Author: tithom (n00b)
Posted: Sun Aug 04, 2024 8:23 pm
Post subject: Missing TPM event log with Grub + secure boot
Hi all,
I have noted something on my Gentoo setup. I want to use secure boot, use shim to sign grub and use grub's ability to check gpg sigs of everything to ensure integrity of the initram in particular (booting into a LUKS encrypted root fs with a TPM unlock with PIN to simplify things somewhat).
So all works, but I have noted that when I turn on secure boot in a Qemu VM, the directory /sys/kernel/security/tpm0 disappears and so the TPM event log usually in this folder is also not present. It's not critical but I have relied on it quite a lot in the past to figure out why some PCRs were changing.
I think that I've narrowed it down to a possible issue between Grub 2.12 and secure boot. For this I have disabled secure boot checks in the shim with mokutil --disable-validation so that I can use the "stock" grub install, which I re-installed with grub-install --target=x86_64-efi --efi-directory=/efi, and used the dist-kernel for this test.
- Secure boot disabled in the firmware: tpm0 folder present in /sys/kernel/security
- Secure boot enabled in the firmware: no tpm0 folder in /sys/kernel/security
TPM emulation is software, the VM is set up with Q35 UEFI (edk2-20240524-4)
For what it's worth, I have 3 VMs I'm building the exact same way. I have seen the same issue with Arch but not with Fedora (grub 2.06 with 300+ patches...). I have come across only one other post with similar sorts of issues on Stack Exchange, which seems to be the same: tpm0 disappears with custom keys (so I suppose with secure boot on) and re-appears after clearing custom keys (so I suppose when secure boot is off / in setup mode).
I'd appreciate any pointer or if I'm missing anything.
Author: nvaert1986 (Tux's lil' helper)
Posted: Mon Aug 05, 2024 11:42 am
I've seen the exact same behavior on my old Lenovo ThinkPad P52 with custom keys too when using Grub on both Gentoo and Arch, but not on Ubuntu and / or Fedora. Seems that Arch / Gentoo are missing patches indeed. Reverting back to the original keys resolves the issue. What brand of device and type are you using?
Author: tithom (n00b)
Posted: Tue Aug 06, 2024 8:57 pm
I'm trying things out on a virtual machine with libvirt 10.1 and a software TPM (not passthrough).
As compared to what you describe, I'm not enrolling my keys in the firmware but only in the shim. I don't know the efi variables enough to know if that ends up in the same variables but I suppose that db and MOK would be separated. So somehow grub is affected by custom keys in either location and does not pass the tpm event log over to the kernel during boot?
I have built custom grub images on all systems. A grub image self-built on Fedora with

Code:
    grub2-mkimage -O x86_64-efi -o /boot/efi/EFI/fedora/grubx64.efi --sbat /usr/share/grub/sbat.csv -m "${memdisk}" -c "${grubcfg}" -p "${grub_prefix}" ${grub_modules}

and with the following on Arch and Gentoo

Code:
    grub-mkimage -O x86_64-efi -o /efi/EFI/gentoo/grubx64.efi --sbat /usr/share/grub/sbat.csv -m "${memdisk}" -c "${grubcfg}" -p "${grub_prefix}" ${grub_modules}

with the same memdisk, prefix, and modules gives the same issues, e.g. Fedora's shows the event log in /sys/kernel/security/tpm0 with secure boot while Arch's and Gentoo's do not.
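A small reader for the log this thread is trying to get back, added here as an example and not code from the posters: it parses the TCG2 format of /sys/kernel/security/tpm0/binary_bios_measurements and replays the sha256 bank so that the entry that moved a PCR can be matched against the live /sys/class/tpm/tpm0/pcr-sha256/N values. The two-event log used below is constructed inline; the event types and algorithm IDs are the TCG constants.

```python
"""Parse a TCG2 TPM event log (binary_bios_measurements) and replay PCRs."""
import hashlib
import struct

LOG_PATH = "/sys/kernel/security/tpm0/binary_bios_measurements"  # path from the thread
TPM_ALG_SHA1, TPM_ALG_SHA256 = 0x0004, 0x000B     # TCG algorithm IDs
ALG_SIZES = {TPM_ALG_SHA1: 20, TPM_ALG_SHA256: 32}  # digest length per algorithm

def parse_event_log(data):
    """Yield (pcr, event_type, {alg_id: digest}) for each TCG_PCR_EVENT2 entry.
    Entry 0 is the SHA1-format TCG_PCR_EVENT header (EV_NO_ACTION / Spec ID Event03)
    and is skipped; it only carries the digest sizes, which we know for the two algs."""
    _pcr, _etype, size = struct.unpack_from("<II20xI", data, 0)  # u32 pcr, u32 type, 20B digest, u32 size
    off = 32 + size
    while off < len(data):
        pcr, etype, count = struct.unpack_from("<III", data, off)
        off += 12
        digests = {}
        for _ in range(count):                       # TPML_DIGEST_VALUES
            (alg,) = struct.unpack_from("<H", data, off)
            off += 2
            digests[alg] = data[off:off + ALG_SIZES[alg]]
            off += ALG_SIZES[alg]
        (size,) = struct.unpack_from("<I", data, off)
        off += 4 + size                              # skip event data; not needed for replay
        yield pcr, etype, digests

def replay_pcrs(data, alg=TPM_ALG_SHA256):
    """Extend every logged digest into a zeroed PCR bank; returns {pcr: hex}."""
    pcrs = {}
    for pcr, _etype, digests in parse_event_log(data):
        if alg in digests:
            cur = pcrs.get(pcr, b"\x00" * ALG_SIZES[alg])
            pcrs[pcr] = hashlib.sha256(cur + digests[alg]).digest()
    return {p: v.hex() for p, v in pcrs.items()}

def build_sample_log():
    """Constructed two-event sha256-only log (not captured from a real machine)."""
    spec = (b"Spec ID Event03\x00" + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 1)
            + struct.pack("<HH", TPM_ALG_SHA256, 32) + b"\x00")  # one alg, no vendor info
    header = struct.pack("<II20sI", 0, 0x3, b"\x00" * 20, len(spec)) + spec  # EV_NO_ACTION
    def ev(pcr, etype, payload):
        d = hashlib.sha256(payload).digest()
        return (struct.pack("<III", pcr, etype, 1) + struct.pack("<H", TPM_ALG_SHA256)
                + d + struct.pack("<I", len(payload)) + payload)
    return header + ev(0, 0x1, b"BIOS") + ev(7, 0x80000001, b"SecureBoot=1")  # EV_POST_CODE, EV_EFI_VARIABLE_DRIVER_CONFIG

if __name__ == "__main__":
    try:
        data = open(LOG_PATH, "rb").read()           # only present when the kernel got the log
    except OSError:
        data = build_sample_log()
    for pcr, val in sorted(replay_pcrs(data).items()):
        print(f"PCR{pcr:2d} {val}")                   # compare with /sys/class/tpm/tpm0/pcr-sha256/<pcr>
```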