cbmem -L broken under coreboot 4.21+

[tlaurion]

@JonathonHall-Purism

Well, TBH I'm not sure a lot of other use so much measured boot outside of Heads @JonathonHall-Purism ?
This shows its not tested a lot, or as you said, since cbmem is built by musl-cross-make related doubts, which is compiler buillding everything tools.cpio related under Heads, including cbmem here), that might as well be an undesired artifact of those? (modified quote)

I took the time to use rom produced here (4.22.01 tag release codebase built with measured boot and coreboot custom event log format) and test cbmem built on top of ubuntu 23.10/debian trixie OS (to remove musl-cross-make doubts).

Interestingly enough:

• sudo ~/Downloada/coreboot-4.22.01/util/cbmem/cbmem -L : Unknown TPM log specification: : FAIL
• sudo ~/Downloada/coreboot-4.19/util/cbmem/cbmem -L : coreboot TPM log: [...] : OK

So now, let's test cbmem behavior in between those release versions:

• sudo ~/Downloada/coreboot-4.21/util/cbmem/cbmem -L : Unknown TPM log specification: : FAIL
• sudo ~/Downloada/coreboot-4.20.1/util/cbmem/cbmem -L : coreboot TPM log: [...] : OK

So cbmem -L broke somewhere between 4.20.1 and 4.21.

---

Raised awareness under #coreboot channel at https://matrix.to/#/!EhaGFZyYcbyhdSgStq:matrix.org/$DJW_mF5d1PfhJIvoM-_HvX8s3BpzNvtNu77auhvKBo0?via=matrix.org&via=sibnsk.net&via=datanauten.de. @miczyg1 said he would take a look at https://matrix.to/#/!EhaGFZyYcbyhdSgStq:matrix.org/$34SHe96Ef5Qrv2pIXtmi2lqpSwnh1GsKXlZCR9I7PpY?via=matrix.org&via=sibnsk.net&via=datanauten.de

Originally posted by @tlaurion in #1604 (comment)

[miczyg1]

Issued a PR that should address the issue: #1609

As far as heads is concerned, it doesn't matter which event log format is used right? Or rather coreboot's custom format is preferred @tlaurion ?

Why cbmem -L does not work with the standard TPM log per specifications is a separate matter (I suspect the first event in the event log is not SpecID event, but why? not sure yet).

[tlaurion]

@miczyg1 @JonathonHall-Purism theoritically, tpm1.2 vs coreboot log format should not matter since from my understanding, they use PCR2 for operations.

For our interest here and where the bug was discovered (all ivy/sandy/haswell boards were based on 4.19 since edp/fhd patch was not merged upstream), boards stayed on 4.19. But since https://review.coreboot.org/c/coreboot/+/28950 got merged yesterday as coreboot/coreboot@a88dd4b, I'll prepare a PR switching all boards to that commit and be able to give traces, switching boards to TCG TPM1.2 TPM Event log format and go from there.

[tlaurion]

Logs provided and analysis at #1609 (comment) and further comments

TCPA log entry 10:
	PCR: -967035966
	Event type: Unknown (0xace82028 >= 19)
	Digest: d97f7b94ead60f73575cdf71010ef9fd99ed6b28
	Event data: 

Looks like coreboot didn't terminate the event log... cbmem checks for a zero_block of one TCPA entry length, if it isn;t found, then it goes further... We could add more safety checks to cbmem to avoid that but also make sure coreboot properly terminates the eventlog (or at least clear the cbmem entry with the log while creating it...)

@SergiiDmytruk cc

EDIT:

coreboot is clearing the cbmem areas with TCG logs in src/security/tpm/tspi/log-tpm1.c and src/security/tpm/tspi/log-tpm2.c: memset(tclt, 0, tpm_log_len);, so a memory corruption?

[tlaurion]

Discussion under thread at https://matrix.to/#/!pAlHOfxQNPXOgFGTmo:matrix.org/$CQDLxAckANKmXAu8ZDtcDIHUn1dgvgfzyifZidHr7SA?via=matrix.org&via=nitro.chat&via=fairydust.space leading to traces requests by @krystian-hebel and @miczyg1

[tlaurion]

Ok, so to trace this better

Coreboot custom event log format:

• https://github.com/tlaurion/heads/tree/422_fhd at commit tlaurion@4bb8317 used here to test on x230 (coreboot custom event log format)
  • https://output.circle-artifacts.com/output/job/cfdd3b68-2cd1-401f-8758-0ef2715e1cce/artifacts/0/build/x86/x230-maximized/heads-x230-maximized-v0.2.0-2026-g4bb8317.zip
    • cbmem -L "Unknown TPM log specification"
    • cbmem -1: Event log reported in coreboot logs fine
    • cbmem_list_custom_coreboot_format.log
    • cbmem_54435041_coreboot_format.log
    • cbmem_434f4e53_coreboot_console.log

[tlaurion]

TCG event log format

• https://github.com/tlaurion/heads/tree/422_fhd at commit tlaurion@6b61f61 used here to test on x230 (TCG event log format)
  • https://output.circle-artifacts.com/output/job/f7813a8c-8a95-4933-9353-98c56d806916/artifacts/0/build/x86/x230-maximized/heads-x230-maximized-v0.2.0-2027-g6b61f61.zip
    • cbmem -L: good until log entry 11 (corrupted to PCR0 and entry 12 bogus)
      • cbmem_L_TCG_event_log.log
    • cbmem -1: Event log reported in coreboot logs fine
    • cbmem_list_TCG_format.log
    • cbmem_54445041_TCG_format.log
    • cbmem_434f4e53_TCG_console.log

[tlaurion]

Issued a PR that should address the issue: #1609

@miczyg1 #1609 closed as explained under #1608 (comment) : switching to coreboot custom format doesn't fix anything at all.
The recap of the discussion leading to log dropped today above happened in the thread pointed by #1608 (comment)

Let me know here if anything else is needed to troubleshoot coreboot upstream issue from Heads side.

[tlaurion]

Blocker for #1568

[tlaurion]

@miczyg1 ping?

[tlaurion]

This is related to coreboot changes from TCPA->TPM event log and is still present under coreboot master (24.05) and affects all forks since coreboot 4.21 where that change occurred

[tlaurion]

Opened Dasharo/dasharo-issues#1004

Closing here

[miczyg1]

https://review.coreboot.org/c/coreboot/+/84926

Fixed the cbmem utility side, but it would also be good to clear that log area on creation.

[miczyg1]

https://review.coreboot.org/c/coreboot/+/84927

Fixed the log area creation for TPM1.2. Not sure why but the TPM2.0 log area was completely cleared, thus the issue did not appear when parsing TPM2.0 logs...