Issues following bg-prov instructions, may be several bugs or user error

[65a]

Thanks for this project, it's awesome!

I am trying to write new bootguard metadata to a sapphire rapids board, and found this, which is perfect. I ran into a few issues.

I'm following use case 1 here: https://github.com/9elements/converged-security-suite/blob/main/cmd/bg-prov/README.md

First, bg-prov template foo.cfg doesn't exist, but I looked at the help output and found bg-prov template-v-2 foo.cfg should be right. I get a nil pointer dereference:

$ ./bg-prov template-v-2 ./bg2.cfg
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x5a01be]

goroutine 1 [running]:
github.com/linuxboot/fiano/pkg/intel/metadata/bg/bgbootpolicy.(*Manifest).WriteTo(0x0, {0x79af60, 0xc0002318f0})
	/home/user/go/pkg/mod/github.com/linuxboot/[email protected]/pkg/intel/metadata/bg/bgbootpolicy/manifest_manifestcodegen.go:209 +0x3e
github.com/9elements/converged-security-suite/v2/pkg/provisioning/bootguard.(*BootGuard).WriteBPM(0xc000231800)
	/home/user/devel/converged-security-suite/pkg/provisioning/bootguard/bootguard.go:331 +0x5a
main.(*templateCmdv2).Run(0x976ee0, 0x1?)
	/home/user/devel/converged-security-suite/cmd/bg-prov/cmd.go:910 +0x3d3
reflect.Value.call({0x6d2ae0?, 0x976ee0?, 0x44d1d6?}, {0x722762, 0x4}, {0xc000013b48, 0x1, 0x1?})
	/usr/lib/go/src/reflect/value.go:586 +0xb07
reflect.Value.Call({0x6d2ae0?, 0x976ee0?, 0x6dd540?}, {0xc000013b48?, 0x721240?, 0x0?})
	/usr/lib/go/src/reflect/value.go:370 +0xbc
github.com/alecthomas/kong.callMethod({0x72256c, 0x3}, {0x719760?, 0x976ee0?, 0x3?}, {0x6d2ae0?, 0x976ee0?, 0x0?}, 0x0?)
	/home/user/go/pkg/mod/github.com/alecthomas/[email protected]/callbacks.go:95 +0x4fa
github.com/alecthomas/kong.(*Context).RunNode(0xc00011a600, 0xc000167680, {0xc000125f00, 0x1, 0x1})
	/home/user/go/pkg/mod/github.com/alecthomas/[email protected]/context.go:755 +0x60f
github.com/alecthomas/kong.(*Context).Run(0x6b83e0?, {0xc000125f00?, 0xc000125f30?, 0x4408b1?})
	/home/user/go/pkg/mod/github.com/alecthomas/[email protected]/context.go:780 +0x14e
main.main()
	/home/user/devel/converged-security-suite/cmd/bg-prov/main.go:31 +0x29e

I can read-config, so I generated a config.json from an existing image. You can take a publically available image from SuperMicro for example, but I suspect any Sapphire Rapids (or W790?) image will suffice. This works, so I keep following the steps.

I get as far as:
/bg-prov bpm-gen-v-2 ./bpm_unsigned.bin ./oem_bios.bin --config=./oem.cfg
which just gives me

can't identify bootguard header
WriteBPM: can't identify bootguard header

I'm new to this, so I may be doing something terribly wrong here. Let's assume the fuses are not locked in the ME, so replacing keys here should be ok if I understand correctly. I'd like to resign an existing BIOS with my own keys.

[xaionaro]

Hello.

Do you mind sharing the files you used to reproduce this problem? Or otherwise could you try branch bugfix/cbnt-prov-typo and check if it works?

[65a]

You can download an example BIOS at https://www.supermicro.com/en/support/resources/downloadcenter/firmware/MBD-X13SEM-TF/BIOS (I suspect all X13 LGA4677 boards will have the same issues). I see there is an SPR-SP branch too, which is probably needed as well for these boards.

Running bugfix branch, this problem seems unrelated to your change (codegen?):

$ ./bg-prov template-v-2 test
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x5a01be]

goroutine 1 [running]:
github.com/linuxboot/fiano/pkg/intel/metadata/bg/bgbootpolicy.(*Manifest).WriteTo(0x0, {0x79af60, 0xc0002318f0})
	/home/user/go/pkg/mod/github.com/linuxboot/[email protected]/pkg/intel/metadata/bg/bgbootpolicy/manifest_manifestcodegen.go:209 +0x3e
github.com/9elements/converged-security-suite/v2/pkg/provisioning/bootguard.(*BootGuard).WriteBPM(0xc000231800)
	/home/user/devel/converged-security-suite/pkg/provisioning/bootguard/bootguard.go:331 +0x5a
main.(*templateCmdv2).Run(0x976e40, 0x1?)
	/home/user/devel/converged-security-suite/cmd/bg-prov/cmd.go:910 +0x3d3
reflect.Value.call({0x6d2ae0?, 0x976e40?, 0x44d1d6?}, {0x722762, 0x4}, {0xc000013b48, 0x1, 0x1?})
	/usr/lib/go/src/reflect/value.go:586 +0xb07
reflect.Value.Call({0x6d2ae0?, 0x976e40?, 0x6dd540?}, {0xc000013b48?, 0x721240?, 0x0?})
	/usr/lib/go/src/reflect/value.go:370 +0xbc
github.com/alecthomas/kong.callMethod({0x72256c, 0x3}, {0x719760?, 0x976e40?, 0x3?}, {0x6d2ae0?, 0x976e40?, 0x0?}, 0x0?)
	/home/user/go/pkg/mod/github.com/alecthomas/[email protected]/callbacks.go:95 +0x4fa
github.com/alecthomas/kong.(*Context).RunNode(0xc00011a600, 0xc000167680, {0xc000125f00, 0x1, 0x1})
	/home/user/go/pkg/mod/github.com/alecthomas/[email protected]/context.go:755 +0x60f
github.com/alecthomas/kong.(*Context).Run(0x6b83e0?, {0xc000125f00?, 0xc000125f30?, 0x4408b1?})
	/home/user/go/pkg/mod/github.com/alecthomas/[email protected]/context.go:780 +0x14e
main.main()
	/home/user/devel/converged-security-suite/cmd/bg-prov/main.go:31 +0x29e

Continuing on:
./bg-prov read-config test bios.bin works fine, contents of test seem legitimate.
./bg-prov key-gen RSA3072 "" --path=sign works fine
This is a new problem, I think:

$ ./bg-prov km-gen-v-2 ./km_unsigned.bin signkm_priv.pem --config test --pkhashalg SHA384 --bpmpubkey signbpm_pub.pem --bpmhashalgo SHA384
bg-prov: error: asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:1 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} AlgorithmIdentifier @2

Note that trying the above with 2048 keys/algo 14 also fails with a similar message.

[xaionaro]

github.com/linuxboot/fiano/pkg/intel/metadata/bg/bgbootpolicy.(*Manifest).WriteTo(0x0, {0x79af60, 0xc0002318f0})
	/home/user/go/pkg/mod/github.com/linuxboot/[email protected]/pkg/intel/metadata/bg/bgbootpolicy/manifest_manifestcodegen.go:209 +0x3e
github.com/9elements/converged-security-suite/v2/pkg/provisioning/bootguard.(*BootGuard).WriteBPM(0xc000231800)
	/home/user/devel/converged-security-suite/pkg/provisioning/bootguard/bootguard.go:331 +0x5a
main.(*templateCmdv2).Run(0x976e40, 0x1?)

Does not look right. Are you sure you are working from that branch? In that branch it should get to pkg/intel/metadata/cbnt instead of pkg/intel/metadata/bg from pkg/provisioning/bootguard/bootguard.go:331.

I hope I won't forget to investigate this on the next week :(

[ansiwen]

I have exactly the same issue on main branch. Also template-v-1 does not create a JSON file, but a binary, and looking at the code it seems that the template-v-1 and template-v-2 commands indeed don't create JSON files, but BPM files. See here:

converged-security-suite/cmd/bg-prov/cmd.go

Lines 949 to 955 in d249aa6

	bBPM, err := bootguard.WriteBPM()
	if err != nil {
	return err
	}
	if err = os.WriteFile(t.Path, bBPM, 0600); err != nil {
	return fmt.Errorf("unable to write BPM to file: %w", err)
	}

[65a]

I'm definitely still interested in getting this project working for SPR, though I ran into some other annoyances with Supermicro particularly DRMing their board to their own keys with an external FPGA (something they call RoT, but I might dispute the T). This may be bypassable, but I have another board which is hopefully less annoying. Let me know if there's anything I can test, I'll likely try again soon.

[zaolin]

Related to #355