Missing measurements on confidential computing platforms (Intel TDX)

Bug #2069232 reported by Hector CAO
Affects                  Status        Importance  Assigned to  Milestone
The Kobuk project        Confirmed     Medium      Hector CAO   -
grub                     Unknown       Unknown     -            -
grub2-signed (Ubuntu)    New           Undecided   Mate Kukri   -
grub2-unsigned (Ubuntu)  Fix Released  Undecided   Mate Kukri   -

Bug Description

When we run a Confidential VM with the grub bootloader on an Intel TDX platform, the tpm module is not loaded and boot measurements are not done for the guest VM.

This bug will prevent grub from doing measurements on confidential computing platforms (the bug has been confirmed on Intel TDX). This lack of measurements will break remote attestation.

See upstream bug: https://savannah.gnu.org/bugs/?65821

Upstream fix: https://git.savannah.gnu.org/cgit/grub.git/commit/?id=86df79275d065d87f4de5c97e456973e8b4a649c
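A guest-side check for the symptom described above, as an added example (this is not GRUB, Ubuntu or Kobuk code and is not part of the bug report). It parses a TCG2 crypto-agile event log, the format the firmware exposes on a TDX guest as the Confidential Computing Event Log (on Linux, assumed to be readable from /sys/firmware/acpi/tables/data/CCEL), and answers two questions: did GRUB's tpm module extend any of its own EV_IPL events, and what RTMR value does the log replay to. Assumptions, all labelled in the code: the entry's pcrIndex field carries the TDX measurement-register index (0 = MRTD, 1..4 = RTMR[0..3]) rather than a PCR number, GRUB's string and file measurements (PCRs 8 and 9 on a TPM) therefore land in RTMR[2] (index 3), RTMR extension is SHA384(old || digest) from an all-zero register, and the two sample logs plus their "grub_cmd:" payloads are constructed inline rather than captured from a real VM.

```python
"""Check a TCG2 (crypto-agile) boot event log for GRUB measurements.

Added example; not GRUB/Ubuntu code.  Assumptions: on a TDX guest the
pcrIndex field holds the measurement-register index (0 = MRTD,
1..4 = RTMR[0..3]); GRUB's EV_IPL events (PCR 8/9 on a TPM) are mapped
to RTMR[2] = index 3; RTMR extend is SHA384(old || digest).
"""
import hashlib
import struct

EV_NO_ACTION = 0x00000003
EV_IPL = 0x0000000D                        # used by GRUB for cmdlines, kernels, initrds
EV_EFI_BOOT_SERVICES_APPLICATION = 0x80000003
TPM_ALG_SHA384 = 0x000C
SHA384_LEN = 48
GRUB_RTMR_INDEX = 3                        # RTMR[2], assumed home of GRUB's events


def parse_event_log(data: bytes):
    """Return [(mr_index, event_type, {alg: digest}, event_bytes), ...]."""
    off = 0
    # First entry is the SHA-1 sized TCG_PCClientPCREvent carrying the Spec ID header.
    _mr, etype = struct.unpack_from("<II", data, off); off += 8
    off += 20                                  # legacy 20-byte digest field, unused
    (size,) = struct.unpack_from("<I", data, off); off += 4
    header = data[off:off + size]; off += size
    if etype != EV_NO_ACTION or not header.startswith(b"Spec ID Event03\0"):
        raise ValueError("not a TCG2 crypto-agile event log")
    # Algorithm table (offset 24: count, offset 28: algId/digestSize pairs).
    (nalgs,) = struct.unpack_from("<I", header, 24)
    alg_sizes = {}
    for i in range(nalgs):
        alg, dlen = struct.unpack_from("<HH", header, 28 + 4 * i)
        alg_sizes[alg] = dlen
    events = []
    while off < len(data):                     # TCG_PCR_EVENT2 entries
        mr, etype, ndig = struct.unpack_from("<III", data, off); off += 12
        digests = {}
        for _ in range(ndig):
            (alg,) = struct.unpack_from("<H", data, off); off += 2
            digests[alg] = data[off:off + alg_sizes[alg]]; off += alg_sizes[alg]
        (size,) = struct.unpack_from("<I", data, off); off += 4
        events.append((mr, etype, digests, data[off:off + size])); off += size
    return events


def bootloader_measured(data: bytes) -> bool:
    """True if GRUB-style EV_IPL events were extended into RTMR[2]."""
    return any(etype == EV_IPL and mr == GRUB_RTMR_INDEX
               for mr, etype, _, _ in parse_event_log(data))


def replay_rtmr(data: bytes, mr_index: int) -> bytes:
    """Replay the log into one RTMR; compare against the value in a TD report."""
    acc = bytes(SHA384_LEN)                    # RTMRs start all-zero
    for mr, _, digests, _ in parse_event_log(data):
        if mr == mr_index:
            acc = hashlib.sha384(acc + digests[TPM_ALG_SHA384]).digest()
    return acc


# --- constructed sample logs (not captured from a real guest) ---------------
def _spec_id_header() -> bytes:
    body = (b"Spec ID Event03\0" + struct.pack("<IBBBB", 0, 0, 2, 0, 2)
            + struct.pack("<I", 1) + struct.pack("<HH", TPM_ALG_SHA384, SHA384_LEN)
            + b"\0")                           # vendorInfoSize = 0
    return (struct.pack("<II", 0, EV_NO_ACTION) + bytes(20)
            + struct.pack("<I", len(body)) + body)


def _event(mr: int, etype: int, payload: bytes) -> bytes:
    digest = hashlib.sha384(payload).digest()  # simplified: digest over the payload
    return (struct.pack("<III", mr, etype, 1) + struct.pack("<H", TPM_ALG_SHA384)
            + digest + struct.pack("<I", len(payload)) + payload)


# Firmware measures the GRUB binary into RTMR[1] (index 2) either way;
# only a working tpm module adds GRUB's own EV_IPL events to RTMR[2].
_FW_EVENTS = _spec_id_header() + _event(2, EV_EFI_BOOT_SERVICES_APPLICATION,
                                        b"\\EFI\\ubuntu\\grubx64.efi")
LOG_WITH_FIX = (_FW_EVENTS
                + _event(3, EV_IPL, b"grub_cmd: linux /boot/vmlinuz root=/dev/vda1\0")
                + _event(3, EV_IPL, b"grub_cmd: initrd /boot/initrd.img\0"))
LOG_BUGGY = _FW_EVENTS                         # tpm module never ran: RTMR[2] stays zero

if __name__ == "__main__":
    for name, log in (("fixed", LOG_WITH_FIX), ("buggy", LOG_BUGGY)):
        print(name, "bootloader measured:", bootloader_measured(log),
              "RTMR[2]:", replay_rtmr(log, GRUB_RTMR_INDEX).hex()[:16] + "...")
```

On an affected guest the replayed RTMR[2] stays at the all-zero initial value because nothing after the firmware ever extends it, which is exactly why an attestation policy that expects GRUB's kernel and command-line measurements there fails. Replace the constructed logs with the bytes of the guest's CC event log to run the check for real, and compare the replayed value with the RTMR reported by the TD quote rather than trusting the log alone.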

Hector CAO (hectorcao)
Changed in grub2 (Ubuntu):
status: New → Confirmed
assignee: nobody → Hector CAO (hectorcao)
Changed in kobuk:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Hector CAO (hectorcao)
Julian Andres Klode (juliank) wrote :

Reassigning to the correct package. This also needs a grub2-signed task.

We can pick this patch up or if you have experience working with a gbp-pq managed repository you could propose a merge for that. Either way, only the UEFI team can actually release any grub updates due to signing.

affects: grub2 (Ubuntu) → grub2-unsigned (Ubuntu)
Mate Kukri (mkukri) wrote :

@hectorcao, I am including your upstream patch in the next Ubuntu GRUB.

Changed in grub2-unsigned (Ubuntu):
assignee: Hector CAO (hectorcao) → Mate Kukri (mkukri)
Changed in grub2-signed (Ubuntu):
assignee: nobody → Mate Kukri (mkukri)
Hector CAO (hectorcao) wrote :

@mkukri and @juliank

Thanks so much for the feedback and work.
Now, I would like to ask if we can consider SRUing it to 24.04, because we have a CC story for 24.04 with our Kobuk project.

Mate Kukri (mkukri) wrote :

As per SRU requirements it needs to go into the development release first, but I don't see anything preventing it from being SRU'd afterwards.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-unsigned - 2.12-1ubuntu9

---------------
grub2-unsigned (2.12-1ubuntu9) oracular; urgency=medium

  * Cherry-pick upstream efi mm patches to avoid crashing at exit on Mu
  * peimage: Improve section consistency checks, use grub_dprintf for errors
  * peimage: Make sure partially loaded images are unloaded on error
  * Implement support for UEFI NX mitigation
  * Cherry-pick missing TDX measurements fix (LP: #2069232)
  * grub-common.service: Add After/Requires=boot-complete.target (LP: #1992643)
  * d/postinst.in: Remove upgrade check for GRUB version we can no longer upgrade from
  * Cherry-pick fdtdump patch
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Mate Kukri <email address hidden> Wed, 19 Jun 2024 11:47:16 +0100

Changed in grub2-unsigned (Ubuntu):
status: Confirmed → Fix Released