Linux-Integrity Archive on lore.kernel.org
 help / color / Atom feed
From: Matthew Garrett <mjg59@google.com>
To: "Safford, David (GE Global Research, US)" <david.safford@ge.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>,
	"linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	"jarkko.sakkinen@linux.intel.com"
	<jarkko.sakkinen@linux.intel.com>,
	"Wiseman, Monty (GE Global Research, US)" <monty.wiseman@ge.com>
Subject: Re: [PATCH] tpm_crb - workaround broken ACPI tables
Date: Fri, 12 Jul 2019 11:24:13 -0700
Message-ID: <CACdnJutmhRyGjiumXbzai1fTNqcYMRthzTfMsiQgzKFtu3+teA@mail.gmail.com> (raw)
In-Reply-To: <BCA04D5D9A3B764C9B7405BBA4D4A3C035EF7E2A@ALPMBAPA12.e2k.ad.ge.com>

On Fri, Jul 12, 2019 at 5:42 AM Safford, David (GE Global Research,
US) <david.safford@ge.com> wrote:
> Thanks - that was very helpful.
> All of my misbehaving systems are AMD - mostly Ryzen and Threadripper towers,
> of various motherboard OEMs. One system is a 3rd gen Ryzen laptop (Asus FX505dy).

I suspect the issue comes from AMD's reference code rather than
multiple vendors all having made the same mistake. Unfortunate.

> But the laptop shows a new layout:
> [    2.069539] tpm_crb MSFT0101:00: can't request region for resource
> [mem 0xbd11f000-0xbd122fff]
> [    2.069543] tpm_crb: probe of MSFT0101:00 failed with error -16
> [    2.177663] ima: No TPM chip found, activating TPM-bypass!
>
> bbc64000-bd14afff : Reserved
>   bd11f000-bd11ffff : MSFT0101:00
>   bd123000-bd123fff : MSFT0101:00
> bd14b000-bd179fff : ACPI Tables
> bd17a000-bd328fff : ACPI Non-volatile Storage

Hmm, that's interesting. Is this a UEFI or BIOS system? Can you
provide the e820 data from dmesg?

> Have you looked at the sequencing during suspend/restore?
> If ACPI is the last to save, and first to restore, the TPM's use may
> still be safe. I'll try to run some tests along those lines, and look
> at the nvs driver.

The NVS stuff was largely implemented by attempting to identify what
Windows was doing and duplicating that, so it's kind of dangerous to
rely on its ordering - there's a risk it might end up changing
suddenly in order to mimic Windows' behaviour more closely.

  parent reply index

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-11 12:29 Safford, David (GE Global Research, US)
2019-07-11 14:10 ` Jarkko Sakkinen
2019-07-11 14:58 ` Jason Gunthorpe
2019-07-11 16:44   ` Safford, David (GE Global Research, US)
2019-07-11 18:50     ` Jason Gunthorpe
2019-07-11 19:31       ` Safford, David (GE Global Research, US)
2019-07-11 20:33         ` Matthew Garrett
2019-07-12 12:41           ` Safford, David (GE Global Research, US)
2019-07-12 15:06             ` Jason Gunthorpe
2019-07-12 15:48               ` Jarkko Sakkinen
2019-07-12 18:24             ` Matthew Garrett [this message]
2019-07-12 19:05               ` Safford, David (GE Global Research, US)
2019-07-12 20:36                 ` Matthew Garrett
2019-07-14 19:28                   ` Safford, David (GE Global Research, US)
2019-07-14 23:48                     ` Matthew Garrett
2019-07-15 19:44                       ` Matthew Garrett
2019-07-11 19:16 ` Jarkko Sakkinen

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CACdnJutmhRyGjiumXbzai1fTNqcYMRthzTfMsiQgzKFtu3+teA@mail.gmail.com \
    --to=mjg59@google.com \
    --cc=david.safford@ge.com \
    --cc=jarkko.sakkinen@linux.intel.com \
    --cc=jgg@ziepe.ca \
    --cc=linux-integrity@vger.kernel.org \
    --cc=monty.wiseman@ge.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Integrity Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
		linux-integrity@vger.kernel.org linux-integrity@archiver.kernel.org
	public-inbox-index linux-integrity


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity


AGPL code for this site: git clone https://public-inbox.org/ public-inbox