No ability to change active PCR banks with TPM PPI in FW

[johanes2115]

Device

novacustom nv41 ADL

Dasharo version

v1.7.0

Affected component(s) or functionality

TPM

Brief summary

In TCG configuration, after changing active PCR bank and restarting the device, TPM state change request prompt does not appear and the settings go back to values before the change.

How reproducible

100%

How to reproduce

1. Power on the device
2. Enter the BIOS
3. Go into Device Manager -> TCG2 Configuration
4. Change active PCR banks
5. Save settings and restart the device

Expected behavior

TPM state change request prompt should appear and and active PCR banks should change.

Actual behavior

TPM state change request prompt does not appear and and active PCR banks remain the same.

Screenshots

No response

Additional context

No response

Solutions you've tried

No response

[macpijan]

This also has not worked with the previous releases, such as v1.6.0 on NV4x ADL. This should probably be moved to the next releases, not the hotfix ones.

[filipleple]

still occurs on MSI ZX90 for both respective v1.1.3 and v0.9.1 releases

[miczyg1]

Indeed, it is not working on Z790-P v0.9.1, but worked on v0.9.0. We might have some regression either in edk2 payload or coreboot side after rebase...

[filipleple]

same for VP4670, the protectli_vault_cml_v1.1.0_vp46xx (coreboot 4.21 rebase) binary

[arturkow2]

Should be fixed by https://github.com/Dasharo/edk2/pull/164.

[macpijan]

Should be fixed by https://github.com/Dasharo/edk2/pull/164.

On which platform it's been tested?

[miczyg1]

Also applied on rebased branch: https://github.com/Dasharo/edk2/pull/165

On which platform it's been tested?

Tetsed on VP4650 (old EDK2) and VP4670 (rebased EDK2)

[mkopec]

Bug still happens on NovaCustom V56 even with the fix

[miczyg1]

Bug still happens on NovaCustom V56 even with the fix

If the laptop does some kind of power cycle on reset, then it will not work. It solely depends on warm reset not trashing the memory.

[krystian-hebel]

Shouldn't this issue be reopened based on https://github.com/Dasharo/dasharo-issues/issues/521#issuecomment-2389033122? What is the current state?

[macpijan]

@mkopec should we reopen?

[miczyg1]

@mkopec @macpijan it was fixed in December: https://github.com/Dasharo/edk2/pull/198 While the comment https://github.com/Dasharo/dasharo-issues/issues/521#issuecomment-2389033122 is from October

[mkopec]

Okay, then we'll retest on a novacustom laptop and see if it's fixed

[krystian-hebel]

I think we need to define clear rules as to when the issue should be closed, i.e. whether it should be closed:

• after the fix lands on dasharo branch - but then older releases could potentially have a link to issue that is marked as resolved
• after any release with the fix (and positive test results, preferably with proof better than "it works" comment) is published
• after releases for all tagged platforms containing the fix are released - but some platforms may be impacted, but not tested
• something else?

In any case, it would be nice to have a list somewhere in the issue saying in which release for given platform the problem was fixed.

[philipanda]

Changing the active PCR banks via UEFI Setup menu works on NV41PZ (edit: and NS70PU) Alderlake with Dasharo v1.8.0-rc3. When switching to either:

• SHA1
• SHA256
• SHA1, SHA256
• None The prompt appears.

Every combination apart from none works. When trying to disable all the PCR banks, the change is not applied and the state is not changed.