On Wed, 2024-11-27 at 07:46 +0100, Jiri Slaby wrote: > Cc TPM + EFI guys. > > On 17. 11. 24, 23:26, Linus Torvalds wrote: > > But before the merge window opens, please give this a quick test to > > make sure we didn't mess anything up. The shortlog below gives you > > the > > summary for the last week, and nothing really jumps out at me. A > > number of last-minute reverts, and some random fairly small fixes > > fairly spread out in the tree. > > Hi, > > there is a subtle bug in 6.12 wrt TPM (in TPM, EFI, or perhaps in > something else): > https://bugzilla.suse.com/show_bug.cgi?id=1233752 > > Our testing (openQA) fails with 6.12: > https://openqa.opensuse.org/tests/4657304#step/trup_smoke/26 > > The last good is with 6.11.7: > https://openqa.opensuse.org/tests/4648526 > > In sum: > TPM is supposed to provide a key for decrypting the root partitition, > but fails for some reason. > > It's extremely hard (so far) to reproduce outside of openQA (esp. > when > trying custom kernels). > > Most of the 6.12 TPM stuff already ended in (good) 6.11.7. I tried to > revert: > 423893fcbe7e tpm: Disable TPM on tpm2_create_primary() failure > from 6.12 but that still fails. > > We are debugging this further, this is just so you know. > > Or maybe you have some immediate ideas? Well, it looks like you eliminated the TPM changes: https://bugzilla.suse.com/show_bug.cgi?id=1233752#c6 So it must be something in the logging or event recording code. The first thing to check is can you run a replay of the log to get the end PCR values? The binary for that is tsseventextend -sim -v -if /sys/kernel/security/tpm0/binary_bios_measurements You'll have to check the values it gives against the values in /sys/class/tpm/tpm0/tpm-sha256 Probably also check sha1 to see if it matches. Regards, James
