Update ACMS for DRTM measured launch #1478
Conversation
|
Instead of adding recipes-openxt/xenclient-dom0-tweaks/xenclient-dom0-tweaks/openxt.cfg needs to be updated for the new modules? Hmm. if you OTA, the old modules are probably left on the ESP. I don't think we have any support for clearing out old files from there. This is dropping some support for older systems? That is fine from my end, but we should be clear about it. However, I have an issue with at least one modern system. When I use CFL_SINIT_20211019_PRODUCTION_REL_NT_O1_1.10.0.bin with it, it reboots, seemingly in tboot. i.e. it enters a boot loop. Normally it uses the BIOS-provided SINIT. With Converged Bootguard and TXT (CBnT), TXT-enabled systems are shipping with an embedded SINIT module. I'm wondering if these external SINIT modules are really needed for newer systems. As I've seen, they can be problematic. |
Thought about that, but since it wasn't actually a license, didn't think it qualified.
from That should cover the old .acms
I can't be 100% sure about that. Based on the support matrix in the .zip it seems like they combined some platforms into a single SINIT. It however doesn't say anything about Xeon processors, for which we had separate SINIT's defined in the recipe. In practice they might just be BIOS provided but we'd need to test them out for sure.
That's an issue then, if there's a txt errorcode you can pull that might tell us what's wrong. Otherwise I was under the impression it would prefer BIOS provided SINITs over the ones we provide. Maybe it has something to do with whichever version is newer. Are there any firmware updates for your system that's using the CFL SINIT? |
Ok, leaving license seems fine.
Thanks. Nice that we have that.
Well, gm45, q35, q45, i5_i7_DUAL and i7_QUAD are older Intel Core processors predating Sandy Bridge. Not sure what Xeon covers, but they are older Xeons as well.
tboot will overwrite the BIOS SINIT if a module is newer. The CFL SINIT is newer in this case. Let me look for a firmware update. Hmmm, maybe I can get the TXT errorcode, too. |
|
Updated with latest Intel ACMs released today. |
|
Updated to include missing changes to the openxt.cfg file referencing the names of the new SINITs. |
|
Added commit that uses |
recipes-security/acms/acms.bb
Outdated
| ${OPENXT_MIRROR}/CFL_SINIT_20221220_PRODUCTION_REL_NT_O1_1.10.1_signed.bin;downloadfilename=cfl_wkl_cml.bin;name=cfl_wkl_cml \ | ||
| ${OPENXT_MIRROR}/CML_S_SINIT_1_13_33_REL_NT_O1.PW_signed.bin;downloadfilename=cml_s.bin;name=cml_s \ | ||
| ${OPENXT_MIRROR}/CMLSTGP_SINIT_v1_14_39_20211214_REL_NT_O1.PW_signed.bin;downloadfilename=cml_s_tgp.bin;name=cml_s_tgp \ | ||
| ${OPENXT_MIRROR}/RKLS_SINIT_v1_14_46_20220818_REL_NT_O1.PW_signed.bin;downloadfilename=rkls.bin;name=rkls \ |
There was a problem hiding this comment.
RKLS failed to download - it's 20220819.
630744_003 also has:
CML_RKL_S_SINIT_v1.13.33_REL_NT_O1.PW_signed.bin
CMLSTGP_SINIT_v1_14_46_20220819_REL_NT_O1.PW_signed.bin
which are not on the mirror or included here in SRC_URI.
There was a problem hiding this comment.
The three CML_* files are identical:
5670905f72d7415fad97eb02bd994ae75c15ceec 630744_002/CML_S_SINIT_1_13_33_REL_NT_O1.PW_signed.bin
5670905f72d7415fad97eb02bd994ae75c15ceec 630744_003/CML_RKL_S_SINIT_v1.13.33_REL_NT_O1.PW_signed.bin
5670905f72d7415fad97eb02bd994ae75c15ceec 630744_003/CML_S_SINIT_1_13_33_REL_NT_O1.PW_signed.bin
There was a problem hiding this comment.
My mistake on the 20220819. Pushing a fix for that. The change to v1_14_46 for CMLSTGP slipped past me, pushing a fix for that as well. It'll also go up on the mirror.
Not sure why they have 2 versions of the same sinit, but the CML_RKL_S isn't on the 630744_ACM_PlatformList_003.pdf, only the CML_S_SINIT_1_13_33 is. So I'm going to advocate for only listing that one in the SRC_URI and chalk up the inclusion of the other one to user error on Intel's part.
|
Something else is wrong with an OTA. Ugh, the installer: https://github.com/OpenXT/installer/blob/e20749637d9a8016af6721d4bc3968cd5978c60a/part2/stages/Functions/install-main#L639 |
crogers1
force-pushed
the
update-acms
branch
from
bb577ca to
1674c67
Compare
Hmm, guess we'll have to drop that line. |
Signed-off-by: Chris Rogers <[email protected]>
with the new names of the SINITs. We use the renamed versions of the bins since they'll exist on the ESP under those names. Signed-off-by: Chris Rogers <[email protected]>
New SINIT modules no longer have the well known fingerprint that starts with c22c443. Instead, we can use the acminfo tool and check the return code to know whether or not the module being processed is a SINIT. Signed-off-by: Chris Rogers <[email protected]>
crogers1
force-pushed
the
update-acms
branch
from
1674c67 to
e6ddf4b
Compare
|
Updated acm hashes for the CMLSTGP |
This PR introduces Intel's latest ACMs released here: https://www.intel.com/content/www/us/en/developer/articles/tool/intel-trusted-execution-technology.html version 630744 into OpenXT.
The first commit updates the URLs to these ACMs on the mirror, and it also gives them new names which are abbreviations of the cpu codename they apply to. It also updates the hashes and starts tracking a license file from a recent ACM since the 630744 version no longer distributes the ACMs bundled with their error codes and individual license files.
The second commit updates their usage in isolinux and pxelinux cfgs. The installer.git code doesn't need to be updated as the ACMs are built into the dom0 image under /boot, and copied to the ESP for EFI boot in the function
copy_to_esp()inpart2/stages/functions/install-main