WIP: Don't fail boot process if no TPM is available #14

Closed

ts468 commented Oct 4, 2015

Hi!

I'm trying to adapt TrustedGRUB2 so that the boot process does not fail if no TPM is available. If the boot process fails if no TPM is available, then accidentally installing TrustedGRUB2 breaks systems without a TPM. That's not an acceptable default that would allow TrustedGRUB2 to be safely integrated into a Linux distribution.

The current PR is my miserably failing attempt to make TrustedGRUB2 boot without TPM. I hoped that masking every call into the API exposed through `tpm.h` with `grub_TPM_isAvailable` would be enough. But unfortunately, it isn't, and I can't find a way to debug it. Adding `-DTGRUB_DEBUG` as a compile-time option does not lead to any debug output.

So I wanted to ask for help! Could someone maybe have a quick look at my changes and suggest how I should proceed?

Many thanks!

neusdan (Contributor) commented Oct 7, 2015

I agree with you. Booting should be possible even without TPM in the default configuration. Nevertheless, I want to have a compile-time flag to activate a "works with TPM only mode".

Can you explain what error message you are receiving?

neusdan (Contributor) commented Oct 7, 2015

At least in this version: a0ee0d6
it was working without TPM

ts468 (Author) commented Oct 7, 2015

@neusdan Thanks for getting back to me! Sure, a compile-time flag is absolutely fine. I just thought adding the flag would be the last step ;).

About the error, the system showed something like `TrustedGRUB [No TPM detected] loading` and then stopped loading. Unfortunately, I couldn't get more information out of the system. But it might also be related to TrustedGRUB 1.2.1 itself. I've got a system that works fine with 1.2.0 but loops constantly with 1.2.1, booting up to `TrustedGRUB loading` and then restarting the system. Maybe that helps?

ts468 (Author) commented Oct 7, 2015

Yes, I've found a0ee0d6, but it wasn't so easy to cherry-pick the right parts out of it. Things changed quite a bit in TrustedGRUB since then.

neusdan (Contributor) commented Oct 7, 2015

I think I've found the issue here.

You have to append `--no-rs-codes` to `grub-install` (already in the readme, but not that obvious to see).

This parameter is necessary since the HP workaround. I should add a compile-time flag also for this workaround, so that it is not necessary to append the `--no-rs-codes` parameter in default mode.

ts468 (Author) commented Oct 8, 2015

@neusdan Thanks a lot for the hint! I've missed that. Do you already know when you're planning to release a version of TrustedGRUB2 where the workaround is masked with a compile-time flag, or where at least the default behavior of `grub-install` is changed so that you only have to append the parameter if you need the HP workaround?

suhho1993 pushed a commit to suhho1993/TS-BOOT that referenced this pull request Sep 21, 2017

securitykernel (Contributor) commented

Thanks for your contribution! Unfortunately, we decided to deprecate and no longer maintain this project. I will be closing this issue.
