
debcrafters-packages team mailing list archive

[Bug 2115391] Re: systemd-pcrlock log fails to read hyper-v vTPMs on Azure

 

Performing verification for noble.

I created a new "Standard D2s v3" instance on Azure, running noble. The system
has "Trusted Launch" set and has a vTPM.

With systemd from updates:

$ apt-cache policy systemd | grep Installed
  Installed: 255.4-1ubuntu8.10

$ sudo /usr/lib/systemd/systemd-pcrlock log
Hash algorithms in event log record don't match log.

I then enabled -proposed, and installed systemd 255.4-1ubuntu8.11 and
rebooted.

$ sudo /usr/lib/systemd/systemd-pcrlock log
PCR   PCRNAME            EVENT                         MATCH SHA256                                                           F/U COMPONENT                         DESC>
  0 █ platform-code      s-crtm-version                    ✓ 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7 F   -                                 Raw:>
  0 █ platform-code      efi-platform-firmware-blob        - 2da34fbe343757e290d8e718407ede5f8b9f8920644a4d0f56244097aebbe81a F   -                                 Blob>
  7 █ secure-boot-policy efi-variable-driver-config        ✓ ccfc4bb32888a345bc8aeadaba552b627d99348c767681ab3141f5b01e40a40e F   -                                 Vari>
  7 █ secure-boot-policy efi-variable-driver-config        ✓ 827f3ad1828bd20cc03a5624d4ce3f1cf74910715cc764f69800fefd8f406dc6 F   -                                 Vari>
  7 █ secure-boot-policy efi-variable-driver-config        ✓ f2ff789f4c200f638f38a453c3128398d4f30181c9c4b46ebb32ba5e19c73b0a F   -                                 Vari>
  7 █ secure-boot-policy efi-variable-driver-config        ✓ c1bc3e1aeb319c357129dc6e8e51c9a92abd135aabec122fca5f6cae0e477686 F   -                                 Vari>
  7 █ secure-boot-policy efi-variable-driver-config        ✓ 4495e52d2675bd260c90cf42c3f0ae20e41486f857502e3204de0f429d0558c1 F   -                                 Vari>
  7 █ secure-boot-policy separator                         ✓ df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 F   400-secureboot-separator          Sepa>
  6 █ host-platform      compact-hash                      ✓ 3c2a3a23ba49e7ae736ff564bb720158aec6f1baf820704cfec2774cae930027 F   -                                 Raw:>
  1 █ platform-config    efi-variable-boot                 ✓ 47dc540c94ceb704a23875c11273e16bb0b8a87aed84de911f2133568115f254 F   -                                 Vari>
  1 █ platform-config    efi-variable-boot                 ✓ e1208a5825b4f30cfef7592c6ff8e47f51984e22b2ff1a74e677242bc4c8a746 F   -                                 Vari>
  4 █ boot-loader-code   efi-action                        ✓ 3d6772b4f84ed47595d72a2c4c5ffd15f5bb72c7507fe26f2aaee2c69d5633ba F   350-action-efi-application        Acti>
  0 █ platform-code      separator                         ✓ df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 F   500-separator                     Sepa>
  1 █ platform-config    separator                         ✓ df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 F   500-separator                     Sepa>
  2 █ external-code      separator                         ✓ df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 F   500-separator                     Sepa>
  3 █ external-config    separator                         ✓ df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 F   500-separator                     Sepa>
  4 █ boot-loader-code   separator                         ✓ df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 F   500-separator                     Sepa>
  5 █ boot-loader-config separator                         ✓ df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 F   500-separator                     Sepa>
  6 █ host-platform      separator                         ✓ df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 F   500-separator                     Sepa>
  7 █ secure-boot-policy efi-variable-authority            ✓ 4d4a8e2c74133bbdc01a16eaf2dbb5d575afeb36f5d8dfcf609ae043909e2ee9 F   -                                 Auth>
  5 █ boot-loader-config efi-gpt-event                     ✓ 191d3cb17af203cc7c98337ef1c4c86286a7cd8e5533777ed22279d6236544fb F   -                                 GPT:>
  4 █ boot-loader-code   efi-boot-services-application     - 724de6844dd0fe618ba5776c7bca0728be38a6544e24e44ef259b987b7abce80 F   -                                 File>
 14 █ shim-policy        ipl                               - 2f196b05a0564764cca674175ecd97898e74ed3891c7c63ce6f17dc82603164a F   -                                 Raw:>
 14 █ shim-policy        ipl                               - 8d8a3aae50d5d25838c95c034aadce7b548c9a952eb7925e366eda537c59c3b0 F   -                                 Raw:>
  7 █ secure-boot-policy efi-variable-authority            ✓ e8e9578f5951ef16b1c1aa18ef02944b8375ec45ed4b5d8cdb30428db4a31016 F   -                                 Auth>
 14 █ shim-policy        ipl                               - 4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a F   -                                 Raw:>
  7 █ secure-boot-policy efi-variable-authority            ✓ 68bdff38e48c399326ca7356eb992693d13301f3925caf10e7b39dc9240789cd F   -                                 Auth>
  4 █ boot-loader-code   efi-boot-services-application     - 4caffb530989433f184353c48d8150fcdce6037933ab129249f50f0068cf1815 F   -                                 File>
  9 █ kernel-initrd      ipl                               - 5b1baa7c66d70bb28cb1d36753e48b53fcb3cd3b676140e50d6af07b69a01e03 F   -                                 Raw:>
  9 █ kernel-initrd      ipl                               - 5b1baa7c66d70bb28cb1d36753e48b53fcb3cd3b676140e50d6af07b69a01e03 F   -                                 Raw:>
  8 █ -                  ipl                               - 0b305fcbfd6de749f087a2b591220a46c9626c93605af4f02844eed8ca0e09e9 F   -                                 Raw:>
  8 █ -                  ipl                               - 97a14107305bbdb5eea84815ab8ddff21028cfaf65f09178ebf3cab85803b6a2 F   -                                 Raw:>
  9 █ kernel-initrd      ipl                               - aef695413d1a1b9eaff753a15512d0ba79e23e5524033eec20c7a1c7c20eb1c4 F   -                                 Raw:>
  9 █ kernel-initrd      ipl                               - 32fc7f5de8c0a5dc0b1e7eb609ca31a77eb3475539e1d97a4543dca1b9b26c57 F   -                                 Raw:>
  9 █ kernel-initrd      ipl                               - 1b766f38a94927fe9b7bc1e809f0363e778e14c601e800faea271a2e75d3fc43 F   -                                 Raw:>
  9 █ kernel-initrd      ipl                               - 46f888c52f36baf9b62d60bc8d06426a314aad5a0ff86a4362a91c2512a1df9c F   -                                 Raw:>
  8 █ -                  ipl                               - 7bab9fbe716a627d300c67b6c28f2b6cd0aca9b3182b76c992f23d40d2466b67 F   -                                 Raw:>
  9 █ kernel-initrd      ipl                               - 82af4fd7991144d427e90db8a6fb407aff1e58eba311182d011ff8bee6219a9e F   -                                 Raw:>
  8 █ -                  ipl                               - 6ad77e4fde8bf2232893cf4ac273a050fd0e1f3f4e4098c3511a52bd8bda87f6 F   -                                 Raw:>
  9 █ kernel-initrd      ipl                               - f64122858064885ef0733e42c6a3d2d3fd642671f714db0d974b880c0f087430 F   -                                 Raw:>
  8 █ -                  ipl                               - 0e3a17e0c48e42d79f4d1576e7f787c911239510586505c326143b9b268bdd65 F   -                                 Raw:>
  8 █ -                  ipl                               - f8b99f77983990e8804864cade91f361b5b6600cc2832febaef878ac8b44d27e F   -                                 Raw:>
  9 █ kernel-initrd      ipl                               - f64122858064885ef0733e42c6a3d2d3fd642671f714db0d974b880c0f087430 F   -                                 Raw:>
  8 █ -                  ipl                               - d2b92983e66aff99982fe5af55e0f9277dc0f8879934e17b00147e1f4156179e F   -                                 Raw:>
  8 █ -                  ipl                               - 82a4a14e43a4f76118ae63285d0af05af139f260fae57b2c20737a1c1df3382b F   -                                 Raw:>
  8 █ -                  ipl                               - ce8124bc1b0fbc0cb5cd47338ca0c7d5f5446d79936e443a201d96b192a7bd65 F   -                                 Raw:>
  8 █ -                  ipl                               - 3a118940bf2675007df3368cb6d45cf2756f328d3e75daf69a971dd21bd1bc58 F   -                                 Raw:>
  8 █ -                  ipl                               - 4568361fb7581b31a42d645ab534302fb9f742adaa37b7fde152215d69e259fb F   -                                 Raw:>
  8 █ -                  ipl                               - 09f17d4dfb4b97f16246632c21b1ac2125c95c148899eee5069fbb1b34365513 F   -                                 Raw:>
  8 █ -                  ipl                               - 4af0bb370c9e3b7982027d02e04c935e32d52b528007476bfc50d36d1b86815e F   -                                 Raw:>
  8 █ -                  ipl                               - ce8124bc1b0fbc0cb5cd47338ca0c7d5f5446d79936e443a201d96b192a7bd65 F   -                                 Raw:>
  8 █ -                  ipl                               - 9d23bf4d90296276c6fdb424de9051f722d20618404903ce4381c55c59eb517c F   -                                 Raw:>
  8 █ -                  ipl                               - fab8fd77ca0ea3d91c73940aae2ca687a427de20d8b74f120d8c4fe59d540d8d F   -                                 Raw:>
  8 █ -                  ipl                               - 28ead791aa27d4a5201a4662b813928050b8f8aa9b0ab33b175200db688602b9 F   -                                 Raw:>
  8 █ -                  ipl                               - 82a4a14e43a4f76118ae63285d0af05af139f260fae57b2c20737a1c1df3382b F   -                                 Raw:>
  8 █ -                  ipl                               - 4568361fb7581b31a42d645ab534302fb9f742adaa37b7fde152215d69e259fb F   -                                 Raw:>
  8 █ -                  ipl                               - 92c6fa68ecb56c92078047f6d607d0cd3781d87dad7606616e90b3a0c476e80a F   -                                 Raw:>
  8 █ -                  ipl                               - fd11e62aa088d6215506792058ebcd489a79ae453a5513a60b5a0a3f350c3d03 F   -                                 Raw:>
  8 █ -                  ipl                               - cfa4676ffe751d1547e77a8d66a033b59b3eed3400d9b3a305d2601891ab0e59 F   -                                 Raw:>
  8 █ -                  ipl                               - 2436afe3cb181454ab807d6ca526ed3132dc1759787f9ed3f2f148e86948e978 F   -                                 Raw:>
  8 █ -                  ipl                               - eb97ee12d3f873aada1c5cd0c844e3a80416b6aed3c42c9f573e4c4b809b89ed F   -                                 Raw:>
  8 █ -                  ipl                               - 01ffa4a5eae6be98974c1b75e839f442eed9d9f5c1d65c03d355e04fc81d2873 F   -                                 Raw:>
  8 █ -                  ipl                               - 207cda95fd859189d016c7c2cc03b9c05672984589e4809e1dcee665d629cf7d F   -                                 Raw:>
  8 █ -                  ipl                               - 6f18799fe0ecb5c4bb4c0695a3094dc9841c940c3b463e14c25e444246348a2a F   -                                 Raw:>
  8 █ -                  ipl                               - c42994f4562544cc5f5ab303ca656b3e9c96bb026687f3da5371b0fb9f3da74e F   -                                 Raw:>
  8 █ -                  ipl                               - f0b4b3c23103828ea2fa05044a2cfce5efc9d15e99ffb9c61d7349c1303741af F   -                                 Raw:>
  8 █ -                  ipl                               - 5049802d85c95cc52a8d1495e21db7c7dc2519a12202ea15a8cc1cc7b123bbf0 F   -                                 Raw:>
  8 █ -                  ipl                               - a1d598d76cd92cdf36ef379aae43ded1cc512bd74a17e5b03fc901015b899755 F   -                                 Raw:>
  8 █ -                  ipl                               - f249e761a7e37510f8acf59142c117444c3aa1bc5a719ae7eab60d3b7109180a F   -                                 Raw:>
  8 █ -                  ipl                               - 22e041251eb54eeb3270245759aa3e8bd3b77a647db988b681b1eafc6960aa45 F   -                                 Raw:>
  8 █ -                  ipl                               - 837cdd7f2f3bb6fdf306bdf167415a609fe25bdaf3ef1bbf52ab689e5016fa8e F   -                                 Raw:>
  8 █ -                  ipl                               - 662bf0884afb913d75f3a0ce423dfe3ec0a25712f68eacf85f4dfe6b4d035674 F   -                                 Raw:>
  8 █ -                  ipl                               - 5d487e285706b36d48eff03e56383e4692de24b867b38fcb3c5896fd222a5957 F   -                                 Raw:>
  8 █ -                  ipl                               - 2b632b145c9a0b3c13ebf6661ae3128d9eb8bc00ae7594c744ec6b590b906833 F   -                                 Raw:>
  9 █ kernel-initrd      ipl                               - b49a7fd5edc02f168f0de51309313278dc2347c0f83a5cbedcb8974790a5e7e8 F   -                                 Raw:>
  8 █ -                  ipl                               - 5d487e285706b36d48eff03e56383e4692de24b867b38fcb3c5896fd222a5957 F   -                                 Raw:>
  8 █ -                  ipl                               - 8a0672215643524931da9a98294d41f13a6e324adf780e239ef0b5ea033255bd F   -                                 Raw:>
  8 █ -                  ipl                               - d0b128de61633eaded03eaf1923aaed67e1973fb10714ad91515906104cd640f F   -                                 Raw:>
  8 █ -                  ipl                               - ba0a0eba7367337a506a6c7bb223356ee9d83badd3c6ee91cca8c977bfe23c5e F   -                                 Raw:>
  8 █ -                  ipl                               - 4379e3a5fea9ca2de50fd7ae4cdb17c78cc42fb3c3744b270623f1519e2c2e4f F   -                                 Raw:>
  8 █ -                  ipl                               - 6f5599ee61f62c451a68931852f20cf7ed872583ee8b0f83e3df702c65a77c99 F   -                                 Raw:>
  8 █ -                  ipl                               - bf5d10a466c0f77818990a9d0fdcc8fa2c4561ba92912d5fbc9d4ac1e31a00fb F   -                                 Raw:>
  8 █ -                  ipl                               - a57e067e286efc4eea89659d40f13a38cc1792e4277bed820ded674c94bf2ead F   -                                 Raw:>
  8 █ -                  ipl                               - 64bda8f65b1585d7868248a292c449660cc8f75075c10d87ae59a4db401ce119 F   -                                 Raw:>
  8 █ -                  ipl                               - cfa4676ffe751d1547e77a8d66a033b59b3eed3400d9b3a305d2601891ab0e59 F   -                                 Raw:>
  8 █ -                  ipl                               - 4e7a22f96bae467df0f26975e0bf7614d6b92993301c65bae6a85c6530e460bf F   -                                 Raw:>
  8 █ -                  ipl                               - ce2cc20777ba8d3bc75b662163c3abe370344d4bae17d75fb5bd408d1fb6badf F   -                                 Raw:>
  8 █ -                  ipl                               - 7626abd8be7442c2e575364a3e95cb3a3b533c58afbba402d2bdabdff85d29c7 F   -                                 Raw:>
  8 █ -                  ipl                               - 4568361fb7581b31a42d645ab534302fb9f742adaa37b7fde152215d69e259fb F   -                                 Raw:>
  8 █ -                  ipl                               - d71353f5368eb2c1280590928128979bd96ea8db1e8c81493f7878383b76ab3b F   -                                 Raw:>
  8 █ -                  ipl                               - 2fa8065d9ee309384d35f8d530186b776d26e1bb5632f89a46d56e93b140282b F   -                                 Raw:>
  8 █ -                  ipl                               - 15a5018b0177cf9c49c0b97911df67e7f2c193d3613e3fc4c9eb98a2b5d06fcc F   -                                 Raw:>
  8 █ -                  ipl                               - b55d84bbb0a00f175ebbc6ca167f18dd6a9cb49b141535bfcc6c4ef9c53b1866 F   -                                 Raw:>
  8 █ -                  ipl                               - 141dcfd03b1736e86f617122e7f31cffe89f7cf0faa773f1bced28f7f0c1fa13 F   -                                 Raw:>
  8 █ -                  ipl                               - 6c4674d4c652ee67b98a6206d7541ccbf2d5dc0a18dae31ad66e82c794c49784 F   -                                 Raw:>
  8 █ -                  ipl                               - 18865468f2e4bd9f0cc4ffdda1335f405d06df8d6ff183b373f50e08e81f924d F   -                                 Raw:>
  8 █ -                  ipl                               - 62cd76d31ca3d10d742e46c6ff171046ce19dd90f361a827fec6571e59c24794 F   -                                 Raw:>
  8 █ -                  ipl                               - b838a4d2860c81058105fbb1907a1fb7f60b65591b099b3b000d9b31d8d2fb20 F   -                                 Raw:>
  8 █ -                  ipl                               - 37796339dc9cb3e51ba3f31319b01eaf6c00faceee33831d3b43895228f7be8c F   -                                 Raw:>
  8 █ -                  ipl                               - 82a4a14e43a4f76118ae63285d0af05af139f260fae57b2c20737a1c1df3382b F   -                                 Raw:>
  8 █ -                  ipl                               - d1bbd7d573d636850a1a9efbcfac9e589f1bcd34f617b16bc7872275ea036c3d F   -                                 Raw:>
  8 █ -                  ipl                               - 477de525cace1b2460a487db823c9e04cd7b575e318431725359a45794a3847f F   -                                 Raw:>
  9 █ kernel-initrd      ipl                               - b7bc975098f83326a760286301f5993fc5ee41ef0f224ca7d282b03da17a9f87 F   -                                 Raw:>
  4 █ boot-loader-code   efi-boot-services-application     ✗ 83d75b0b2e69ce35e2592e46fea05739f74a0c53367cc3899fff25a54408315c F   -                                 -   >
  8 █ -                  ipl                               - afc267d3ecc0e8b55f73673cb7f8606840b7ac0db48297c165e34b9e6f8ca9d9 F   -                                 Raw:>
  8 █ -                  ipl                               - 76bc6c6d70ce34a24bda263584ed03d0fd5d94f90ca206dd5e500b0fe98b3df2 F   -                                 Raw:>
  8 █ -                  ipl                               - cfa4676ffe751d1547e77a8d66a033b59b3eed3400d9b3a305d2601891ab0e59 F   -                                 Raw:>
  8 █ -                  ipl                               - 9da41594d5d4c19a861b9d0e61f7a4cab22476704250ebf6694f56d8487eacd3 F   -                                 Raw:>
  8 █ -                  ipl                               - 4e7a22f96bae467df0f26975e0bf7614d6b92993301c65bae6a85c6530e460bf F   -                                 Raw:>
  8 █ -                  ipl                               - 6b2c97f60740ba1ed873c8a1344792aefe3ba93ed8f20db8e89193526cff5fbb F   -                                 Raw:>
  8 █ -                  ipl                               - 2436afe3cb181454ab807d6ca526ed3132dc1759787f9ed3f2f148e86948e978 F   -                                 Raw:>
  8 █ -                  ipl                               - a05839fd9bfebe3bde7739df6a1983a0008d37e25a47ffa6a164b4a22050c80f F   -                                 Raw:>
  9 █ kernel-initrd      event-tag                         - 5e16ef62783ecf6e42a284fe6482a2198144ccabb32b5d688697a2a30ef0eb04 F   -                                 Linu>
  5 █ boot-loader-config efi-action                        ✓ d8043d6b7b85ad358eb3b6ae6a873ab7ef23a26352c5dc4faa5aeedacf5eb41b F   700-action-efi-exit-boot-services Acti>
  5 █ boot-loader-config efi-action                        ✓ b54f7542cbd872a81a9d9dea839b2b8d747c7ebd5ea6615c40f42f44a6dbeba0 F   700-action-efi-exit-boot-services Acti>

PCR     PCRNAME             COUNT H R C CALCULATED SHA256                                                OBSERVED SHA256                                                 
  0 █ 😨 platform-code           3 ✓ ✗ ✓ e15c44796beabf46abcec7c57e590942041e47497e4ec27571c8b7664f48dced e15c44796beabf46abcec7c57e590942041e47497e4ec27571c8b7664f48dc>
  1 █ 😨 platform-config         3 ✓ ✗ ✓ 7981ca52646ae41fc14c4e1d9e3a507375c9e2d160392675fa16ec6092db327b 7981ca52646ae41fc14c4e1d9e3a507375c9e2d160392675fa16ec6092db32>
  2 █ 😀 external-code           1 ✓ ✓ ✓ 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e79>
  3 █ 😀 external-config         1 ✓ ✓ ✓ 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e79>
  4 █ 😨 boot-loader-code        5 ✓ ✗ ✓ ea2481ce5c5941e139aa626d8538fbc5efae4e5bcb7ff8e0933792420ec25c54 ea2481ce5c5941e139aa626d8538fbc5efae4e5bcb7ff8e0933792420ec25c>
  5 █ 😨 boot-loader-config      4 ✓ ✗ ✓ 153d0d22e29e829a700d020df5315970b2a4e897378ef36fb8036ac2b29d7af9 153d0d22e29e829a700d020df5315970b2a4e897378ef36fb8036ac2b29d7a>
  6 █ 😨 host-platform           2 ✓ ✗ ✓ 50be9948c8764f68978ec5ba452943fdea53861dd23b5aed302d383cd89825bb 50be9948c8764f68978ec5ba452943fdea53861dd23b5aed302d383cd89825>
  7 █ 😨 secure-boot-policy      9 ✓ ✗ ✓ c52d1f88ecb460721b077d4213f671231180982ef8d90c52ef3c2092e0dc7f33 c52d1f88ecb460721b077d4213f671231180982ef8d90c52ef3c2092e0dc7f>
  8 █ 😨 -                      72 ✓ ✗ ✓ f08fbd77f48beb9358b9bc0f8ce0ad185b110e8ba5e9ad5618297b23fa50204f f08fbd77f48beb9358b9bc0f8ce0ad185b110e8ba5e9ad5618297b23fa5020>
  8 █ 😨 -                      72 ✓ ✗ ✓ f08fbd77f48beb9358b9bc0f8ce0ad185b110e8ba5e9ad5618297b23fa50204f f08fbd77f48beb9358b9bc0f8ce0ad185b110e8ba5e9ad5618297b23fa5020>
  9 █ 😨 kernel-initrd          12 ✓ ✗ ✓ 094b148460e75e23c67a84ac39555aaa79c64f04ff4a172198e29c4d11dcda94 094b148460e75e23c67a84ac39555aaa79c64f04ff4a172198e29c4d11dcda>
 10 █ 🤢 ima                     - ✗ ✓ ✓ 0000000000000000000000000000000000000000000000000000000000000000 d81e08e944171cd82462ed27058fafa8a71c0891d50b5f47e3aa72eead605b>
 11 █ 🙂 kernel-boot             - ✓ ✓ ✗ 0000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000>
 12 █ 😀 kernel-config           - ✓ ✓ ✓ 0000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000>
 13 █ 😀 sysexts                 - ✓ ✓ ✓ 0000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000>
 14 █ 😨 shim-policy             3 ✓ ✗ ✓ 306f9d8b94f17d93dc6e7cf8f5c79d652eb4c6c4d13de2dddc24af416e13ecaf 306f9d8b94f17d93dc6e7cf8f5c79d652eb4c6c4d13de2dddc24af416e13ec>
 15 █ 😀 system-identity         - ✓ ✓ ✓ 0000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000>
 16 █ 😀 debug                   - ✓ ✓ ✓ 0000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000>
 17 █ 😀 -                       - ✓ ✓ ✓ ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff>
 18 █ 😀 -                       - ✓ ✓ ✓ ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff>
 19 █ 😀 -                       - ✓ ✓ ✓ ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff>
 20 █ 😀 -                       - ✓ ✓ ✓ ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff>
 21 █ 😀 -                       - ✓ ✓ ✓ ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff>
 22 █ 😀 -                       - ✓ ✓ ✓ ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff>
 23 █ 😀 application-support     - ✓ ✓ ✓ 0000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000>

Legend: H → PCR hash value matches event log
        R → All event log records for this PCR have a matching component
        C → No components that couldn't be matched with log records affect this PCR
        
This is much better, and now it calculates and outputs the expected vs actual
contents of the registers.

For good measure, I also started a VM on GCP and ran the same reproducer steps,
and after installing tpm2-tools, systemd-pcrlock worked the same on both
-updates and -proposed.

The packages in -proposed fix the issue; I am happy to mark as verified for
noble.

** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2115391

Title:
  systemd-pcrlock log fails to read hyper-v vTPMs on Azure

Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Noble:
  Fix Committed

Bug description:
  [Impact]

  On Azure, running "systemd-pcrlock log" fails with:

  $ sudo /usr/lib/systemd/systemd-pcrlock log
  Hash algorithms in event log record don't match log.

  This is because the hyper-v vTPMs announce the hash algorithms in the header
  in a different order than what is actually written in the log. The patch changes
  systemd-pcrlock to search for the correct mapping instead of using the order
  in the header.

  There are no workarounds.

  [Testcase]

  On Azure, boot a VM with Security type set to "Trusted launch virtual machines"
  or "Confidential virtual machines". 

  I recommend "Trusted launch virtual machines" with size
  Standard_D2s_v3.

  Run systemd-pcrlock:

  $ sudo /usr/lib/systemd/systemd-pcrlock log
  Hash algorithms in event log record don't match log.

  The expected result is a screenful of TPM PCR registers with their contents,
  as well as a colour and an emoji indicating if the computed result is good or
  not.

  Test packages are available in the following ppa:

  https://launchpad.net/~mruffell/+archive/ubuntu/sf409402-test

  If you install the test packages, systemd-pcrlock works as expected.

  [Where problems can occur]

  This changes how systemd-pcrlock opens and reads the tpm2 eventlog. This should
  be just a readonly operation, so a regression would not tamper with or modify
  any TPM PCR registers.

  If a regression were to occur, users could potentially not be able to run
  "systemd-pcrlock log" against their TPMs on their systems, and not be able to
  verify attestation of their boot.

  A regression could also prevent users from using systemd-pcrlock to predict the
  next set of TPM PCR values when installing a new kernel image to their system,
  which might mean they would have to determine the correct PCR values manually.

  A workaround is to use the non-related tpm2-tools package for these calculations
  and reading the eventlog.

  [Other info]

  This was fixed in 256-rc1 by:

  commit e90a255e55e3af0effac927ccaa10c2662501e1a
  From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
  Date: Wed, 21 Feb 2024 14:43:42 +0100
  Subject: pcrlock: handle measurement logs where hash algs in header
   are announced in different order than in records
  Link: https://github.com/systemd/systemd/commit/e90a255e55e3af0effac927ccaa10c2662501e1a

  This is in oracular onward, and jammy doesn't have pcrlock, so only noble needs
  the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2115391/+subscriptions
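
The header/record ordering problem described under [Impact], as an added example (not code from systemd or from the bug report): a small Python parser for a TCG2 crypto-agile event log, run over a constructed log whose header announces sha256 before sha1 while the records store sha1 first. The strict/tolerant switch, the one-digest-per-bank check and the sample payloads are assumptions made for illustration; the tolerant mode also replays the sha256 bank the way the "H" column of the output above is checked.

```python
import hashlib
import struct

# TPM2_ALG_* identifiers (TCG algorithm registry) mapped to hashlib names.
ALG_NAMES = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384"}
EV_NO_ACTION, EV_IPL = 0x03, 0x0D
MISMATCH = "Hash algorithms in event log record don't match log."


def parse_header(buf):
    """Return ([(alg_id, digest_size), ...] as announced, offset of first record)."""
    _pcr, _etype, _sha1, size = struct.unpack_from("<II20sI", buf, 0)
    data = buf[32:32 + size]
    if data[:16] != b"Spec ID Event03\0":
        raise ValueError("not a crypto-agile TCG2 event log")
    (count,) = struct.unpack_from("<I", data, 24)
    algs = [struct.unpack_from("<HH", data, 28 + 4 * i) for i in range(count)]
    return algs, 32 + size


def parse_records(buf, offset, algs, strict):
    """Yield (pcr, event_type, {alg_id: digest}) per TCG_PCR_EVENT2 record."""
    # strict=True assumes digests follow the header's order; strict=False
    # looks every algorithm ID up in the header table instead.
    sizes = dict(algs)
    while offset < len(buf):
        pcr, etype, count = struct.unpack_from("<III", buf, offset)
        offset += 12
        if count != len(algs):  # assumption: one digest per announced bank
            raise ValueError(MISMATCH)
        digests = {}
        for i in range(count):
            (alg_id,) = struct.unpack_from("<H", buf, offset)
            offset += 2
            if strict and alg_id != algs[i][0]:
                raise ValueError(MISMATCH)
            if alg_id not in sizes or alg_id in digests:
                raise ValueError("unknown or repeated algorithm in record")
            digest = buf[offset:offset + sizes[alg_id]]
            if len(digest) != sizes[alg_id]:
                raise ValueError("truncated record")
            digests[alg_id] = digest
            offset += sizes[alg_id]
        (event_size,) = struct.unpack_from("<I", buf, offset)
        offset += 4 + event_size
        yield pcr, etype, digests


def replay(records, alg_id):
    """Recompute one PCR bank from the log: new = H(old || digest)."""
    name = ALG_NAMES[alg_id]
    pcrs = {}
    for pcr, etype, digests in records:
        if etype == EV_NO_ACTION:  # informational records are never extended
            continue
        old = pcrs.get(pcr, bytes(hashlib.new(name).digest_size))
        pcrs[pcr] = hashlib.new(name, old + digests[alg_id]).digest()
    return pcrs


def build_sample_log():
    """Constructed log: header says sha256, sha1; records store sha1 first."""
    spec = (b"Spec ID Event03\0" + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 2)
            + struct.pack("<HHHH", 0x000B, 32, 0x0004, 20) + b"\0")
    log = struct.pack("<II20sI", 0, EV_NO_ACTION, bytes(20), len(spec)) + spec
    for pcr, payload in [(0, b"firmware"), (7, b"secure-boot"), (0, b"separator")]:
        log += struct.pack("<III", pcr, EV_IPL, 2)
        log += struct.pack("<H", 0x0004) + hashlib.sha1(payload).digest()
        log += struct.pack("<H", 0x000B) + hashlib.sha256(payload).digest()
        log += struct.pack("<I", len(payload)) + payload
    return log


if __name__ == "__main__":
    log = build_sample_log()
    algs, start = parse_header(log)
    try:
        list(parse_records(log, start, algs, strict=True))
    except ValueError as err:
        print("strict:  ", err)
    banks = replay(parse_records(log, start, algs, strict=False), 0x000B)
    for pcr in sorted(banks):
        print("tolerant: PCR", pcr, banks[pcr].hex())
```
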


