
Add support for Acer Chromebook 515 Plus (CB515-2H) / Google Omnigul Platform

Open mdrobnak opened this issue 1 year ago • 8 comments

Implementation of Issue https://github.com/linuxboot/heads/issues/1663.

This is implemented using the @MrChromebox Coreboot. Linux 6.1.90, Linux 6.5.13, 6.6.30 all work to recognize the UFS storage. This PR uses 6.6.30.

Version 4.22.01 of Coreboot does not have the Intel ME, VBT, or Flash Descriptor, thus MrChromeBox is used.

Items tested:

  • [x] GOP Driver working. No issues booting to Qubes or Ubuntu, splash screen works.
  • [x] Update checksums and sign all files in /boot
  • [x] TPM Measured Boot
  • [x] TOTP Code
  • [ ] HOTP Code (No key to test with)
  • [ ] TPM Disk Encryption Key does not work.
  • [x] Flash Upgrade from UI with Config Save
  • [x] USB Boot
  • [x] System Info - Partial. Disk Size incorrect.
  • [x] Generate new TOTP/HOTP Secret
  • [x] Reset TPM
  • [x] Change Configuration Settings [ Not all Options Tested ]
  • [x] Enable Debug
  • [x] Add / Remove GPG Key from BIOS
  • [x] Power Down

Issues:

  • Sealing Disk Unlock Key into TPM does not work.

Configuration Sources:

  • Linux configuration based on linux-nitropad-x.config.
  • Coreboot configuration based on the MrChromeBox UEFI configuration, modified to have a Linux payload as per the wiki's instructions.

mdrobnak avatar Apr 30 '24 04:04 mdrobnak

@mdrobnak nice!

  • sign your commits and do commit --signoff
  • add the board under .circleci/config.yml

We will move on from there? You can also join the matrix channel and ping me from there, while I prefer PRs to be examples for board porting.

tlaurion avatar May 01 '24 22:05 tlaurion

Ok I'll get this going shortly.

mdrobnak avatar May 01 '24 23:05 mdrobnak

@mdrobnak please merge master into this branch and keep this PR updated with the most verbose trail of what your state is; others might chime in and make your progress less lonely :)

tlaurion avatar May 24 '24 19:05 tlaurion

Disk Unlock:

user@heads-devel:/media$ cat cbmem_L.log 
TPM2 log:
	Specification: 2.00
	Platform class: PC Client
TPM2 log entry 1:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 648fd22dbf689a7facd6f6935170dd740bce45c36a7831032e71eb180078ab0c
	Event data: FMAP: FMAP
TPM2 log entry 2:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 03796d2e280f07673cb9f6c013443378ffb8290ea709babb83550af82fc940cd
	Event data: CBFS: bootblock
TPM2 log entry 3:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: e2fee1a8472d4986e5a142c5d15f162835854ea772f0e86d1379a554d4f4ea21
	Event data: CBFS: fallback/romstage
TPM2 log entry 4:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 20f555dbb6678b91b75f4d635df597bca7cc6cf2ff477e22bc6e1df6bbea61cb
	Event data: CBFS: fspm.bin
TPM2 log entry 5:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 7c52722fdf3eb612144c9e3747fe05dbbcf9e02811a505f6cdd33494da78fc1d
	Event data: CBFS: spd.bin
TPM2 log entry 6:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 388468b7b064bf27b13e49d91f6c80d6313a1ea226d9ebfc82aa260382d1bb30
	Event data: CBFS: fallback/postcar
TPM2 log entry 7:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: ad2053fd5b97f52d3a25edea9500ba0f697accd467d9a6e0f7a3bc22c0a8270b
	Event data: CBFS: fallback/ramstage
TPM2 log entry 8:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 970fbc1d69d801604a09967036dbf1c07c514c30a2835a4a53a5295372346b88
	Event data: CBFS: cpu_microcode_blob.bin
TPM2 log entry 9:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 3dc0ba24e5dd1c8a2d7880cf6e40e169eb92e193b68d838ad69be08f6cc9a2a6
	Event data: CBFS: fsps.bin
TPM2 log entry 10:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 83c94bebba28305531ac7fa841f5075754fec72582fb8ef770e81bd430aadc49
	Event data: CBFS: vbt.bin
TPM2 log entry 11:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: c9b940f1866ecd4fb8f23a622a17b1b42b59be2dff09d7bc8e8e1a9fb62a8c5b
	Event data: CBFS: fallback/dsdt.aml
TPM2 log entry 12:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 2f045194201a13dcffaadf1b295b5d8b156a51e7ca8fb93b05c8927bc2391d9e
	Event data: CBFS: bootsplash.jpg
TPM2 log entry 13:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 42e8453008e55c6383763e0ea91699203443bc52ccb259e8185a3ae3d861d3f8
	Event data: CBFS: fallback/payload
user@heads-devel:/media$ 

Attaching debug.log as that's larger. debug.log

mdrobnak avatar May 28 '24 16:05 mdrobnak
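The cbmem event log above can be replayed to obtain the PCR 2 value the firmware should have produced, which is what to compare against `tpm2_pcrread sha256:2` when measured boot is in doubt. This is an added example, not Heads code; the sample log is constructed from the first two entries quoted above, and the parser expects cbmem's "TPM2 log" layout as shown there.

```python
import hashlib
import re

# Added example (not Heads code): parse the cbmem "TPM2 log" listing and replay the SHA256
# extends per PCR. Sample log constructed from the first two entries quoted in the thread.
SAMPLE_LOG = """\
TPM2 log:
\tSpecification: 2.00
\tPlatform class: PC Client
TPM2 log entry 1:
\tPCR: 2
\tEvent type: Action
\tDigests:
\t\t SHA256: 648fd22dbf689a7facd6f6935170dd740bce45c36a7831032e71eb180078ab0c
\tEvent data: FMAP: FMAP
TPM2 log entry 2:
\tPCR: 2
\tEvent type: Action
\tDigests:
\t\t SHA256: 03796d2e280f07673cb9f6c013443378ffb8290ea709babb83550af82fc940cd
\tEvent data: CBFS: bootblock
"""

ENTRY_RE = re.compile(r"TPM2 log entry (\d+):")
FIELD_RE = re.compile(r"^\s*(PCR|Event type|SHA256|Event data):\s*(.*)$")
KEYS = {"PCR": "pcr", "Event type": "type", "SHA256": "sha256", "Event data": "data"}


def parse_cbmem_tpm_log(text):
    """Return one dict per entry: index, pcr (int), type, sha256 (hex), data."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"index": int(m.group(1))})
        elif entries and (m := FIELD_RE.match(line)):  # header lines before entry 1 are skipped
            key, val = m.group(1), m.group(2).strip()
            entries[-1][KEYS[key]] = int(val) if key == "PCR" else val
    return entries


def extend(pcr_value, digest_hex):  # TPM2_PCR_Extend: new = SHA256(old || digest)
    return hashlib.sha256(pcr_value + bytes.fromhex(digest_hex)).digest()


def replay_pcrs(entries):
    """Replay all entries in log order from all-zero PCRs; returns {pcr: hex value}."""
    pcrs = {}
    for e in entries:
        pcrs[e["pcr"]] = extend(pcrs.get(e["pcr"], bytes(32)), e["sha256"])
    return {k: v.hex() for k, v in pcrs.items()}
```

Feed it the full 13-entry log from `cat cbmem_L.log` and the PCR 2 result should match the live TPM; a mismatch points at an entry whose measured digest differs from what the firmware actually extended.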

As written under matrix thread for this updated PR at https://matrix.to/#/!pAlHOfxQNPXOgFGTmo:matrix.org/$VKP1ynETRMavsOqy3SqUf_nadPUgyoSC9H_13y8Dpjo?via=matrix.org&via=nitro.chat&via=fairydust.space

The white rabbit to be followed is why the CR50 TPM refuses to add the TPM DUK NV region into the TPM, which doesn't seem to be supported on CR50; not sure why:

TRACE: /bin/tpmr(32): main
TRACE: /bin/tpmr(413): tpm2_seal
DEBUG: tpm2_seal: file=/tmp/secret/secret.key handle=0x81000003 pcrl=0,1,2,3,4,5,6,7 pcrf=/tmp/secret/pcrf.bin pass=<hidden>
LOG: tpmr stderr: WARNING:esys:src/tss2-esys/api/Esys_PolicyPassword.c:292:Esys_PolicyPassword_Finish() Received TPM Error 
LOG: tpmr stderr: ERROR:esys:src/tss2-esys/api/Esys_PolicyPassword.c:106:Esys_PolicyPassword() Esys Finish ErrorCode (0x000b0143) 
LOG: tpmr stderr: ERROR: Esys_PolicyPassword(0xB0143) - rmt:error(2.0): command code not supported
LOG: tpmr stderr: ERROR: Could not build policyauthvalue TPM
LOG: tpmr stderr: ERROR: Unable to run policypassword

tlaurion avatar May 28 '24 19:05 tlaurion
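The 0x000b0143 code in the trace above can be decoded mechanically: the upper byte 0xB is the tpm2-tss "rmt" layer (a TPM response code passed back through the resource manager path) and the low 12 bits 0x143 are TPM_RC_COMMAND_CODE, which is what a TPM returns for a command it does not implement, here TPM2_PolicyPassword. The decoder below is an added example, not Heads' tpmr code; the layer numbers follow tpm2-tss tss2_common.h, the response-code tables are a subset of TPM 2.0 Part 2 section 6.6, and the sample lines are the two quoted in this thread.

```python
import re

# Added example (not Heads/tpmr code): decode the TSS2 return code that tpmr logs,
# e.g. "Esys Finish ErrorCode (0x000b0143)", into its software layer and TPM response code.
# Layer numbers follow tpm2-tss tss2_common.h (rc >> 16); the names are those tss2_rc prints.
LAYERS = {0: "tpm", 6: "fapi", 7: "esapi", 8: "sys", 9: "mu", 10: "tcti", 11: "rmt", 12: "rm"}
# Subset of TPM 2.0 Part 2 (section 6.6) response codes relevant to sealing, NV and auth.
FMT0 = {0x25: "TPM_RC_AUTH_MISSING", 0x26: "TPM_RC_POLICY", 0x27: "TPM_RC_PCR",
        0x28: "TPM_RC_PCR_CHANGED", 0x43: "TPM_RC_COMMAND_CODE",
        0x49: "TPM_RC_NV_AUTHORIZATION", 0x4B: "TPM_RC_NV_SPACE", 0x4C: "TPM_RC_NV_DEFINED"}
FMT1 = {0x04: "TPM_RC_VALUE", 0x0B: "TPM_RC_HANDLE", 0x0E: "TPM_RC_AUTH_FAIL",
        0x1D: "TPM_RC_POLICY_FAIL", 0x22: "TPM_RC_BAD_AUTH"}
WARN = {0x20: "TPM_RC_NV_RATE", 0x21: "TPM_RC_LOCKOUT", 0x23: "TPM_RC_NV_UNAVAILABLE"}
RC_RE = re.compile(r"\((0x[0-9A-Fa-f]+)\)")


def decode_tpm_rc(rc):
    """Return (name, detail) for the low 12 bits of a TPM2 response code."""
    rc &= 0xFFF
    if rc & 0x080:                      # bit 7 (F) set: format 1, error number in bits 0-5
        err, n = rc & 0x3F, (rc >> 8) & 0xF
        if rc & 0x040:                  # bit 6 (P) set: N indexes a parameter ...
            where = f"parameter {n}"
        else:                           # ... otherwise a handle (N < 8) or session (N - 8)
            where = f"handle {n}" if n < 8 else f"session {n - 8}"
        return FMT1.get(err, f"RC_FMT1+0x{err:02x}"), where
    if not rc & 0x100:                  # bit 8 (V) clear: TPM 1.2-style code, not decoded here
        return f"TPM1.2 code 0x{rc:03x}", "legacy"
    err = rc & 0x7F                     # format 0: error number in bits 0-6
    if rc & 0x800:                      # bit 11 (S) set: warning rather than error
        return WARN.get(err, f"RC_WARN+0x{err:02x}"), "warning"
    return FMT0.get(err, f"RC_VER1+0x{err:02x}"), "error"


def decode_tss2_rc(value):
    """Split a TSS2_RC into (layer name, TPM RC name, detail)."""
    layer = (value >> 16) & 0xFF
    name, detail = decode_tpm_rc(value)
    return LAYERS.get(layer, f"layer{layer}"), name, detail


def decode_tpmr_log(lines):
    """Decode every tpmr stderr line that carries a parenthesised return code."""
    found = [RC_RE.search(line) for line in lines]
    return [decode_tss2_rc(int(m.group(1), 16)) for m in found if m]


# Constructed sample: the two error lines quoted in this thread.
SAMPLE = [
    "LOG: tpmr stderr: ERROR:esys:src/tss2-esys/api/Esys_PolicyPassword.c:106:Esys_PolicyPassword() Esys Finish ErrorCode (0x000b0143) ",
    "LOG: tpmr stderr: ERROR: Esys_PolicyPassword(0xB0143) - rmt:error(2.0): command code not supported",
]
```

To confirm the missing command independently of tpmr, `tpm2_getcap commands` lists the command codes the TPM implements; TPM2_CC_PolicyPassword is 0x18C, so its absence from that list is the direct evidence.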

Attached are two files:

  • debug_reset_tpm_sign_reboot.log: boot, reset TPM, sign /boot files, copy logs, reboot.
  • debug_after_reboot_attempt_duk_seal.log: after rebooting, go to OS boot menu, set default, attempt to add Disk Unlock Key.

mdrobnak avatar May 28 '24 20:05 mdrobnak

TL;DR: Chromebooks have an fTPM which differs from a dTPM (documentation and understanding are missing for it to be supported correctly by the TPM toolstack), correct @mdrobnak?

Putting this as draft until this is worked on separately.

tlaurion avatar Aug 07 '24 15:08 tlaurion

@mdrobnak revisiting because interest at https://matrix.to/#/!pAlHOfxQNPXOgFGTmo:matrix.org/$E4N2td-clfQq3IP4F4v_04oSLABpj-Kcm5rNVvDgi30?via=matrix.org&via=nitro.chat&via=envs.net

Not all boards support TPM DUK, and it can today be deactivated as a possibility through CONFIG_TPM_NO_LUKS_DISK_UNLOCK, which can be added into the board config, as can be seen checked at https://github.com/linuxboot/heads/blob/b28c257b851c880f5dc2c4adf0c47377026529cb/initrd/bin/kexec-save-default#L190

Until TPM DUK (the separate secret-sealing NVRAM region issue) is figured out, could Chromebooks be supported with this feature missing? Thoughts?

tlaurion avatar Sep 06 '24 14:09 tlaurion