[Bug 1909734] Re: TPM PCR checking will fail if the all characters are 0
Łukasz Zemczak
1909734 at bugs.launchpad.net
Thu Apr 8 10:05:37 UTC 2021
Hello jeremyszu, or anyone else affected,
Accepted fwupd into groovy-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/fwupd/1.4.7-0~20.10.1
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us in getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-groovy to verification-done-groovy. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-groovy. In either case, without details of
your testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: fwupd (Ubuntu Groovy)
Status: Triaged => Fix Committed
** Tags added: verification-needed verification-needed-groovy
** Also affects: fwupd-signed (Ubuntu)
Importance: Undecided
Status: New
** Changed in: fwupd-signed (Ubuntu Groovy)
Status: New => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd in Ubuntu.
https://bugs.launchpad.net/bugs/1909734
Title:
TPM PCR checking will fail if the all characters are 0
Status in OEM Priority Project:
Triaged
Status in fwupd package in Ubuntu:
Fix Released
Status in fwupd-signed package in Ubuntu:
New
Status in fwupd source package in Focal:
Triaged
Status in fwupd-signed source package in Focal:
New
Status in fwupd source package in Groovy:
Fix Committed
Status in fwupd-signed source package in Groovy:
Fix Committed
Status in fwupd source package in Hirsute:
Fix Released
Status in fwupd-signed source package in Hirsute:
New
Bug description:
[Impact]
* TPM PCR0 differs from reconstruction: if your PCR0 contains one (or
more) zero byte(s), then the PCR0 will mismatch (the zero byte(s) are
ignored).
[Test Plan]
* run
  $ fwupdmgr get-devices
  ...
  └─System Firmware:
      Device ID: c8489035f8df6f87a1a3cd1baff36129262a5ac1
      Current version: 92.1.0
      Minimum Version: 0.0.1
      Vendor: HP (DMI:HP)
      Update Error: TPM PCR0 differs from reconstruction, please see https://github.com/fwupd/fwupd/wiki/TPM-PCR0-differs-from-reconstruction
      GUID: 116180f2-105d-4ab2-809e-7fabed71217b
  and you will get the failure.
* already tried on bug1891966 bug1893018 bug1896855 bug1897674
bug1899914 bug1902835 bug1903660 bug1909539 bug1910197 bug1914335
bug1918600 bug1918866 bug1919270 bug1919424 bug1920714 and this patch
could solve the error.
[Where problems could occur]
* An all-zero PCR0 is invalid. The original logic checks whether a
byte is zero and, if it is, skips it. This causes the PCR0 to
potentially miss some valid zero bytes. (e.g.
0x0C>>00<<62898247F8FE3085960E5B0270E7667B6F7D4CAE17A503950499D45B4116)
* This patch will not skip zero bytes. Instead, it adds a flag to check
whether all bytes are zero.
* This change makes sense, and no potential regression was seen.
---
On some HP platforms, the TPM PCR checking will fail on Ubuntu Focal
  $ fwupdmgr get-devices
  ...
  └─System Firmware:
      Device ID: c8489035f8df6f87a1a3cd1baff36129262a5ac1
      Current version: 92.1.0
      Minimum Version: 0.0.1
      Vendor: HP (DMI:HP)
      Update Error: TPM PCR0 differs from reconstruction, please see https://github.com/fwupd/fwupd/wiki/TPM-PCR0-differs-from-reconstruction
      GUID: 116180f2-105d-4ab2-809e-7fabed71217b
      Device Flags: • Internal device
                    • Updatable
                    • Requires AC power
                    • Needs a reboot after installation
                    • Cryptographic hash verification is available
                    • Device is usable for the duration of the update
      Update Error: TPM PCR0 differs from reconstruction, please see https://github.com/fwupd/fwupd/wiki/TPM-PCR0-differs-from-reconstruction
---
This issue is fixed by upstream commit
https://github.com/fwupd/fwupd/pull/2394/commits/e265dd1d8687965bee77259ef3482b09b92033c1
To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1909734/+subscriptions
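
The zero-byte handling described under [Where problems could occur], as an added example that is not part of the original message and is not fwupd's code. The function names are hypothetical; the digest is the PCR0 value quoted in the bug description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PCR0 digest quoted in the bug description (32 bytes, second byte 0x00). */
static const unsigned char PCR0_SAMPLE[32] = {
    0x0C, 0x00, 0x62, 0x89, 0x82, 0x47, 0xF8, 0xFE,
    0x30, 0x85, 0x96, 0x0E, 0x5B, 0x02, 0x70, 0xE7,
    0x66, 0x7B, 0x6F, 0x7D, 0x4C, 0xAE, 0x17, 0xA5,
    0x03, 0x95, 0x04, 0x99, 0xD4, 0x5B, 0x41, 0x16,
};

/* Behaviour before the fix: zero bytes are skipped, so the hex string is short. */
static size_t pcr_to_hex_skip_zero(const unsigned char *d, size_t n, char *out)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        if (d[i] == 0)
            continue;
        len += (size_t)snprintf(out + len, 3, "%02x", (unsigned)d[i]);
    }
    out[len] = '\0';
    return len;
}

/* Behaviour after the fix: every byte is kept; the return value is the
 * flag that is false only when all bytes are zero (an invalid PCR0). */
static bool pcr_to_hex_checked(const unsigned char *d, size_t n, char *out)
{
    bool nonzero = false;
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        if (d[i] != 0)
            nonzero = true;
        len += (size_t)snprintf(out + len, 3, "%02x", (unsigned)d[i]);
    }
    out[len] = '\0';
    return nonzero;
}

int main(void)
{
    char a[65], b[65];
    size_t n = pcr_to_hex_skip_zero(PCR0_SAMPLE, sizeof PCR0_SAMPLE, a);
    bool ok = pcr_to_hex_checked(PCR0_SAMPLE, sizeof PCR0_SAMPLE, b);
    printf("skip-zero: %s (%zu chars)\nchecked:   %s (valid=%d)\n", a, n, b, ok);
    return 0;
}
```

Output buffers must hold two characters per digest byte plus a terminating NUL (65 bytes for a 32-byte digest).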