Package: src:linux Version: 4.19.67-2+deb10u2 Severity: normal Dear Maintainer, * What led up to the situation? We (Google Cloud) offer Debian VM Images as part of GCE. Recently, we've been adding images which support UEFI/Secure Boot/vTPM as part of our "Shielded VM" product (https://cloud.google.com/shielded-vm/). We are setting up a Debian 10 image that supports these features, as Debian 10 added Secure Boot support. However, the current cloud image does not support a TPM as it is compiled with CONFIG_TCG_TPM=n (the default). This was not an issue with Debian 9 or the normal Debian 10 kernel, as both of these kernels are built with CONFIG_TCG_TPM=m. * What exactly did you do (or not do) that was effective (or ineffective)? Swapping out the cloud kernel for the normal kernel (while keeping the cloud image userland) allowed the TPM to function normally. * What was the outcome of this action? While changing the Debian 10 image to use the normal kernel allows the vTPM to work with Debian, we would prefer to use the cloud image (including the cloud kernel) for our default Debian 10 images. * What outcome did you expect instead? We would expect the cloud image to work with a TPM. The best way to do this would be to add the following to the cloud-specific kernel config: CONFIG_TCG_TPM=m CONFIG_TCG_TIS_CORE=m CONFIG_TCG_TIS=m CONFIG_TCG_CRB=m These are the minimal options needed to use a standards complying TPM with Linux. The normal Debain 10 kernel also sets: CONFIG_HW_RANDOM_TPM=y CONFIG_TCG_XEN=m CONFIG_TCG_VTPM_PROXY=m Setting these might be useful, if only to reduce the difference in configuration between the cloud kernel and the normal kernel. The other TPM/TCG related kernel configs are for specific hardware devices, so it doesn't make sense to include them in the cloud image. -- Package-specific info: ** Version: Linux version 4.19.0-6-cloud-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) ** Command line: BOOT_IMAGE=/boot/vmlinuz-4.19.0-6-cloud-amd64 root=UUID=bf88aa2a-6281-4f23-90e1-6d597f6288c7 ro console=tty0 console=ttyS0,115200 earlyprintk=ttyS0,115200 elevator=noop scsi_mod.use_blk_mq=Y ** Not tainted ** Kernel log: [ 0.591931] NET: Registered protocol family 44 [ 0.592623] pci 0000:00:00.0: Limiting direct PCI/PCI transfers [ 0.593701] PCI: CLS 0 bytes, default 64 [ 0.593773] Unpacking initramfs... [ 0.798575] Freeing initrd memory: 12196K [ 0.801776] PCI-DMA: Using software bounce buffering for IO (SWIOTLB) [ 0.803293] software IO TLB: mapped [mem 0xb77fb000-0xbb7fb000] (64MB) [ 0.804913] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x1cd4a18fe72, max_idle_ns: 440795261703 ns [ 0.807510] Initialise system trusted keyrings [ 0.808380] Key type blacklist registered [ 0.809331] workingset: timestamp_bits=40 max_order=20 bucket_order=0 [ 0.811513] zbud: loaded [ 0.937162] Key type asymmetric registered [ 0.937965] Asymmetric key parser 'x509' registered [ 0.938693] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251) [ 0.939962] io scheduler noop registered (default) [ 0.941030] io scheduler deadline registered [ 0.941863] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled [ 0.964891] 00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A [ 0.990404] 00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A [ 1.014448] 00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A [ 1.038234] 00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A [ 1.040312] i8042: PNP: PS/2 Controller [PNP0303:KBD,PNP0f13:MOU] at 0x60,0x64 irq 1,12 [ 1.042747] i8042: Warning: Keylock active [ 1.044843] serio: i8042 KBD port at 0x60,0x64 irq 1 [ 1.046169] serio: i8042 AUX port at 0x60,0x64 irq 12 [ 1.047435] mousedev: PS/2 mouse device common for all mice [ 1.049190] NET: Registered protocol family 10 [ 1.056699] Segment Routing with IPv6 [ 1.057830] mip6: Mobile IPv6 [ 1.058779] NET: Registered protocol family 17 [ 1.059981] mpls_gso: MPLS GSO support [ 1.060997] sched_clock: Marking stable (1059180096, 1771706)->(1167732719, -106780917) [ 1.063046] registered taskstats version 1 [ 1.064137] Loading compiled-in X.509 certificates [ 1.096876] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1' [ 1.099603] Loaded X.509 cert 'Debian Secure Boot Signer: 00a7468def' [ 1.101519] AppArmor: AppArmor sha1 policy hashing enabled [ 1.104745] Freeing unused kernel image memory: 1468K [ 1.112173] Write protecting the kernel read-only data: 16384k [ 1.113986] Freeing unused kernel image memory: 2028K [ 1.115323] Freeing unused kernel image memory: 1364K [ 1.116872] x86/mm: Checked W+X mappings: passed, no W+X pages found. [ 1.118627] x86/mm: Checking user space page tables [ 1.119696] x86/mm: Checked W+X mappings: passed, no W+X pages found. [ 1.121167] Run /init as init process [ 1.186390] cryptd: max_cpu_qlen set to 1000 [ 1.190706] PCI Interrupt Link [LNKC] enabled at IRQ 11 [ 1.192004] virtio-pci 0000:00:03.0: virtio_pci: leaving for legacy driver [ 1.208017] AVX2 version of gcm_enc/dec engaged. [ 1.209032] AES CTR mode by8 optimization enabled [ 1.222603] PCI Interrupt Link [LNKD] enabled at IRQ 10 [ 1.224103] virtio-pci 0000:00:04.0: virtio_pci: leaving for legacy driver [ 1.230984] PCI Interrupt Link [LNKA] enabled at IRQ 10 [ 1.232015] virtio-pci 0000:00:05.0: virtio_pci: leaving for legacy driver [ 1.254299] input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input0 [ 1.263076] SCSI subsystem initialized [ 1.307326] scsi host0: Virtio SCSI HBA [ 1.321719] virtio_net virtio1 ens4: renamed from eth0 [ 1.342941] scsi 0:0:1:0: Direct-Access Google PersistentDisk 1 PQ: 0 ANSI: 6 [ 1.364067] sd 0:0:1:0: [sda] 20971520 512-byte logical blocks: (10.7 GB/10.0 GiB) [ 1.365394] sd 0:0:1:0: [sda] 4096-byte physical blocks [ 1.366681] sd 0:0:1:0: [sda] Write Protect is off [ 1.367516] sd 0:0:1:0: [sda] Mode Sense: 1f 00 00 08 [ 1.368190] sd 0:0:1:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA [ 1.376629] sda: sda1 sda14 sda15 [ 1.378554] sd 0:0:1:0: [sda] Attached SCSI disk [ 1.549482] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null) [ 1.859392] systemd[1]: Inserted module 'autofs4' [ 1.995171] systemd[1]: systemd 241 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid) [ 1.999547] systemd[1]: Detected virtualization kvm. [ 2.000501] systemd[1]: Detected architecture x86-64. [ 2.001459] systemd[1]: Running with unpopulated /etc. [ 2.017409] systemd[1]: Set hostname to <debian>. [ 2.018308] systemd[1]: System cannot boot: Missing /etc/machine-id and /etc is mounted read-only. [ 2.020203] systemd[1]: Booting up is supported only when: [ 2.021145] systemd[1]: 1) /etc/machine-id exists and is populated. [ 2.022074] systemd[1]: 2) /etc/machine-id exists and is empty. [ 2.023035] systemd[1]: 3) /etc/machine-id is missing and /etc is writable. [ 2.573976] EXT4-fs (sda1): re-mounted. Opts: discard,errors=remount-ro [ 2.954736] systemd-journald[218]: Received request to flush runtime journal from PID 1 [ 3.196430] EFI Variables Facility v0.08 2004-May-17 [ 3.204535] pstore: Using compression: deflate [ 3.205269] pstore: Registered efi as persistent store backend [ 3.228039] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input2 [ 3.233576] ACPI: Power Button [PWRF] [ 3.234288] input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input3 [ 3.240738] RAPL PMU: API unit is 2^-32 Joules, 3 fixed counters, 10737418240 ms ovfl timer [ 3.242440] RAPL PMU: hw unit of domain pp0-core 2^-0 Joules [ 3.243842] RAPL PMU: hw unit of domain package 2^-0 Joules [ 3.245163] RAPL PMU: hw unit of domain dram 2^-16 Joules [ 3.250749] sd 0:0:1:0: Attached scsi generic sg0 type 0 [ 3.252936] ACPI: Sleep Button [SLPF] [ 3.745268] audit: type=1400 audit(1575576042.491:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/haveged" pid=283 comm="apparmor_parser" [ 3.759253] audit: type=1400 audit(1575576042.503:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/chronyd" pid=284 comm="apparmor_parser" [ 3.765021] audit: type=1400 audit(1575576042.511:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=285 comm="apparmor_parser" [ 3.767905] audit: type=1400 audit(1575576042.511:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=285 comm="apparmor_parser" [ 3.777383] audit: type=1400 audit(1575576042.523:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/man" pid=286 comm="apparmor_parser" [ 3.779521] audit: type=1400 audit(1575576042.523:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_filter" pid=286 comm="apparmor_parser" [ 3.784463] audit: type=1400 audit(1575576042.523:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_groff" pid=286 comm="apparmor_parser" ** Model information sys_vendor: Google product_name: Google Compute Engine product_version: chassis_vendor: Google chassis_version: bios_vendor: Google bios_version: Google board_vendor: Google board_name: Google Compute Engine board_version: ** Loaded modules: nls_ascii nls_cp437 vfat fat crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sg intel_rapl_perf button evdev efi_pstore serio_raw efivars efivarfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic fscrypto ecb crc32c_intel sd_mod virtio_scsi scsi_mod virtio_net net_failover failover aesni_intel aes_x86_64 crypto_simd cryptd glue_helper virtio_pci virtio_ring virtio ** Network interface configuration: # Include files from /etc/network/interfaces.d: source-directory /etc/network/interfaces.d # Cloud images dynamically generate config fragments for newly # attached interfaces. See /etc/udev/rules.d/75-cloud-ifupdown.rules # and /etc/network/cloud-ifupdown-helper. Dynamically generated # configuration fragments are stored in /run: source-directory /run/network/interfaces.d ** Network status: *** IP interfaces and addresses: 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc pfifo_fast state UP group default qlen 1000 link/ether 42:01:0a:a8:00:04 brd ff:ff:ff:ff:ff:ff inet 10.168.0.4/32 brd 10.168.0.4 scope global dynamic ens4 valid_lft 75718sec preferred_lft 75718sec inet6 fe80::4001:aff:fea8:4/64 scope link valid_lft forever preferred_lft forever *** Device statistics: Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo: 1932 12 0 0 0 0 0 0 1932 12 0 0 0 0 0 0 ens4: 1489255 6206 0 0 0 0 0 0 551580 5276 0 0 0 0 0 0 *** Protocol statistics: Ip: Forwarding: 2 6014 total packets received 2 with invalid addresses 0 forwarded 0 incoming packets discarded 6012 incoming packets delivered 5066 requests sent out 2 dropped because of missing route Icmp: 3 ICMP messages received 0 input ICMP message failed ICMP input histogram: destination unreachable: 3 3 ICMP messages sent 0 ICMP messages failed ICMP output histogram: destination unreachable: 3 IcmpMsg: InType3: 3 OutType3: 3 Tcp: 558 active connection openings 2 passive connection openings 0 failed connection attempts 0 connection resets received 6 connections established 5864 segments received 4919 segments sent out 0 segments retransmitted 0 bad segments received 10 resets sent Udp: 142 packets received 3 packets to unknown port received 0 packet receive errors 145 packets sent 0 receive buffer errors 0 send buffer errors UdpLite: TcpExt: 6 TCP sockets finished time wait in fast timer 195 delayed acks sent Quick ack mode was activated 9 times 416 packet headers predicted 2318 acknowledgments not containing data payload received 910 predicted acknowledgments Detected reordering 5 times using SACK TCPDSACKOldSent: 8 5 connections reset due to unexpected data TCPSackShiftFallback: 4 TCPRcvCoalesce: 595 TCPOrigDataSent: 2228 TCPKeepAlive: 667 TCPDelivered: 2696 IpExt: InOctets: 1397703 OutOctets: 471432 InNoECTPkts: 6014 ** PCI devices: not available ** USB devices: not available -- System Information: Debian Release: 10.2 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-6-cloud-amd64 (SMP w/1 CPU core) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages linux-image-4.19.0-6-cloud-amd64 depends on: ii initramfs-tools [linux-initramfs-tool] 0.133+deb10u1 ii kmod 26-1 ii linux-base 4.6 Versions of packages linux-image-4.19.0-6-cloud-amd64 recommends: ii apparmor 2.13.2-10 ii firmware-linux-free 3.4 Versions of packages linux-image-4.19.0-6-cloud-amd64 suggests: pn debian-kernel-handbook <none> pn grub-pc | grub-efi-amd64 | extlinux <none> pn linux-doc-4.19 <none> Versions of packages linux-image-4.19.0-6-cloud-amd64 is related to: pn firmware-amd-graphics <none> pn firmware-atheros <none> pn firmware-bnx2 <none> pn firmware-bnx2x <none> pn firmware-brcm80211 <none> pn firmware-cavium <none> pn firmware-intel-sound <none> pn firmware-intelwimax <none> pn firmware-ipw2x00 <none> pn firmware-ivtv <none> pn firmware-iwlwifi <none> pn firmware-libertas <none> pn firmware-linux-nonfree <none> pn firmware-misc-nonfree <none> pn firmware-myricom <none> pn firmware-netxen <none> pn firmware-qlogic <none> pn firmware-realtek <none> pn firmware-samsung <none> pn firmware-siano <none> pn firmware-ti-connectivity <none> pn xen-hypervisor <none> -- no debconf information
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature