Drop tboot builderv2

[krystian-hebel]

No description provided.

[miczyg1]

It installed well without tboot. The only thing that doesn't work is the grub.cfg generation. It looks like grub2-mkconfig doesn't look at /etc/grub.d/19_linux_xen_trenchboot at all despite the file is there @krystian-hebel

[krystian-hebel]

It looks like grub2-mkconfig doesn't look at /etc/grub.d/19_linux_xen_trenchboot at all despite the file is there

I guess it has to do with file permissions. I changed https://github.com/TrenchBoot/qubes-antievilmaid/pull/4/files#diff-178386e8f730612b1192d7523b609267412f90efe0feeebf30125657ce74b52dL67, it used to point to non-existing file, and it is later used in few chmod instructions.

[miczyg1]

@krystian-hebel also what doesn't work is the slaunch_module command. GRUB says that slaunch_module command does not exist. I recall it has been dropped at some point. Can you confirm?

My GRUB menuentry:

menuentry 'TrenchBoot AEM Qubes, with Xen hypervisor' --class qubes --class gnu-linux --class gnu --class os --class xen $menuentry_id_option 'xen-gnulinux-simple-/dev/mapper/qubes_dom0-root' {
	insmod part_msdos
	insmod ext2
	set root='hd0,msdos1'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  621aa9eb-a008-43dd-b07e-70bf0f482beb
	else
	  search --no-floppy --fs-uuid --set=root 621aa9eb-a008-43dd-b07e-70bf0f482beb
	fi
	echo	'Slaunch ...'
	slaunch
	echo	'Loading Xen 4.17.2 ...'
        if [ "$grub_platform" = "pc" -o "$grub_platform" = "" ]; then
            xen_rm_opts=
        else
            xen_rm_opts="no-real-mode edd=off"
        fi
	insmod multiboot2
	multiboot2	/xen-4.17.2.gz placeholder  console=none dom0_mem=min:1024M dom0_mem=max:4096M ucode=scan smt=off gnttab_max_frames=2048 gnttab_max_maptrack_frames=4096 ${xen_rm_opts}
	echo	'Loading Linux 6.1.43-1.qubes.fc37.x86_64 ...'
	module2	/vmlinuz-6.1.43-1.qubes.fc37.x86_64 placeholder root=/dev/mapper/qubes_dom0-root ro rd.luks.uuid=luks-e8e8bdd1-ff6a-4053-85db-40ffe7cbc248 rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap plymouth.ignore-serial-consoles rd.net.dhcp.vendor-class=anaconda-Linux 6.1.43-1.qubes.fc37.x86_64 x86_64 rd.driver.pre=btrfs rhgb quiet usbcore.authorized_default=1 
	echo	'Loading initial ramdisk ...'
	insmod multiboot2
	module2	--nounzip   /initramfs-6.1.43-1.qubes.fc37.x86_64.img
	echo	'Loading slaunch module SKL_KBL_AML_SINIT_20211019_PRODUCTION_REL_NT_O1_1.10.0.bin ...'
	slaunch_module	/SKL_KBL_AML_SINIT_20211019_PRODUCTION_REL_NT_O1_1.10.0.bin
}

[miczyg1]

It looks like grub2-mkconfig doesn't look at /etc/grub.d/19_linux_xen_trenchboot at all despite the file is there

I guess it has to do with file permissions. I changed https://github.com/TrenchBoot/qubes-antievilmaid/pull/4/files#diff-178386e8f730612b1192d7523b609267412f90efe0feeebf30125657ce74b52dL67, it used to point to non-existing file, and it is later used in few chmod instructions.

When I look at the code before the changes, we had:
/etc/grub.d/19_linux_xen_tboot and
%define tboot_grub /etc/grub.d/20_linux_tboot /etc/grub.d/20_linux_xen_tboot

Why one has 19 and the others 20? I guess those with 20 come from tboot. Maybe this is related?

/etc/grub.d/19_linux_xen_tboot has 644 permissions, unlike others 755

[krystian-hebel]

It looks like grub2-mkconfig doesn't look at /etc/grub.d/19_linux_xen_trenchboot at all despite the file is there

I guess it has to do with file permissions. I changed https://github.com/TrenchBoot/qubes-antievilmaid/pull/4/files#diff-178386e8f730612b1192d7523b609267412f90efe0feeebf30125657ce74b52dL67, it used to point to non-existing file, and it is later used in few chmod instructions.

When I look at the code before the changes, we had: /etc/grub.d/19_linux_xen_tboot and %define tboot_grub /etc/grub.d/20_linux_tboot /etc/grub.d/20_linux_xen_tboot

Why one has 19 and the others 20? I guess those with 20 come from tboot. Maybe this is related?

Exactly my point. There is no file with 20_ in any of those repositories as far as I can see. I'll debug it further after I'm done with CI.

slaunch_module is valid command, it worked for me, however I built GRUB locally instead of using package from CI. Does it complain on slaunch as well?

[miczyg1]

Exactly my point. There is no file with 20_ in any of those repositories as far as I can see. I'll debug it further after I'm done with CI.

GRUB has file with 20:

rpm -ql grub2-tools-2.06-2.fc37.x86_64.rpm
/etc/default/grub
/etc/grub.d/00_header
/etc/grub.d/01_users
/etc/grub.d/08_fallback_counting
/etc/grub.d/10_linux
/etc/grub.d/10_reset_boot_success
/etc/grub.d/12_menu_auto_hide
/etc/grub.d/14_menu_show_once
/etc/grub.d/20_linux_xen
/etc/grub.d/30_os-prober
/etc/grub.d/30_uefi-firmware
/etc/grub.d/40_custom
/etc/grub.d/41_custom

slaunch_module is valid command, it worked for me, however I built GRUB locally instead of using package from CI. Does it complain on slaunch as well?

Only on slaunch_module from what I have noticed. Actually on both... So slaunch is not present in module most likely, I will have to check

[miczyg1]

Ok it seems the packages refuse to be installed because there is the same or newer version currently installed. grub2-pc-modules-2.06-2.fc37.noarch.rpm has slaunch GRUB mod inside. dnf reinstall to the rescue

[miczyg1]

Ok it seems the packages refuse to be installed because there is the same or newer version currently installed. grub2-pc-modules-2.06-2.fc37.noarch.rpm has slaunch GRUB mod inside. dnf reinstall to the rescue

Even if I reinstall the package the modules are only placed to /usr/lib/grub/i386-pc. They are not installed to /boot/grub2/i386-pc automatically along with the RPM. I had to manually run grub2-install /dev/sda and only then the launch module appeared. Maybe this is intentional, not sure.

[miczyg1]

Difference in the boot process I noticed is that right now with TPM2.0 there is no prompt for SRK password. @krystian-hebel is that correct?

[krystian-hebel]

Difference in the boot process I noticed is that right now with TPM2.0 there is no prompt for SRK password. @krystian-hebel is that correct?

Have you installed AEM as per https://github.com/QubesOS/qubes-antievilmaid/blob/main/README#L114? There are some steps to be done after RPM package is installed.

[miczyg1]

Difference in the boot process I noticed is that right now with TPM2.0 there is no prompt for SRK password. @krystian-hebel is that correct?

Have you installed AEM as per https://github.com/QubesOS/qubes-antievilmaid/blob/main/README#L114? There are some steps to be done after RPM package is installed.

I have used anti-evil-maid-tpm-setup -z, my bad I guess... I should have omitted the -z to set up SRK

[miczyg1]

@krystian-hebel when can I hope for the discussions to be addressed?

[krystian-hebel]

@miczyg1 today, I hope. I need to check why it even worked with tboot in the first place.

[miczyg1]

Difference in the boot process I noticed is that right now with TPM2.0 there is no prompt for SRK password. @krystian-hebel is that correct?

Have you installed AEM as per https://github.com/QubesOS/qubes-antievilmaid/blob/main/README#L114? There are some steps to be done after RPM package is installed.

I have used anti-evil-maid-tpm-setup -z, my bad I guess... I should have omitted the -z to set up SRK

Confirmed, the -z parameter has to be omitted to setup SRK password.

[miczyg1]

Ok it seems the packages refuse to be installed because there is the same or newer version currently installed. grub2-pc-modules-2.06-2.fc37.noarch.rpm has slaunch GRUB mod inside. dnf reinstall to the rescue

Even if I reinstall the package the modules are only placed to /usr/lib/grub/i386-pc. They are not installed to /boot/grub2/i386-pc automatically along with the RPM. I had to manually run grub2-install /dev/sda and only then the launch module appeared. Maybe this is intentional, not sure.

Changing the order of the packages passed to the dnf command doesn't help. Actually dnf seems to resolve dependencies across packages and reorders them always the same way. Still slaunch.mod does not get installed

[krystian-hebel]

I had to manually run grub2-install /dev/sda and only then the launch module appeared. Maybe this is intentional, not sure.

It seems that legacy boot was not tested when UEFI was developed. There are no calls to grub2-install invoked during RPM installation as far as I can tell. I guess we have to live with doing it manually...

In any case, I modified RPM spec here to hopefully properly call grub2-mkconfig after installation, you can test it as soon as CI finishes building.

[krystian-hebel]

Doesn't seem to work 😦 debugging...

[krystian-hebel]

Strange, grub.cfg wasn't updated after first install, but all following ones worked properly. They are updated also after anti-evil-maid-install so I think this isn't blocking.

[miczyg1]

Strange, grub.cfg wasn't updated after first install, but all following ones worked properly. They are updated also after anti-evil-maid-install so I think this isn't blocking.

Yes, anti-evil-maid-install does grub2-mkconfig so we should be alright. One has to remember to perform grub2-install before installing AEM. That's it.