Talos II - 0.6 - Heads - No flashrom support #190

Closed
tlaurion opened this issue Sep 12, 2022 · 10 comments
@tlaurion

Dasharo version
0.6

Dasharo variant
Workstation/Server

Affected component(s) or functionality
Flashrom is needed for:

  • Internal flashing: new release (manual) future (fwupd)
  • ownership: public key injection at OEM factory reset/Re-Ownership, or GPG menu -> inject public key. Flashrom is used to dump the firmware, keyring + trustdb + config.user are injected into it with cbfs, then it is flashed back through flashrom
  • firmware upgrade: Heads extracts the gpg keyring and trustdb to be injected into the new firmware

Brief summary
Without keyring+trustdb injected in ROM:

  • USB boot cannot verify an ISO against the user's detached signature (iso.asc) for integrity/authenticity validation.
  • The /boot digest cannot be detached-signed/verified at boot against the user's GPG public key injected in ROM.

How reproducible
100%

How to reproduce

Steps to reproduce the behavior:

  1. Flash options don't work
  2. Gpg options don't work
  3. OEM factory reset/Re-Ownership options don't work
  4. Booting options don't work (unless the unsafe boot option is chosen for the installed disk, or USB boot is against a dd'ed image on a thumb drive)

Unsafe boot options (no detach signed digest verification) work.

Expected behavior

  • Be able to use detached signature functions for disk boot options
  • Be able to use user's detached signed ISO to boot from USB option
  • Be able to upgrade firmware through Heads
  • Be able to upgrade through fwupd at some point

Actual behavior
flashrom is not available.

So there is no possibility of injecting the gpg keyring and trustdb into a firmware image to be flashed (new firmware or a backup of the running firmware) through the GPG/ownership options, nor of upgrading the firmware internally through Heads.

@tlaurion

#80 #168 #79 can be closed.

@tlaurion

#35 is still a thing (as per 0.6 release notes)

@tlaurion

Absence of TPM is dealt correctly (dynamically turn off TPM support if no TPM is detected) with linuxboot/heads#1002, which release 0.6 was not based on.

@tlaurion

tlaurion commented Sep 12, 2022

Question for next steps:
Did you buy https://store.supermicro.com/https-store-supermicro-com-45cm-oculink-to-u2-pcie-power-cable-cbl-sast-0955-html.html and some other adapter to have a working SSD setup?

Or more simply, what are you using for persistent storage option in your setup/tests?

@macpijan

We used only USB drives according to https://docs.dasharo.com/variants/talos_2/hardware-matrix/

We do not have linked adapter attached.

@SergiiDmytruk

SergiiDmytruk commented Sep 12, 2022

flashrom is not available.

You did the review :) I think I disabled flashrom initially (over a year ago) after seeing that internal programmer is not available (it doesn't compile with current invocation in modules/flashrom). I thus decided that it's useless for Talos (no SPI access either). However, it's not the case, because mtd programmer probably works fine. I definitely dumped flash using it, but don't remember if I tried writing ROM back (it probably works as well).

@tlaurion

@SergiiDmytruk

You did the review :)

Well, sorry we missed that.

Heads relies solely on flashrom to persist user config related changes, and to have those CBFS files be part of what is measured before use. This is flash.sh, which takes CONFIG_FLASHROM_OPTIONS from the board config. Then gpg-gui.sh uses flash.sh -r to back up the ROM if settings are to be injected into the running ROM, or takes the to-be-flashed ROM as input to inject the keyring and trust DB. Same concept with config-gui.sh, but with the config.user file override.

Flashrom is needed to save user config overrides: from changing the drive boot source (config.user) to injecting the public key (keyring and trust DB), and to keep other config change overrides after firmware upgrades, with cbfs adding those changed files into the ROM to be flashed and then flashing only the changed blocks back into SPI.


@SergiiDmytruk : I confirm that building fails at https://app.circleci.com/pipelines/github/tlaurion/heads/1197/workflows/5cee5383-75d5-47c5-aa0c-ab39e64abb99/jobs/10388 when trying to enable flashrom in Talos II board configs.

mtd programmer probably works fine.

This is great news.
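The dump / inject / flash-back cycle described in the comment above, written out as an added example script. This is not Heads' own flash.sh or gpg-gui.sh and not Dasharo project code. It assumes (my assumptions, not statements from the thread) that CONFIG_FLASHROM_OPTIONS comes from the board config and, for Talos II, would select flashrom's linux_mtd programmer that the thread says can dump the PNOR; that the CBFS file names are the paths the Heads initrd reads at boot (heads/initrd/...); and that the whole ROM is written back, since there are no IFD regions to restrict the write to on POWER. DRY_RUN=1 prints the commands instead of running them, so the flow can be inspected on a machine without flashrom, cbfstool or a writable flash.

```shell
#!/bin/sh
# Added example, not Heads' flash.sh / gpg-gui.sh: dump running ROM -> replace CBFS files
# -> flash back. Assumed (not from the page): CONFIG_FLASHROM_OPTIONS is supplied by the
# board config (default below = flashrom's linux_mtd programmer); CBFS names match the
# paths the Heads initrd reads; the whole ROM is written (no IFD regions on POWER).
set -eu

CONFIG_FLASHROM_OPTIONS="${CONFIG_FLASHROM_OPTIONS:--p linux_mtd:dev=0}"

# Print the command instead of executing it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# flash.sh equivalent: -r dumps the running ROM to a file, -w writes a ROM image back.
flash_rom() {  # flash_rom -r|-w <rom>
  # shellcheck disable=SC2086  # the options string is meant to be word-split
  run flashrom $CONFIG_FLASHROM_OPTIONS "$1" "$2"
}

# Replace one file inside CBFS: drop any existing copy, then add the new one as raw data
# (cbfstool has no in-place update; remove + add is how a CBFS file is changed).
cbfs_replace() {  # cbfs_replace <rom> <cbfs-name> <host-file>
  if [ "${DRY_RUN:-0}" = 1 ] || cbfstool "$1" print | grep -qF "$2"; then
    run cbfstool "$1" remove -n "$2"
  fi
  run cbfstool "$1" add -f "$3" -n "$2" -t raw
}

# Inject the owner's keyring, trust DB and config.user into a ROM image, then flash it.
# The source files are those of the running initrd, which is how they survive an upgrade.
inject_and_flash() {  # inject_and_flash <rom> <gnupg-dir> <config.user>
  cbfs_replace "$1" heads/initrd/.gnupg/pubring.kbx "$2/pubring.kbx"
  cbfs_replace "$1" heads/initrd/.gnupg/trustdb.gpg "$2/trustdb.gpg"
  cbfs_replace "$1" heads/initrd/etc/config.user "$3"
  flash_rom -w "$1"
}

# gpg-gui.sh "inject into running ROM" path: back up the running firmware first (flash.sh -r).
persist_into_running_rom() {  # persist_into_running_rom <backup-rom> <gnupg-dir> <config.user>
  flash_rom -r "$1"
  inject_and_flash "$1" "$2" "$3"
}

# Firmware upgrade path: the new ROM is the input; only the owner files are carried over.
upgrade_firmware() {  # upgrade_firmware <new-rom> <gnupg-dir> <config.user>
  inject_and_flash "$1" "$2" "$3"
}

# Optional CLI: ./inject.sh persist /tmp/backup.rom   |   ./inject.sh upgrade /media/new.rom
case "${1:-}" in
  persist) persist_into_running_rom "$2" "${3:-/.gnupg}" "${4:-/etc/config.user}" ;;
  upgrade) upgrade_firmware "$2" "${3:-/.gnupg}" "${4:-/etc/config.user}" ;;
esac
```

On a real board the first thing to check is the read path alone (`flash_rom -r`), then compare two consecutive dumps and a `cbfstool ... print` listing before attempting any write; the write in the thread is still reported as untested for the mtd programmer.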

@SergiiDmytruk

Heads relies solely on flashrom to persist user config related changes, and to have those CBFS files be part of what is measured before use. This is flash.sh, which takes CONFIG_FLASHROM_OPTIONS from the board config. Then gpg-gui.sh uses flash.sh -r to back up the ROM if settings are to be injected into the running ROM, or takes the to-be-flashed ROM as input to inject the keyring and trust DB. Same concept with config-gui.sh, but with the config.user file override.

Flashrom is needed to save user config overrides: from changing the drive boot source (config.user) to injecting the public key (keyring and trust DB), and to keep other config change overrides after firmware upgrades, with cbfs adding those changed files into the ROM to be flashed and then flashing only the changed blocks back into SPI.

Comments like these would make a good documentation about Heads internals, which should also include description of possible CONFIG_* options (I think these are not documented anywhere right now).

@macpijan

So at first, we need to enable flashrom in the build and see if we can read/write to PNOR via mtd programmer? Then, we need to configure the flashrom parameters for Talos II board if the above works.

@miczyg1

miczyg1 commented Oct 13, 2022

linuxboot/heads#1222
