Package: src:linux
Version: 4.19.67-2+deb10u2
Severity: normal
Dear Maintainer,
* What led up to the situation?
We (Google Cloud) offer Debian VM Images as part of GCE. Recently, we've
been adding images which support UEFI/Secure Boot/vTPM as part of our
"Shielded VM" product (https://cloud.google.com/shielded-vm/).
We are setting up a Debian 10 image that supports these features, as
Debian 10 added Secure Boot support. However, the current cloud image
does not support a TPM as it is compiled with CONFIG_TCG_TPM=n (the
default). This was not an issue with Debian 9 or the normal Debian 10
kernel, as both of these kernels are built with CONFIG_TCG_TPM=m.
* What exactly did you do (or not do) that was effective (or
ineffective)?
Swapping out the cloud kernel for the normal kernel (while keeping the
cloud image userland) allowed the TPM to function normally.
* What was the outcome of this action?
While changing the Debian 10 image to use the normal kernel allows the
vTPM to work with Debian, we would prefer to use the cloud image
(including the cloud kernel) for our default Debian 10 images.
* What outcome did you expect instead?
We would expect the cloud image to work with a TPM. The best way to do
this would be to add the following to the cloud-specific kernel config:
CONFIG_TCG_TPM=m
CONFIG_TCG_TIS_CORE=m
CONFIG_TCG_TIS=m
CONFIG_TCG_CRB=m
These are the minimal options needed to use a standards complying TPM
with Linux.
The normal Debain 10 kernel also sets:
CONFIG_HW_RANDOM_TPM=y
CONFIG_TCG_XEN=m
CONFIG_TCG_VTPM_PROXY=m
Setting these might be useful, if only to reduce the difference in
configuration between the cloud kernel and the normal kernel. The other
TPM/TCG related kernel configs are for specific hardware devices, so it
doesn't make sense to include them in the cloud image.
-- Package-specific info:
** Version:
Linux version 4.19.0-6-cloud-amd64 (debian-kernel@lists.debian.org)
(gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.67-2+deb10u2
(2019-11-11)
** Command line:
BOOT_IMAGE=/boot/vmlinuz-4.19.0-6-cloud-amd64
root=UUID=bf88aa2a-6281-4f23-90e1-6d597f6288c7 ro console=tty0
console=ttyS0,115200 earlyprintk=ttyS0,115200 elevator=noop
scsi_mod.use_blk_mq=Y
** Not tainted
** Kernel log:
[ 0.591931] NET: Registered protocol family 44
[ 0.592623] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
[ 0.593701] PCI: CLS 0 bytes, default 64
[ 0.593773] Unpacking initramfs...
[ 0.798575] Freeing initrd memory: 12196K
[ 0.801776] PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
[ 0.803293] software IO TLB: mapped [mem 0xb77fb000-0xbb7fb000] (64MB)
[ 0.804913] clocksource: tsc: mask: 0xffffffffffffffff max_cycles:
0x1cd4a18fe72, max_idle_ns: 440795261703 ns
[ 0.807510] Initialise system trusted keyrings
[ 0.808380] Key type blacklist registered
[ 0.809331] workingset: timestamp_bits=40 max_order=20 bucket_order=0
[ 0.811513] zbud: loaded
[ 0.937162] Key type asymmetric registered
[ 0.937965] Asymmetric key parser 'x509' registered
[ 0.938693] Block layer SCSI generic (bsg) driver version 0.4
loaded (major 251)
[ 0.939962] io scheduler noop registered (default)
[ 0.941030] io scheduler deadline registered
[ 0.941863] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[ 0.964891] 00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200)
is a 16550A
[ 0.990404] 00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200)
is a 16550A
[ 1.014448] 00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200)
is a 16550A
[ 1.038234] 00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200)
is a 16550A
[ 1.040312] i8042: PNP: PS/2 Controller [PNP0303:KBD,PNP0f13:MOU]
at 0x60,0x64 irq 1,12
[ 1.042747] i8042: Warning: Keylock active
[ 1.044843] serio: i8042 KBD port at 0x60,0x64 irq 1
[ 1.046169] serio: i8042 AUX port at 0x60,0x64 irq 12
[ 1.047435] mousedev: PS/2 mouse device common for all mice
[ 1.049190] NET: Registered protocol family 10
[ 1.056699] Segment Routing with IPv6
[ 1.057830] mip6: Mobile IPv6
[ 1.058779] NET: Registered protocol family 17
[ 1.059981] mpls_gso: MPLS GSO support
[ 1.060997] sched_clock: Marking stable (1059180096,
1771706)->(1167732719, -106780917)
[ 1.063046] registered taskstats version 1
[ 1.064137] Loading compiled-in X.509 certificates
[ 1.096876] Loaded X.509 cert 'Debian Secure Boot CA:
6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[ 1.099603] Loaded X.509 cert 'Debian Secure Boot Signer: 00a7468def'
[ 1.101519] AppArmor: AppArmor sha1 policy hashing enabled
[ 1.104745] Freeing unused kernel image memory: 1468K
[ 1.112173] Write protecting the kernel read-only data: 16384k
[ 1.113986] Freeing unused kernel image memory: 2028K
[ 1.115323] Freeing unused kernel image memory: 1364K
[ 1.116872] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 1.118627] x86/mm: Checking user space page tables
[ 1.119696] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 1.121167] Run /init as init process
[ 1.186390] cryptd: max_cpu_qlen set to 1000
[ 1.190706] PCI Interrupt Link [LNKC] enabled at IRQ 11
[ 1.192004] virtio-pci 0000:00:03.0: virtio_pci: leaving for legacy driver
[ 1.208017] AVX2 version of gcm_enc/dec engaged.
[ 1.209032] AES CTR mode by8 optimization enabled
[ 1.222603] PCI Interrupt Link [LNKD] enabled at IRQ 10
[ 1.224103] virtio-pci 0000:00:04.0: virtio_pci: leaving for legacy driver
[ 1.230984] PCI Interrupt Link [LNKA] enabled at IRQ 10
[ 1.232015] virtio-pci 0000:00:05.0: virtio_pci: leaving for legacy driver
[ 1.254299] input: AT Translated Set 2 keyboard as
/devices/platform/i8042/serio0/input/input0
[ 1.263076] SCSI subsystem initialized
[ 1.307326] scsi host0: Virtio SCSI HBA
[ 1.321719] virtio_net virtio1 ens4: renamed from eth0
[ 1.342941] scsi 0:0:1:0: Direct-Access Google PersistentDisk
1 PQ: 0 ANSI: 6
[ 1.364067] sd 0:0:1:0: [sda] 20971520 512-byte logical blocks:
(10.7 GB/10.0 GiB)
[ 1.365394] sd 0:0:1:0: [sda] 4096-byte physical blocks
[ 1.366681] sd 0:0:1:0: [sda] Write Protect is off
[ 1.367516] sd 0:0:1:0: [sda] Mode Sense: 1f 00 00 08
[ 1.368190] sd 0:0:1:0: [sda] Write cache: enabled, read cache:
enabled, doesn't support DPO or FUA
[ 1.376629] sda: sda1 sda14 sda15
[ 1.378554] sd 0:0:1:0: [sda] Attached SCSI disk
[ 1.549482] EXT4-fs (sda1): mounted filesystem with ordered data
mode. Opts: (null)
[ 1.859392] systemd[1]: Inserted module 'autofs4'
[ 1.995171] systemd[1]: systemd 241 running in system mode. (+PAM
+AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP
+GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2
+IDN -PCRE2 default-hierarchy=hybrid)
[ 1.999547] systemd[1]: Detected virtualization kvm.
[ 2.000501] systemd[1]: Detected architecture x86-64.
[ 2.001459] systemd[1]: Running with unpopulated /etc.
[ 2.017409] systemd[1]: Set hostname to <debian>.
[ 2.018308] systemd[1]: System cannot boot: Missing /etc/machine-id
and /etc is mounted read-only.
[ 2.020203] systemd[1]: Booting up is supported only when:
[ 2.021145] systemd[1]: 1) /etc/machine-id exists and is populated.
[ 2.022074] systemd[1]: 2) /etc/machine-id exists and is empty.
[ 2.023035] systemd[1]: 3) /etc/machine-id is missing and /etc is writable.
[ 2.573976] EXT4-fs (sda1): re-mounted. Opts: discard,errors=remount-ro
[ 2.954736] systemd-journald[218]: Received request to flush
runtime journal from PID 1
[ 3.196430] EFI Variables Facility v0.08 2004-May-17
[ 3.204535] pstore: Using compression: deflate
[ 3.205269] pstore: Registered efi as persistent store backend
[ 3.228039] input: Power Button as
/devices/LNXSYSTM:00/LNXPWRBN:00/input/input2
[ 3.233576] ACPI: Power Button [PWRF]
[ 3.234288] input: Sleep Button as
/devices/LNXSYSTM:00/LNXSLPBN:00/input/input3
[ 3.240738] RAPL PMU: API unit is 2^-32 Joules, 3 fixed counters,
10737418240 ms ovfl timer
[ 3.242440] RAPL PMU: hw unit of domain pp0-core 2^-0 Joules
[ 3.243842] RAPL PMU: hw unit of domain package 2^-0 Joules
[ 3.245163] RAPL PMU: hw unit of domain dram 2^-16 Joules
[ 3.250749] sd 0:0:1:0: Attached scsi generic sg0 type 0
[ 3.252936] ACPI: Sleep Button [SLPF]
[ 3.745268] audit: type=1400 audit(1575576042.491:2):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="/usr/sbin/haveged" pid=283 comm="apparmor_parser"
[ 3.759253] audit: type=1400 audit(1575576042.503:3):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="/usr/sbin/chronyd" pid=284 comm="apparmor_parser"
[ 3.765021] audit: type=1400 audit(1575576042.511:4):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="nvidia_modprobe" pid=285 comm="apparmor_parser"
[ 3.767905] audit: type=1400 audit(1575576042.511:5):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="nvidia_modprobe//kmod" pid=285 comm="apparmor_parser"
[ 3.777383] audit: type=1400 audit(1575576042.523:6):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="/usr/bin/man" pid=286 comm="apparmor_parser"
[ 3.779521] audit: type=1400 audit(1575576042.523:7):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="man_filter" pid=286 comm="apparmor_parser"
[ 3.784463] audit: type=1400 audit(1575576042.523:8):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="man_groff" pid=286 comm="apparmor_parser"
** Model information
sys_vendor: Google
product_name: Google Compute Engine
product_version:
chassis_vendor: Google
chassis_version:
bios_vendor: Google
bios_version: Google
board_vendor: Google
board_name: Google Compute Engine
board_version:
** Loaded modules:
nls_ascii
nls_cp437
vfat
fat
crct10dif_pclmul
crc32_pclmul
ghash_clmulni_intel
sg
intel_rapl_perf
button
evdev
efi_pstore
serio_raw
efivars
efivarfs
ip_tables
x_tables
autofs4
ext4
crc16
mbcache
jbd2
crc32c_generic
fscrypto
ecb
crc32c_intel
sd_mod
virtio_scsi
scsi_mod
virtio_net
net_failover
failover
aesni_intel
aes_x86_64
crypto_simd
cryptd
glue_helper
virtio_pci
virtio_ring
virtio
** Network interface configuration:
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d
# Cloud images dynamically generate config fragments for newly
# attached interfaces. See /etc/udev/rules.d/75-cloud-ifupdown.rules
# and /etc/network/cloud-ifupdown-helper. Dynamically generated
# configuration fragments are stored in /run:
source-directory /run/network/interfaces.d
** Network status:
*** IP interfaces and addresses:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc pfifo_fast
state UP group default qlen 1000
link/ether 42:01:0a:a8:00:04 brd ff:ff:ff:ff:ff:ff
inet 10.168.0.4/32 brd 10.168.0.4 scope global dynamic ens4
valid_lft 75718sec preferred_lft 75718sec
inet6 fe80::4001:aff:fea8:4/64 scope link
valid_lft forever preferred_lft forever
*** Device statistics:
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed
multicast|bytes packets errs drop fifo colls carrier compressed
lo: 1932 12 0 0 0 0 0 0
1932 12 0 0 0 0 0 0
ens4: 1489255 6206 0 0 0 0 0 0
551580 5276 0 0 0 0 0 0
*** Protocol statistics:
Ip:
Forwarding: 2
6014 total packets received
2 with invalid addresses
0 forwarded
0 incoming packets discarded
6012 incoming packets delivered
5066 requests sent out
2 dropped because of missing route
Icmp:
3 ICMP messages received
0 input ICMP message failed
ICMP input histogram:
destination unreachable: 3
3 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 3
IcmpMsg:
InType3: 3
OutType3: 3
Tcp:
558 active connection openings
2 passive connection openings
0 failed connection attempts
0 connection resets received
6 connections established
5864 segments received
4919 segments sent out
0 segments retransmitted
0 bad segments received
10 resets sent
Udp:
142 packets received
3 packets to unknown port received
0 packet receive errors
145 packets sent
0 receive buffer errors
0 send buffer errors
UdpLite:
TcpExt:
6 TCP sockets finished time wait in fast timer
195 delayed acks sent
Quick ack mode was activated 9 times
416 packet headers predicted
2318 acknowledgments not containing data payload received
910 predicted acknowledgments
Detected reordering 5 times using SACK
TCPDSACKOldSent: 8
5 connections reset due to unexpected data
TCPSackShiftFallback: 4
TCPRcvCoalesce: 595
TCPOrigDataSent: 2228
TCPKeepAlive: 667
TCPDelivered: 2696
IpExt:
InOctets: 1397703
OutOctets: 471432
InNoECTPkts: 6014
** PCI devices:
not available
** USB devices:
not available
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-cloud-amd64 (SMP w/1 CPU core)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8),
LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages linux-image-4.19.0-6-cloud-amd64 depends on:
ii initramfs-tools [linux-initramfs-tool] 0.133+deb10u1
ii kmod 26-1
ii linux-base 4.6
Versions of packages linux-image-4.19.0-6-cloud-amd64 recommends:
ii apparmor 2.13.2-10
ii firmware-linux-free 3.4
Versions of packages linux-image-4.19.0-6-cloud-amd64 suggests:
pn debian-kernel-handbook <none>
pn grub-pc | grub-efi-amd64 | extlinux <none>
pn linux-doc-4.19 <none>
Versions of packages linux-image-4.19.0-6-cloud-amd64 is related to:
pn firmware-amd-graphics <none>
pn firmware-atheros <none>
pn firmware-bnx2 <none>
pn firmware-bnx2x <none>
pn firmware-brcm80211 <none>
pn firmware-cavium <none>
pn firmware-intel-sound <none>
pn firmware-intelwimax <none>
pn firmware-ipw2x00 <none>
pn firmware-ivtv <none>
pn firmware-iwlwifi <none>
pn firmware-libertas <none>
pn firmware-linux-nonfree <none>
pn firmware-misc-nonfree <none>
pn firmware-myricom <none>
pn firmware-netxen <none>
pn firmware-qlogic <none>
pn firmware-realtek <none>
pn firmware-samsung <none>
pn firmware-siano <none>
pn firmware-ti-connectivity <none>
pn xen-hypervisor <none>
-- no debconf information
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature