
TPM2 support #893

Closed
wants to merge 3 commits into from

Conversation

osresearch
Collaborator

@osresearch osresearch commented Nov 5, 2020

This is very preliminary support for the tpm2-tools linked against musl and running in the initrd. This brings in some heavy-weight dependencies, like openssl, so it requires a large flash to put into firmware. Temporarily I've disabled a few features in the coreboot-qemu config to make it fit, although my plan is to use the Heads kernel and initrd as a UEFI or PXE bootloader as part of https://safeboot.dev, which doesn't have the same size restrictions.

I also added code to the qemu make run target that sets up an emulated tpm2 for testing against, which might be a useful example for other targets as well.

@tlaurion
Collaborator

tlaurion commented Nov 6, 2020

@osresearch why not simply make romsize bigger instead of deactivating tools?

@tlaurion
Collaborator

tlaurion commented Nov 6, 2020

@osresearch : please apply the following patch for CI to build safeboot on top of master

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 06800a3..2bade75 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -240,6 +240,26 @@ jobs:
       - store-artifacts:
           path: build/qemu-coreboot
 
+      - run:
+          name: safeboot
+          command: |
+            rm -rf build/safeboot/* build/log/* && make CPUS=4 V=1 BOARD=safeboot || touch /tmp/failed_build
+          no_output_timeout: 3h
+      - run:
+          name: Output build failing logs
+          command: |
+            if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi
+      - run:
+          name: Output safeboot hashes
+          command: |
+             cat build/safeboot/hashes.txt \
+      - run:
+          name: Archiving build logs for safeboot
+          command: |
+             tar zcvf build/safeboot/logs.tar.gz build/log/*
+      - store-artifacts:
+          path: build/safeboot
+
       - run:
           name: qemu-coreboot-fbwhiptail
           command: |


Collaborator

@tlaurion tlaurion left a comment

Small change required.

@osresearch
Collaborator Author

osresearch commented Nov 6, 2020

I'm not sure how 55a147d ended up in this patch series. Possibly a messed up rebase on my part. Fixed with a rebase.

I'm also working on untangling the mess that I made in boards/qemu-coreboot/qemu-coreboot.config and initrd/init since they end up where they started. Squashed a bunch of commits and the changes are no longer in the timeline.

At this point it boots under coreboot or OVMF and is able to perform a remote attestation to a remote server using tpm2-attest from the safeboot tree. I need to test serving it via PXE, which is the end goal.

@osresearch
Collaborator Author

I'll need to rebase and sign all of the commits when I'm back at a machine with my key. Didn't bring the hardware token with me this week.

@tlaurion
Collaborator

tlaurion commented Nov 9, 2020

@osresearch CI build fails

Unpacked and patched ... ok
Building packages ...
Skipping IASL v20180531 for host as it is already built
Packages built ... ok
Copied EDK2 tools template ... ok
Cleaning up temporary files... ok

You can now run IASL ACPI compiler from /root/project/build/coreboot-4.8.1/util/crossgcc/xgcc.
make[1]: Leaving directory '/root/project/build/coreboot-4.8.1'
2020-11-06 22:13:39+00:00 CONFIG coreboot
mkdir -p /root/project/build/coreboot-4.8.1/safeboot && cp /root/project/config/coreboot-qemu.config /root/project/build/coreboot-4.8.1/safeboot/.config && echo 'CONFIG_LOCALVERSION=Heads-v0.2.0-954-g03de89e' >> /root/project/build/coreboot-4.8.1/safeboot/.config && echo 'CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME=safeboot' >> /root/project/build/coreboot-4.8.1/safeboot/.config && make olddefconfig -C /root/project/build/coreboot-4.8.1 obj=/root/project/build/coreboot-4.8.1/safeboot DOTCONFIG=/root/project/build/coreboot-4.8.1/safeboot/.config BUILD_TIMELESS=1 CFLAGS_x86_32=-fdebug-prefix-map=/root/project=heads -gno-record-gcc-switches -Wno-error=packed-not-aligned CFLAGS_x86_64=-fdebug-prefix-map=/root/project=heads -gno-record-gcc-switches -Wno-error=packed-not-aligned 
make[1]: Entering directory '/root/project/build/coreboot-4.8.1'
gcc -g -I/root/project/build/coreboot-4.8.1/util/kconfig -Isafeboot/util/kconfig -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=600 -DCURSES_LOC="<ncurses.h>" -DNCURSES_WIDECHAR=1 -DLOCALE  -c -o safeboot/util/kconfig/conf.o /root/project/build/coreboot-4.8.1/util/kconfig/conf.c
cp /root/project/build/coreboot-4.8.1/util/kconfig/zconf.tab.c_shipped safeboot/util/kconfig/zconf.tab.c
cp /root/project/build/coreboot-4.8.1/util/kconfig/zconf.lex.c_shipped safeboot/util/kconfig/zconf.lex.c
cp /root/project/build/coreboot-4.8.1/util/kconfig/zconf.hash.c_shipped safeboot/util/kconfig/zconf.hash.c
gcc -g -I/root/project/build/coreboot-4.8.1/util/kconfig -Isafeboot/util/kconfig -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=600 -DCURSES_LOC="<ncurses.h>" -DNCURSES_WIDECHAR=1 -DLOCALE  -c -o safeboot/util/kconfig/zconf.tab.o safeboot/util/kconfig/zconf.tab.c
gcc -g -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=600 -DCURSES_LOC="<ncurses.h>" -DNCURSES_WIDECHAR=1 -DLOCALE  -o safeboot/util/kconfig/conf safeboot/util/kconfig/conf.o safeboot/util/kconfig/zconf.tab.o
safeboot/util/kconfig/conf --olddefconfig src/Kconfig
/root/project/build/coreboot-4.8.1/safeboot/.config:21:notice: override: reassigning to symbol MAINBOARD_SMBIOS_PRODUCT_NAME
#
# configuration written to /root/project/build/coreboot-4.8.1/safeboot/.config
#
make[1]: Leaving directory '/root/project/build/coreboot-4.8.1'
2020-11-06 22:13:39+00:00 CONFIG linux
mkdir -p /root/project/build/linux-5.4.69/linux-safeboot && cp /root/project/config/linux-safeboot.config /root/project/build/linux-5.4.69/linux-safeboot/.config && make -C .. CROSS_COMPILE=/root/project/crossgcc/bin/x86_64-linux-musl- O=/root/project/build/linux-5.4.69/linux-safeboot olddefconfig 
make[1]: Entering directory '/root/project/build/linux-5.4.69'
make -C /root/project/build/linux-5.4.69/linux-safeboot -f /root/project/build/linux-5.4.69/Makefile olddefconfig
make[2]: Entering directory '/root/project/build/linux-5.4.69/linux-safeboot'
if [ -f ../.config -o \
	 -d ../include/config -o \
	 -d ../arch/x86/include/generated ]; then \
	echo >&2 "***"; \
	echo >&2 "*** The source tree is not clean, please run 'make mrproper'"; \
	echo >&2 "*** in /root/project/build/linux-5.4.69";\
	echo >&2 "***"; \
	false; \
fi
ln -fsn .. source
sh ../scripts/mkmakefile ..
  GEN     Makefile
test -e .gitignore || \
{ echo "# this is build directory, ignore it"; echo "*"; } > .gitignore
make -f ../scripts/Makefile.build obj=scripts/basic
  gcc -Wp,-MD,scripts/basic/.fixdep.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89       -I ./scripts/basic   -o scripts/basic/fixdep ../scripts/basic/fixdep.c   
rm -f .tmp_quiet_recordmcount
make -f ../scripts/Makefile.build obj=scripts/kconfig olddefconfig
  gcc -Wp,-MD,scripts/kconfig/.conf.o.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89       -I ./scripts/kconfig -c -o scripts/kconfig/conf.o ../scripts/kconfig/conf.c
  gcc -Wp,-MD,scripts/kconfig/.confdata.o.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89       -I ./scripts/kconfig -c -o scripts/kconfig/confdata.o ../scripts/kconfig/confdata.c
  gcc -Wp,-MD,scripts/kconfig/.expr.o.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89       -I ./scripts/kconfig -c -o scripts/kconfig/expr.o ../scripts/kconfig/expr.c
  flex -oscripts/kconfig/lexer.lex.c -L ../scripts/kconfig/lexer.l
  bison -o scripts/kconfig/parser.tab.c --defines=scripts/kconfig/parser.tab.h -t -l ../scripts/kconfig/parser.y
  gcc -Wp,-MD,scripts/kconfig/.lexer.lex.o.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89      -I ../scripts/kconfig -I ./scripts/kconfig -c -o scripts/kconfig/lexer.lex.o scripts/kconfig/lexer.lex.c
  gcc -Wp,-MD,scripts/kconfig/.parser.tab.o.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89      -I ../scripts/kconfig -I ./scripts/kconfig -c -o scripts/kconfig/parser.tab.o scripts/kconfig/parser.tab.c
  gcc -Wp,-MD,scripts/kconfig/.preprocess.o.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89       -I ./scripts/kconfig -c -o scripts/kconfig/preprocess.o ../scripts/kconfig/preprocess.c
  gcc -Wp,-MD,scripts/kconfig/.symbol.o.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89       -I ./scripts/kconfig -c -o scripts/kconfig/symbol.o ../scripts/kconfig/symbol.c
  gcc   -o scripts/kconfig/conf scripts/kconfig/conf.o scripts/kconfig/confdata.o scripts/kconfig/expr.o scripts/kconfig/lexer.lex.o scripts/kconfig/parser.tab.o scripts/kconfig/preprocess.o scripts/kconfig/symbol.o   
scripts/kconfig/conf  --olddefconfig Kconfig
#
# configuration written to .config
#
make[2]: Leaving directory '/root/project/build/linux-5.4.69/linux-safeboot'
make[1]: Leaving directory '/root/project/build/linux-5.4.69'
2020-11-06 22:13:42+00:00 MAKE linux
make -C "/root/project/build/linux-5.4.69/linux-safeboot" O=/root/project/build/linux-5.4.69/linux-safeboot CROSS_COMPILE=/root/project/crossgcc/bin/x86_64-linux-musl- AFLAGS_KERNEL=-fdebug-prefix-map=/root/project=heads -gno-record-gcc-switches CFLAGS_KERNEL=-fdebug-prefix-map=/root/project=heads -gno-record-gcc-switches CFLAGS_MODULE=-fdebug-prefix-map=/root/project=heads -gno-record-gcc-switches KBUILD_BUILD_USER=linux-safeboot.config KBUILD_BUILD_HOST=linuxboot KBUILD_BUILD_TIMESTAMP=1970-00-00 KBUILD_BUILD_VERSION=0  
make[1]: Entering directory '/root/project/build/linux-5.4.69/linux-safeboot'
make -C /root/project/build/linux-5.4.69/linux-safeboot -f /root/project/build/linux-5.4.69/Makefile 
if [ -f ../.config -o \
	 -d ../include/config -o \
	 -d ../arch/x86/include/generated ]; then \
	echo >&2 "***"; \
	echo >&2 "*** The source tree is not clean, please run 'make mrproper'"; \
	echo >&2 "*** in /root/project/build/linux-5.4.69";\
	echo >&2 "***"; \
	false; \
fi
ln -fsn .. source
sh ../scripts/mkmakefile ..
  GEN     Makefile
test -e .gitignore || \
{ echo "# this is build directory, ignore it"; echo "*"; } > .gitignore
make -f ../scripts/Makefile.build obj=arch/x86/entry/syscalls all
  sh '../arch/x86/entry/syscalls/syscalltbl.sh' ../arch/x86/entry/syscalls/syscall_32.tbl arch/x86/include/generated/asm/syscalls_32.h
  sh '../arch/x86/entry/syscalls/syscallhdr.sh' '../arch/x86/entry/syscalls/syscall_32.tbl' 'arch/x86/include/generated/asm/unistd_32_ia32.h' 'i386' 'ia32_' ''
  sh '../arch/x86/entry/syscalls/syscallhdr.sh' '../arch/x86/entry/syscalls/syscall_64.tbl' 'arch/x86/include/generated/asm/unistd_64_x32.h' 'x32' 'x32_' ''
  sh '../arch/x86/entry/syscalls/syscalltbl.sh' ../arch/x86/entry/syscalls/syscall_64.tbl arch/x86/include/generated/asm/syscalls_64.h
  sh '../arch/x86/entry/syscalls/syscallhdr.sh' '../arch/x86/entry/syscalls/syscall_32.tbl' 'arch/x86/include/generated/uapi/asm/unistd_32.h' 'i386' '' ''
  sh '../arch/x86/entry/syscalls/syscallhdr.sh' '../arch/x86/entry/syscalls/syscall_64.tbl' 'arch/x86/include/generated/uapi/asm/unistd_64.h' 'common,64' '' ''
  sh '../arch/x86/entry/syscalls/syscallhdr.sh' '../arch/x86/entry/syscalls/syscall_64.tbl' 'arch/x86/include/generated/uapi/asm/unistd_x32.h' 'common,x32' '' '__X32_SYSCALL_BIT'
make -f ../scripts/Makefile.build obj=scripts/basic
rm -f .tmp_quiet_recordmcount
make -f ../scripts/Makefile.build obj=arch/x86/tools relocs
  gcc -Wp,-MD,arch/x86/tools/.relocs_32.o.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include  -I ./arch/x86/tools -c -o arch/x86/tools/relocs_32.o ../arch/x86/tools/relocs_32.c
  gcc -Wp,-MD,arch/x86/tools/.relocs_64.o.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include  -I ./arch/x86/tools -c -o arch/x86/tools/relocs_64.o ../arch/x86/tools/relocs_64.c
  gcc -Wp,-MD,arch/x86/tools/.relocs_common.o.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include  -I ./arch/x86/tools -c -o arch/x86/tools/relocs_common.o ../arch/x86/tools/relocs_common.c
  gcc   -o arch/x86/tools/relocs arch/x86/tools/relocs_32.o arch/x86/tools/relocs_64.o arch/x86/tools/relocs_common.o   
make -f ../scripts/Makefile.build obj=scripts/dtc
make -f ../scripts/Makefile.build obj=scripts
  gcc -Wp,-MD,scripts/.bin2c.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include  -I ./scripts   -o scripts/bin2c ../scripts/bin2c.c   
  gcc -Wp,-MD,scripts/.kallsyms.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include  -I ./scripts   -o scripts/kallsyms ../scripts/kallsyms.c   
  gcc -Wp,-MD,scripts/.conmakehash.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include  -I ./scripts   -o scripts/conmakehash ../scripts/conmakehash.c   
  gcc -Wp,-MD,scripts/.sortextable.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include -I../tools/include -I ./scripts   -o scripts/sortextable ../scripts/sortextable.c   
  gcc -Wp,-MD,scripts/.asn1_compiler.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include -I../include -I ./scripts   -o scripts/asn1_compiler ../scripts/asn1_compiler.c   
  gcc -Wp,-MD,scripts/.sign-file.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include  -I ./scripts   -o scripts/sign-file ../scripts/sign-file.c   -lcrypto
../scripts/sign-file.c:25:10: fatal error: openssl/opensslv.h: No such file or directory
 #include <openssl/opensslv.h>
          ^~~~~~~~~~~~~~~~~~~~
compilation terminated.
make[3]: *** [scripts/Makefile.host:107: scripts/sign-file] Error 1
make[2]: *** [/root/project/build/linux-5.4.69/Makefile:1123: scripts] Error 2
make[1]: *** [../Makefile:179: sub-make] Error 2
make[1]: Leaving directory '/root/project/build/linux-5.4.69/linux-safeboot'
tail /root/project/build/log/linux.log
-----
  gcc -Wp,-MD,arch/x86/tools/.relocs_32.o.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include  -I ./arch/x86/tools -c -o arch/x86/tools/relocs_32.o ../arch/x86/tools/relocs_32.c
  gcc -Wp,-MD,arch/x86/tools/.relocs_64.o.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include  -I ./arch/x86/tools -c -o arch/x86/tools/relocs_64.o ../arch/x86/tools/relocs_64.c
  gcc -Wp,-MD,arch/x86/tools/.relocs_common.o.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include  -I ./arch/x86/tools -c -o arch/x86/tools/relocs_common.o ../arch/x86/tools/relocs_common.c
  gcc   -o arch/x86/tools/relocs arch/x86/tools/relocs_32.o arch/x86/tools/relocs_64.o arch/x86/tools/relocs_common.o   
make -f ../scripts/Makefile.build obj=scripts/dtc
make -f ../scripts/Makefile.build obj=scripts
  gcc -Wp,-MD,scripts/.bin2c.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include  -I ./scripts   -o scripts/bin2c ../scripts/bin2c.c   
  gcc -Wp,-MD,scripts/.kallsyms.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include  -I ./scripts   -o scripts/kallsyms ../scripts/kallsyms.c   
  gcc -Wp,-MD,scripts/.conmakehash.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include  -I ./scripts   -o scripts/conmakehash ../scripts/conmakehash.c   
  gcc -Wp,-MD,scripts/.sortextable.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include -I../tools/include -I ./scripts   -o scripts/sortextable ../scripts/sortextable.c   
  gcc -Wp,-MD,scripts/.asn1_compiler.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include -I../include -I ./scripts   -o scripts/asn1_compiler ../scripts/asn1_compiler.c   
  gcc -Wp,-MD,scripts/.sign-file.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89     -I../tools/include  -I ./scripts   -o scripts/sign-file ../scripts/sign-file.c   -lcrypto
../scripts/sign-file.c:25:10: fatal error: openssl/opensslv.h: No such file or directory
 #include <openssl/opensslv.h>
          ^~~~~~~~~~~~~~~~~~~~
compilation terminated.
make[3]: *** [scripts/Makefile.host:107: scripts/sign-file] Error 1
make[2]: *** [/root/project/build/linux-5.4.69/Makefile:1123: scripts] Error 2
make[1]: *** [../Makefile:179: sub-make] Error 2
make[1]: Leaving directory '/root/project/build/linux-5.4.69/linux-safeboot'
make: *** [Makefile:442: /root/project/build/linux-5.4.69/linux-safeboot/.build] Error 1

CircleCI received exit code 0

@osresearch
Collaborator Author

Ah, sbsigntool requires host openssl devel package (used to sign the unified hypervisor + kernel + initrd + command line). It isn't necessary yet in the build process since I don't have an automated qemu OVMF key registration working right now.

tlaurion added a commit to tlaurion/heads that referenced this pull request Nov 9, 2020
@tlaurion
Collaborator

@osresearch

if [ -d patches/tpm2-tools ] && [ -r patches/tpm2-tools ] ; then for patch in patches/tpm2-tools/*.patch ; do echo "Applying patch file : $patch " ; ( cd /root/project/build/tpm2-tools-78a7681 ; patch -p1 ) < $patch || exit 1 ; done ; fi
2020-11-09 21:50:48+00:00 CONFIG tpm2-tools
./bootstrap && ./configure CC=/root/project/crossgcc/bin/x86_64-linux-musl-gcc -fdebug-prefix-map=/root/project=heads -gno-record-gcc-switches -D__MUSL__ -I/root/project/install/include -L/root/project/install/lib  AR=/root/project/crossgcc/bin/x86_64-linux-musl-ar LD=/root/project/crossgcc/bin/x86_64-linux-musl-ld STRIP=/root/project/crossgcc/bin/x86_64-linux-musl-strip NM=/root/project/crossgcc/bin/x86_64-linux-musl-nm OBJCOPY=/root/project/crossgcc/bin/x86_64-linux-musl-objcopy OBJDUMP=/root/project/crossgcc/bin/x86_64-linux-musl-objdump PKG_CONFIG_PATH=/root/project/install/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=/root/project/install  AWK=/root/project/build/gawk-4.2.1/gawk  --host i386-elf-linux --prefix / TSS2_ESYS_3_0_CFLAGS=-I/root/project/install/include TSS2_ESYS_3_0_LIBS=-ltss2-esys 
Generating file lists: src_vars.mk
aclocal: installing 'm4/libtool.m4' from '/usr/share/aclocal/libtool.m4'
aclocal: installing 'm4/ltoptions.m4' from '/usr/share/aclocal/ltoptions.m4'
aclocal: installing 'm4/ltsugar.m4' from '/usr/share/aclocal/ltsugar.m4'
aclocal: installing 'm4/ltversion.m4' from '/usr/share/aclocal/ltversion.m4'
aclocal: installing 'm4/lt~obsolete.m4' from '/usr/share/aclocal/lt~obsolete.m4'
aclocal: installing 'm4/pkg.m4' from '/usr/share/aclocal/pkg.m4'
libtoolize: putting auxiliary files in '.'.
libtoolize: linking file './ltmain.sh'
configure.ac:40: error: possibly undefined macro: AC_MSG_ERROR
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1
make: *** [Makefile:442: /root/project/build/tpm2-tools-78a7681/.configured] Error 1

tlaurion added a commit to tlaurion/heads that referenced this pull request Nov 15, 2020
@tlaurion tlaurion mentioned this pull request Nov 15, 2020
config/coreboot-qemu.config (review thread, outdated)
@tlaurion
Collaborator

tlaurion commented Nov 21, 2020

@osresearch Unfortunately, most of the boards with a faked IFD, where the Heads coreboot config doesn't take advantage of the ME-freed space, won't be able to integrate cryptsetup 2.3 unless #590, #703 or similar approaches to use me_cleaner's freed space (with the generated GBE and IFD, and the BIOS region enlarged by the neutered ME regions) are adopted:

CircleCI output extract:

t430/util/cbfstool/cbfstool t430/coreboot.pre.tmp add-payload -f ../../build/t430/bzImage -n fallback/payload  -c none  -r COREBOOT   -C "intel_iommu=igfx_off quiet" -I "../../build/t430/initrd.cpio.xz"
E: Could not add [../../build/t430/bzImage, 7120836 bytes (6953 KB)@0x0]; too big?
E: Failed to add '../../build/t430/bzImage' into ROM image.
E: Failed while operating on 'COREBOOT' region!
E: The image will be left unmodified.
make[1]: *** [Makefile.inc:920: t430/coreboot.pre] Error 1
rm t430/util/cbfstool/fmd_scanner.c t430/util/cbfstool/fmd_parser.c
make[1]: Leaving directory '/root/project/build/coreboot-4.8.1'
make: *** [Makefile:442: /root/project/build/coreboot-4.8.1/t430/.build] Error 1

As a result, merging this would break x230, t430, x220, t420 and other boards with smaller SPI flash. Any other idea to squeeze additional space?

@osresearch
Collaborator Author

I need to split this into two separate PRs -- one for the tpm2 support (which also adds openssl), the second for the safeboot board config (which adds bash, cryptsetup2, etc). For the cryptsetup, it might be necessary to add a cryptsetup2 module that has the 2.2 support so that we don't run into the size issues. Boards that need the newer version can select it as a module, and the others can default to the older, smaller version.

@osresearch
Collaborator Author

I've edited this commit to only have the tpm2 module and ROM size increase in the PR. The safeboot config is now in the WIP #907

@tlaurion
Collaborator

@osresearch: it would be awesome if a board config with TPM2 were added in this PR, to see the host build requirement changes and that the build works. Something like qemu-coreboot-tpm2 would be awesome, with the changes needed to make `make BOARD=qemu-coreboot-tpm2 run` functional. I would then adjust this to duplicate the changes so we have a qemu-coreboot-tpm board, where the only missing step for testing in QEMU would be USB passthrough of the USB security dongle, to make testing in QEMU useful for devs.

This was referenced Nov 27, 2020
tlaurion added a commit to tlaurion/heads that referenced this pull request Dec 3, 2020
@MrChromebox
Contributor

hmm, so how much work are we talking to update tpmtotp to use a TPM 2.0, assuming it supports the functions necessary?

@osresearch
Collaborator Author

Right now I'm using a separate tpm2-totp program for safeboot, although I want to figure out how to directly allocate and use an HMAC key type so that there isn't the extra dependency (and more flexible PCR policies become possible).

TPM2 HMAC keys are neat in that the key never leaves the TPM - it performs the HMAC inside the hardware, so the TOTP secret can't be easily copied.
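As an added example (not code from this PR, from Heads, or from safeboot's tpm2-totp), the shell script below shows the split osresearch describes: the TOTP secret is imported once as a TPM2 HMAC key, the TPM computes the HMAC over the RFC 6238 time-step counter, and only the RFC 4226 dynamic truncation runs on the host, so the host never holds the secret. The tpm2-tools invocations (tpm2_import -G hmac, tpm2_hmac --hex), the persistent handle 0x81010001 and the context file names are assumptions to check against the tpm2-tools revision in the build; the truncation and counter helpers are self-contained and are checked against the RFC 4226 Appendix D vector when the script is run without arguments.

```shell
#!/bin/sh
# Added example, not code from this PR or from safeboot's tpm2-totp: keep the TOTP
# secret as a TPM2 HMAC key, let the TPM compute the HMAC, and do only the RFC 4226
# dynamic truncation on the host. tpm2-tools flags, the persistent handle 0x81010001
# and the file names are assumptions; check them against the tpm2-tools in the build.
set -eu

# RFC 4226 dynamic truncation over a hex-encoded HMAC-SHA1 digest (40 hex chars).
# Pure shell arithmetic: only the digest, never the key, is available to the host.
totp_from_hmac_hex() {
    hmac_hex=$1
    digits=${2:-6}
    offset=$(( 0x$(printf '%s' "$hmac_hex" | cut -c 40) ))   # low nibble of last byte
    start=$(( offset * 2 + 1 ))
    word=$(printf '%s' "$hmac_hex" | cut -c "${start}-$(( start + 7 ))")
    code=$(( 0x$word & 0x7fffffff ))                          # 31-bit dynamic binary code
    mod=1; i=0
    while [ "$i" -lt "$digits" ]; do mod=$(( mod * 10 )); i=$(( i + 1 )); done
    printf "%0${digits}d\n" $(( code % mod ))
}

# RFC 6238 time-step counter T = floor(t / step) as 16 hex digits (8-byte big-endian).
totp_counter_hex() {
    printf '%016x' $(( $1 / ${2:-30} ))
}

# Write the bytes of a hex string to stdout using POSIX printf octal escapes (no xxd).
hex_to_bin() {
    h=$1
    while [ -n "$h" ]; do
        b=$(printf '%s' "$h" | cut -c 1-2)
        h=$(printf '%s' "$h" | cut -c 3-)
        printf "\\$(printf '%03o' $(( 0x$b )))"
    done
}

# One-time provisioning (assumed tpm2-tools syntax): import the raw TOTP secret as an
# HMAC key under a primary in the owner hierarchy and persist it at 0x81010001. After
# this the secret file can be shredded; the TPM will only ever return HMAC outputs.
tpm_provision_totp_key() {
    secret_file=$1
    tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctx >/dev/null
    tpm2_import -C primary.ctx -G hmac -i "$secret_file" -u totp.pub -r totp.priv >/dev/null
    tpm2_load -C primary.ctx -u totp.pub -r totp.priv -c totp.ctx >/dev/null
    tpm2_evictcontrol -C o -c totp.ctx 0x81010001 >/dev/null
}

# Per-use: feed the current counter to the TPM-resident key; the host only truncates.
# Assumes this tpm2-tools' tpm2_hmac accepts -g sha1 and --hex (hex digest on stdout).
totp_now() {
    hex_to_bin "$(totp_counter_hex "$(date +%s)" 30)" \
        | tpm2_hmac -c 0x81010001 -g sha1 --hex \
        | { read -r digest; totp_from_hmac_hex "$digest" 6; }
}

# With no arguments, run the host-side self-check: the RFC 4226 Appendix D count-0
# digest must truncate to 755224. No TPM is needed for that path.
case "${1:-}" in
    provision) tpm_provision_totp_key "${2:?path to raw TOTP secret}" ;;
    now)       totp_now ;;
    *)         totp_from_hmac_hex cc93cf18508d94934c64b65d8ba7667fb7cde4b0 6 ;;
esac
```

The design point is in `totp_now`: the only thing that crosses from the TPM to the host is a 20-byte HMAC output for one counter value, which is exactly what would be shown on the screen anyway, so copying the initrd or dumping memory yields no long-term secret. Binding the key to a PCR policy at `tpm2_import`/`tpm2_create` time is the natural next step and changes nothing in the host-side truncation.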

@tlaurion
Collaborator

@osresearch the qemu-coreboot size was increased in the coreboot config, but no change or inclusion of the newly added modules was made in the board configuration file itself. Consequently, CI builds don't test the current changes of the PR.

@aesrentai

What's the status of this PR? I'm looking to port Heads to some System76 laptops in the (not so distant) future and TPM2 support is a hard requirement before then. Is there any work I could do also to test this PR?

tlaurion added a commit to tlaurion/heads that referenced this pull request May 10, 2021
@tlaurion
Collaborator

@osresearch @aesrentai
Tried to build with #893 and #907, adding the host libssl-dev dependency that was missing and building against cryptsetup2, which was merged.

Basically, adding on top of master:
https://github.com/tlaurion/heads/commit/631252a97ec687c68f6aa1be69ece526fc96dfd8.patch
https://github.com/tlaurion/heads/commit/b99974c3fe3797dd722351fa7dc3b6473ab156c6.patch
https://github.com/tlaurion/heads/commit/19eb164297e5f69178362d5cc439ef92c2340c2e.patch

As a result, https://app.circleci.com/pipelines/github/tlaurion/heads/730/workflows/6ef83293-142d-4028-8108-6df27e947a93/jobs/1023 failed:

#!/bin/bash -eo pipefail
rm -rf build/safeboot/* build/log/* && make CPUS=16 V=1 BOARD=safeboot || touch ./tmpDir/failed_build
[...]
2021-05-11 02:55:03+00:00 DONE tpm2-tss
touch /root/project/build/tpm2-tss-2.4.3/.build 
git clone https://github.com/tpm2-software/tpm2-tools.git "/root/project/build/tpm2-tools-78a7681"
Cloning into '/root/project/build/tpm2-tools-78a7681'...
Warning: Permanently added the RSA host key for IP address '140.82.113.4' to the list of known hosts.
remote: Enumerating objects: 27983, done.        
remote: Counting objects: 100% (563/563), done.        
remote: Compressing objects: 100% (193/193), done.        
remote: Total 27983 (delta 413), reused 448 (delta 368), pack-reused 27420        
Receiving objects: 100% (27983/27983), 8.80 MiB | 35.91 MiB/s, done.
Resolving deltas: 100% (22440/22440), done.
cd /root/project/build/tpm2-tools-78a7681 && git submodule update --init --checkout
if [ -r patches/tpm2-tools.patch ]; then ( cd /root/project/build/tpm2-tools-78a7681 ; patch -p1 ) < patches/tpm2-tools.patch || exit 1 ; fi
patching file Makefile.am
if [ -d patches/tpm2-tools ] && [ -r patches/tpm2-tools ] ; then for patch in patches/tpm2-tools/*.patch ; do echo "Applying patch file : $patch " ; ( cd /root/project/build/tpm2-tools-78a7681 ; patch -p1 ) < $patch || exit 1 ; done ; fi
2021-05-11 02:55:05+00:00 CONFIG tpm2-tools
./bootstrap && ./configure CC=/root/project/crossgcc/bin/x86_64-linux-musl-gcc -fdebug-prefix-map=/root/project=heads -gno-record-gcc-switches -D__MUSL__ -isystem /root/project/install/include -L/root/project/install/lib  AR=/root/project/crossgcc/bin/x86_64-linux-musl-ar LD=/root/project/crossgcc/bin/x86_64-linux-musl-ld STRIP=/root/project/crossgcc/bin/x86_64-linux-musl-strip NM=/root/project/crossgcc/bin/x86_64-linux-musl-nm OBJCOPY=/root/project/crossgcc/bin/x86_64-linux-musl-objcopy OBJDUMP=/root/project/crossgcc/bin/x86_64-linux-musl-objdump PKG_CONFIG_PATH=/root/project/install/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=/root/project/install  AWK=/root/project/build/gawk-4.2.1/gawk  --host i386-elf-linux --prefix / TSS2_ESYS_3_0_CFLAGS=-I/root/project/install/include TSS2_ESYS_3_0_LIBS=-ltss2-esys 
Generating file lists: src_vars.mk
aclocal: installing 'm4/libtool.m4' from '/usr/share/aclocal/libtool.m4'
aclocal: installing 'm4/ltoptions.m4' from '/usr/share/aclocal/ltoptions.m4'
aclocal: installing 'm4/ltsugar.m4' from '/usr/share/aclocal/ltsugar.m4'
aclocal: installing 'm4/ltversion.m4' from '/usr/share/aclocal/ltversion.m4'
aclocal: installing 'm4/lt~obsolete.m4' from '/usr/share/aclocal/lt~obsolete.m4'
aclocal: installing 'm4/pkg.m4' from '/usr/share/aclocal/pkg.m4'
libtoolize: putting auxiliary files in '.'.
libtoolize: linking file './ltmain.sh'
configure.ac:40: error: possibly undefined macro: AC_MSG_ERROR
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1
make: *** [Makefile:442: /root/project/build/tpm2-tools-78a7681/.configured] Error 1

CircleCI received exit code 0

@aesrentai

aesrentai commented Jul 4, 2021

@tlaurion @osresearch tpm-tss has another build dependency, autoconf-archive. I applied those exact patches and recreated the error, and installing autoconf-archive on my debian 10 system fixes that error. I'm working on this right now and I'll post my results if/when I hit an error that isn't a simple dependency issue or the build works.

Edit: I've probably hit 20+ build dependency issues, even though this box has all the build dependencies listed on the website. If I have time I may try to dockerize this because this is getting annoying.

Edit 2:

Intel ACPI Component Architecture
ASL+ Optimizing Compiler/Disassembler version 20180531
Copyright (c) 2000 - 2018 Intel Corporation

coreboot toolchain v1.52 June 11th, 2018
ASL Input:     dsdt.aml - 442 lines, 23730 bytes, 342 keywords
AML Output:    dsdt.aml - 6952 bytes, 226 named objects, 116 executable opcodes

Compilation complete. 0 Errors, 0 Warnings, 0 Remarks, 432 Optimizations
if [ -z "$(/home/user/heads/build/coreboot-4.8.1/util/crossgcc/xgcc/bin/iasl -d safeboot/dsdt.aml 2>&1 | grep 'ACPI Warning')" ]; then echo "    IASL       safeboot/dsdt.aml disassembled correctly."; true; else echo "Error: Could not correctly disassemble safeboot/dsdt.aml"; /home/user/heads/build/coreboot-4.8.1/util/crossgcc/xgcc/bin/iasl -d safeboot/dsdt.aml; false; fi
    IASL       safeboot/dsdt.aml disassembled correctly.
make[1]: *** No rule to make target '../../build/qemu-coreboot/bzImage', needed by 'safeboot/coreboot.pre'.  Stop.
rm safeboot/util/cbfstool/fmd_parser.c safeboot/util/cbfstool/fmd_scanner.c
make[1]: Leaving directory '/home/user/heads/build/coreboot-4.8.1'
make: *** [Makefile:442: /home/user/heads/build/coreboot-4.8.1/safeboot/.build]

Now this error looks more significant.

Edit 3: Well, the obvious workaround is to do a make BOARD=qemu-coreboot after which the build completes successfully, although I don't have a way to test it unfortunately.

Edit 4: Two more dependency issues I hit when trying to build the board again a few days later are libjson-c-dev and libcurl (whatever package provides that). Those either need to be included in the system dependencies or added to the tpm2-tss module file. I also hit another dumb error that I'm trying to solve which is, get this,

2021-07-13 01:16:27-07:00 CONFIG tpm2-tss
make: *** [Makefile:442: /home/user/heads/build/tpm2-tss-2.4.3/.configured] Error 1

yep, that's the entire error. I can't even find any logs. Yay.

@tlaurion
Collaborator

tlaurion commented Jul 8, 2021

@aesrentai up to date dependencies on debian-10 are here https://github.com/osresearch/heads/blob/master/.circleci/config.yml#L13

qemu-coreboot can be tested by making the board with qemu-coreboot run.
@osresearch made the changes to that board config disappear that had the vTPM set up in the board config before. I can try to look it up and will report back.

@tlaurion
Collaborator

tlaurion commented Jul 8, 2021

@aesrentai the vtpm magic that was bound into "qemu-coreboot board run" is here

Edit: and it was moved into a safeboot board config here from that commit. @osresearch separated the TPM2 implementation from the board configuration later on in this PR's force-pushed commits, which you can look into. I think the latest was here, to be able to test it.

Maybe the cleanest way to test this up from now would be to create a qemu-coreboot-vtpm2 board, associated coreboot config and linux config?

@aesrentai

I wasn't aware we had a version of qemu with a working tpm2-- last I remembered even tpm 1 emulation didn't work. I'll take a look, although it may take a bit because this is the first time I've done anything like this so I'll have to figure out how QEMU works. General plan is to do what you said, create a qemu-tpm2 board and see what works and what doesn't.

@tlaurion
Collaborator

tlaurion commented Jul 12, 2021

@aesrentai

I wasn't aware we had a version of qemu with a working tpm2-- last I remembered even tpm 1 emulation didn't work. I'll take a look, although it may take a bit because this is the first time I've done anything like this so I'll have to figure out how QEMU works. General plan is to do what you said, create a qemu-tpm2 board and see what works and what doesn't.

TPM1 emulation magic (swtpm) was not built under Heads nor dealt with in the qemu board run statement, and was the subject of issue tracking #516 #701.

It should theoretically work based on this PoC by tweaking swtpm into 1.2 mode.

PR welcome, as usual.

@aesrentai

aesrentai commented Jul 13, 2021

I'm not particularly interested in trying to get TPM 1.2 emulation working (I'm almost tunnel visioned on getting S76 and Star Labs laptop support as a way for Heads to rapidly gain users), but at face value that PR about tweaking swtpm doesn't make sense. From the swtpm man pages:

--tpm2
Choose TPM 2 functionality; by default a TPM 1.2 is chosen.

so shouldn't TPM 1.2 emulation just work if you don't pass the --tpm2 flag? I won't have time to work on this until the weekend, but I'll try to submit a PR introducing the swtpm module. It'll also make life easier for me as I'm currently doing all this work in an AppVM and trying to get all of swtpm's dependencies working in only my home directory is being a pain (and I'm stubbornly doing my best to keep this as an AppVM, not a StandaloneVM).

Once I get swtpm working I'll be able to move on to actually testing if the tpm2 tools work (which they should). Right now my ultimate problem in getting S76 support is actually acquiring the hardware, which is made more difficult by the fact that I am a broke college student.

Edit: One contribution that I may work on far in the future is a more comprehensive test suite for Heads. Right now we only test that Heads builds successfully, but that's really the bare minimum. At least we should have a set of commands that can be run manually in qemu that exercises all of Heads' features. Ideally this would be automated through CircleCI, although I'm not sure if this is possible (because you have to run qemu and then pass a script to the guest, although an ugly hack to solve the second problem would be

if [ -n "$TESTING" ]; then
    # test script here
fi

somewhere in the init script).
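Pulling together osresearch's note near the top about the qemu `make run` target that brings up an emulated TPM2, and the swtpm `--tpm2` versus default TPM 1.2 question in the last few comments: the script below is an added example (not the Makefile change from this PR and not a Heads board config) showing how swtpm is started and how QEMU is pointed at it for either TPM version, so a `qemu-coreboot-tpm2`-style board could be exercised without hardware. The ROM path, the state directory and the QEMU machine/memory options are assumptions to adjust to the coreboot QEMU mainboard you built; the swtpm and QEMU TPM flags themselves are the standard swtpm(8) and qemu-system options.

```shell
#!/bin/sh
# Added example, not the Makefile code from this PR: run a Heads ROM in QEMU with swtpm
# as the TPM, selecting TPM 2.0 (swtpm --tpm2) or swtpm's default TPM 1.2 mode.
# ROM path, state directory and machine options are assumptions; the swtpm and QEMU
# flags are standard swtpm(8) / qemu-system options.
set -eu

# swtpm socket-backend arguments, one per line. Version 2 appends --tpm2; anything
# else leaves swtpm as a TPM 1.2, which is its default when --tpm2 is absent.
swtpm_args() {
    state_dir=$1; ctrl_sock=$2; version=${3:-2}
    set -- socket --tpmstate "dir=$state_dir" --ctrl "type=unixio,path=$ctrl_sock" \
           --log level=20
    if [ "$version" = 2 ]; then
        set -- "$@" --tpm2
    fi
    printf '%s\n' "$@"
}

# QEMU side: a chardev on the same control socket, an emulator tpmdev bound to it,
# and a tpm-tis front end (the TIS interface coreboot and the Heads kernel expect on x86).
qemu_tpm_args() {
    printf '%s\n' \
        -chardev "socket,id=chrtpm,path=$1" \
        -tpmdev  "emulator,id=tpm0,chardev=chrtpm" \
        -device  "tpm-tis,tpmdev=tpm0"
}

# Start swtpm daemonised, then QEMU in the foreground against the same socket.
# The TPM's seeds and NV state persist in $state_dir, so anything sealed or stored
# in this virtual TPM stays valid across runs until that directory is wiped.
run_heads_with_vtpm() {
    rom=$1; version=${2:-2}
    state_dir=${TPM_STATE_DIR:-$PWD/build/vtpm$version}
    ctrl_sock=$state_dir/swtpm-sock
    mkdir -p "$state_dir"
    # Word-splitting the newline-separated output is intentional; paths contain no spaces.
    swtpm $(swtpm_args "$state_dir" "$ctrl_sock" "$version") \
        --daemon --pid "file=$state_dir/swtpm.pid"
    # -machine/-m are assumptions: match the coreboot QEMU mainboard (i440fx or q35) you built.
    qemu-system-x86_64 -m 1G -bios "$rom" -serial stdio -display none \
        $(qemu_tpm_args "$ctrl_sock")
}

# Usage: TPM_VERSION=2 ./run-vtpm.sh build/qemu-coreboot/coreboot.rom
#        TPM_VERSION=1 ./run-vtpm.sh build/qemu-coreboot/coreboot.rom   (TPM 1.2 mode)
if [ -n "${1:-}" ]; then
    run_heads_with_vtpm "$1" "${TPM_VERSION:-2}"
fi
```

Inside the guest, a TPM2 shows up as /dev/tpm0 with the usual tpm2-tools working against it, while in 1.2 mode the same device node is what Heads' existing tpmtotp expects; switching between the two is only the presence of `--tpm2` on the swtpm command line, which is the point aesrentai makes from the swtpm man page.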

@tlaurion
Collaborator

superseded (and included and reworked) under #1292

@tlaurion tlaurion closed this Mar 13, 2023
@tlaurion
Collaborator

tlaurion commented Mar 13, 2023

Securityfs removed under #1292 not sure I understand the scope from where that was needed but maybe safeboot. To be reinserted later if needed.
