t420-maximized boards: build against coreboot 4.13

[natterangell]

Bump Coreboot to version 4.13 and enable measured boot. This obviates the need for coreboot 4.8.1 0030-sandybridge.patch

Tested and verified here.

Would be nice to get confirmation from other board owners. Tagging @SebastianMcMillan @alexmaloteaux

[tlaurion]

@SebastianMcMillan @alexmaloteaux : measured boot output here:

#692 (comment)

[tlaurion]

@SebastianMcMillan @alexmaloteaux since I do not own the board, I would need at least one confirmation prior of merging and moving CI config for that board to depend on 4.13 material on CircleCI.

[tlaurion]

CircleCI build happening here: https://app.circleci.com/pipelines/github/tlaurion/heads/732/workflows/812c5598-47ca-49e1-9819-6dd2f985d633

Note: CircleCI config didn't have to be changed, since t420 builds (and all others) depend on librem_mini build cache, which is coreboot 4.13.

Artifacts will be available there in like 8 hours (caches get deleted after 30 days of uselessness [not used by another build])

[tlaurion]

CircleCI builds can be seen here:
t420-maximized: https://app.circleci.com/pipelines/github/tlaurion/heads/732/workflows/812c5598-47ca-49e1-9819-6dd2f985d633/jobs/1072
t420-hotp-maximized: https://app.circleci.com/pipelines/github/tlaurion/heads/732/workflows/812c5598-47ca-49e1-9819-6dd2f985d633/jobs/1072

Build artifacts (roms) resulting of this PR can be downloaded here:
t420-maximized: https://app.circleci.com/pipelines/github/tlaurion/heads/732/workflows/812c5598-47ca-49e1-9819-6dd2f985d633/jobs/1078/artifacts
t420-hotp-maximized: https://app.circleci.com/pipelines/github/tlaurion/heads/732/workflows/812c5598-47ca-49e1-9819-6dd2f985d633/jobs/1078/artifacts

As current board config, only the full rom is created. Will need to fix that....
EDIT: This is one single SPI flash chip board; nevermind.

[tlaurion]

@akfhasodh have you tested this under #999 ?

[tlaurion]

@akfhasodh have you tested this under #999 ?

@akfhasodh Is that what was tested under #1004 ? Or master over coreboot 4.8.1?

[tlaurion]

@akfhasodh can I add you under #692 for the t420 board?
Will rebase @natterangell branch on master and link the new build happening here.
EDIT: No rebasing was needed. No adaptation of CircleCI config needed either.

Will then edit the post with links to fully internally flashable rom from CircleCI.
EDIT: Fresh build happening here. Will take a while, there are no cache since last commit (and build) was more then 30 days ago.

EDIT: as stated #1004 (comment), this is desired change for a while. Initial Heads project introduced measured boot on earlier coreboot. Later coreboot version introduced measuredboot on top of verified boot (4.11 I think) where coreboot 4.13 offeres measured boot without verified boot, which permits to drop initial patchset referred in OP, where most of the patches that were needed to be applied on top of coreboot were merged upstream since then, resulting in Heads becoming more and more a coreboot payload, without being patches to coreboot+ linux payload, as can be witnessed when comparing the patches directories of coreboot 4.8.1 vs 4.13.

Measurements of the firmware are now more visible thanks to upstreamed effort.
Expectations and output were documented in another port where now Heads only takes coreboot self measurements and uses them through totp and seal unseal scripts.

[akfhasodh]

@tlaurion yes

[tlaurion]

@akfhasodh a build occured for the same coomit id (3e13af1) 29 days ago for which artifacts exists:
https://app.circleci.com/pipelines/github/tlaurion/heads/732/workflows/812c5598-47ca-49e1-9819-6dd2f985d633/jobs/1072/artifacts
Where direct link to internally fully flashed rom for t420 maximized HOTP board is here (if you have a Nitrokey Pro/Nitrokey Storage or Librem Key):
https://1072-103208611-gh.circle-artifacts.com/0/build/t420-maximized/heads-t420-maximized-v0.2.0-1040-g3e13af1.rom

The actual build "should" result in the same hashes.txt file output since from same CI.
You can wait for the next build to finish or test this one.

EDIT:
Nevermind. Those will not be reproducible, because busybox is not giving the same hashes for already compiled coreboot-qemu board targets
hashes_new.txt
hashes_old.txt

In all case, it seems that no rom will be reproducible even on the same host since busybox includes timestamps of its build.

[akfhasodh]

@tlaurion The issue TOTP/HOTP inconsistency issue still persists on the 4.13 rom. Maybe its an issue with my hardware itself?

[tlaurion]

What measurement change between boots?

[tlaurion]

@akfhasodh: Can you please:

1. Validate that you kept settings at reflash (including your public key and /etc/config.user overlay)
2. Reset TPM from GUI (will generate new Qr Code and seal secret to USB Security dongle through HOTP). Save/rename TOTP entree in phone. Reboot.
3. Regenerate TOTP/HOTP through GUI. Will generate a Qr code. Scan it under new name. Those two entree SHOULD give the same TOTP (result of measurements) since we are talking about the same ROM here with same components measured.

Going into the recovery console is invalidating TOTP unsealing by modifying PCR4.
The measurements calculated with coreboot and exposed through TCPA logs should advise us into what is changing in ROM or if TPM is misbehaving.

[tlaurion]

Reviewed tested x230-hotp-maximized board config and coreboot changes which didn't add anything special compared to the t420-hotp-maximized board and coreboot config changes.

Building here and will retest cbmem and other notes to test my own procedures before asking you to redo.

Build is happening here, reusing cache from yesterday build: https://app.circleci.com/pipelines/github/tlaurion/heads/739/workflows/05a5c7c0-8718-4497-99c6-1d63f385cb15/jobs/1159

[tlaurion]

@akfhasodh running
cbmem -c at the recovery shell should give your output with the actual measurements being extended in PCR-2.

I would love to see those when it fails, and when it succeeds on coreboot 4.13 t420-hotp-maximized rom

[akfhasodh]

@tlaurion Turns out the instability was only something I would experience at the beginning, as all my subsequent boots for the past two days have had successful TOTP/HOTP unseals. If I come across the issue again, I will definitely send the differences in cbmem.

[akfhasodh]

@tlaurion It started again, and it got worse, After I attempted updating qubes dom0 (and failed), I decided to reboot. Upon the reboot I was met with the same issue of inconsistent unseals. But, once I got a proper unseal, it showed a red screen with the TOTP code displayed, and "HOTP: Invalid code". Up until the failed update things were working fine, unfortunately, I forgot to save the TOTP verification to my phones authenticator, is it possible for heads to have been tampered with without physical access?

[tlaurion]

@akfhasodh running
cbmem -c at the recovery shell should give your output with the actual measurements being extended in PCR-2.

I would love to see those when it fails, and when it succeeds on coreboot 4.13 t420-hotp-maximized rom

@akfhasodh do you have before/after PCR-2 measurements?

It would be useful to have reports from other t420 owners here.

is it possible for heads to have been tampered with without physical access?

Highly doubtful, while still possible. But highly improbable (iomem=relaxed comment there):

[user@dom0 ~]$ sudo qubes-dom0-update flashrom
Using sys-whonix as UpdateVM to download updates for Dom0; this may take some time...
qubes-contrib-dom0-r4.0-current                             | 3.0 kB  00:00     
updates/metalink                                            | 2.5 kB  00:00     
--> Running transaction check
---> Package flashrom.x86_64 0:0.9.9-2.fc25 will be installed
--> Processing Dependency: libftdi1.so.2()(64bit) for package: flashrom-0.9.9-2.fc25.x86_64
--> Running transaction check
---> Package libftdi.x86_64 0:1.3-2.fc25 will be installed
--> Finished Dependency Resolution
flashrom-0.9.9-2.fc25.x86_64.rpm                            | 202 kB  00:00     
libftdi-1.3-2.fc25.x86_64.rpm                               |  50 kB  00:00     
Successfully verified /var/lib/qubes/dom0-updates/packages/flashrom-0.9.9-2.fc25.x86_64.rpm
Successfully verified /var/lib/qubes/dom0-updates/packages/kernel-5.4.129-1.fc25.qubes.x86_64.rpm
Successfully verified /var/lib/qubes/dom0-updates/packages/kernel-qubes-vm-5.4.129-1.fc25.qubes.x86_64.rpm
Successfully verified /var/lib/qubes/dom0-updates/packages/libftdi-1.3-2.fc25.x86_64.rpm
Qubes OS Repository for Dom0                     49 MB/s |  77 kB     00:00    
Dependencies resolved.
================================================================================
 Package        Arch         Version              Repository               Size
================================================================================
Installing:
 flashrom       x86_64       0.9.9-2.fc25         qubes-dom0-cached       199 k
 libftdi        x86_64       1.3-2.fc25           qubes-dom0-cached        46 k

Transaction Summary
================================================================================
Install  2 Packages

Total size: 245 k
Installed size: 702 k
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : libftdi-1.3-2.fc25.x86_64                                   1/2 
/sbin/ldconfig: File /lib64/libkdeinit5_kmix.so is empty, not checked.
/sbin/ldconfig: File /lib64/libkdeinit5_kmixctrl.so is empty, not checked.
/sbin/ldconfig: File /lib64/libkdeinit5_dolphin.so is empty, not checked.
/sbin/ldconfig: File /lib64/libkdeinit5_ksysguard.so is empty, not checked.
  Installing  : flashrom-0.9.9-2.fc25.x86_64                                2/2 
Running as unit: run-r50c6de657fdf4997afb95f5a24399415.service
  Verifying   : flashrom-0.9.9-2.fc25.x86_64                                1/2 
  Verifying   : libftdi-1.3-2.fc25.x86_64                                   2/2 

Installed:
  flashrom.x86_64 0.9.9-2.fc25             libftdi.x86_64 1.3-2.fc25            

Complete!
[user@dom0 ~]$ sudo flashrom -p internal
flashrom v0.9.9-r1955 on Linux 5.4.125-1.fc25.qubes.x86_64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... delay loop is unreliable, trying to continue OK.
Error accessing high tables, 0x100000 bytes at 0x00000000bff22000
/dev/mem mmap failed: Operation not permitted
Failed getting access to coreboot high tables.
Error accessing DMI Table, 0x1000 bytes at 0x00000000bfeec000
/dev/mem mmap failed: Operation not permitted
Segmentation fault
[user@dom0 ~]$ sudo flashrom -p internal --force
flashrom v0.9.9-r1955 on Linux 5.4.125-1.fc25.qubes.x86_64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
Error accessing high tables, 0x100000 bytes at 0x00000000bff22000
/dev/mem mmap failed: Operation not permitted
Failed getting access to coreboot high tables.
Error accessing DMI Table, 0x1000 bytes at 0x00000000bfeec000
/dev/mem mmap failed: Operation not permitted
Segmentation fault

[user@dom0 ~]$ sudo dnf remove flashrom
Dependencies resolved.
=======================================================================================================================================
 Package                      Arch                       Version                          Repository                              Size
=======================================================================================================================================
Removing:
 flashrom                     x86_64                     0.9.9-2.fc25                     @qubes-dom0-cached                     605 k
 libftdi                      x86_64                     1.3-2.fc25                       @qubes-dom0-cached                      96 k

Transaction Summary
=======================================================================================================================================
Remove  2 Packages

Installed size: 702 k
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Erasing     : flashrom-0.9.9-2.fc25.x86_64                                                                                       1/2 
  Erasing     : libftdi-1.3-2.fc25.x86_64                                                                                          2/2 
/sbin/ldconfig: File /lib64/libkdeinit5_kmix.so is empty, not checked.
/sbin/ldconfig: File /lib64/libkdeinit5_kmixctrl.so is empty, not checked.
/sbin/ldconfig: File /lib64/libkdeinit5_dolphin.so is empty, not checked.
/sbin/ldconfig: File /lib64/libkdeinit5_ksysguard.so is empty, not checked.
Running as unit: run-r912f1244e2d64817b8fcddd16919235b.service
  Verifying   : libftdi-1.3-2.fc25.x86_64                                                                                          1/2 
  Verifying   : flashrom-0.9.9-2.fc25.x86_64                                                                                       2/2 

Removed:
  flashrom.x86_64 0.9.9-2.fc25                                        libftdi.x86_64 1.3-2.fc25                                       

Complete!

[akfhasodh]

@tlaurion
this one, I believe is when it was working properly:

And this one is not:

Although I may have mixed these up.

[tlaurion]

@akfhasodh payload measurements are different

[akfhasodh]

@tlaurion What does this mean?

[tlaurion]

Are those measurements stable across reboots?

There was issue created in the past when CBFS regions mismatched available/used space for measured CBFS regions. One hypothesis here would be that coreboot measurements of the region mismatches reality.

Coreboot 4.13 uses TCPA logs to output the TPM measurements into cbmem.

I would recommend reflashing internally, resetting TPM, resealing TOTP/HOTP, and taking a screenshot of cbmem when it works. And then retaking a snapshot when it doesn't.

There is a larger PR trying to bring Heads based on coreboot 4.13 altogether. The T420 and x220 use the same defined CBFS regions.

I would need other board owners output and bug replication to know if there is an issue for xx20 boards and CBFS region.

The payload measurements should not change in time. So something is weird here and needs to be diagnosed.

Using CI builds would be recommended to have exactly the same hashes:
#1015 (comment)

[tlaurion]

Superseded by #1015