
Test TrenchBoot support on AMD hardware with TPM 2.0 and TPM 1.2 with legacy boot mode #23

Closed
BeataZdunczyk opened this issue Apr 3, 2023 · 2 comments
Labels: P: default (Priority: default. Default priority for new issues, to be replaced given sufficient information.) · T: feature request (Type: feature request. A new feature for the project.) · W: done (Workflow: done. This issue is done/closed.)

Comments

@BeataZdunczyk (Member):

Is your feature request related to a problem? Please describe.

After the implementation of the updated TrenchBoot boot protocol for AMD platforms in Secure Kernel Loader, it is necessary to test the solution on AMD hardware with TPM 2.0 and TPM 1.2 with legacy boot mode to ensure proper functionality.

Is your feature request related to a new idea or technology that
would benefit the project? Please describe.

This issue is required to ensure that the TrenchBoot support for AMD platforms with TPM 2.0 and TPM 1.2 with legacy boot mode works properly after the implementation of the updated TrenchBoot boot protocol for AMD platforms in Secure Kernel Loader.

Describe the solution you'd like

Test the TrenchBoot support on AMD hardware with TPM 2.0 and TPM 1.2 with legacy boot mode to ensure proper functionality after the implementation of the updated TrenchBoot boot protocol for AMD platforms in Secure Kernel Loader.

Describe alternatives you've considered

N/A

Additional context

This feature request is part of Phase 4 in TrenchBoot as Anti Evil Maid project, as outlined in the documentation: https://docs.dasharo.com/projects/trenchboot-aem-v2/.

Relevant documentation you've consulted

N/A

@BeataZdunczyk BeataZdunczyk added T: feature request (Type: feature request. A new feature for the project.), P: default (Priority: default. Default priority for new issues, to be replaced given sufficient information.) and W: todo (Workflow: todo. The issue is in the initial to-do state.) labels Apr 3, 2023
@miczyg1 commented Jan 4, 2024:

Proposed hardware:

  • KGPE-D16 - legacy boot with TPM 1.2 and TPM 2.0 (two boards available in the 3mdeb lab, one with TPM 1.2 and the other one with TPM 2.0)
  • Supermicro M11SDV-4C-LN4F - UEFI boot with TPM 2.0 (can also be swapped with a TPM 1.2 to test TPM 1.2 in UEFI mode; may also be used to test legacy boot mode with CSM)

@krystian-hebel (Member):

> • KGPE-D16 - legacy boot with TPM 1.2 and TPM 2.0 (two boards available in the 3mdeb lab, one with TPM 1.2 and the other one with TPM 2.0)

One doesn't work, the other works only until HVM is started. Some limited testing was done by starting with spec-ctrl=no-ibpb-entry - this is not safe, but it did allow showing that AEM works on a multi-node system.

> • Supermicro M11SDV-4C-LN4F - UEFI boot with TPM 2.0 (can also be swapped with a TPM 1.2 to test TPM 1.2 in UEFI mode; may also be used to test legacy boot mode with CSM)

Doesn't work, the CPU can't send the DRTM sequence to the TPM properly.

Most of the tests were performed on HP t630 platforms, one with TPM 1.2 and the other with TPM 2.0. Other platforms were too problematic, be it because of bad firmware (vendor firmware on KGPE doesn't support TPM 2.0, and coreboot doesn't work reliably) or hardware issues (CPU on Supermicro, IBPB on KGPE, problems with KVM everywhere) not directly linked to AEM.

Proof of installation and execution with TPM 2.0 (screenshots attached: Screenshot_2024-04-11_10-14-40, Screenshot_2024-04-16_08-59-18, Screenshot_2024-04-16_08-59-43).

Execution with TPM 1.2 (screenshot attached: Screenshot_2024-05-17).

@BeataZdunczyk BeataZdunczyk added W: done Workflow: done. This issue is done/close. and removed W: todo Workflow: todo. The issue is in the initial to do state. labels May 17, 2024