[intel][ehl] Fail to install Ubuntu Core on EHL when BIOS supports SM3 256

Bug #1939505 reported by Doug Jacobs
This bug affects 1 person
Affects                Status        Importance  Assigned to  Milestone
intel                  Fix Released  Undecided   Unassigned
Lookout-canyon-series  Fix Released  Critical    ethan.hsieh

Bug Description

I installed Ubuntu Core (iotg-focal-core-unencrypted-20210804.img) on the EHL board (CID:202105-29063) and used the default BIOS settings.

The boot process stops with the same error as seen when booting Ubuntu Core on the TGL-H board (https://bugs.launchpad.net/bugs/1938678):

"error locking access to sealed keys: cannot execute hash sequence: TPM returned an invalid response for command TPM_CC_EventSequenceComplete: cannot unmarshal response parameters: cannot unmarshal argument at index 0: cannot process list type tpm2.TaggedHashList: cannot process element at index 3 from list type tpm2.TaggedHashList: cannot process custom type tpm2.TaggedHash, inside container type tpm2.TaggedHashList: cannot determine digest size for unknown algorithm TPM_ALG_SM3_256"

Public bug: https://github.com/canonical/go-tpm2/issues/7

Same issue on TGL-H: https://bugs.launchpad.net/intel/+bug/1938678
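
The failure named in the error message above, sketched as an added example (not code from go-tpm2, snapd or this report): the response to TPM_CC_EventSequenceComplete carries a list of tagged digests, and a decoder whose size table lacks TPM_ALG_SM3_256 stops at element index 3. The tables `known` and `fixed` and the sample response are constructed for illustration; the algorithm IDs and digest sizes are the TCG-assigned values.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// TCG algorithm ID -> digest size; "known" (hypothetical) lacks SM3_256 (0x0012).
var known = map[uint16]int{0x0004: 20, 0x000B: 32, 0x000C: 48} // sha1, sha256, sha384
var fixed = map[uint16]int{0x0004: 20, 0x000B: 32, 0x000C: 48, 0x0012: 32}

// parseDigestList decodes a TPML_DIGEST_VALUES: big-endian UINT32 count, then
// count TPMT_HA entries (UINT16 algorithm ID + digest, no length prefix).
func parseDigestList(buf []byte, sizes map[uint16]int) (map[uint16][]byte, error) {
	if len(buf) < 4 {
		return nil, fmt.Errorf("short buffer reading count")
	}
	count, rest := binary.BigEndian.Uint32(buf), buf[4:]
	out := make(map[uint16][]byte)
	for i := uint32(0); i < count; i++ {
		if len(rest) < 2 {
			return nil, fmt.Errorf("element %d: short buffer reading algorithm", i)
		}
		alg := binary.BigEndian.Uint16(rest)
		n, ok := sizes[alg]
		if !ok { // size unknown, so this and every later element is unreadable
			return nil, fmt.Errorf("element %d: unknown algorithm 0x%04x", i, alg)
		}
		if len(rest) < 2+n {
			return nil, fmt.Errorf("element %d: short digest", i)
		}
		out[alg], rest = rest[2 : 2+n], rest[2+n:]
	}
	return out, nil
}

// sampleResponse is constructed: four banks (sha1, sha256, sha384, sm3_256), zeroed digests.
func sampleResponse() []byte {
	buf := []byte{0, 0, 0, 4}
	for _, alg := range []uint16{0x0004, 0x000B, 0x000C, 0x0012} {
		buf = append(append(buf, byte(alg>>8), byte(alg)), make([]byte, fixed[alg])...)
	}
	return buf
}

func main() {
	_, err := parseDigestList(sampleResponse(), known)
	fmt.Println("table without SM3_256:", err)
}
```

Because each digest is stored without a length prefix, one unrecognised algorithm ID makes the whole list undecodable, which is why the SHA-256 bank being the default does not help.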

Doug Jacobs (djacobs98) wrote :

TPM has support for the following PCRs:
sha1
sha256 (default)
sha384
sm3_256

This is similar to the TGL-H BIOS.

Changed in intel:
assignee: Anthony Wong (anthonywong) → Ivan Hu (ivan.hu)
Doug Jacobs (djacobs98)
summary: - [iotg] [ehl] [outlookcanyon] Ubuntu Core boot fails on EHL
+ [iotg] [ehl] [lookout-canyon] Ubuntu Core boot fails on EHL
tags: added: outlook-canyon
removed: outlookcanyon
tags: added: lookout-canyon
removed: outlook-canyon
Brad Figg (brad-figg)
summary: - [iotg] [ehl] [lookout-canyon] Ubuntu Core boot fails on EHL
+ [iotg] [ehl] Ubuntu Core boot fails on EHL
Brad Figg (brad-figg)
summary: - [iotg] [ehl] Ubuntu Core boot fails on EHL
+ [ehl] Ubuntu Core boot fails on EHL
Anthony Wong (anthonywong) wrote : Re: [ehl] Ubuntu Core boot fails on EHL

Ethan reported a go-tpm2 bug at https://github.com/canonical/go-tpm2/issues/7

description: updated
Changed in intel:
status: New → Triaged
assignee: Ivan Hu (ivan.hu) → ethan.hsieh (ethan.hsieh)
description: updated
Changed in ubuntu:
assignee: nobody → ethan.hsieh (ethan.hsieh)
Changed in intel:
status: Triaged → New
Changed in ubuntu:
status: New → Triaged
Changed in intel:
assignee: ethan.hsieh (ethan.hsieh) → nobody
ethan.hsieh (ethan.hsieh) wrote :

Tried to install UC20 with TPM enabled and saw the same error message[1] as TGL-H.

EHL's BIOS doesn't support hash algorithm SHA384 and SM3_256.
For details, please refer to the attached photo.
BIOS version: EHLSFWI1.R00.3162.A01.2104131432

Here are steps:
1. Remove key enrolled by mokutil
2. Re-flash uc20 test image
3. Enroll KEK and Signature via BIOS settings:
[Boot Maintenance Manager Menu][Secure Boot Configuration Menu][Secure Boot Mode][Custom Mode][Custom Secure Boot Option]
[PK Options] => [Delete PK]
[PK Options] => [Enroll PK] => PkKek-1-snakeoil.der
[KEK Option][Enroll KEK] => PkKek-1-snakeoil.der
[DB Option][Enroll Signature] => PkKek-1-snakeoil.der
4. Clear TPM
[Intel Advanced Menu][TPM Configuration][TCG2 Configuration][TPM2 Operation]

---
[1] https://bugs.launchpad.net/intel/+bug/1938678/comments/31

summary: - [ehl] Ubuntu Core boot fails on EHL
+ [ehl] Fail to install Ubuntu Core on EHL when SM3 256 is enabled
summary: - [ehl] Fail to install Ubuntu Core on EHL when SM3 256 is enabled
+ [ehl] Fail to install Ubuntu Core on EHL when BIOS supports SM3 256
Rex Tsai (chihchun)
summary: - [ehl] Fail to install Ubuntu Core on EHL when BIOS supports SM3 256
+ [intel][ehl] Fail to install Ubuntu Core on EHL when BIOS supports SM3
+ 256
Changed in ubuntu:
assignee: ethan.hsieh (ethan.hsieh) → nobody
ethan.hsieh (ethan.hsieh) wrote :

The issue is fixed by latest snapd and intel-kernel.
$ snap info snapd | grep stable
  latest/stable: 2.53.2 2021-11-24 (14066) 44MB -
$ snap info intel-kernel | grep stable
  20/stable: 5.13.0-1007.7.3 2021-11-18 (10) 309MB -

Pierre Equoy (pieq)
information type: Public → Private
Ana Lasprilla (anamlt)
information type: Private → Private Security
Ana Lasprilla (anamlt)
information type: Private Security → Public
Rex Tsai (chihchun)
Changed in intel:
status: New → Fix Released
no longer affects: ubuntu
no longer affects: snapd (Ubuntu)