
Add support for Acer Chromebook 515 Plus (CB515-2H) / Google Omnigul Platform #1658

Draft pull request: wants to merge 7 commits into base: master

Conversation

mdrobnak (Contributor) commented Apr 30, 2024

Implementation of Issue #1663.

This is implemented using the @MrChromebox Coreboot. Linux 6.1.90, Linux 6.5.13, 6.6.30 all work to recognize the UFS storage. This PR uses 6.6.30.

Version 4.22.01 of Coreboot does not have the Intel ME, VBT, or Flash Descriptor, thus MrChromeBox is used.

Items tested:

  • GOP Driver working. No issues booting to Qubes or Ubuntu, splash screen works.
  • Update checksums and sign all files in /boot
  • TPM Measured Boot
  • TOTP Code
  • HOTP Code (No key to test with)
  • TPM Disk Encryption Key does not work.
  • Flash Upgrade from UI with Config Save
  • USB Boot
  • System Info - Partial. Disk Size incorrect.
  • Generate new TOTP/HOTP Secret
  • Reset TPM
  • Change Configuration Settings [ Not all Options Tested ]
  • Enable Debug
  • Add / Remove GPG Key from BIOS
  • Power Down

Issues:

  • Sealing Disk Unlock Key into TPM does not work.

Configuration Sources:
Linux Configuration based on linux-nitropad-x.config
Coreboot Configuration based on MrChromeBox UEFI configuration. Modified to have Linux payload as per the wiki's instructions.

tlaurion (Collaborator) commented May 1, 2024

@mdrobnak nice!

  • sign your commits and do commit --signoff
  • add the board under .circleci/config.yml

We will move from there? You can also join the matrix channel and ping me from there, while I prefer PRs to be examples for board porting.

Review comment by tlaurion (Collaborator) on modules/linux (outdated, resolved):

Thanks for this contribution! Now let's make this build! Put this PR as draft until it is ready to be tested by others, to prevent people from bricking their laptop until it is ready!

@tlaurion tlaurion marked this pull request as draft May 1, 2024 22:49
mdrobnak (Contributor Author) commented May 1, 2024

> @mdrobnak nice!
>
>   • sign your commits and do commit --signoff
>   • add the board under .circleci/config.yml
>
> We will move from there? You can also join the matrix channel and ping me from there, while I prefer PRs to be examples for board porting.

Ok I'll get this going shortly.

tlaurion (Collaborator) commented:

@mdrobnak please merge master in this branch and keep this PR updated with the most verbose trail of what your state is, others might chime in and make your progress less lonely :)

Commit pushed to the PR branch:

Board configuration from: nitropad-nv41.
Linux configuration from: linux-nitropad-x.config
Coreboot configuration from: MrChromeBox EDK2 configuration for omnigul.

Signed-off-by: Matthew Drobnak <[email protected]>
@mdrobnak mdrobnak marked this pull request as ready for review May 28, 2024 16:41
@tlaurion tlaurion self-assigned this May 28, 2024
Review thread on modules/linux (outdated, resolved).

Review thread on these configuration lines:

CONFIG_TPM_GOOGLE=y
CONFIG_TPM_GOOGLE_CR50=y
CONFIG_TPM_GOOGLE_IMMEDIATELY_COMMIT_FW_SECDATA=y
CONFIG_GOOGLE_TPM_IRQ_TIMEOUT_MS=100

tlaurion (Collaborator): Might be too small. Are there timeouts in dmesg?

mdrobnak (Contributor Author): Not that I've seen. I can try modifying that.

mdrobnak (Contributor Author) commented:

Disk Unlock:

user@heads-devel:/media$ cat cbmem_L.log 
TPM2 log:
	Specification: 2.00
	Platform class: PC Client
TPM2 log entry 1:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 648fd22dbf689a7facd6f6935170dd740bce45c36a7831032e71eb180078ab0c
	Event data: FMAP: FMAP
TPM2 log entry 2:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 03796d2e280f07673cb9f6c013443378ffb8290ea709babb83550af82fc940cd
	Event data: CBFS: bootblock
TPM2 log entry 3:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: e2fee1a8472d4986e5a142c5d15f162835854ea772f0e86d1379a554d4f4ea21
	Event data: CBFS: fallback/romstage
TPM2 log entry 4:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 20f555dbb6678b91b75f4d635df597bca7cc6cf2ff477e22bc6e1df6bbea61cb
	Event data: CBFS: fspm.bin
TPM2 log entry 5:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 7c52722fdf3eb612144c9e3747fe05dbbcf9e02811a505f6cdd33494da78fc1d
	Event data: CBFS: spd.bin
TPM2 log entry 6:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 388468b7b064bf27b13e49d91f6c80d6313a1ea226d9ebfc82aa260382d1bb30
	Event data: CBFS: fallback/postcar
TPM2 log entry 7:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: ad2053fd5b97f52d3a25edea9500ba0f697accd467d9a6e0f7a3bc22c0a8270b
	Event data: CBFS: fallback/ramstage
TPM2 log entry 8:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 970fbc1d69d801604a09967036dbf1c07c514c30a2835a4a53a5295372346b88
	Event data: CBFS: cpu_microcode_blob.bin
TPM2 log entry 9:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 3dc0ba24e5dd1c8a2d7880cf6e40e169eb92e193b68d838ad69be08f6cc9a2a6
	Event data: CBFS: fsps.bin
TPM2 log entry 10:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 83c94bebba28305531ac7fa841f5075754fec72582fb8ef770e81bd430aadc49
	Event data: CBFS: vbt.bin
TPM2 log entry 11:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: c9b940f1866ecd4fb8f23a622a17b1b42b59be2dff09d7bc8e8e1a9fb62a8c5b
	Event data: CBFS: fallback/dsdt.aml
TPM2 log entry 12:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 2f045194201a13dcffaadf1b295b5d8b156a51e7ca8fb93b05c8927bc2391d9e
	Event data: CBFS: bootsplash.jpg
TPM2 log entry 13:
	PCR: 2
	Event type: Action
	Digests:
		 SHA256: 42e8453008e55c6383763e0ea91699203443bc52ccb259e8185a3ae3d861d3f8
	Event data: CBFS: fallback/payload
user@heads-devel:/media$ 

Attaching debug.log as that's larger.
debug.log
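The cbmem output above is coreboot's TPM2 event log: every entry is a digest that firmware extended into PCR 2 before the payload ran, and the sealing attempt later in this thread binds the disk unlock key to PCRs 0-7. A replay of that log reproduces the PCR value the TPM should hold, which is the standard way to check that a measured-boot log and the live PCRs agree. The following Python is an added example, not code from the PR or from Heads: it parses the log format shown above, folds each digest into a software PCR the way TPM2_PCR_Extend does (new = SHA256(old || digest), starting from 32 zero bytes), and diffs the result against tpm2_pcrread-style output. Only entries 1-3 of the log above are embedded, and the tpm2_pcrread text is a constructed sample (the page shows no live PCR value), so the comparison reports a mismatch; the "N : 0x..." line format it parses is an assumption about tpm2_pcrread's output.

```python
"""Replay a coreboot cbmem TPM2 event log into the PCR values it implies.

Added example, not code from the PR or from Heads.  The embedded log is an
excerpt (entries 1-3) of the cbmem output quoted in the PR; the tpm2_pcrread
text is a constructed sample, so the comparison below reports a mismatch.
"""
import hashlib
import re

# PCRs 0-16 start as all zeros at TPM reset; each event extends the
# register as new = SHA256(old || digest).
SHA256_ZERO = b"\x00" * 32

CBMEM_LOG_EXCERPT = """\
TPM2 log:
    Specification: 2.00
    Platform class: PC Client
TPM2 log entry 1:
    PCR: 2
    Event type: Action
    Digests:
         SHA256: 648fd22dbf689a7facd6f6935170dd740bce45c36a7831032e71eb180078ab0c
    Event data: FMAP: FMAP
TPM2 log entry 2:
    PCR: 2
    Event type: Action
    Digests:
         SHA256: 03796d2e280f07673cb9f6c013443378ffb8290ea709babb83550af82fc940cd
    Event data: CBFS: bootblock
TPM2 log entry 3:
    PCR: 2
    Event type: Action
    Digests:
         SHA256: e2fee1a8472d4986e5a142c5d15f162835854ea772f0e86d1379a554d4f4ea21
    Event data: CBFS: fallback/romstage
"""

# Constructed tpm2_pcrread-style output with a deliberately wrong PCR 2 value.
SAMPLE_PCRREAD = """\
  sha256:
    2 : 0x0000000000000000000000000000000000000000000000000000000000000000
"""

ENTRY_RE = re.compile(
    r"TPM2 log entry (?P<n>\d+):\s*"
    r"PCR: (?P<pcr>\d+)\s*"
    r"Event type: (?P<etype>[^\n]+)\s*"
    r"Digests:\s*"
    r"SHA256: (?P<digest>[0-9a-fA-F]{64})\s*"
    r"Event data: (?P<data>[^\n]*)"
)
# Assumed tpm2_pcrread line shape: "    2 : 0x<64 hex chars>"
PCRREAD_RE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]{64})\s*$", re.MULTILINE)


def parse_cbmem_tpm2_log(text):
    """Return the log's entries as dicts, in log order."""
    return [
        {
            "index": int(m["n"]),
            "pcr": int(m["pcr"]),
            "event_type": m["etype"].strip(),
            "digest": m["digest"].lower(),
            "event_data": m["data"].strip(),
        }
        for m in ENTRY_RE.finditer(text)
    ]


def extend(current, digest):
    """One TPM2_PCR_Extend step for the SHA-256 bank."""
    return hashlib.sha256(current + digest).digest()


def replay_pcrs(entries):
    """Fold every entry into its PCR, in order; returns {pcr: hex value}."""
    pcrs = {}
    for e in entries:
        pcrs[e["pcr"]] = extend(pcrs.get(e["pcr"], SHA256_ZERO), bytes.fromhex(e["digest"]))
    return {pcr: val.hex() for pcr, val in pcrs.items()}


def parse_pcrread(text):
    """Parse 'N : 0x...' lines as printed by tpm2_pcrread (assumed format)."""
    return {int(i): v.lower() for i, v in PCRREAD_RE.findall(text)}


def compare(replayed, live):
    """PCRs present in both whose values differ: {pcr: (expected, actual)}."""
    return {p: (replayed[p], live[p]) for p in replayed if p in live and replayed[p] != live[p]}


if __name__ == "__main__":
    entries = parse_cbmem_tpm2_log(CBMEM_LOG_EXCERPT)
    expected = replay_pcrs(entries)
    for e in entries:
        print("PCR %d <- %s...  (%s)" % (e["pcr"], e["digest"][:16], e["event_data"]))
    print("expected PCR values from log:", expected)
    for pcr, (want, got) in compare(expected, parse_pcrread(SAMPLE_PCRREAD)).items():
        print("PCR %d mismatch: log says %s, TPM says %s" % (pcr, want, got))
```

The replay is order-sensitive by construction, which is the property that makes the log useful: swapping two entries changes the final PCR, so a log that replays to the live value is evidence that the firmware stages ran in the recorded order with the recorded contents.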

tlaurion (Collaborator) commented:

As written under matrix thread for this updated PR at https://matrix.to/#/!pAlHOfxQNPXOgFGTmo:matrix.org/$VKP1ynETRMavsOqy3SqUf_nadPUgyoSC9H_13y8Dpjo?via=matrix.org&via=nitro.chat&via=fairydust.space

The white rabbit to be followed is why the CR50 TPM refuses to add the TPM DUK NV region into the TPM, which doesn't seem to be supported on CR50; not sure why:

TRACE: /bin/tpmr(32): main
TRACE: /bin/tpmr(413): tpm2_seal
DEBUG: tpm2_seal: file=/tmp/secret/secret.key handle=0x81000003 pcrl=0,1,2,3,4,5,6,7 pcrf=/tmp/secret/pcrf.bin pass=<hidden>
LOG: tpmr stderr: WARNING:esys:src/tss2-esys/api/Esys_PolicyPassword.c:292:Esys_PolicyPassword_Finish() Received TPM Error 
LOG: tpmr stderr: ERROR:esys:src/tss2-esys/api/Esys_PolicyPassword.c:106:Esys_PolicyPassword() Esys Finish ErrorCode (0x000b0143) 
LOG: tpmr stderr: ERROR: Esys_PolicyPassword(0xB0143) - rmt:error(2.0): command code not supported
LOG: tpmr stderr: ERROR: Could not build policyauthvalue TPM
LOG: tpmr stderr: ERROR: Unable to run policypassword
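The meaningful part of the trace above is the response code 0x000B0143. A TSS2_RC packs two things: bits 16-23 name the software layer that produced it (0xB, which tpm2-tools prints as "rmt", the resource-manager pass-through of a real TPM response), and the low 16 bits are a TPM_RC from the TPM 2.0 Library spec, here 0x143 = RC_VER1 + 0x043 = TPM_RC_COMMAND_CODE. That is the TPM itself saying it does not implement the command (TPM2_PolicyPassword), which is why the policy that the seal relies on cannot be built on this part. The following Python is an added example, not code from Heads, tpm2-tss or tpm2-tools: it decodes such codes into layer, format, name, and, for format-one codes, the handle, session or parameter the TPM is complaining about. The tables are a subset of the TPM 2.0 Part 2 response codes and of the tpm2-tss layer numbers from tss2_common.h; the layer 11 = "rmt" pairing is confirmed by the output above.

```python
"""Decode a TSS2_RC / TPM_RC response code such as the 0x000B0143 above.

Added example; not code from Heads, tpm2-tss or tpm2-tools.  Tables are a
subset of the TPM 2.0 Library Part 2 response codes and of the tpm2-tss
layer numbers (tss2_common.h).
"""

# tpm2-tss layer numbers (bits 16-23 of a TSS2_RC) and the short prefix
# tpm2-tools prints for them, e.g. "rmt:" for the resource-manager TPM layer.
LAYERS = {
    0: ("tpm", "TSS2_TPM_RC_LAYER"),
    7: ("esapi", "TSS2_ESAPI_RC_LAYER"),
    8: ("sys", "TSS2_SYS_RC_LAYER"),
    9: ("mu", "TSS2_MU_RC_LAYER"),
    10: ("tcti", "TSS2_TCTI_RC_LAYER"),
    11: ("rmt", "TSS2_RESMGR_TPM_RC_LAYER"),
    12: ("resmgr", "TSS2_RESMGR_RC_LAYER"),
}

RC_VER1, RC_FMT1, RC_WARN = 0x100, 0x080, 0x900  # TPM 2.0 Part 2 base values

# Format-zero errors (subset), keyed by the 7-bit error number.
FMT0_ERRORS = {
    0x000: ("TPM_RC_INITIALIZE", "TPM not initialized by TPM2_Startup"),
    0x001: ("TPM_RC_FAILURE", "commands not accepted because of a TPM failure"),
    0x020: ("TPM_RC_DISABLED", "the command is disabled"),
    0x025: ("TPM_RC_AUTH_MISSING", "authorization handle is not correct for command"),
    0x026: ("TPM_RC_POLICY", "policy failure in math operation or invalid authPolicy value"),
    0x027: ("TPM_RC_PCR", "PCR check fail"),
    0x028: ("TPM_RC_PCR_CHANGED", "PCR have changed since checked"),
    0x043: ("TPM_RC_COMMAND_CODE", "command code not supported"),
    0x046: ("TPM_RC_NV_RANGE", "NV offset+size is out of range"),
    0x049: ("TPM_RC_NV_AUTHORIZATION", "NV access authorization fails in command actions"),
    0x04A: ("TPM_RC_NV_UNINITIALIZED", "an NV Index is used before being initialized"),
    0x04B: ("TPM_RC_NV_SPACE", "insufficient space for NV allocation"),
    0x04C: ("TPM_RC_NV_DEFINED", "NV Index or persistent object already defined"),
}
# Format-zero warnings (subset): bit 11 set means "try again later" class codes.
FMT0_WARNINGS = {
    0x020: ("TPM_RC_NV_RATE", "the TPM is rate-limiting accesses to prevent wearout of NV"),
    0x021: ("TPM_RC_LOCKOUT", "authorizations for objects subject to DA protection are not allowed at this time"),
    0x022: ("TPM_RC_RETRY", "the TPM was not able to start the command"),
    0x023: ("TPM_RC_NV_UNAVAILABLE", "the command may require writing of NV and NV is not currently accessible"),
}
# Format-one errors (subset), keyed by the 6-bit error number; the code also
# carries which handle, session or parameter the error refers to.
FMT1_ERRORS = {
    0x004: ("TPM_RC_VALUE", "value is out of range or is not correct for the context"),
    0x00B: ("TPM_RC_HANDLE", "the handle is not correct for the use"),
    0x00E: ("TPM_RC_AUTH_FAIL", "the authorization HMAC check failed and DA counter incremented"),
    0x01D: ("TPM_RC_POLICY_FAIL", "a policy check failed"),
    0x022: ("TPM_RC_BAD_AUTH", "authorization failure without DA implications"),
    0x024: ("TPM_RC_POLICY_CC", "commandCode in policy doesn't match that in command"),
}


def decode_tpm_rc(rc):
    """Split a TSS2_RC into layer and TPM_RC fields and name the TPM_RC."""
    layer = (rc >> 16) & 0xFF
    code = rc & 0xFFFF
    prefix, layer_name = LAYERS.get(layer, ("layer%d" % layer, "unknown"))
    out = {"rc": rc, "layer": layer, "layer_prefix": prefix, "layer_name": layer_name,
           "code": code, "format": 0, "version": "2.0", "is_warning": False, "subject": None}
    if code & RC_FMT1:
        # Format one: bit 7 set, 6-bit error, bit 6 = parameter flag, bits 8-11 = number.
        out["format"] = 1
        err = code & 0x03F
        n = (code >> 8) & 0xF
        if code & 0x040:
            out["subject"] = "parameter %d" % n
        elif n >= 8:
            out["subject"] = "session %d" % (n - 8)  # sessions are numbered from 8
        else:
            out["subject"] = "handle %d" % n
        name, desc = FMT1_ERRORS.get(err, ("TPM_RC_FMT1+0x%03x" % err, "format-one error not in table"))
    else:
        # Format zero: 7-bit error, bit 8 = TPM 2.0, bit 10 = vendor, bit 11 = warning.
        err = code & 0x07F
        if not code & RC_VER1:
            out["version"] = "1.2"
            name, desc = ("TPM_RC_1.2+0x%03x" % err, "TPM 1.2 style code, not decoded here")
        elif code & 0x400:
            name, desc = ("vendor-specific 0x%03x" % err, "vendor-specific error (T bit set)")
        elif code & 0x800:
            out["is_warning"] = True
            name, desc = FMT0_WARNINGS.get(err, ("TPM_RC_WARN+0x%03x" % err, "warning not in table"))
        else:
            name, desc = FMT0_ERRORS.get(err, ("TPM_RC_VER1+0x%03x" % err, "error not in table"))
    out["name"], out["description"] = name, desc
    return out


def format_tpm_rc(rc):
    """Render in the 'layer:kind(version): text' style tpm2-tools uses."""
    d = decode_tpm_rc(rc)
    kind = "warn" if d["is_warning"] else "error"
    text = "%s:%s(%s): %s" % (d["layer_prefix"], kind, d["version"], d["description"])
    if d["subject"]:
        text += " (%s)" % d["subject"]
    return text


if __name__ == "__main__":
    for rc in (0x000B0143, 0x98E, 0x1C4, 0x921):
        d = decode_tpm_rc(rc)
        print("0x%08x -> %s [%s] %s" % (rc, d["name"], d["layer_name"], format_tpm_rc(rc)))
```

A TPM_RC_COMMAND_CODE is worth distinguishing from the policy-related codes in the table: TPM_RC_POLICY or TPM_RC_POLICY_FAIL would mean the policy was built but did not match, whereas COMMAND_CODE means the TPM never got as far as evaluating anything, so no change to PCR selection or passphrase handling on the host side can make the same command succeed.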

mdrobnak (Contributor Author) commented May 28, 2024

Attached are two files:
debug_reset_tpm_sign_reboot.log
That file is boot, reset TPM, sign /boot files, copy logs, reboot. (sealing succeeds with policy)

debug_after_reboot_attempt_duk_seal.log
After rebooting, go to OS boot menu, set default, attempt to add Disk Unlock Key. (sealing fails with policy)

Tlaurion edit: fail/success notes in parenthesis

tlaurion (Collaborator) commented Aug 7, 2024

TLDR: Chromebooks have an fTPM which differs from a dTPM (documentation and understanding are missing for it to be supported correctly by the TPM toolstack), correct @mdrobnak ?

Putting this as draft until this is worked on separately.

@tlaurion tlaurion marked this pull request as draft August 7, 2024 15:20
tlaurion (Collaborator) commented Sep 6, 2024

@mdrobnak revisiting because interest at https://matrix.to/#/!pAlHOfxQNPXOgFGTmo:matrix.org/$E4N2td-clfQq3IP4F4v_04oSLABpj-Kcm5rNVvDgi30?via=matrix.org&via=nitro.chat&via=envs.net

Not all boards support TPM DUK, and today it can be deactivated as a possibility through CONFIG_TPM_NO_LUKS_DISK_UNLOCK, which can be added into the board config, as can be seen in the check at

if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ "$CONFIG_BASIC" != y ]; then

Until the TPM DUK issue (separate secret-sealing NVRAM region) is figured out, could Chromebooks be supported with this feature missing? Thoughts?
