TXT Testing TBOOT 1.8.3
Test Instructions:
Use a build that has the new TBOOT 1.8.3 (currently http://openxt.ainfosec.com:81/builds/master/ext-dev-288-master).
1. In the system's firmware/BIOS setup program, clear the TPM (the details are system specific). It may also require you to disable TXT. This may take a few reboots.
2. Ensure the TPM is active (after clearing it) and TXT is enabled before going on. After checking this, do a full power cycle (cold boot) before going on.
3. Install OpenXT using the "Advanced Install" option. Select the option to set up measured launch when asked. If the installer fails to boot (hangs/resets system), see "What To Do".
4. After reboot, as OpenXT is starting, there should be a message box that says "Resealing...". If there is no error here, the system will reboot automatically. If there are errors, see "What To Do".
5. After reboot, OpenXT should boot to the UIVM with no further messages or problems. If there are errors or problems, see "What To Do".
6. The UIVM should have a green icon in the lower left corner. Hovering over it will report that "Measured Launch succeeded". If this is not the case or there are error messages, see "What To Do".
7. Shut the system down and then start it back up (S5). If there are any hangs, resets or other problems, see "What To Do".
8. Put the system into hibernate then resume (S4). If there are any hangs, resets or other problems, see "What To Do".
9. Put the system to sleep and then resume (S3). If there are any hangs, resets or other problems, see "What To Do".
10. If all is well, put an entry in the table below - fill in the details as best as possible. Set all P/F fields to P.
What To Do:
Put an entry in the table below and mark what failed. P/F is for anything prior to step 7 or if there is an unsealing error during powering back on in step 7. S5 P/F is for step 7, S4 P/F is for step 8 and S3 P/F is for step 9. In the details field, note what was observed. A decision will be made later on whether a ticket should be created, at which time more information about the failure(s) may be requested.
Test Results (w/ Workaround):
Vendor | Model | T | CPU Arch. | FW/BIOS Ver. | Processor(s) | Memory | P/F | S5 P/F | S4 P/F | S3 P/F | Details |
---|---|---|---|---|---|---|---|---|---|---|---|
Dell | E6430 ATG | L | Ivy Bridge | A16 | Core i5-3360M | 8G | P | P | P | P | ext-300; |
Dell | Optiplex XE2 | D | Haswell | A10 | Core i5-4570S | 16G | P | P | P | P | ext-300; |
Dell | E7440 | L | Haswell | A08, A15 | Core i7-4600U | 8G | P | P | F | ext-300; "creation or verification of S3 measurements failed" - this is a different failure mode - needs investigation. Tried a firmware uprev but no luck. Earlier test below showed this was broken with 1.7.0 too. | |
Lenovo | T440 | L | Haswell | GJET75WW (2.25) | Core i5-4300U | 4G | P | P | P | P | ext-300; |
Dell | E6540 | L | Haswell | A14 | Core i7-4800M | 8G | P | P | P | P | ext-300; |
HP | EliteBook 850 G1 | L | Haswell | L71 01.30 | Core i7-4600U | 16G | P | P | P | ext-300; | |
HP | 800 G1 SFF | D | Haswell | L01 A.02.23 | Core i5-4570 | 8G | P | P | P | P | ext-300; |
HP | 8300 | D | Ivy Bridge | K01 02.51 | Core i5-3470 | 16G | P | P | P | F | ext-300; On resume, TXT reset the system during GETSEC[SENTER]. I don't think this is a regression - I think this system has always had problems. |
HP | EliteBook 2760p | L | Sandy Bridge | F.42 | Core i5-2540M | 4G | P | P | P | P | ext-300; |
HP | EliteBook 2170p | L | Ivy Bridge | F.00 | Core i5-3427U | 4G | P | P | P | F | ext-300; It looks like the system reset on resume from S3. Since I have no serial output it is hard to tell but I would bet it goes down during GETSEC[SENTER]. I tried to uprev the firmware to F.61 (latest) but short of installing Windows on it I can't manage to do the update. I believe the problem is the extremely old firmware though. |
Dell | Optiplex 9010 | D | Ivy Bridge | A05 -> A20 | Core i7-3770 | 8G | P | P | P | P | ext-300; The system originally had the Dell 0xffffffff TXT error code bug in firmware. The uprev to A20 fixed that. |
HP | Revolve 810 G2 | L | Haswell | L86 01.30 | Core i7-4600U | 8G | P | P | P | ext-300; | |
HP | Z840 | W | Haswell? | M60 01.58 | Xeon E5-2630 v3 | 96GB | P | P | P | F | S3 failing with tboot error in Observation 1, similar observation on tboot 1.7 |
Dell | Latitude E7350 | T | Broadwell | A06 | Core M-5Y71 | 8GB | P | P | P | F | Sleep failures indeterminate due to lack of serial connection. Only get a black screen upon attempting to sleep, no current method to further diagnose. |
HP | ZBook 14 G2 | L | Broadwell | M71 1.09 | Core i7-5600U | 16GB | P | P | P | F | Sleep failures indeterminate due to lack of serial connection. Only get a black screen upon attempting to sleep, no current method to further diagnose. |
Dell | Dell Optiplex 980 | D | Ivy Bridge | A12 | Intel i7-3770 | 10GB | P | P | P | ext-300; | |
Dell | Dell Latitude 14 7000 (e7450) | L | Broadwell | A03 | Intel 5th Gen i5-5200U | 8GB | P | P | F | ext-300; S3 failing, once the machine is put to sleep it can not be revived, without a force off, which then displays a TXT error. RJP: these 2 Broadwells - are they coming back from S3 at all - is there any serial logging after the resume is initiated? | |
Dell | Dell Latitude 14 7000 (e7450) | L | Broadwell | A03 | Intel 5th Gen i7-5600U | 8GB | P | P | F | ext-300; S3 failing, once the machine is put to sleep it can not be revived, without a force off, which then displays a TXT error. "TXT Measured boot failed" | |
Dell | Dell Latitude E6540 | L | Haswell | A13 | Intel i7-4610M | 8GB | P | P | F | ext-300; S3 failing. once the machine is put to sleep it can not be revived, without a force off, which then displays a TXT error. "TXT Measured boot failed" RJP: I tested an E6540 above and it worked with a newer FW version - may want to try this. | |
Dell | OptiPlex 7010 | D | Ivy Bridge | A20 | Intel i7-3770 | 8GB | P | P | P | ext-300; | |
Dell | OptiPlex 9020 SFF | D | Haswell | A09 | Intel i5-4570 | 18GB | P | P | P | ext-300; | |
Dell | OptiPlex 9020 MT | D | Haswell | A09 | Intel i7-4770 | 12GB | P | P | P | ext-300; | |
HP | HP EliteDesk 800 G1 Tower | D | Haswell | L01 V02.53 RevA | Intel i7-4770 | 32GB | P | PWE | P | ext-300; Measured launch failed after shutdown and restart. The machine was then restarted again and measured launch was enabled. | |
HP | HP Compaq Elite 8200 | D | Sandy Bridge | J01 V02.15 | Intel i5-2500 | 14 GB | P | P | P | ext-300; | |
HP | HP Pro x2 612 | T | Haswell | M83 V01.03 | Intel Core I5-4302Y | 8GB | F | F | F | ext-300; Installer just sits at the first screen, downloading files. Then attempted to install both network and CD, and on the dock and off the dock. | |
HP | HP Elite 1011 x2 | T | Broadwell | M72 V.01.03 | Intel Core M-5Y71 | 8GB | F | F | F | ext-300; The installer warns that VTX is turned off, while in the BIOS it is not. NOTE: this is likely a firmware issue beyond our control and not strictly a TXT/TBOOT failure. | |
HP | HP Z230 | W | Haswell | L51 V01.51 | Intel Xeon E3-1225-v34 | 16GB | P | P | P | ext-300; | |
HP | EliteBook Folio 9470M | L | Ivy Bridge | 68IBD Ver.F.60 | Intel Core i5-3437U | 8GB | P | P | P | ext-300; | |
HP | Z820 | W | Haswell | J63 V03.85 | Intel Xeon Processor E5-2600 | 130GB | P | P | F | ext-300; Error message displays during the install that states this system might not be compatible with OXT. Failed at S3; the system will not resume unless it is forced off and restarted. | |
NCS | Vortex | W | Haswell | 1804 | Intel I7-4770 | 16GB | P | P | P | ext-300; | |
NCS | Stratus | D | Ivy Bridge | F3b1GA | Intel I7-3770 | 32 GB | F | F | F | ext-300; Unable to clear the TPM. This is a frequent issue with the Stratus. NOTE: this is likely a firmware issue beyond our control and not strictly a TXT/TBOOT failure. |
Observations:
- HP Z840
TBOOT: ******************* TBOOT *******************
TBOOT: 2015-05-08 12:00 -0800 1.8.3
TBOOT: *********************************************
TBOOT: command line: min_ram=0x2000000 loglvl=all serial=115200,8n1,0x3f8 logging=serial,memory
TBOOT: resume from S3
TBOOT: BSP is cpu 0
TBOOT: TPM: TPM Family 0x0
TBOOT: TPM: get capability, return value = 0000001C
TBOOT: TPM is disabled or deactivated.
TBOOT: TPM not ready.
TBOOT: TPM: read nv index 20000002 offset 00000000, return value = 0000001C
TBOOT: Error: read TPM error: 0x1c.
TBOOT: No need to hide DMAR table.
TBOOT: creation or verification of S3 measurements failed.
TBOOT: An error had occurred on this launch or the previous.
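A small triage script for serial captures like the one above, added here as an example (it is not part of the original page or of the OpenXT/tboot tooling). The line patterns are inferred from the log above, and the return-code table is a partial subset of the TPM 1.2 codes; both are assumptions of the example.

```python
import re

# Partial subset of TPM 1.2 return codes (TCG TPM Main spec, Part 2); assumption:
# the platform has a 1.2 TPM, as the nv index / return value format suggests.
TPM12_RC = {0x02: "TPM_BADINDEX", 0x06: "TPM_DEACTIVATED", 0x07: "TPM_DISABLED",
            0x1C: "TPM_FAILEDSELFTEST", 0x26: "TPM_INVALID_POSTINIT"}

# Patterns inferred from the serial log on this page (not from tboot sources).
VERSION_RE = re.compile(r"^TBOOT: \d{4}-\d\d-\d\d \d\d:\d\d [+-]\d{4} (\S+)$")
RC_RE = re.compile(r"^TBOOT: TPM: (.+?), return value = ([0-9A-Fa-f]{8})$")
FAIL_MARKERS = ("creation or verification of S3 measurements failed",
                "An error had occurred on this launch or the previous")

def triage(log_text):
    """Summarise one TBOOT serial capture: version, launch type, TPM errors."""
    out = {"version": None, "s3_resume": False, "tpm_errors": [], "failures": []}
    for line in (l.strip() for l in log_text.splitlines()):
        if m := VERSION_RE.match(line):
            out["version"] = m.group(1)
        elif line == "TBOOT: resume from S3":
            out["s3_resume"] = True
        elif m := RC_RE.match(line):
            rc = int(m.group(2), 16)
            if rc:  # 0 is TPM_SUCCESS, anything else is recorded
                out["tpm_errors"].append((m.group(1), rc, TPM12_RC.get(rc, "unknown")))
        else:
            out["failures"] += [f for f in FAIL_MARKERS if f in line]
    return out

# Lines copied from the HP Z840 observation on this page.
Z840_LOG = """\
TBOOT: 2015-05-08 12:00 -0800 1.8.3
TBOOT: resume from S3
TBOOT: TPM: get capability, return value = 0000001C
TBOOT: TPM is disabled or deactivated.
TBOOT: TPM: read nv index 20000002 offset 00000000, return value = 0000001C
TBOOT: Error: read TPM error: 0x1c.
TBOOT: creation or verification of S3 measurements failed.
TBOOT: An error had occurred on this launch or the previous.
"""

if __name__ == "__main__":
    r = triage(Z840_LOG)
    print(f"tboot {r['version']}, S3 resume: {r['s3_resume']}")
    for what, rc, name in r["tpm_errors"]:
        print(f"  {what}: 0x{rc:02X} ({name})")
    print("  failures:", r["failures"])
```

For the Z840 capture this decodes 0x1C as TPM_FAILEDSELFTEST on both TPM commands, which is more specific than the "disabled or deactivated" line in the log and is worth recording in the Details column.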
Old Test Results:
Vendor | Model | T | CPU Arch. | FW/BIOS Ver. | Processor(s) | Memory | P/F | S5 P/F | S3 P/F | Details |
---|---|---|---|---|---|---|---|---|---|---|
Dell | E6440 | L | Haswell | A01 | Core i7-4600M | 8G | P | P | F | With the new tboot, it hangs in tboot on resume. Eventually it times out, resets the system and does an unmeasured launch. |
Lenovo | T440 | L | Haswell | GJET75WW (2.25) | Core i5-4300U | 4G | P | P | F | The new tboot hangs up in S3 - not clear if it is going into S3 or coming out. The power button is slowly blinking like it is in S3 but pressing it does nothing. |
Dell | E7440 | L | Haswell | A08 | Core i7-4600U | 8G | P | P | F | With the new tboot, it hangs in tboot on resume. Eventually it times out, resets the system and does an unmeasured launch. Testing with 1.7.0 tboot, tboot resets the system on resume so it is broken in both versions, just differently. |
Dell | E6430 ATG | L | Ivy Bridge | A16 | Core i5-3360M | 8G | P | P | F | With the new tboot, it resets the system and does an unmeasured launch. |
HP | EliteBook 850 G1 | L | Haswell | L71 01.30 | Core i7-4600U | 16G | P | P | F | The new tboot hangs up in S3 - not clear if it is going into S3 or coming out. It causes the power button to flash quickly while "in" S3. Tested with tboot 1.7.0 and S3 worked fine. Regression |
Dell | E6540 | L | Haswell | A14 | Core i7-4800M | 8G | P | P | F | With the new tboot, it resets the system and does an unmeasured launch (may do the timeout thing too). |
HP | ZBook 14 G2 | L | Broadwell | M71 01.04 | Core i7-5600U | 16G | P | P | F | S3 fails to show display on resume. Blindly bringing up UIVM terminal, logging in, issuing reboot caused system to reboot. Measured launch failure on warm boot, succeeded on cold boot. |
Dell | 9010 | D | Ivy Bridge | A05 | Core i7-3770 | 8G | F | Died on first reboot after install with an error "TXT measured boot failed" | ||
HP | 8300 | D | Ivy Bridge | K01 02.51 | Core i5-3470 | 16G | P | P | F | On resume, TXT reset the system during GETSEC[SENTER]. |
HP | Z840 | W | Haswell? | M60 01.58 | Xeon E5-2630 v3 | 96GB | F | txt-stat states that TXT not enabled. Old tboot says that TXT is enabled | ||
Dell | XE2 | D | Haswell | A10 | Core i5-4570S | 16G | P | P | F | Same hang on resume as other Dells. Eventually it times out and resets the system. It resumes fine with a 1.7.0 tboot. Regression. |
HP | 800 G1 SFF | D | Haswell | L01 A.02.23 | Core i5-4570 | 8G | P | P | F | With the new tboot, it hangs in tboot on resume. Eventually it times out, resets the system and does an unmeasured launch. |