Menu
▾
▴
tboot-devel — Developer support
You can subscribe to this list here.
| 2007 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
(3) |
Dec
(13) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2008 |
Jan
(19) |
Feb
(24) |
Mar
(8) |
Apr
(14) |
May
(8) |
Jun
(10) |
Jul
(14) |
Aug
(3) |
Sep
(13) |
Oct
(27) |
Nov
(39) |
Dec
(24) |
| 2009 |
Jan
(19) |
Feb
(4) |
Mar
(2) |
Apr
(15) |
May
|
Jun
(2) |
Jul
(44) |
Aug
(21) |
Sep
(20) |
Oct
(2) |
Nov
(1) |
Dec
(7) |
| 2010 |
Jan
(7) |
Feb
(10) |
Mar
(2) |
Apr
(12) |
May
(7) |
Jun
(2) |
Jul
(18) |
Aug
(11) |
Sep
(4) |
Oct
(25) |
Nov
(8) |
Dec
(1) |
| 2011 |
Jan
(27) |
Feb
(2) |
Mar
(19) |
Apr
(8) |
May
(16) |
Jun
(11) |
Jul
(9) |
Aug
(9) |
Sep
(35) |
Oct
(9) |
Nov
(8) |
Dec
(32) |
| 2012 |
Jan
(37) |
Feb
(20) |
Mar
(2) |
Apr
(24) |
May
(4) |
Jun
(3) |
Jul
(5) |
Aug
(21) |
Sep
(8) |
Oct
(15) |
Nov
(1) |
Dec
(7) |
| 2013 |
Jan
(4) |
Feb
(8) |
Mar
(38) |
Apr
(9) |
May
(42) |
Jun
(4) |
Jul
(21) |
Aug
(4) |
Sep
|
Oct
(7) |
Nov
(2) |
Dec
(3) |
| 2014 |
Jan
(8) |
Feb
(8) |
Mar
(5) |
Apr
(9) |
May
(19) |
Jun
(1) |
Jul
(10) |
Aug
(25) |
Sep
(6) |
Oct
(2) |
Nov
(5) |
Dec
(1) |
| 2015 |
Jan
|
Feb
|
Mar
(5) |
Apr
|
May
(12) |
Jun
|
Jul
(2) |
Aug
(5) |
Sep
(11) |
Oct
(5) |
Nov
(3) |
Dec
(1) |
| 2016 |
Jan
(2) |
Feb
(24) |
Mar
|
Apr
(6) |
May
(26) |
Jun
(20) |
Jul
(8) |
Aug
(15) |
Sep
(21) |
Oct
(1) |
Nov
(7) |
Dec
(24) |
| 2017 |
Jan
(12) |
Feb
(2) |
Mar
(6) |
Apr
(8) |
May
(18) |
Jun
(13) |
Jul
(12) |
Aug
(8) |
Sep
(5) |
Oct
(1) |
Nov
|
Dec
|
| 2018 |
Jan
(2) |
Feb
(12) |
Mar
(8) |
Apr
(5) |
May
(7) |
Jun
(1) |
Jul
(4) |
Aug
(8) |
Sep
(2) |
Oct
(3) |
Nov
(4) |
Dec
(3) |
| 2019 |
Jan
(8) |
Feb
|
Mar
(2) |
Apr
|
May
(3) |
Jun
(4) |
Jul
(1) |
Aug
|
Sep
(8) |
Oct
(6) |
Nov
(20) |
Dec
(14) |
| 2020 |
Jan
(25) |
Feb
(12) |
Mar
(2) |
Apr
(13) |
May
(44) |
Jun
(9) |
Jul
|
Aug
(3) |
Sep
(5) |
Oct
(4) |
Nov
(2) |
Dec
|
| 2021 |
Jan
(6) |
Feb
|
Mar
(7) |
Apr
(1) |
May
|
Jun
(2) |
Jul
|
Aug
(16) |
Sep
(4) |
Oct
(6) |
Nov
(1) |
Dec
(6) |
| 2022 |
Jan
(5) |
Feb
(4) |
Mar
(22) |
Apr
(6) |
May
(4) |
Jun
(17) |
Jul
(2) |
Aug
|
Sep
|
Oct
(2) |
Nov
(1) |
Dec
(2) |
| 2023 |
Jan
(1) |
Feb
(1) |
Mar
|
Apr
|
May
(2) |
Jun
|
Jul
|
Aug
(1) |
Sep
|
Oct
|
Nov
|
Dec
(1) |
| 2024 |
Jan
(2) |
Feb
|
Mar
|
Apr
|
May
(1) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2025 |
Jan
(1) |
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Timo L. <tim...@ik...> - 2020-05-12 09:35:11
|
Hi, On Tue, 12 May 2020, Lukasz Hawrylko wrote: > Thanks for investigating that issue. Fixed in a6180f9e9e86 Thanks, seems to build now. -Timo |
|
From: Timo L. <tim...@ik...> - 2020-05-12 09:28:59
|
Hi, On Mon, 11 May 2020, Lukasz Hawrylko wrote: > Thank you for patches, I will look at them this week. Next time, please > use 'hg email' if this is not a problem for you, it is easier to > maintain where all patches go through mailing list directly. Ok, good to know. I'll setup some SMTP stuff to make hg email work, shouldn't be that difficult. -Timo |
|
From: Timo L. <tim...@ik...> - 2020-05-12 09:28:01
|
Hi, On Mon, 11 May 2020, Lukasz Hawrylko wrote: > It looks like I forget to upload public key to PGP server. I have just > done it: https://pgp.mit.edu/pks/lookup?op=get&search=0x6F2F48CC4E0B23EF Thanks! I'll add this to the packaging (debian/upstream/signing-key.asc). -Timo |
|
From: Timo L. <tim...@ik...> - 2020-05-12 09:27:09
|
Hi On Tue, 12 May 2020, Lukasz Hawrylko wrote: > The base TBOOT licence is BSD-3-clause, however some files that comes > from other projects have different licenses (but all of them are > compatible with BSD-3-clause). > > I can add information to COPYING file that looks like: "All files that > do not have license header, have BSD-3-clause license and are > copyrighted by Intel Corporation". Will it solve all license gaps in > your opinion? Yes, I think that would clarify the situation nicely but I would also include the full license text in COPYING and not just a reference to "BSD-3-clause". With these changes I feel I can upload this to Debian Gitlab (https://salsa.debian.org/debian/tboot/), the actual upload to the archive will of course still go through review by the Debian FTP master team. -Timo |
|
From: Lukasz H. <luk...@li...> - 2020-05-12 08:51:12
|
On Sun, 2020-05-10 at 15:12 +0300, Timo Lindfors wrote: > Hi, > > I'm planning to package tboot for Debian. As part of the process I went > through all the copyright and license notices in tboot-1.9.12.tar.gz.gpg. > > Everything looks pretty smooth but I do have two concerns: > > 1) lcptools/Linux_LCP_Tools_User_Manual.doc has the paragraph > > "This document and the software described in it are furnished under > license and may only be used or copied in accordance with the terms of the > license." > > but it is not at all clear what license this is talking about. Is it the > BSD-3-clause license used in most other files or something else? Would it > be possible to clarify this either in this file or in the COPYING file? > > 2) The COPYING file states > > "Files which do not contain any copyright information are assumed to be > copyrighted by Intel Corporation. All other files contain their copyright > and license at the beginning of the file." > > This is a good clarification but this file does not actually explain what > the license of files without license information is. Is it the > BSD-3-clause license used in most files? The files without license > information that I could identify are: > Hi Timo The base TBOOT licence is BSD-3-clause, however some files that comes from other projects have different licenses (but all of them are compatible with BSD-3-clause). I can add information to COPYING file that looks like: "All files that do not have license header, have BSD-3-clause license and are copyrighted by Intel Corporation". Will it solve all license gaps in your opinion? Thanks, Lukasz |
|
From: Lukasz H. <luk...@li...> - 2020-05-12 08:17:14
|
On Sat, 2020-05-09 at 00:55 +0300, Timo Lindfors wrote: > Hi, > > I get the following build failure on debian unstable with GCC 9.3.0: > > tar xf tboot-1.9.12.tar.gz > cd tboot-1.9.12/ > env CFLAGS="-g" make > ... > cc -z noexecstack -z relo -z now -c -o obj/mem_primitives_lib.o > safeclib/mem_primitives_lib.c -g -Wall -Wformat-security -Werror > -Wstrict-prototypes -Wextra -Winit-self -Wswitch-default > -Wunused-parameter -Wwrite-strings -Wlogical-op > -Wno-missing-field-initializers -Wno-address-of-packed-member > -fno-strict-aliasing -std=gnu99 -Wno-array-bounds -O2 -U_FORTIFY_SOURCE > -D_FORTIFY_SOURCE=2 -m64 -I/home/lindi/tboot-1.9.12/safestringlib/include > -Wall -Wformat-security -Werror -Wstrict-prototypes -Wextra -Winit-self > -Wswitch-default -Wunused-parameter -Wwrite-strings -Wlogical-op > -Wno-missing-field-initializers -Wno-address-of-packed-member > -fno-strict-aliasing -std=gnu99 -Wno-array-bounds -O2 -U_FORTIFY_SOURCE > -D_FORTIFY_SOURCE=2 -m64 -I/home/lindi/tboot-1.9.12/safestringlib/include > -Iinclude -fstack-protector-strong -fPIE -fPIC -O2 -D_FORTIFY_SOURCE=2 > -Wformat -Wformat-security -DSTDC_HEADERS > safeclib/mem_primitives_lib.c: In function \u2018mem_prim_set\u2019: > safeclib/mem_primitives_lib.c:111:25: error: this statement may fall > through [-Werror=implicit-fallthrough=] > 111 | case 15: *lp++ = value32; > | ~~~~~~^~~~~~~~~ > safeclib/mem_primitives_lib.c:112:9: note: here > 112 | case 14: *lp++ = value32; > | ^~~~ > > > It seems that Config.mk adds -Werror and -Wextra that cause this to > happen. Why doesn't this happen when CFLAGS is not set as an > environment variable? Apparently because > > CFLAGS += $(CFLAGS_WARN) -fno-strict-aliasing -std=gnu99 > > behaves differently with recursive makefiles if CFLAGS is in the > environment: > > "By default, only variables that came from the environment or the command > line are passed to recursive invocations." > > https://www.gnu.org/software/make/manual/html_node/Environment.html > > Is the intent here that CFLAGS_WARN should be used for the whole build? If > yes, then we need to add "export CFLAGS" to ensure that it is passed to > other makefiles and also fix that build failure. > > If not, we need to add "unexport CFLAGS" and don't necessary need to fix > the switch-case statement. > > > -Timo > Hi Thanks for investigating that issue. Fixed in a6180f9e9e86 Lukasz |
|
From: Lukasz H. <luk...@li...> - 2020-05-11 14:59:02
|
On Sat, 2020-05-09 at 21:02 +0300, Timo Lindfors wrote: > Hi, > > I made some spelling fixes. My mercurial skills are quite rusty but I > think you should be able to access them by pulling the > fix/spelling-fixes-1 branch from https://lindi.iki.fi/lindi/hg/tboot > > Should I prefer sending patches over email with "hg email"? > > -Timo > > Hi Timo Thank you for patches, I will look at them this week. Next time, please use 'hg email' if this is not a problem for you, it is easier to maintain where all patches go through mailing list directly. Thanks, Lukasz |
|
From: Lukasz H. <luk...@li...> - 2020-05-11 14:51:29
|
On Fri, 2020-05-08 at 13:28 +0300, Timo Lindfors wrote: > Hi, > > where could I get the GPG used for signing releases? > > $ gpg tboot-1.9.12.tar.gz.gpg > gpg: WARNING: no command supplied. Trying to guess what you mean ... > gpg: Signature made Wed 29 Apr 2020 04:29:59 PM EEST > gpg: using RSA key 5CECC9E12872F424009D0E0B6F2F48CC4E0B23EF > gpg: Can't check signature: No public key > > > > -Timo > Hi It looks like I forget to upload public key to PGP server. I have just done it: https://pgp.mit.edu/pks/lookup?op=get&search=0x6F2F48CC4E0B23EF Thanks, Lukasz |
|
From: Timo L. <tim...@ik...> - 2020-05-10 20:55:35
|
Hi, tboot installs a binary called "parse_err". I realize tboot has been doing this for a long time but have you considered renaming the binary to something less generic? Maybe txt_parse_err? -Timo |
|
From: Timo L. <tim...@ik...> - 2020-05-10 20:43:48
|
Hi, many commands installed by tboot don't seem to have man pages. I did some detective work based on --help output and source code and wrote the missing pages. Can you please take a look that they are accurate? You can find the pages in the feature/add-missing-man-pages-1 branch at https://lindi.iki.fi/lindi/hg/tboot/ -Timo |
|
From: Timo L. <tim...@ik...> - 2020-05-10 13:08:59
|
Hi,
currently tboot installs man pages for the following commands that are not
installed:
lcp_crtpconf lcp_crtpol lcp_crtpol2 lcp_crtpolelt lcp_crtpollist
lcp_mlehash
These tools were removed in
commit 225ff1be2e43611d3055b2f02aaa418e47fab0ed
Author: Gang Wei <gan...@in...>
Date: Fri Nov 30 08:53:10 2018 +0800
lcptools: remove tools supporting platforms before 2008
Signed-off-by: Gang Wei <gan...@in...>
You can pull a fix from the fix/remove-obsolete-man-pages-1 branch at
http://lindi.iki.fi/lindi/hg/tboot/
-Timo
|
|
From: Timo L. <tim...@ik...> - 2020-05-10 12:12:30
|
Hi, I'm planning to package tboot for Debian. As part of the process I went through all the copyright and license notices in tboot-1.9.12.tar.gz.gpg. Everything looks pretty smooth but I do have two concerns: 1) lcptools/Linux_LCP_Tools_User_Manual.doc has the paragraph "This document and the software described in it are furnished under license and may only be used or copied in accordance with the terms of the license." but it is not at all clear what license this is talking about. Is it the BSD-3-clause license used in most other files or something else? Would it be possible to clarify this either in this file or in the COPYING file? 2) The COPYING file states "Files which do not contain any copyright information are assumed to be copyrighted by Intel Corporation. All other files contain their copyright and license at the beginning of the file." This is a good clarification but this file does not actually explain what the license of files without license information is. Is it the BSD-3-clause license used in most files? The files without license information that I could identify are: CHANGELOG Config.mk COPYING docs/Makefile docs/man/acminfo.8 docs/man/lcp_crtpconf.8 docs/man/lcp_crtpol2.8 docs/man/lcp_crtpol.8 docs/man/lcp_crtpolelt.8 docs/man/lcp_crtpollist.8 docs/man/lcp_mlehash.8 docs/man/lcp_readpol.8 docs/man/lcp_writepol.8 docs/man/tb_polgen.8 docs/man/txt-stat.8 docs/policy_v1.txt docs/policy_v2.txt docs/txt-info.txt docs/vlp.txt .hg_archival.txt .hgignore .hgtags lcp-gen2/asn1spec.py lcp-gen2/build.py lcp-gen2/defines.py lcp-gen2/ElementBase.py lcp-gen2/ElementGui.py lcp-gen2/LcpPolicy.py lcp-gen2/list.py lcp-gen2/mleLegacy.py lcp-gen2/mle.py lcp-gen2/pconfLegacy.py lcp-gen2/pconf.py lcp-gen2/pdef.py lcp-gen2/sbiosLegacy.py lcp-gen2/sbios.py lcp-gen2/stm.py lcp-gen2/tools.py lcp-gen2/TxtPolicyGen2.py lcp-gen2/UserGuide.txt lcp-gen2/util.py lcptools/Linux_LCP_Tools_User_Manual.doc lcptools/Linux_LCP_Tools_User_Manual.pdf lcptools/Makefile lcptools-v2/lcptools.txt lcptools-v2/Makefile Makefile README tboot/common/tboot.lds.x tboot/Config.mk tboot/Makefile tb_polgen/Makefile test-patches/e820-test.patch test-patches/mtrrs-test.patch test-patches/tpm-test.patch test-patches/vsprintf-test.patch txt-test/Kbuild txt-test/Makefile utils/Makefile Finally, here is the machine-readable copyright information I was able to compile from all other files in that release: Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: tboot Source: https://sourceforge.net/projects/tboot/ Files: include/elf_defns.h include/lcp2.h include/config.h include/lcp_hlp.h include/hash.h include/mle.h include/uuid.h include/tb_policy.h include/lcp3_hlp.h include/lcp3.h include/tboot.h include/lcp.h include/tb_error.h lcptools/lcptools.h lcptools/lcputils.h lcptools/lcptools.c lcptools/writepol.c lcptools/lcputils.c lcptools/relindex.c lcptools/lock.c lcptools/defindex.c lcptools/readpol.c lcptools/getcap.c lcptools-v2/crtpol.c lcptools-v2/mle_elt.c lcptools-v2/lcputils.h lcptools-v2/polelt.h lcptools-v2/poldata.c lcptools-v2/pollist2.c lcptools-v2/hash.c lcptools-v2/lcputils.c lcptools-v2/pollist1.c lcptools-v2/sbios_elt.c lcptools-v2/mlehash.c lcptools-v2/custom_elt.c lcptools-v2/pol.c lcptools-v2/pol.h lcptools-v2/stm_elt.c lcptools-v2/polelt_plugin.h lcptools-v2/pollist1.h lcptools-v2/pollist2.h lcptools-v2/poldata.h lcptools-v2/crtpollist.c lcptools-v2/polelt.c lcptools-v2/crtpolelt.c tboot/txt/acmod.c tboot/txt/txt.c tboot/txt/heap.c tboot/txt/vmcs.c tboot/txt/verify.c tboot/txt/errors.c tboot/txt/mtrrs.c tboot/include/txt/txt.h tboot/include/txt/config_regs.h tboot/include/txt/acmod.h tboot/include/txt/errorcode.h tboot/include/txt/heap.h tboot/include/txt/smx.h tboot/include/txt/vmcs.h tboot/include/txt/mtrrs.h tboot/include/txt/verify.h tboot/include/sha1.h tboot/include/cmdline.h tboot/include/io.h tboot/include/msr.h tboot/include/page.h tboot/include/processor.h tboot/include/loader.h tboot/include/string.h tboot/include/compiler.h tboot/include/tpm_20.h tboot/include/linux_defns.h tboot/include/e820.h tboot/include/paging.h tboot/include/com.h tboot/include/ctype.h tboot/include/tpm.h tboot/include/mutex.h tboot/include/multiboot.h tboot/include/integrity.h tboot/include/printk.h tboot/include/types.h tboot/include/misc.h tboot/include/efi_memmap.h tboot/include/vga.h tboot/include/vtd.h tboot/common/memcmp.c tboot/common/acpi.c tboot/common/boot.S tboot/common/shutdown.S tboot/common/strlen.c tboot/common/tpm_20.c tboot/common/tboot.c tboot/common/vtd.c tboot/common/printk.c tboot/common/strtoul.c tboot/common/wakeup.S tboot/common/misc.c tboot/common/sha1.c tboot/common/linux.c tboot/common/hash.c tboot/common/strncmp.c tboot/common/tpm.c tboot/common/loader.c tboot/common/strncpy.c tboot/common/vsprintf.c tboot/common/paging.c tboot/common/integrity.c tboot/common/mutex.S tboot/common/strcmp.c tboot/common/cmdline.c tboot/common/vga.c tboot/common/policy.c tboot/common/tb_error.c tboot/common/elf.c tboot/common/index.c tboot/common/efi_memmap.c tboot/common/tpm_12.c tboot/common/e820.c tboot/common/memcpy.c tb_polgen/commands.c tb_polgen/hash.c tb_polgen/param.c tb_polgen/tb_polgen.c tb_polgen/policy.c tb_polgen/tb_polgen.h txt-test/txt-test.c utils/txt-stat.c utils/acminfo.c utils/parse_err.c Copyright: 1989, 1990, 1991, 1992, 1993 The Regents of the University of California 1995, 1996, 1997, 1998 WIDE Project. 2001-2020 Intel Corporation 2004 Artur Grabowski <ar...@op...> 2016 Real-Time Systems GmbH 2020 Cisco Systems, Inc. <pm...@ci...> 2007, 2011, 2012, 2013, 2014, 2015, 2018 Gang Wei 2007, 2008, 2009, 2010, 2011 Joseph Cihula 2019, 2020 Lukasz Hawrylko 2014, 2015, 2016, 2017, 2018 Ning Sun 2014 Qiaowei Ren 2008, 2009, 2010 Shane Wang License: BSD-3-clause Files: tboot/common/pci_cfgreg.c tboot/common/com.c tboot/include/atomic.h tboot/include/pci_cfgreg.h lcptools-v2/pconf2_elt.c Copyright: 1997 Stefan Esser <se...@fr...> 1998 Doug Rabson 1998 Michael Smith <ms...@fr...> 2000 Michael Smith <ms...@fr...> 2000 BSDi 2004 Scott Long <sc...@fr...> 2010 Intel Corporation 2020 Cisco Systems, Inc. <pm...@ci...> 2007, 2009, 2010 Joseph Cihula 2010 Shane Wang 2014, 2018 Gang Wei 2020 Lukasz Hawrylko License: BSD-2-clause Files: safestringlib/* Copyright: 2008 Bo Berry 2005-2013 by Cisco Systems, Inc. 2012 Jonathan Toppins <jto...@us...> 2014-2016 Intel Corporation. 2018 Gang Wei License: Expat Files: tboot/include/sha2.h tboot/common/sha256.c tboot/common/sha384.c tboot/common/sha512.c Copyright: 2000 Tom St Denis License: public-domain Files: tboot/common/vmac.c tboot/include/vmac.h Copyright: 2008 Ted Krovetz <td...@ac...> 2008 Wei Dai 2010 Intel Corporation. 2009 Joseph Cihula 2010 Shane Wang License: public-domain Files: tboot/include/rijndael.h tboot/common/rijndael.c Copyright: 2000 Vincent Rijmen <vin...@es...> 2000 Antoon Bosselaers <ant...@es...> 2000 Paulo Barreto <pau...@te...> 2009 Joseph Cihula License: public-domain EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Files: tboot/20_linux_tboot tboot/20_linux_xen_tboot Copyright: 2006, 2007, 2008, 2009, 2010 Free Software Foundation, Inc. 2012, 2013, 2014, 2018 Gang Wei 2019, 2020 Lukasz Hawrylko 2015, 2016, 2017 Ning Sun License: GPL-3+ Files: tboot/include/lz.h tboot/common/lz.c Copyright: 2003-2010 Marcus Geelnard 2015, 2016 Ning Sun License: Zlib Files: tboot/include/acpi.h Copyright: 2005 Thorsten Lockert <th...@si...> 2005 Marco Peereboom <ma...@op...> 2010 Intel Corporation 2014 Gang Wei 2007, 2008, 2009, 2010 Joseph Cihula 2019 Lukasz Hawrylko 2016, 2017 Ning Sun 2008 Shane Wang License: ISC -Timo |
|
From: Timo L. <tim...@ik...> - 2020-05-09 18:03:23
|
Hi, I made some spelling fixes. My mercurial skills are quite rusty but I think you should be able to access them by pulling the fix/spelling-fixes-1 branch from https://lindi.iki.fi/lindi/hg/tboot Should I prefer sending patches over email with "hg email"? -Timo |
|
From: Timo L. <tim...@ik...> - 2020-05-09 15:22:40
|
Hi, at the moment it seems that the links on https://software.intel.com/content/www/us/en/develop/articles/intel-trusted-execution-technology.html under the table "SINIT AC Modules" are all broken and redirect to just https://www.intel.com/content/www/us/en/404.html -Timo |
|
From: Timo L. <tim...@ik...> - 2020-05-08 21:56:01
|
Hi,
I get the following build failure on debian unstable with GCC 9.3.0:
tar xf tboot-1.9.12.tar.gz
cd tboot-1.9.12/
env CFLAGS="-g" make
...
cc -z noexecstack -z relo -z now -c -o obj/mem_primitives_lib.o
safeclib/mem_primitives_lib.c -g -Wall -Wformat-security -Werror
-Wstrict-prototypes -Wextra -Winit-self -Wswitch-default
-Wunused-parameter -Wwrite-strings -Wlogical-op
-Wno-missing-field-initializers -Wno-address-of-packed-member
-fno-strict-aliasing -std=gnu99 -Wno-array-bounds -O2 -U_FORTIFY_SOURCE
-D_FORTIFY_SOURCE=2 -m64 -I/home/lindi/tboot-1.9.12/safestringlib/include
-Wall -Wformat-security -Werror -Wstrict-prototypes -Wextra -Winit-self
-Wswitch-default -Wunused-parameter -Wwrite-strings -Wlogical-op
-Wno-missing-field-initializers -Wno-address-of-packed-member
-fno-strict-aliasing -std=gnu99 -Wno-array-bounds -O2 -U_FORTIFY_SOURCE
-D_FORTIFY_SOURCE=2 -m64 -I/home/lindi/tboot-1.9.12/safestringlib/include
-Iinclude -fstack-protector-strong -fPIE -fPIC -O2 -D_FORTIFY_SOURCE=2
-Wformat -Wformat-security -DSTDC_HEADERS
safeclib/mem_primitives_lib.c: In function \u2018mem_prim_set\u2019:
safeclib/mem_primitives_lib.c:111:25: error: this statement may fall
through [-Werror=implicit-fallthrough=]
111 | case 15: *lp++ = value32;
| ~~~~~~^~~~~~~~~
safeclib/mem_primitives_lib.c:112:9: note: here
112 | case 14: *lp++ = value32;
| ^~~~
It seems that Config.mk adds -Werror and -Wextra that cause this to
happen. Why doesn't this happen when CFLAGS is not set as an
environment variable? Apparently because
CFLAGS += $(CFLAGS_WARN) -fno-strict-aliasing -std=gnu99
behaves differently with recursive makefiles if CFLAGS is in the
environment:
"By default, only variables that came from the environment or the command
line are passed to recursive invocations."
https://www.gnu.org/software/make/manual/html_node/Environment.html
Is the intent here that CFLAGS_WARN should be used for the whole build? If
yes, then we need to add "export CFLAGS" to ensure that it is passed to
other makefiles and also fix that build failure.
If not, we need to add "unexport CFLAGS" and don't necessary need to fix
the switch-case statement.
-Timo
|
|
From: Timo L. <tim...@ik...> - 2020-05-08 10:29:13
|
Hi, where could I get the GPG used for signing releases? $ gpg tboot-1.9.12.tar.gz.gpg gpg: WARNING: no command supplied. Trying to guess what you mean ... gpg: Signature made Wed 29 Apr 2020 04:29:59 PM EEST gpg: using RSA key 5CECC9E12872F424009D0E0B6F2F48CC4E0B23EF gpg: Can't check signature: No public key -Timo |
|
From: Lukasz H. <luk...@li...> - 2020-04-30 14:03:39
|
Hello I have added new branch to TBOOT repository. This branch starts new TBOOT version family - 2.x that in the future will replace current 1.9. Right now both mainline versions are supported, however 1.9 is focused on stability and bugfixing, and new features will go to 2.x versions. At this moment there are two features that are included in 2.x. TBOOT binary signing. As a result of building process, now there are two files generated: tboot.gz and tboot.mb2. First one is a standard gziped ELF file, second one is a PE binary with multiboot2 header. It can be signed with UEFI Secure Boot signing tools, like sbsign. The signature can be verified by GRUB2 when booted with UEFI Secure Boot and shim loader. That feature allows to expand Secure Boot verification chain up to TBOOT. tboot.mb2 still requires multiboot2 protocol and should be loaded in the same way as tboot.gz - by multiboot2 command in grub.cfg. Apart of that possibility to add signature, both tboot.gz and tboot.mb2 behave the same. Poly1305 replaces VMAC. TBOOT uses MAC algorithm to keep data integrity during S3 cycle. VMAC algorithm, that was in TBOOT till now, was the best choice at the time when TBOOT was created in therms of security vs. performance. Now it's time to replace it with a modern option and I have decided to choose Poly1305. I did performance testing and it reaches the same throughput as VMAC with better security. Thanks, Lukasz |
|
From: Timo L. <tim...@ik...> - 2020-04-14 15:51:09
|
On Tue, 14 Apr 2020, Lukasz Hawrylko wrote:
> I don't know if that tool exists. Anyway, I will look at that multiple
> SINITs bug in TBOOT, when it will be fixed, that kind of tool will not
> be required.
True, that would mostly not be needed if tboot worked automatically. I can
think of two use cases where it might still be useful:
1) You could save disk space and boot speed by not having grub read all
SINIT modules from disk.
2) You might want to know before reboot that you have the matching SINIT
module if you are enabling TPM support remotely for your server :)
> In mean time, you can check acminfo from utils directory. It examines
> SINIT binary and also can check if SINIT is compatible with current
> platform. You can easily adopt it (with bash scripting help) to do what
> you need.
Thanks, I will look into that.
Currently I am trying to automate sealing of disk encryption keys
after an upgrade. Here's a quick and dirty prototype that "works on my
server"(TM) but probably contains many bugs. In particular it does not
currently know how to predict PCR-17 and just assumes that it has the same
value on next reboot. Posting it here in the hope that this will activate
discussion on the list for potential alternatives :)
#!/usr/bin/python3
# tpm-luks-auto-seal 2020-04-14
import argparse
import subprocess
import hashlib
import binascii
import glob
import re
import os
import tempfile
INITIAL_HASH = b'\x00'*20
def text_to_hash(text):
hash = binascii.unhexlify(text.replace(' ', '').replace('\n', ''))
assert len(hash) == 20
return hash
def hash_to_text(hash):
assert len(hash) == 20
return binascii.hexlify(hash).decode('utf-8')
def extend_hash(hash1, hash2):
assert len(hash1) == 20
assert len(hash2) == 20
return sha1(hash1 + hash2)
def sha1(data):
m = hashlib.sha1()
m.update(data)
return m.digest()
def predict_pcrs(configuration):
pcr = {}
pcr[17] = get_current_pcrs()[17]
pcr[18] = INITIAL_HASH
tboot_hash = text_to_hash(subprocess.check_output([
'/usr/sbin/lcp_mlehash',
'-c',
configuration.tboot_cmdline,
configuration.tboot], encoding='utf-8'))
pcr[18] = extend_hash(pcr[18], tboot_hash)
with open(configuration.kernel, 'rb') as f:
kernel_hash = sha1(sha1(configuration.kernel_cmdline.encode('utf-8')) + sha1(f.read()))
pcr[18] = extend_hash(pcr[18], kernel_hash)
pcr[19] = INITIAL_HASH
with open(configuration.initrd, 'rb') as f:
initrd_hash = sha1(sha1(b'') + sha1(f.read()))
pcr[19] = extend_hash(pcr[19], initrd_hash)
return pcr
class Configuration:
def __init__(self, tboot, tboot_cmdline, kernel, kernel_cmdline, initrd):
self.tboot = tboot
self.tboot_cmdline = tboot_cmdline
self.kernel = kernel
self.kernel_cmdline = kernel_cmdline
self.initrd = initrd
def __str__(self):
return "{}({}) {}({}) {}".format(self.tboot, self.tboot_cmdline, self.kernel, self.kernel_cmdline, self.initrd)
def get_current_pcrs():
pcrs = {}
with open("/sys/devices/pnp0/00:05/tpm/tpm0/pcrs") as f:
for line in f.readlines():
assert line.startswith("PCR-")
n = int(line.split(":")[0].split("-")[1])
pcrs[n] = text_to_hash(line.split(":")[1])
return pcrs
def get_grub_entries(cfg, prefix):
inside_entry = False
entries = []
with open(cfg) as f:
for line in f.readlines():
line = line.rstrip().strip()
if line.startswith("menuentry"):
inside_entry = True
entry = {}
elif inside_entry:
parts = re.split("\s+", line)
if line.startswith("}"):
if "tboot_cmdline" in entry:
entries.append(entry)
inside_entry = False
elif parts[0] == "multiboot":
entry["tboot"] = prefix + parts[1]
entry["tboot_cmdline"] = parts[2]
elif parts[0] == "module" and "vmlinuz" in parts[1]:
entry["kernel"] = prefix + parts[1]
entry["kernel_cmdline"] = " ".join(parts[2:])
elif parts[0] == "module" and "initrd" in parts[1]:
entry["initrd"] = prefix + parts[1]
return entries
def get_configurations():
configurations = []
for e in get_grub_entries("/boot/grub/grub.cfg", "/boot"):
assert os.path.exists(e["tboot"])
assert os.path.exists(e["kernel"])
assert os.path.exists(e["initrd"])
if " single " in e["kernel_cmdline"]:
# Skip for now
continue
c = Configuration(tboot=e["tboot"],
tboot_cmdline=e["tboot_cmdline"],
kernel=e["kernel"],
kernel_cmdline=e["kernel_cmdline"],
initrd=e["initrd"])
configurations.append(c)
return configurations
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("--luks-key-file", default="/etc/luks.key")
parser.add_argument("--force", action="store_true")
args = parser.parse_args()
print("==== Current configuration")
current_pcr = get_current_pcrs()
for i in range(17, 20):
print("PCR-{} {}".format(i, hash_to_text(current_pcr[i])))
configurations = get_configurations()
count = 1
pcrs = []
for c in configurations:
print("==== Predicted configuration #{}".format(count))
print("# {}".format(c))
pcr = predict_pcrs(c)
for i in range(17, 20):
print("PCR-{} {}{}".format(i, hash_to_text(pcr[i]), "*" if pcr[i]!=current_pcr[i] else ""))
count += 1
pcrs.append(pcr)
with open(args.luks_key_file) as f:
luks_key_length = len(f.read())
assert luks_key_length >= 12
assert luks_key_length < 128
if not args.force:
reply = input("Do you want to enable these configurations (use --force to automate this) (Y/n)? ")
if not reply.lower().startswith("y"):
print("Aborting")
sys.exit(0)
print("Removing old configurations (1-20)")
for i in range(20):
try:
subprocess.check_call(["tpm_nvrelease",
"-i", str(i+1),
"--pwdo=1234"])
except subprocess.CalledProcessError:
pass
for i in range(len(configurations)):
print("Enabling configuration #{}".format(i+1))
with tempfile.NamedTemporaryFile(mode="w+") as f:
for j in range(17, 20):
f.write("r {} {}\n".format(j, hash_to_text(pcrs[i][j])))
f.flush()
subprocess.check_call(["tpm_nvdefine",
"-i", str(i+1),
"-s", str(luks_key_length),
"-p", "OWNERWRITE|READ_STCLEAR",
"--pwdo=1234",
"-z",
"-f", f.name])
subprocess.check_call(["tpm_nvwrite",
"-i", str(i+1),
"-f", args.luks_key_file,
"-z", "--password=1234"])
-Timo
|
|
From: Lukasz H. <luk...@li...> - 2020-04-14 08:24:44
|
On Tue, 2020-04-14 at 10:40 +0300, Timo Lindfors wrote: > On Tue, 14 Apr 2020, Lukasz Hawrylko wrote: > > As KBL SINIT works with both SKL and KBL platforms, the old one, > > compatible only with SKL, is not longer supported and may not work with > > newer versions of SKL bioses. Recommendation is to use the KBL SINIT for > > both KBL and SKL systems. > > > > To avoid possible confusion in the future, old, not longer supported > > SINIT, will be removed from download site. After that, there will be > > only one binary available - 6th_7th_gen_i5_i7-SINIT_74 (that works with > > both SKL and KBL platforms). Please do not use 6th_gen_i5_i7_SINIT_71. > Great to hear that you found the root cause! Would it be possible to > publish a simple tool that can pick the right ACM module for a given CPU > automatically? So that I could use that tool to generate my grub.cfg this > would greatly improve usability of the whole solution. I can of course try > to extract that logic from tboot but maybe such a tool already exists? > I don't know if that tool exists. Anyway, I will look at that multiple SINITs bug in TBOOT, when it will be fixed, that kind of tool will not be required. In mean time, you can check acminfo from utils directory. It examines SINIT binary and also can check if SINIT is compatible with current platform. You can easily adopt it (with bash scripting help) to do what you need. Lukasz |
|
From: Timo L. <tim...@ik...> - 2020-04-14 07:57:12
|
On Tue, 14 Apr 2020, Lukasz Hawrylko wrote: > As KBL SINIT works with both SKL and KBL platforms, the old one, > compatible only with SKL, is not longer supported and may not work with > newer versions of SKL bioses. Recommendation is to use the KBL SINIT for > both KBL and SKL systems. > > To avoid possible confusion in the future, old, not longer supported > SINIT, will be removed from download site. After that, there will be > only one binary available - 6th_7th_gen_i5_i7-SINIT_74 (that works with > both SKL and KBL platforms). Please do not use 6th_gen_i5_i7_SINIT_71. Great to hear that you found the root cause! Would it be possible to publish a simple tool that can pick the right ACM module for a given CPU automatically? So that I could use that tool to generate my grub.cfg this would greatly improve usability of the whole solution. I can of course try to extract that logic from tboot but maybe such a tool already exists? -Timo |
|
From: Lukasz H. <luk...@li...> - 2020-04-14 07:12:54
|
On Wed, 2020-04-08 at 18:34 +0300, Timo Lindfors wrote: > On Wed, 8 Apr 2020, Lukasz Hawrylko wrote: > > TBOOT has an algorithm that checks if SINIT matches platform. I can't > > tell you right now what is wrong here, I need some logs. Please run it > > once again, than after reboot, can you launch Linux without TBOOT and > > run 'txt-stat' tool that is in TBOOT's repo in 'utils' folder? What I > > need is a value of ERRORCODE field. > > > > If you can connect serial port and dump serial logs too that will be > > awesome. Dell's docking station has RS232 connector and TBOOT's logs are > > printed there (tested on my laptop). > > $ txt-stat > Intel(r) TXT Configuration Registers: > STS: 0x00000012 > senter_done: FALSE > sexit_done: TRUE > mem_config_lock: FALSE > private_open: FALSE > locality_1_open: FALSE > locality_2_open: FALSE > ESTS: 0x00 > txt_reset: FALSE > E2STS: 0x0000000000000008 > secrets: FALSE > ERRORCODE: 0xc0003c11 > DIDVID: 0x00000001b0068086 > vendor_id: 0x8086 > device_id: 0xb006 > revision_id: 0x1 > FSBIF: 0xffffffffffffffff > QPIIF: 0x000000009d003000 > SINIT.BASE: 0xaced0000 > SINIT.SIZE: 327680B (0x50000) > HEAP.BASE: 0xacf20000 > HEAP.SIZE: 917504B (0xe0000) > DPR: 0x00000000ad000041 > lock: TRUE > top: 0xad000000 > size: 4MB (4194304B) > PUBLIC.KEY: > 2d [REDACTED] > 77 [REDACTED] > *********************************************************** > TXT measured launch: FALSE > secrets flag set: FALSE > *********************************************************** > unable to find TBOOT log > I had a discussion with people responsible for SINITs for that platform and here is how the situation looks like: * 6th_gen_i5_i7_SINIT_71 is a SkyLake SINIT that was released together with SKL platforms * 6th_7th_gen_i5_i7-SINIT_74 is a KabyLake SINIT that is newer and is backward compatible with SKL platforms As KBL SINIT works with both SKL and KBL platforms, the old one, compatible only with SKL, is not longer supported and may not work with newer versions of SKL bioses. Recommendation is to use the KBL SINIT for both KBL and SKL systems. To avoid possible confusion in the future, old, not longer supported SINIT, will be removed from download site. After that, there will be only one binary available - 6th_7th_gen_i5_i7-SINIT_74 (that works with both SKL and KBL platforms). Please do not use 6th_gen_i5_i7_SINIT_71. Thank you for finding that issue. Lukasz |
|
From: Timo L. <tim...@ik...> - 2020-04-08 19:55:27
|
On Wed, 8 Apr 2020, Lukasz Hawrylko wrote: > If you can connect serial port and dump serial logs too that will be > awesome. Dell's docking station has RS232 connector and TBOOT's logs are > printed there (tested on my laptop). A boot log captured from the monitor using a camera is now available at https://lindi.iki.fi/lindi/tboot/6th_gen_i5_i7_SINIT_71.BIN.tboot.log.png -Timo |
|
From: Timo L. <tim...@ik...> - 2020-04-08 15:58:17
|
On Wed, 8 Apr 2020, Lukasz Hawrylko wrote: > TBOOT has an algorithm that checks if SINIT matches platform. I can't > tell you right now what is wrong here, I need some logs. Please run it > once again, than after reboot, can you launch Linux without TBOOT and > run 'txt-stat' tool that is in TBOOT's repo in 'utils' folder? What I > need is a value of ERRORCODE field. > > If you can connect serial port and dump serial logs too that will be > awesome. Dell's docking station has RS232 connector and TBOOT's logs are > printed there (tested on my laptop). $ txt-stat Intel(r) TXT Configuration Registers: STS: 0x00000012 senter_done: FALSE sexit_done: TRUE mem_config_lock: FALSE private_open: FALSE locality_1_open: FALSE locality_2_open: FALSE ESTS: 0x00 txt_reset: FALSE E2STS: 0x0000000000000008 secrets: FALSE ERRORCODE: 0xc0003c11 DIDVID: 0x00000001b0068086 vendor_id: 0x8086 device_id: 0xb006 revision_id: 0x1 FSBIF: 0xffffffffffffffff QPIIF: 0x000000009d003000 SINIT.BASE: 0xaced0000 SINIT.SIZE: 327680B (0x50000) HEAP.BASE: 0xacf20000 HEAP.SIZE: 917504B (0xe0000) DPR: 0x00000000ad000041 lock: TRUE top: 0xad000000 size: 4MB (4194304B) PUBLIC.KEY: 2d [REDACTED] 77 [REDACTED] *********************************************************** TXT measured launch: FALSE secrets flag set: FALSE *********************************************************** unable to find TBOOT log I'll check if we can get serial output. -Timo |
|
From: Lukasz H. <luk...@li...> - 2020-04-08 14:45:35
|
On Wed, 2020-04-08 at 17:12 +0300, Timo Lindfors wrote: > On Tue, 7 Apr 2020, Lukasz Hawrylko wrote: > > Unfortunately, this bug is not reported anywhere. In real life scenarios > > I don't see any benefits of loading multiple SINITs. In most cases you > > have one SINIT that is dedicated to the platform. > > After a closer inspection this might be a different bug as the reboot > occurs also if I specify only one SINIT module, the file > 6th_gen_i5_i7_SINIT_71.BIN. > > Why does tboot think that this file is a valid SINIT module for this CPU > and try to use it? Is this a bug in the ACM module or tboot? Is there some > algorithm for choosing the correct SINIT module? > TBOOT has an algorithm that checks if SINIT matches platform. I can't tell you right now what is wrong here, I need some logs. Please run it once again, than after reboot, can you launch Linux without TBOOT and run 'txt-stat' tool that is in TBOOT's repo in 'utils' folder? What I need is a value of ERRORCODE field. If you can connect serial port and dump serial logs too that will be awesome. Dell's docking station has RS232 connector and TBOOT's logs are printed there (tested on my laptop). Thanks, Lukasz |
|
From: Timo L. <tim...@ik...> - 2020-04-08 14:13:18
|
On Tue, 7 Apr 2020, Lukasz Hawrylko wrote: > Unfortunately, this bug is not reported anywhere. In real life scenarios > I don't see any benefits of loading multiple SINITs. In most cases you > have one SINIT that is dedicated to the platform. After a closer inspection this might be a different bug as the reboot occurs also if I specify only one SINIT module, the file 6th_gen_i5_i7_SINIT_71.BIN. Why does tboot think that this file is a valid SINIT module for this CPU and try to use it? Is this a bug in the ACM module or tboot? Is there some algorithm for choosing the correct SINIT module? -Timo |
15 messages has been excluded from this view by a project administrator.
