ml/uefi: Failure to unseal upon reboot on HP 800 G3

Description

Only seen on HP 800 G3 mini for now.

Installation with measured launch will succeed, sealing will succeed, but unsealing will fail upon reboot.

On first reboot, following installation:

  • /boot/system/tpm/bad.pcrs matches tpm2_pcrlist (bad.pcrs has PCR15 uncapped value of course).

On second reboot:

  • Unsealing succeeds and the platform reboots in measured state?

On further reboots:

  • Unsealing fails, /boot/system/tpm/bad.pcrs does not match tpm2_pcrlist for PCR1.

Environment

HP 800 G3 mini (Firmware P12 Ver 2.25 01/03/2019)
OpenXT 9
TXT enabled.

Validation Steps

  1. Install OpenXT 9 with measured launch enabled;

  2. Reboot into installed system.

    • Reboot should be successful;

    • Reboot should end up in UIVM displaying a green shield at the bottom right corner.
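
To see which PCR moved between the recorded values and the live ones, as with the PCR1 mismatch described above, the two dumps can be compared per index. This is an added example, not OpenXT code or part of the original ticket; the function name `pcr_diff`, the assumed dump layout (optional `<bank> :` header lines followed by `<index> : <hex>` lines) and the sample digests are assumptions.

```shell
#!/bin/sh
# Added example: list the PCRs that differ between a recorded PCR dump and a
# current one. Assumed layout for both files (not confirmed by the ticket):
# optional "<bank> :" header lines, then "<index> : <hex digest>" lines.
# PCR15 is skipped by default because the ticket expects it to differ.
pcr_diff() {    # usage: pcr_diff RECORDED CURRENT [comma-separated PCRs to skip]
    awk -v skip="${3:-15}" '
    BEGIN {
        n = split(skip, s, ",")
        for (i = 1; i <= n; i++) if (s[i] ~ /^[0-9]+$/) ignore[s[i] + 0] = 1
    }
    FNR == 1 { bank = "-" }                       # dump without bank headers
    /^[ \t]*[A-Za-z0-9_]+[ \t]*:[ \t]*$/ {        # bank header such as "sha256 :"
        bank = $0; gsub(/[ \t:]/, "", bank); next
    }
    /^[ \t]*[0-9]+[ \t]*:[ \t]*(0[xX])?[0-9A-Fa-f]+[ \t]*$/ {
        split($0, kv, ":")
        idx = kv[1] + 0
        val = tolower(kv[2]); gsub(/[ \t]/, "", val); sub(/^0x/, "", val)
        key = bank " " idx
        if (FILENAME == ARGV[1]) recorded[key] = val; else current[key] = val
    }
    END {
        for (key in recorded) {
            split(key, p, " ")
            if (p[2] in ignore) continue
            if (!(key in current) || current[key] != recorded[key]) print key
        }
    }' "$1" "$2" | sort -k1,1 -k2,2n
}

# Constructed sample dumps (shortened, made-up digests, not real PCR values).
demo() {
    d=$(mktemp -d)
    printf 'sha256 :\n  0  : aa11\n  1  : bb22\n  15 : 0000\n' > "$d/bad.pcrs"
    printf 'sha256 :\n  0  : AA11\n  1  : cc33\n  15 : ffff\n' > "$d/now.pcrs"
    pcr_diff "$d/bad.pcrs" "$d/now.pcrs"     # prints: sha256 1
    rm -rf "$d"
}
demo
```

On an affected machine the second argument would be the saved output of tpm2_pcrlist; pass `none` as the third argument to include PCR15 in the comparison.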

Activity

Jason Andryuk
April 30, 2019, 11:56 AM

Oh, I think you only get the TPM2 binary_bios_measurements when you boot UEFI.

Chris Rogers
June 10, 2019, 3:16 PM

Try HP firmware from May to see if there are any improvements.

Christopher Clark
June 10, 2019, 3:18 PM

https://support.hp.com/us-en/drivers/selfservice/hp-elitedesk-800-g3-small-form-factor-pc/15257618
shows new firmware available: 11.8.65.3590 Rev.A : May 3, 2019
Release notes mention that it addresses a series of CVEs.

Rich Persaud
June 10, 2019, 3:41 PM

From triage call: HP is working on a fix but has not yet released that fix in a BIOS update.

garrett morgan
March 3, 2020, 10:33 PM

ED800G3 mini TPM2.0 on 2.31 appears to solve many of these issues in legacy-boot but not yet UEFI.

Assignee

Andrew Jones

Reporter

Eric Chanudet

Labels

None

QA Assignee

None

QA Image URL

None

Epic Link

Components

Fix versions

Affects versions

Priority

Critical