaCustom V54 14th Gen

Dasharo version

v1.0.0-rc4

Dasharo Tools Suite version

n/a

Test case ID

No response

Brief summary

Running fwupdtool security on a btg-provisioned laptop results in a failure to reconstruct PCR0 merasurements:

HSI-2
✔ Intel BootGuard ACM protected: Valid
✔ Intel BootGuard:               Enabled
✔ IOMMU:                         Enabled
✔ Platform debugging:            Locked
✘ Intel BootGuard OTP fuse:      Invalid
✘ TPM PCR0 reconstruction:       Invalid

Context: #463 (comment)

How reproducible

No response

How to reproduce

Run fwupdtool security

Expected behavior

PCR0 reconstruction passes

Actual behavior

PCR0 reconstruction fails

Screenshots

No response

Additional context

No response

Solutions you've tried

No response

[SergiiDmytruk]

Which PCR banks are active? If more than one or one which doesn't match what coreboot uses, the outcome is expected. fwupd wants all active PCR banks to match, but coreboot can deal with at most one at the moment. Without cbmem log or at least TPM event log, we have no idea what coreboot has actually done during the boot.

[mkopec]

@SergiiDmytruk Here are the CBMEM log and event log, along with actual PCR measurements

evlog_pcr0.log
cbmem_pcr0.log

  sha1:
  sha256:
    0 : 0x014E65868B809D93BC60B6BCE3FDE0E67E5191E7B6AD834997425055647D17B8
    1 : 0x05D280FBF4F9DF99C182BFE471FC0179B951B1580155CFCFED3A1ACB86D39B99
    2 : 0xDCF110E7ABD8B05FA2F60CEB793E6B64709EF28C3B43778A2B9A4990E392FB72
    3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    4 : 0x62F0D6DEF64DD65390A676A82C9F03CEB677ADD1CD86A374699B81F951BC9C61
    5 : 0xA5CEB755D043F32431D63E39F5161464620A3437280494B5850DC1B47CC074E0
    6 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    7 : 0x9E9D0E9062554F386B701EB29C00BD54A2806583AF4881EC6E44DCE496F75FD0
    8 : 0x0000000000000000000000000000000000000000000000000000000000000000
    9 : 0x3788EF47C4D50F461A705752DCC9E2445DD6D529A2E7F1AE77BFD763C887AB0C
    10: 0xDC54F29F4BF4C7584A8D9915B09359959F8E13F13009C1EAB4B00C21B85F1930
    11: 0x0000000000000000000000000000000000000000000000000000000000000000
    12: 0x0000000000000000000000000000000000000000000000000000000000000000
    13: 0x0000000000000000000000000000000000000000000000000000000000000000
    14: 0x0000000000000000000000000000000000000000000000000000000000000000
    15: 0x0000000000000000000000000000000000000000000000000000000000000000
    16: 0x0000000000000000000000000000000000000000000000000000000000000000
    17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    23: 0x0000000000000000000000000000000000000000000000000000000000000000
  sha384:

[SergiiDmytruk]

Thanks, this does look like a bug then. There are 6 fields in PCR0_DATA, we should probably hexdump the data buffer into log and try adjusting the fields based on the code/specs until we get the right value of PCR-0. Although logging can actually be skipped, CBNT_BIOSACM_POLICY_STS is there, but need the matching provisioned image to get ACM, KM and BPM. Also, won't hurt to check that PCR-0 isn't changed by a reboot, otherwise some uninitialized data may be used.

[miczyg1]

There is a field in IBB segment element flags called SRTM AC. When set, it says that variable content of ACM_POLICY_STATUS register is masked off, which probably has some impact on how PCR0 is extended.

What it does is: ACM_POLICY_STATUS is being masked out with the value 0x20FFF based on the SRTM_AC status of IBB segment element flag

It might be worth to enable it.

[SergiiDmytruk]

@miczyg1, that helped, thanks. The rest is correct, although checking for this also depends on the versions of tools.

Minimal versions for correctly replaying PCR-0 measurements that do not start in locality 0:

• tpm2_eventlog: v5.6 because 576a31bcc910da517067b29667f45fbe78e812e0 is what adds support for non-0 startup locality
• fwupd: v1.8.0 because 0812ce5d20cad3ba0f4a40e1be697ecf0ebe30b5 adds the same

Both tools are of lower versions in the latest DTS v2.6.0:

• v5.5 for tpm2_eventlog
• 1.7.3-71-g1ad6f5156 for fwupd.

In this case v5.5 or an older one was used for tpm2_eventlog output, since it didn't ignore EV_NO_ACTION (actually extended zeroes) and also used initial PCR value for locality 0 (locality Y starts with the last byte set to 0x0Y).

Dasharo/coreboot#740 adds support for SRTM_AC flag which also needs to be set during provisioning. I've tested it on Odroid and got PCR-0 validated with enabled BootGuard. Output of tpm2_eventlog also agrees with tpm2_pcrread if new enough versions are used.

[pietrushnic]

@miczyg1 IIUC there are consequences for DS09SBL? @DaniilKl, I think you should know about the too-low version problem in v2.6.1