* [tpm2] Re: tpm2_eventlog ERROR: SpecID eventType must be EV_NO_ACTION
@ 2021-04-09 17:25 Kenneth Goldman
  0 siblings, 0 replies; 4+ messages in thread
From: Kenneth Goldman @ 2021-04-09 17:25 UTC (permalink / raw)
  To: tpm2



The error is basic - it's not a legal TPM 2.0 event log.

The first event (line 0) has to be an EV_NO_ACTION event with a
TCG_EfiSpecIDEvent structure.  I have a -nospec option, but that's just to
test incremental logs.  It's not intended for a full log.

From the TCG spec:

3.	The first event log entry SHALL be a TCG_PCClientPCREvent structure.
See Section 10.2.1 TCG_PCClientPCREvent Structure.


--
Ken Goldman   kgoldman(a)us.ibm.com
914-945-2415 (862-2415)




From:	nicolasoliver03(a)gmail.com
To:	tpm2(a)lists.01.org
Date:	04/09/2021 12:47 PM
Subject:	[EXTERNAL] [tpm2] Re: tpm2_eventlog ERROR: SpecID eventType
            must be EV_NO_ACTION



The output of tsseventextend -v is below.
I am getting this same error in 2 servers from different manufacturers.
I may need to clean up a little before sharing the logs, please bear with
me!

eventextend: line 0
TSS_EVENT_Line_Trace: PCR index 0
TSS_EVENT_EventType_Trace: 00000008 EV_S_CRTM_VERSION
 TSS_EVENT_Line_Trace: PCR length 20
 c4 2f ed ad 26 82 00 cb 1d 15 f9 78 41 c3 44 e7
 9d ae 33 20
 TSS_EVENT_Line_Trace: event length 16
 1e fb 6b 54 0c 1d 55 40 a4 ad 4e f4 bf 17 b8 3a
eventextend: failed, rc 0000009a
TPM_RC_INSUFFICIENT - the TPM was unable to unmarshal a value because there
were not enough octets in the input buffer Handle number unspecified

* [tpm2] Re: tpm2_eventlog ERROR: SpecID eventType must be EV_NO_ACTION
@ 2021-04-15 19:37 Kenneth Goldman
  0 siblings, 0 replies; 4+ messages in thread
From: Kenneth Goldman @ 2021-04-15 19:37 UTC (permalink / raw)
  To: tpm2



In theory, the BIOS event log is constructed pre-OS, and certainly the
beginning part should not be affected.

If you're booting two different kernels and the first event changes, my
first guess is that something in the kernel is affecting the pseudo-file
and skipping or deleting the first measurement.  "Customized Linux kernel"
sounds suspicious.

I think you might have a better audience on the Linux security mailing
list.

--
Ken Goldman   kgoldman(a)us.ibm.com
914-945-2415 (862-2415)




From:	nicolasoliver03(a)gmail.com
To:	tpm2(a)lists.01.org
Date:	04/15/2021 02:26 PM
Subject:	[EXTERNAL] [tpm2] Re: tpm2_eventlog ERROR: SpecID eventType
            must be EV_NO_ACTION



Hello again,

I have been debugging this issue with the manufacturer for a couple of
days, and found something very interesting.
Initially, I thought it was a System Firmware (BIOS) problem, that it was
misbehaving and reporting an invalid log.
But it seems to be a Kernel related problem.

If the system is booted with a customized Linux Kernel 4.19, the TPM Event
Log present in sysfs is invalid: tools fail to parse it, and there are no
SHA256 measurements.
If the system is booted with a vanilla Linux Kernel 5.8.15 (Fedora
Workstation 33 Live), the TPM Event Log is valid, tools can parse it, there
are both SHA1 and SHA256 measurements, and the reconstruction matches
perfectly with the state of the TPM PCRs.

This is more evident by comparing the binary_bios_measurements files taken
from both executions. I can see the good one starting with "Spec ID Ev..",
and the bad one directly with "Secure Boot" related info

The git history of the kernel source related to TPM Event Log is available
here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/char/tpm/eventlog
I will look there to see if something sheds some light on this issue.

Any hints are appreciated,

Thank you for your help so far!

* [tpm2] Re: tpm2_eventlog ERROR: SpecID eventType must be EV_NO_ACTION
@ 2021-04-15 18:25 nicolasoliver03
  0 siblings, 0 replies; 4+ messages in thread
From: nicolasoliver03 @ 2021-04-15 18:25 UTC (permalink / raw)
  To: tpm2


Hello again,

I have been debugging this issue with the manufacturer for a couple of days, and found something very interesting.
Initially, I thought it was a System Firmware (BIOS) problem, that it was misbehaving and reporting an invalid log.
But it seems to be a Kernel related problem.

If the system is booted with a customized Linux Kernel 4.19, the TPM Event Log present in sysfs is invalid: tools fail to parse it, and there are no SHA256 measurements.
If the system is booted with a vanilla Linux Kernel 5.8.15 (Fedora Workstation 33 Live), the TPM Event Log is valid, tools can parse it, there are both SHA1 and SHA256 measurements, and the reconstruction matches perfectly with the state of the TPM PCRs.

This is more evident by comparing the binary_bios_measurements files taken from both executions. I can see the good one starting with "Spec ID Ev..", and the bad one directly with "Secure Boot" related info

The git history of the kernel source related to TPM Event Log is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/char/tpm/eventlog
I will look there to see if something sheds some light on this issue.

Any hints are appreciated,

Thank you for your help so far!
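
[Added example, not part of the original messages and not code from tpm2-tools or the IBM TSS.] The check discussed in this thread, applied to the first entry of a binary_bios_measurements image: the entry must be EV_NO_ACTION and carry a TCG_EfiSpecIDEvent ("Spec ID Event03"). The function name and GOOD_LOG are constructed for illustration; BAD_LOG is rebuilt from the tsseventextend -v trace quoted in the thread.

```python
import struct

EV_NO_ACTION = 0x00000003
SPEC_ID_SIG = b"Spec ID Event03\x00"  # TCG_EfiSpecIDEvent signature, TPM 2.0 logs
ALG_NAMES = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}

def check_first_event(log: bytes):
    """Return (ok, detail) for the first entry of an event log image."""
    # TCG_PCClientPCREvent: pcrIndex, eventType, SHA-1 digest[20], eventDataSize
    if len(log) < 32:
        return False, "truncated: no complete TCG_PCClientPCREvent header"
    _pcr, etype, _digest, size = struct.unpack_from("<II20sI", log, 0)
    event = log[32:32 + size]
    if len(event) < size:
        return False, "truncated: event data shorter than eventDataSize"
    if etype != EV_NO_ACTION:
        return False, f"first eventType is 0x{etype:08x}, not EV_NO_ACTION"
    if event[:16] != SPEC_ID_SIG:
        return False, "EV_NO_ACTION event lacks the Spec ID Event03 signature"
    # After the signature: platformClass(4), version minor/major/errata(3),
    # uintnSize(1), numberOfAlgorithms(4), then {algorithmId, digestSize} pairs.
    if len(event) < 28:
        return False, "truncated TCG_EfiSpecIDEvent"
    (count,) = struct.unpack_from("<I", event, 24)
    if len(event) < 28 + 4 * count:
        return False, "truncated TCG_EfiSpecIDEvent algorithm list"
    ids = [struct.unpack_from("<H", event, 28 + 4 * i)[0] for i in range(count)]
    banks = ",".join(ALG_NAMES.get(a, f"0x{a:04x}") for a in ids)
    return True, "Spec ID event present, digest banks: " + banks

def _entry(pcr, etype, digest, data):
    # Serialize one SHA-1 format log entry (little-endian, no padding).
    return struct.pack("<II20sI", pcr, etype, digest, len(data)) + data

# Constructed sample: a well-formed first entry declaring SHA-1 and SHA-256.
_spec = (SPEC_ID_SIG + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 2)
         + struct.pack("<HHHH", 0x0004, 20, 0x000B, 32) + b"\x00")
GOOD_LOG = _entry(0, EV_NO_ACTION, bytes(20), _spec)

# First entry rebuilt from the tsseventextend -v trace quoted in this thread.
BAD_LOG = _entry(0, 0x00000008,
                 bytes.fromhex("c42fedad268200cb1d15f97841c344e79dae3320"),
                 bytes.fromhex("1efb6b540c1d5540a4ad4ef4bf17b83a"))

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        print(name, check_first_event(log))
```

A log that fails this check has lost its Spec ID entry, so a parser has no declared digest sizes to walk the crypto-agile entries that follow.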


* [tpm2] Re: tpm2_eventlog ERROR: SpecID eventType must be EV_NO_ACTION
@ 2021-04-09 16:47 nicolasoliver03
  0 siblings, 0 replies; 4+ messages in thread
From: nicolasoliver03 @ 2021-04-09 16:47 UTC (permalink / raw)
  To: tpm2


The output of tsseventextend -v is below.
I am getting this same error in 2 servers from different manufacturers.
I may need to clean up a little before sharing the logs, please bear with me!

eventextend: line 0
TSS_EVENT_Line_Trace: PCR index 0
TSS_EVENT_EventType_Trace: 00000008 EV_S_CRTM_VERSION
 TSS_EVENT_Line_Trace: PCR length 20
 c4 2f ed ad 26 82 00 cb 1d 15 f9 78 41 c3 44 e7
 9d ae 33 20
 TSS_EVENT_Line_Trace: event length 16
 1e fb 6b 54 0c 1d 55 40 a4 ad 4e f4 bf 17 b8 3a
eventextend: failed, rc 0000009a
TPM_RC_INSUFFICIENT - the TPM was unable to unmarshal a value because there were not enough octets in the input buffer Handle number unspecified

