Subject: Re: Regression from efi: call get_event_log before ExitBootServices
To: Jeremy Cline, Javier Martinez Canillas, Thiebaud Weksteen, Jarkko Sakkinen, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org, tpmdd-devel@lists.sourceforge.net, Linux Kernel Mailing List
From: Hans de Goede
Message-ID: <29c1640a-cf19-ca19-7de9-96f202edfb5a@redhat.com>
Date: Fri, 9 Mar 2018 10:29:04 +0100
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

On 08-03-18 18:26, Jeremy Cline wrote:
> On 03/08/2018 11:50 AM, Hans de Goede wrote:
>> > added these now>
>>
>> Hi,
>>
>> On 07-03-18 12:34, Javier Martinez Canillas wrote:
>
>>> Are you also able to read the TPM event logs?
>>>
>>> $ hexdump /sys/kernel/security/tpm0/binary_bios_measurements
>>
>> Yes for me that outputs a lot of hex :)
>
> For me, /sys/kernel/security/tmp0 doesn't exist on 4.15.6 or 4.16 with
> the patch reverted.

Hmm, have you re-enabled the TPM in the BIOS?

>>> The UEFI firmware does some measurements and so does shim. So you should
>>> have some event logs. What version of shim are you using? And also would
>>> be good to know if it's the same shim version that Jeremy is using.
>>
>> That is a very good question, I'm using: shim-ia32-13-0.7.x86_64, which is
>> the last version for F27 AFAICT.
>
> All my tablet has installed is shim-0.8-10.x86_64, no shim-ia32.

Yes my bad, although if the kernel changes break booting on systems
without the shim that is still good to know and something which we
probably ought to fix.

>> But Jeremy's tablet might very well be not using the shim at all, as
>> I manually installed Fedora 25 on the tablet he now has, before Fedora
>> supported machines with 32 bit EFI. I then later did a "dnf distro-sync" to
>> Fedora-27.
>>
>> Jeremy might also very well still be booting using a grub binary I build
>> manually back then, without any shim being involved.
>>
>> Jeremy what does efibootmgr -v output on your device ?
>
> # efibootmgr -v
> BootCurrent: 0003
> Timeout: 4 seconds
> BootOrder: 0003,0000,0001,2001,2002,2003
> Boot0000* Android X64 OS
> HD(1,GPT,215e6cf3-e97d-4735-9c4e-7338c8f5a645,0x800,0x32000)/File(\EFI\BOOT\bootx64.efi)RC
> Boot0001* Internal EFI Shell
> FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(c57ad6b7-0515-40a8-9d21-551652854e37)RCM&".
> Boot0003* Fedora
> HD(1,GPT,215e6cf3-e97d-4735-9c4e-7338c8f5a645,0x800,0x32000)/File(\EFI\fedora\grubx64.efi)
> Boot2001* EFI USB Device RC
> Boot2002* EFI DVD/CDROM RC
> Boot2003* EFI Network RC
> Boot8087* Udm
> FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9a9ab4c1-ee1b-488b-b300-24544a7bd418)
>
> I think you're right about it using the old grub binary. I'm
> embarrassingly unfamiliar with both UEFI and grub, but I'm guessing you
> set the location of grub.cfg at compile time? When I boot
> \EFI\fedora\grubx64.efi, it's pulling the grub.cfg from
> \EFI\redhat\grub.cfg.

Ah yes, so I did not build my own grub I took one from RHEL as that had
32 bit UEFI support before Fedora got it and as I was lazy I copied the
32 bit binary over the 64 bit one, so don't let the filename fool you.

What you could do is install grub2-efi-ia32 from the Fedora 27 repos and
then use efibootmgr to add an entry pointing to \EFI\fedora\grubia32.efi
note that one will look at \EFI\fedora\grub.cfg .

Then see if the problem persists. A second step would be to also install
shim-ia32 and point to that...

Regards,

Hans
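
Added example, not part of the original message or of the kernel code: instead of eyeballing the hexdump of binary_bios_measurements discussed above, this sketch parses the log and replays the PCR extends. It assumes the legacy TCG 1.2 (SHA-1) record layout; the sample log, make_record and the function names are constructed for illustration.

```python
import hashlib
import struct
import sys

EV_NO_ACTION = 0x00000003  # informational only, never extended into a PCR
RECORD = struct.Struct("<II20sI")  # PCR index, event type, SHA-1 digest, data size

def parse_event_log(blob):
    """Return [(pcr, event_type, digest, data)] from a legacy SHA-1 event log."""
    events, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < RECORD.size:
            raise ValueError(f"truncated record header at offset {offset}")
        pcr, etype, digest, size = RECORD.unpack_from(blob, offset)
        offset += RECORD.size
        if size > len(blob) - offset:  # bound the firmware-supplied length
            raise ValueError(f"event data overruns the log at offset {offset}")
        events.append((pcr, etype, digest, blob[offset:offset + size]))
        offset += size
    return events

def replay_pcrs(events):
    """Recompute each PCR as PCR_new = SHA1(PCR_old || digest), from all zeros."""
    pcrs = {}
    for pcr, etype, digest, _data in events:
        if etype != EV_NO_ACTION:
            pcrs[pcr] = hashlib.sha1(pcrs.get(pcr, bytes(20)) + digest).digest()
    return pcrs

def make_record(pcr, etype, data):
    """Build one record; the digest is SHA-1 of the event data (sample only)."""
    return RECORD.pack(pcr, etype, hashlib.sha1(data).digest(), len(data)) + data

# Constructed sample log, not taken from any real machine.
SAMPLE_LOG = (
    make_record(0, EV_NO_ACTION, b"constructed header event")
    + make_record(4, 0x80000003, b"constructed first-stage loader")
    + make_record(4, 0x80000003, b"constructed second-stage loader")
)

if __name__ == "__main__":
    # With a path argument (read as root), parse the real log instead.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LOG
    events = parse_event_log(blob)
    print(f"{len(events)} events")
    for pcr, value in sorted(replay_pcrs(events).items()):
        print(f"PCR {pcr:2d}: {value.hex()}")
```

Replayed values that differ from the PCRs the TPM itself reports mean the log is incomplete or something was measured without being logged.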