TPM PCR checking will fail if all the characters are 0
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OEM Priority Project | Fix Released | High | jeremyszu |
fwupd (Ubuntu) | Fix Released | Undecided | Unassigned |
fwupd (Ubuntu) Focal | Fix Released | Undecided | Unassigned |
fwupd (Ubuntu) Groovy | Fix Released | Undecided | Unassigned |
fwupd (Ubuntu) Hirsute | Fix Released | Undecided | Unassigned |
fwupd-signed (Ubuntu) | Fix Released | Undecided | Unassigned |
fwupd-signed (Ubuntu) Focal | Fix Released | Undecided | Unassigned |
fwupd-signed (Ubuntu) Groovy | Fix Released | Undecided | Unassigned |
fwupd-signed (Ubuntu) Hirsute | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
* "TPM PCR0 differs from reconstruction": if your PCR0 contains one or more zero bytes, the PCR0 will mismatch, because those zero bytes are ignored when the value is built.
[Test Plan]
* run
$ fwupdmgr get-devices
...
└─System Firmware:
Device ID: c8489035f8df6f8
Current version: 92.1.0
Minimum Version: 0.0.1
Vendor: HP (DMI:HP)
Update Error: TPM PCR0 differs from reconstruction, please see https:/
GUID: 116180f2-
will show the failure.
* already tried on bug1891966 bug1893018 bug1896855 bug1897674 bug1899914 bug1902835 bug1903660 bug1909539 bug1910197 bug1914335 bug1918600 bug1918866 bug1919270 bug1919424 bug1920714 and this patch could solve the error.
[Where problems could occur]
* An all-zero PCR0 is invalid. The original logic checks each byte and, if it is zero, skips it, so a PCR0 that legitimately contains a zero byte is potentially built with that byte missing (e.g. 0x0C>>00<
* This patch no longer skips zero bytes. Instead, it adds a flag that records whether all bytes are zero.
* This change makes sense, and I did not see any potential regression.
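To make the defect concrete, here is an added illustration (not fwupd's own code) of the two behaviours the description above contrasts: the original hex-encoding loop that skips zero bytes, and the fixed loop that encodes every byte and only rejects an all-zero PCR0. The function names, the sample digest and the reconstruction string are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Original logic: every zero byte is skipped while hex-encoding the digest,
 * so 0c 00 3a becomes "0c3a" instead of "0c003a" and a PCR0 with any zero
 * byte can never equal the reconstruction built from the TPM event log. */
static char *pcr_to_hex_buggy(const unsigned char *digest, size_t len) {
	char *str = calloc(len * 2 + 1, 1);
	size_t pos = 0;
	if (str == NULL) return NULL;
	for (size_t i = 0; i < len; i++) {
		if (digest[i] == 0) continue; /* the defect: valid zero bytes dropped */
		pos += (size_t)sprintf(str + pos, "%02x", digest[i]);
	}
	if (pos == 0) { free(str); return NULL; } /* nothing encoded: invalid */
	return str;
}

/* Fixed logic: encode every byte and keep a flag recording whether any
 * byte was non-zero; only an all-zero digest is rejected as invalid. */
static char *pcr_to_hex_fixed(const unsigned char *digest, size_t len) {
	bool valid = false;
	char *str = calloc(len * 2 + 1, 1);
	if (str == NULL) return NULL;
	for (size_t i = 0; i < len; i++) {
		if (digest[i] != 0) valid = true;
		sprintf(str + i * 2, "%02x", digest[i]);
	}
	if (!valid) { free(str); return NULL; } /* all-zero PCR0 is invalid */
	return str;
}

/* The comparison fwupdmgr reports on: the reported PCR0 must be usable and
 * equal to the reconstructed value. */
static bool pcr0_matches(const char *reported, const char *reconstructed) {
	return reported != NULL && strcmp(reported, reconstructed) == 0;
}

/* Constructed SHA-1-sized PCR0 (not a real measurement) with one zero byte. */
static const unsigned char sample_pcr0[20] = {
	0x0c, 0x00, 0x3a, 0x91, 0x7e, 0x44, 0xb2, 0x1d, 0xe6, 0x5f,
	0x03, 0xa8, 0xc9, 0x10, 0x77, 0xde, 0x29, 0x8b, 0x64, 0xf1 };
/* Hex of sample_pcr0 as the event-log reconstruction would produce it. */
static const char *sample_reconstruction =
	"0c003a917e44b21de65f03a8c91077de298b64f1";
```

With the buggy encoder the sample digest loses its zero byte and the check fails exactly as in the `fwupdmgr get-devices` output above; with the fixed encoder it matches, while an all-zero PCR0 is still rejected by both.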
---
On some HP platforms, the TPM PCR check fails on Ubuntu focal:
$ fwupdmgr get-devices
...
└─System Firmware:
Device ID: c8489035f8df6f8
Current version: 92.1.0
Minimum Version: 0.0.1
Vendor: HP (DMI:HP)
Update Error: TPM PCR0 differs from reconstruction, please see https:/
GUID: 116180f2-
Device Flags: • Internal device
Update Error: TPM PCR0 differs from reconstruction, please see https:/
---
This issue is fixed by upstream commit
https:/
X-HWE-Bug: Bug #1931189
tags: added: originate-from-1903660
tags: added: originate-from-1891966
tags: added: originate-from-1909539
Changed in oem-priority:
  assignee: nobody → jeremyszu (os369510)
  importance: Undecided → High
  status: New → Triaged
tags: added: originate-from-1910197
Changed in fwts (Ubuntu):
  assignee: nobody → Ivan Hu (ivan.hu)
no longer affects: fwts (Ubuntu)
tags: added: originate-from-1914335
tags: added: originate-from-1918600
tags: added: originate-from-1918866
tags: added: fwupd
tags: added: originate-from-1919270
tags: added: originate-from-1919424
tags: added: originate-from-1920714
description: updated
tags: added: originate-from-1922029
tags: removed: verification-needed
Changed in fwupd-signed (Ubuntu):
  status: New → Fix Released
Changed in fwupd-signed (Ubuntu Hirsute):
  status: New → Fix Released
tags: added: originate-from-1929044
tags: added: originate-from-1929671
description: updated
tags: added: originate-from-1931189
tags: added: originate-from-1931653
tags: added: originate-from-1931669
tags: added: originate-from-1931323
tags: added: originate-from-1932230
Changed in oem-priority:
  status: Triaged → Fix Committed
tags: added: originate-from-1933916
tags: added: originate-from-1938760
The result passes after installing the latest fwupd:
$ sudo snap install fwupd --edge --classic
...
└─System Firmware:
│ Device ID: c8489035f8df6f8
│ Current version: 1543569408
│ Minimum Version: 1
│ Vendor: HP (DMI:HP)
│ GUIDs: 116180f2-
│ 230c8b18-
│ d4b3b8bf-
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Needs a reboot after installation
│ • Cryptographic hash verification is available
│ • Device is usable for the duration of the update