Comment 9 for bug 2063113

Viktor Petersson (vpetersson) wrote:

For context - both of these systems should be brand new. To my knowledge, no other OS has been installed on either of them.

> Is /sys/kernel/security/tpm0/binary_bios_measurements missing also on the NUC?

I need to wait until later today when my colleague wakes up to check that.

> Also, could you look if the tpm has a lockout? Do this and give the output.

Sure - this is the output from the Star Labs System device:

$ sudo snap install tpm2-tools-alexmurray
tpm2-tools-alexmurray 5.3 from Alex Murray (alexmurray✪) installed

$ sudo snap connect tpm2-tools-alexmurray:tpm

$ sudo tpm2-tools-alexmurray.getcap properties-variable
TPM2_PT_PERMANENT:
  ownerAuthSet: 0
  endorsementAuthSet: 0
  lockoutAuthSet: 0
  reserved1: 0
  disableClear: 0
  inLockout: 0
  tpmGeneratedEPS: 0
  reserved2: 0
TPM2_PT_STARTUP_CLEAR:
  phEnable: 1
  shEnable: 1
  ehEnable: 1
  phEnableNV: 1
  reserved1: 0
  orderly: 1
TPM2_PT_HR_NV_INDEX: 0x0
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x3
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x3
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0x15
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0x4
TPM2_PT_ALGORITHM_SET: 0x0
TPM2_PT_LOADED_CURVES: 0x4
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
TPM2_PT_NV_WRITE_RECOVERY: 0x0
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0

$ echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request
5

$ cat /sys/devices/virtual/dmi/id/bios_*
04/19/2024
24.2
coreboot
24.04

$ sudo snap reboot --install

[wait for the device to be re-instated]

$ findmnt --submounts /sys
TARGET SOURCE FSTYPE OPTIONS
/sys sysfs sysfs rw,nosuid,nodev,noexec,relatime
├─/sys/kernel/security securityfs securityfs rw,nosuid,nodev,noexec,relatime
├─/sys/fs/cgroup cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot
├─/sys/fs/pstore pstore pstore rw,nosuid,nodev,noexec,relatime
├─/sys/firmware/efi/efivars efivarfs efivarfs rw,nosuid,nodev,noexec,relatime
├─/sys/fs/bpf bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700
├─/sys/kernel/debug debugfs debugfs rw,nosuid,nodev,noexec,relatime
├─/sys/kernel/tracing tracefs tracefs rw,nosuid,nodev,noexec,relatime
├─/sys/fs/fuse/connections fusectl fusectl rw,nosuid,nodev,noexec,relatime
└─/sys/kernel/config configfs configfs rw,nosuid,nodev,noexec,relatime

$ sudo blkid
/dev/loop1: TYPE="squashfs"
/dev/nvme0n1p5: LABEL="ubuntu-data" UUID="4b2c84bc-d101-4876-a974-5facbb5af775" BLOCK_SIZE="4096" TYPE="ext4" PARTLABEL="ubuntu-data" PARTUUID="52025746-fc3d-c24e-b094-26f721c7cd48"
/dev/nvme0n1p3: LABEL="ubuntu-boot" UUID="5a2c439c-cf62-4773-8376-2603ea7a81fe" BLOCK_SIZE="4096" TYPE="ext4" PARTLABEL="ubuntu-boot" PARTUUID="7206e296-fce4-924c-b6fd-affe319f9f1f"
/dev/nvme0n1p1: PARTLABEL="BIOS Boot" PARTUUID="3a1a3e5c-6b7b-479e-9752-7cc79e4a5e46"
/dev/nvme0n1p4: LABEL="ubuntu-save" UUID="83d045a3-2e33-47f9-b1e2-7c7d59d4541e" BLOCK_SIZE="1024" TYPE="ext4" PARTLABEL="ubuntu-save" PARTUUID="c967e18c-9991-0544-9316-55a0c988f7a8"
/dev/nvme0n1p2: LABEL_FATBOOT="ubuntu-seed" LABEL="ubuntu-seed" UUID="2EFA-CB53" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="ubuntu-seed" PARTUUID="61cd77c3-d8c0-4382-9b03-0714bc38ffda"
/dev/loop4: TYPE="squashfs"
/dev/loop2: TYPE="squashfs"
/dev/loop0: TYPE="squashfs"
/dev/loop3: TYPE="squashfs"

Updated journalctl dump:
https://gist.github.com/vpetersson/3b41538b1405d55b2833b45f0fae375e
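The getcap dump above is the part of this report that answers the lockout question, so here is an added Python helper (not part of the bug thread or of tpm2-tools) that parses `tpm2_getcap properties-variable` output and summarises the dictionary-attack lockout state; the sample text is a constructed excerpt of the output quoted above.

```python
"""Summarise TPM2 dictionary-attack lockout state from tpm2_getcap output."""
import re

# Constructed sample: the lockout-relevant lines from the getcap output above.
SAMPLE = """\
TPM2_PT_PERMANENT:
  ownerAuthSet: 0
  lockoutAuthSet: 0
  disableClear: 0
  inLockout: 0
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
"""


def parse_getcap(text):
    """Return {name: int} for top-level hex properties and indented bit fields.

    Section headers such as 'TPM2_PT_PERMANENT:' carry no value and are skipped.
    """
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_]+):\s*(0x[0-9A-Fa-f]+|\d+)\s*$", line)
        if m:
            props[m.group(1)] = int(m.group(2), 0)  # base 0 handles 0x.. and plain digits
    return props


def lockout_status(props):
    """Interpret the parsed properties as a human-readable DA lockout summary."""
    counter = props.get("TPM2_PT_LOCKOUT_COUNTER", 0)   # failed auths so far
    max_fail = props.get("TPM2_PT_MAX_AUTH_FAIL", 0)    # failures before lockout
    return {
        "in_lockout": bool(props.get("inLockout", 0)),
        "failed_auths": counter,
        "max_auth_fail": max_fail,
        "remaining_attempts": max(max_fail - counter, 0),
        "lockout_interval_s": props.get("TPM2_PT_LOCKOUT_INTERVAL", 0),  # 0x1C20 = 2 h
        "lockout_recovery_s": props.get("TPM2_PT_LOCKOUT_RECOVERY", 0),  # 0x15180 = 24 h
        "clear_disabled": bool(props.get("disableClear", 0)),
    }


if __name__ == "__main__":
    for key, value in lockout_status(parse_getcap(SAMPLE)).items():
        print(f"{key}: {value}")
```

For the output quoted in this comment it reports no lockout, zero failed authorisations out of 32 allowed, and a 2 hour decay interval, so a DA lockout is not what blocks provisioning here.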