From: Kenneth Goldman <kgoldman at us.ibm.com>
To: tpm2@lists.01.org
Subject: [tpm2] Re: tpm2_eventlog ERROR: SpecID eventType must be EV_NO_ACTION
Date: Thu, 15 Apr 2021 15:37:23 -0400
Message-ID: <OF390046DF.F4A70955-ON002586B8.006B4F6E-852586B8.006BCB08@notes.na.collabserv.com>
In-Reply-To: 20210415182554.2848.69001@ml01.vlan13.01.org

In theory, the BIOS event log is constructed pre-OS, and certainly the
beginning part should not be affected.

If you're booting two different kernels and the first event changes, my
first guess is that something in the kernel is affecting the pseudo-file
and skipping or deleting the first measurement.  "Customized Linux kernel"
sounds suspicious.

I think you might have a better audience on the Linux security mailing
list.

--
Ken Goldman   kgoldman(a)us.ibm.com
914-945-2415 (862-2415)




From:	nicolasoliver03(a)gmail.com
To:	tpm2(a)lists.01.org
Date:	04/15/2021 02:26 PM
Subject:	[EXTERNAL] [tpm2] Re: tpm2_eventlog ERROR: SpecID eventType
            must be EV_NO_ACTION



Hello again,

I have been debugging this issue with the manufacturer for a couple of
days, and found something very interesting.
Initially, I thought it was a System Firmware (BIOS) problem, that it was
misbehaving and reporting an invalid log.
But it seems to be a kernel-related problem.

If the system is booted with a customized Linux Kernel 4.19, the TPM Event
Log present in sysfs is invalid: tools fail to parse it, and there are no
SHA256 measurements.
If the system is booted with a vanilla Linux Kernel 5.8.15 (Fedora
Workstation 33 Live), the TPM Event Log is valid, tools can parse it, there
are both SHA1 and SHA256 measurements, and the reconstruction matches
perfectly with the state of the TPM PCRs.

This is more evident by comparing the binary_bios_measurements files taken
from both executions. I can see the good one starting with "Spec ID Ev..",
and the bad one directly with "Secure Boot" related info.

The git history of the kernel source related to TPM Event Log is available
here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/char/tpm/eventlog
I will look there to see if something sheds some light on this issue.

Any hints are appreciated,

Thank you for your help so far!
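Added example, not part of either message above and not code from tpm2-tools or the kernel: a small Python check of the first record in a saved binary_bios_measurements file, testing the condition named in the subject line (first eventType is EV_NO_ACTION and the event data carries the "Spec ID Event03" signature) and listing the digest banks the header declares. The function names and both sample logs are constructed for illustration.

```python
import struct
import sys

EV_NO_ACTION = 0x00000003
SPEC_ID_SIG = b"Spec ID Event03\x00"          # 16-byte signature of the crypto-agile header
ALG_NAMES = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}

def check_log_header(log: bytes) -> dict:
    """Check the first record of a binary_bios_measurements blob (hypothetical helper)."""
    # First record uses the SHA1-era layout, little-endian:
    # pcrIndex(4) eventType(4) digest(20) eventSize(4) event[eventSize]
    if len(log) < 32:
        return {"valid": False, "reason": "truncated first record"}
    _pcr, ev_type, _digest, size = struct.unpack_from("<II20sI", log, 0)
    if ev_type != EV_NO_ACTION:
        return {"valid": False,
                "reason": f"first eventType is 0x{ev_type:08x}, not EV_NO_ACTION"}
    data = log[32:32 + size]
    if len(data) < 28 or not data.startswith(SPEC_ID_SIG):
        return {"valid": False, "reason": "no Spec ID Event03 signature"}
    # numberOfAlgorithms follows signature(16) platformClass(4) version/errata/uintnSize(4)
    (n_algs,) = struct.unpack_from("<I", data, 24)
    if len(data) < 28 + 4 * n_algs:
        return {"valid": False, "reason": "truncated algorithm list"}
    algs = [struct.unpack_from("<HH", data, 28 + 4 * i) for i in range(n_algs)]
    return {"valid": True, "banks": [ALG_NAMES.get(a, hex(a)) for a, _ in algs]}

def _record(pcr: int, ev_type: int, data: bytes) -> bytes:
    """Build one SHA1-layout record with an all-zero digest (sample data only)."""
    return struct.pack("<II20sI", pcr, ev_type, bytes(20), len(data)) + data

# Constructed samples, not taken from the thread.
_spec_id = (SPEC_ID_SIG + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 2)
            + struct.pack("<HHHH", 0x0004, 20, 0x000B, 32) + b"\x00")
GOOD_LOG = _record(0, EV_NO_ACTION, _spec_id)
# Log whose header is missing: starts with an EV_EFI_VARIABLE_DRIVER_CONFIG record.
BAD_LOG = _record(7, 0x80000001, "SecureBoot".encode("utf-16-le"))

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # path to a saved binary_bios_measurements
        with open(sys.argv[1], "rb") as f:
            print(check_log_header(f.read()))
    else:
        print("good:", check_log_header(GOOD_LOG))
        print("bad: ", check_log_header(BAD_LOG))
```

Running it against copies of the file saved under each kernel shows whether the header record is absent from the log the kernel exposes, independent of any parsing tool.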
