
Drop tboot builderv2 #4

Merged
merged 3 commits into from
Oct 13, 2023

Conversation

krystian-hebel (Member)

No description provided.

krystian-hebel force-pushed the drop_tboot_builderv2 branch 23 times, most recently from de4811d to 6a8fa2c on October 9, 2023 20:58

miczyg1 commented Oct 10, 2023

It installed well without tboot. The only thing that doesn't work is the grub.cfg generation. It looks like grub2-mkconfig doesn't look at /etc/grub.d/19_linux_xen_trenchboot at all even though the file is there @krystian-hebel

krystian-hebel (Member Author) commented

> It looks like grub2-mkconfig doesn't look at /etc/grub.d/19_linux_xen_trenchboot at all even though the file is there

I guess it has to do with file permissions. I changed https://github.com/TrenchBoot/qubes-antievilmaid/pull/4/files#diff-178386e8f730612b1192d7523b609267412f90efe0feeebf30125657ce74b52dL67, it used to point to a non-existent file, and it is later used in a few chmod instructions.

miczyg1 commented Oct 10, 2023

@krystian-hebel also what doesn't work is the slaunch_module command. GRUB says that the slaunch_module command does not exist. I recall it has been dropped at some point. Can you confirm?

My GRUB menuentry:

menuentry 'TrenchBoot AEM Qubes, with Xen hypervisor' --class qubes --class gnu-linux --class gnu --class os --class xen $menuentry_id_option 'xen-gnulinux-simple-/dev/mapper/qubes_dom0-root' {
	insmod part_msdos
	insmod ext2
	set root='hd0,msdos1'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  621aa9eb-a008-43dd-b07e-70bf0f482beb
	else
	  search --no-floppy --fs-uuid --set=root 621aa9eb-a008-43dd-b07e-70bf0f482beb
	fi
	echo	'Slaunch ...'
	slaunch
	echo	'Loading Xen 4.17.2 ...'
        if [ "$grub_platform" = "pc" -o "$grub_platform" = "" ]; then
            xen_rm_opts=
        else
            xen_rm_opts="no-real-mode edd=off"
        fi
	insmod multiboot2
	multiboot2	/xen-4.17.2.gz placeholder  console=none dom0_mem=min:1024M dom0_mem=max:4096M ucode=scan smt=off gnttab_max_frames=2048 gnttab_max_maptrack_frames=4096 ${xen_rm_opts}
	echo	'Loading Linux 6.1.43-1.qubes.fc37.x86_64 ...'
	module2	/vmlinuz-6.1.43-1.qubes.fc37.x86_64 placeholder root=/dev/mapper/qubes_dom0-root ro rd.luks.uuid=luks-e8e8bdd1-ff6a-4053-85db-40ffe7cbc248 rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap plymouth.ignore-serial-consoles rd.net.dhcp.vendor-class=anaconda-Linux 6.1.43-1.qubes.fc37.x86_64 x86_64 rd.driver.pre=btrfs rhgb quiet usbcore.authorized_default=1 
	echo	'Loading initial ramdisk ...'
	insmod multiboot2
	module2	--nounzip   /initramfs-6.1.43-1.qubes.fc37.x86_64.img
	echo	'Loading slaunch module SKL_KBL_AML_SINIT_20211019_PRODUCTION_REL_NT_O1_1.10.0.bin ...'
	slaunch_module	/SKL_KBL_AML_SINIT_20211019_PRODUCTION_REL_NT_O1_1.10.0.bin
}

miczyg1 commented Oct 10, 2023

> It looks like grub2-mkconfig doesn't look at /etc/grub.d/19_linux_xen_trenchboot at all even though the file is there

> I guess it has to do with file permissions. I changed https://github.com/TrenchBoot/qubes-antievilmaid/pull/4/files#diff-178386e8f730612b1192d7523b609267412f90efe0feeebf30125657ce74b52dL67, it used to point to a non-existent file, and it is later used in a few chmod instructions.

When I look at the code before the changes, we had:
/etc/grub.d/19_linux_xen_tboot and
%define tboot_grub /etc/grub.d/20_linux_tboot /etc/grub.d/20_linux_xen_tboot

Why does one have 19 and the others 20? I guess those with 20 come from tboot. Maybe this is related?

/etc/grub.d/19_linux_xen_tboot has 644 permissions, unlike the others, which have 755

krystian-hebel (Member Author) commented

> It looks like grub2-mkconfig doesn't look at /etc/grub.d/19_linux_xen_trenchboot at all even though the file is there

> I guess it has to do with file permissions. I changed https://github.com/TrenchBoot/qubes-antievilmaid/pull/4/files#diff-178386e8f730612b1192d7523b609267412f90efe0feeebf30125657ce74b52dL67, it used to point to a non-existent file, and it is later used in a few chmod instructions.

> When I look at the code before the changes, we had: /etc/grub.d/19_linux_xen_tboot and %define tboot_grub /etc/grub.d/20_linux_tboot /etc/grub.d/20_linux_xen_tboot

> Why does one have 19 and the others 20? I guess those with 20 come from tboot. Maybe this is related?

Exactly my point. There is no file with 20_ in any of those repositories as far as I can see. I'll debug it further after I'm done with CI.

slaunch_module is a valid command, it worked for me, however I built GRUB locally instead of using the package from CI. Does it complain about slaunch as well?

miczyg1 commented Oct 10, 2023

> Exactly my point. There is no file with 20_ in any of those repositories as far as I can see. I'll debug it further after I'm done with CI.

GRUB has file with 20:

rpm -ql grub2-tools-2.06-2.fc37.x86_64.rpm
/etc/default/grub
/etc/grub.d/00_header
/etc/grub.d/01_users
/etc/grub.d/08_fallback_counting
/etc/grub.d/10_linux
/etc/grub.d/10_reset_boot_success
/etc/grub.d/12_menu_auto_hide
/etc/grub.d/14_menu_show_once
/etc/grub.d/20_linux_xen
/etc/grub.d/30_os-prober
/etc/grub.d/30_uefi-firmware
/etc/grub.d/40_custom
/etc/grub.d/41_custom

> slaunch_module is a valid command, it worked for me, however I built GRUB locally instead of using the package from CI. Does it complain about slaunch as well?

Only on slaunch_module from what I have noticed. Actually on both... So most likely slaunch is not present in the module, I will have to check

miczyg1 commented Oct 10, 2023

OK, it seems the packages refuse to be installed because the same or a newer version is currently installed. grub2-pc-modules-2.06-2.fc37.noarch.rpm has the slaunch GRUB mod inside. dnf reinstall to the rescue

miczyg1 commented Oct 10, 2023

> OK, it seems the packages refuse to be installed because the same or a newer version is currently installed. grub2-pc-modules-2.06-2.fc37.noarch.rpm has the slaunch GRUB mod inside. dnf reinstall to the rescue

Even if I reinstall the package the modules are only placed in /usr/lib/grub/i386-pc. They are not installed to /boot/grub2/i386-pc automatically along with the RPM. I had to manually run grub2-install /dev/sda and only then the launch module appeared. Maybe this is intentional, not sure.

miczyg1 commented Oct 10, 2023

Difference in the boot process I noticed is that right now with TPM2.0 there is no prompt for SRK password. @krystian-hebel is that correct?

krystian-hebel (Member Author) commented

> Difference in the boot process I noticed is that right now with TPM2.0 there is no prompt for SRK password. @krystian-hebel is that correct?

Have you installed AEM as per https://github.com/QubesOS/qubes-antievilmaid/blob/main/README#L114? There are some steps to be done after the RPM package is installed.

(review comment on anti-evil-maid.spec.in, marked outdated and resolved)

krystian-hebel force-pushed the drop_tboot_builderv2 branch 3 times, most recently from 236902e to 72b1448 on October 10, 2023 16:23

miczyg1 commented Oct 11, 2023

> Difference in the boot process I noticed is that right now with TPM2.0 there is no prompt for SRK password. @krystian-hebel is that correct?

> Have you installed AEM as per https://github.com/QubesOS/qubes-antievilmaid/blob/main/README#L114? There are some steps to be done after the RPM package is installed.

I have used anti-evil-maid-tpm-setup -z, my bad I guess... I should have omitted the -z to set up SRK

krystian-hebel mentioned this pull request Oct 11, 2023

miczyg1 commented Oct 12, 2023

@krystian-hebel when can I hope for the discussions to be addressed?

krystian-hebel (Member Author) commented

@miczyg1 today, I hope. I need to check why it even worked with tboot in the first place.

miczyg1 commented Oct 12, 2023

> Difference in the boot process I noticed is that right now with TPM2.0 there is no prompt for SRK password. @krystian-hebel is that correct?

> Have you installed AEM as per https://github.com/QubesOS/qubes-antievilmaid/blob/main/README#L114? There are some steps to be done after the RPM package is installed.

> I have used anti-evil-maid-tpm-setup -z, my bad I guess... I should have omitted the -z to set up SRK

Confirmed, the -z parameter has to be omitted to set up the SRK password.

miczyg1 commented Oct 12, 2023

> OK, it seems the packages refuse to be installed because the same or a newer version is currently installed. grub2-pc-modules-2.06-2.fc37.noarch.rpm has the slaunch GRUB mod inside. dnf reinstall to the rescue

> Even if I reinstall the package the modules are only placed in /usr/lib/grub/i386-pc. They are not installed to /boot/grub2/i386-pc automatically along with the RPM. I had to manually run grub2-install /dev/sda and only then the launch module appeared. Maybe this is intentional, not sure.

Changing the order of the packages passed to the dnf command doesn't help. Actually dnf seems to resolve dependencies across packages and always reorders them the same way. Still, slaunch.mod does not get installed

Neither TBoot nor TrenchBoot extend PCR19, which resulted in failure
in sanity check.

Signed-off-by: Krystian Hebel <[email protected]>
krystian-hebel (Member Author) commented

> I had to manually run grub2-install /dev/sda and only then the launch module appeared. Maybe this is intentional, not sure.

It seems that legacy boot was not tested when UEFI was developed. There are no calls to grub2-install invoked during RPM installation as far as I can tell. I guess we have to live with doing it manually...

In any case, I modified RPM spec here to hopefully properly call grub2-mkconfig after installation, you can test it as soon as CI finishes building.
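The two install-time pitfalls raised in this thread, a grub.d script that is present but not executable (the 644 vs 755 question above) and GRUB modules that land in /usr/lib/grub/i386-pc but never reach /boot/grub2/i386-pc until grub2-install is re-run, can both be caught before reboot with a small audit script. This is an added example, not code from this PR or from qubes-antievilmaid; it assumes, as upstream grub-mkconfig behaves, that only regular executable files in the grub.d directory are run and that editor backups ("*~", "#name#") are ignored, and it takes directory paths as arguments so it can be run against any tree.

```shell
#!/bin/sh
# Added example (not part of this PR or qubes-antievilmaid): audit the two
# install-time failures discussed in the thread.
#  1. grub2-mkconfig silently skips a grub.d script that is not executable,
#     so a 19_linux_xen_trenchboot with mode 644 never reaches grub.cfg.
#  2. Updating the grub2 modules RPM only refreshes /usr/lib/grub/<platform>;
#     until grub2-install is re-run, /boot/grub2/<platform> lacks slaunch.mod.
# Assumption: like upstream grub-mkconfig, only regular executable files are
# run and editor backups ("*~", "#name#") are ignored.

# List grub.d scripts that would be skipped; returns 1 if any were found.
grub_d_skipped() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # empty directory: glob stays literal
        case "$f" in
            *~|*/\#*\#) continue ;;        # editor backups, skipped by design
        esac
        if [ -f "$f" ] && [ ! -x "$f" ]; then
            echo "skipped (not executable): $f"
            rc=1
        fi
    done
    return $rc
}

# List modules present in the package directory but absent from the boot
# directory; returns 1 if any are missing.
missing_mods() {
    pkg=$1
    boot=$2
    rc=0
    for m in "$pkg"/*.mod; do
        [ -e "$m" ] || continue
        name=$(basename "$m")
        if [ ! -e "$boot/$name" ]; then
            echo "missing in $boot: $name"
            rc=1
        fi
    done
    return $rc
}

# Typical invocation on a legacy-boot Qubes dom0 (paths as used in the thread):
#   grub_d_skipped /etc/grub.d
#   missing_mods /usr/lib/grub/i386-pc /boot/grub2/i386-pc
```

A non-zero exit from either function means grub.cfg or the installed core will not match what the RPM shipped; fixing the mode (chmod 755) or re-running grub2-install and then grub2-mkconfig resolves the respective case.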

krystian-hebel marked this pull request as ready for review October 12, 2023 14:39

krystian-hebel (Member Author) commented

Doesn't seem to work 😦 debugging...

While Intel names ACMs more or less consequently, users sometimes
rename those files, especially since those names have to be manually
written into dom0 shell to copy them from another VM.

Signed-off-by: Krystian Hebel <[email protected]>
krystian-hebel (Member Author) commented

Strange, grub.cfg wasn't updated after first install, but all following ones worked properly. They are updated also after anti-evil-maid-install so I think this isn't blocking.

miczyg1 commented Oct 13, 2023

> Strange, grub.cfg wasn't updated after first install, but all following ones worked properly. They are updated also after anti-evil-maid-install so I think this isn't blocking.

Yes, anti-evil-maid-install does grub2-mkconfig so we should be alright. One has to remember to perform grub2-install before installing AEM. That's it.

miczyg1 merged commit 0eba092 into main Oct 13, 2023
1 check passed
miczyg1 deleted the drop_tboot_builderv2 branch October 13, 2023 09:56