grub fails to boot with tpm activated in bios #16

New issue

Open

opened 2024-09-30 17:47:22 +00:00 by humaton · 0 comments

humaton commented 2024-09-30 17:47:22 +00:00

Member

Copy link

Description of problem: After installing and activating a hardware tpm2 module grub produces the following error: ../../grub-core/commands/efi/tpm.c:148: Unknown TPM error and does not boot the kernel. Version-Release number of selected component (if applicable): grub2-efi-x64.x86_64 1:2.06-52.fc36 How reproducible: always Steps to Reproduce: 1. Power on the PC or reboot 2. 3. Actual results: grub error message ....tpm.c:148: Unknown TPM error and no kernel booted Expected results: Booting of kernel Additional info: Disabling the hw-TPM module in the BIOS removes the error and still uses UEFI secure boot with kernel lock down (according to dmesg). Removing the grub tpm module (rmmod tpm) at the grub command prompt or putting rmmod tpm into /boot/efi/EFI/fedora/grub.cfg enables booting with the tpm activated in the bios, but puts [ 0.000000] secureboot: Secure boot disabled [ 0.007596] secureboot: Secure boot disabled into dmesg. Only grub is having issues with this hw-TPM, once past the boot loader both the kernel and the tpm2 program suite are perfectly fine with it. Info about the TPM in question: [ 0.000000] efi: TPMFinalLog=0x8a9d4000 ESRT=0x8b1add98 ACPI=0x8a5a6000 ACPI 2.0=0x8a5a6000 SMBIOS=0x8b1ab000 SMBIOS 3.0=0x8b1aa000 MOKvar=0x8abae000 TPMEventLog=0x8022f018 [ 0.007619] ACPI: TPM2 0x000000008A5DB098 000034 (v03 Tpm2Tabl 00000001 AMI 00000000) [ 0.007660] ACPI: Reserving TPM2 table memory at [mem 0x8a5db098-0x8a5db0cb] [ 0.685553] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16) It is an Asus TPM-M R2.0 for a Z170-A mainboard. According to MS-Win10's tpm.msc the firmware version is 5.63.3353.0. All fw updates available from https://www.asus.com/Motherboards-Components/Motherboards/Accessories/TPM-M-R2-0/HelpDesk_BIOS/ (TPM_5.61.2785to5.63.3144 and TPM_5.51.2098to5.63.3144) appear to be older than what I have, so I have not attempted to install them. Output of tpm2 getcap properties-fixed | grep -A1 -i firm TPM2_PT_FIRMWARE_VERSION_1: raw: 0x5003F TPM2_PT_FIRMWARE_VERSION_2: raw: 0xD1900 Apparently the way of representing the fw version is 1-2-2-1 bytes: printf %d.%d.%d.%d
0x5 0x003F 0xD19 0x00 5.63.3353.0

Description of problem: After installing and activating a hardware tpm2 module grub produces the following error: ../../grub-core/commands/efi/tpm.c:148: Unknown TPM error and does not boot the kernel. Version-Release number of selected component (if applicable): grub2-efi-x64.x86_64 1:2.06-52.fc36 How reproducible: always Steps to Reproduce: 1. Power on the PC or reboot 2. 3. Actual results: grub error message ....tpm.c:148: Unknown TPM error and no kernel booted Expected results: Booting of kernel Additional info: Disabling the hw-TPM module in the BIOS removes the error and still uses UEFI secure boot with kernel lock down (according to dmesg). Removing the grub tpm module (rmmod tpm) at the grub command prompt or putting rmmod tpm into /boot/efi/EFI/fedora/grub.cfg enables booting with the tpm activated in the bios, but puts [ 0.000000] secureboot: Secure boot disabled [ 0.007596] secureboot: Secure boot disabled into dmesg. Only grub is having issues with this hw-TPM, once past the boot loader both the kernel and the tpm2 program suite are perfectly fine with it. Info about the TPM in question: [ 0.000000] efi: TPMFinalLog=0x8a9d4000 ESRT=0x8b1add98 ACPI=0x8a5a6000 ACPI 2.0=0x8a5a6000 SMBIOS=0x8b1ab000 SMBIOS 3.0=0x8b1aa000 MOKvar=0x8abae000 TPMEventLog=0x8022f018 [ 0.007619] ACPI: TPM2 0x000000008A5DB098 000034 (v03 Tpm2Tabl 00000001 AMI 00000000) [ 0.007660] ACPI: Reserving TPM2 table memory at [mem 0x8a5db098-0x8a5db0cb] [ 0.685553] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16) It is an Asus TPM-M R2.0 for a Z170-A mainboard. According to MS-Win10's tpm.msc the firmware version is 5.63.3353.0. All fw updates available from https://www.asus.com/Motherboards-Components/Motherboards/Accessories/TPM-M-R2-0/HelpDesk_BIOS/ (TPM_5.61.2785to5.63.3144 and TPM_5.51.2098to5.63.3144) appear to be older than what I have, so I have not attempted to install them. Output of tpm2 getcap properties-fixed | grep -A1 -i firm TPM2_PT_FIRMWARE_VERSION_1: raw: 0x5003F TPM2_PT_FIRMWARE_VERSION_2: raw: 0xD1900 Apparently the way of representing the fw version is 1-2-2-1 bytes: printf %d.%d.%d.%d 0x5 0x003F 0xD19 0x00 5.63.3353.0

Sign in to join this conversation.

f39

Branches Tags

Clear current reference

rawhide

f41

main

f40

f39

f38

uefi-vlan

f37

f36

f35

put-font-back

f34

f33

f32

f31

f30

f29

f28

f27

f26

f25

f25-bls3

f24

f25-bls

splitarch4

f23

f22

f19

f20

f21

f17

f18

f16

f15

f11

el6

f14

f9

el5

f10

f12

f13

Clear current reference

grub2-1_98-3_el6

grub2-1_98-3_fc14

grub2-1_98-2_fc12

grub2-1_98-2_fc13

grub2-1_98-2_fc14

grub2-1_97_1-3_el6

grub2-1_97_2-1_fc13

F-13-start

F-13-split

grub2-1_97_1-5_fc13

grub2-1_97_1-4_fc13

EL-6-start

EL-6-split

grub2-1_97_1-3_fc13

grub2-1_97_1-3_fc12

grub2-1_97_1-2_fc12

grub2-1_97_1-2_fc13

grub2-1_97_1-1_fc13

grub2-1_98-0_6_20090911svn_fc13

grub2-1_98-0_6_20090911svn_fc12

F-12-start

F-12-split

grub2-1_98-0_6_20080827svn_fc12

grub2-1_98-0_5_20080827svn_fc11

F-11-start

F-11-split

grub2-1_98-0_4_20080827svn_fc11

grub2-1_98-0_3_20080827svn_fc10

F-10-start

F-10-split

grub2-1_98-0_2_20080807svn_fc10

F-9-start

F-9-split

EL-5-start

EL-5-split

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: rpms/grub2#16

No description provided.