# Hardware test matrix

## Modern (as of 2024) test results
These results come from running TrenchBoot together with AEM (Anti Evil Maid) on the listed hardware under Qubes OS. The tests were carried out either automatically via openQA using this test or manually by installing and verifying AEM with TrenchBoot. The procedure is very similar in both cases:
- Installation of the ACMs (Authenticated Code Modules) on Intel platforms or the SKL (Secure Kernel Loader) on AMD platforms.
- Installation of TrenchBoot's versions of AEM, Xen and GRUB2 (necessary until all of the changes are upstreamed).
- The AEM setup procedure, which is detailed in its README.
- A reboot, so that AEM can seal its secrets against the values of the DRTM PCRs.
- A second reboot, to verify that AEM unseals the secrets successfully and that the PCR values are consistent with the TPM event log.
- An extra manual step in both cases (openQA only prints the event log) is to check that the hashes in the log correspond to the on-disk files that were measured.
Devices and configurations on which TrenchBoot is known to work (availability years can be approximate; automatic tests don't override manual tests):
| Tested device | TPM family | Available | Notes |
|---|---|---|---|
| Asus KGPE-D16 (AMD Opteron family 15h models 00h-0fh server) (v0.4 by @SergiiDmytruk) | TPM 1.2 | 2005-2015 | stock BIOS |
| Dell OptiPlex 9010 (v0.3 by openQA) | TPM 1.2 | 2012-2017 | coreboot SeaBIOS firmware, bad 1st entry in event log |
| HP Thin Client t630 (v0.4 by @krystian-hebel) | TPM 2.0 | 2016-2020 | CSM legacy boot, BIOS updates in 2024 |
Devices and configurations on which TrenchBoot is known to not work:
| Tested device | TPM family | Available | Notes |
|---|---|---|---|
| Supermicro M11SDV-8CT (AMD EPYC 3000 Snowy Owl server) (v0.4 by openQA) | TPM 2.0 | 2019-today | CSM legacy boot, unexpected PCR values |
## Legacy (before 2022) test results
The origin of the following results is not always known. AMD platforms used to be tested on CI via testing-trenchboot.
Devices and configurations on which TrenchBoot is known to work (availability years can be approximate):
| Tested device | TPM family | Available | Notes |
|---|---|---|---|
| Intel Kaby Lake server | TPM 2.0 | 2016-2020 | UEFI firmware |
| Intel Skylake server | TPM 2.0 | 2015-2019 | UEFI firmware |
| Intel Tiger Lake client | TPM 2.0 | 2020-2023 | UEFI firmware |
| PC Engines APU2 platform series (AMD family 16h models 30h-3fh embedded) | TPM 1.2 | 2016-2023 | coreboot firmware |
| PC Engines APU2 platform series (AMD family 16h models 30h-3fh embedded) | TPM 2.0 | 2016-2023 | coreboot firmware |
Devices and configurations on which TrenchBoot is known to not work:
| Tested device | TPM family | Notes |
|---|---|---|
| Asus KGPE-D16 (AMD Opteron family 15h models 00h-0fh server) | TPM 2.0 | coreboot firmware TPM issue |
| Supermicro M11SDV-8CT (AMD EPYC 3000 Snowy Owl server) | TPM 2.0 | UEFI boot |
## Hardware quirks and workarounds

These are the difficulties and points of note one has to face when using these platforms today. They were probably more usable years ago, but software has since changed in ways that nobody tested on these devices, so the experience is no longer very smooth.
| Device | Notes |
|---|---|
| Asus KGPE-D16 (AMD Opteron family 15h models 00h-0fh server) | IOMMU has no extended features: can't use INVALIDATE_IOMMU_ALL in SKL. |
| Dell OptiPlex 9010 | 1. Installer has issues rebooting without the reboot=pci kernel option. 2. Xen sometimes has issues rebooting; a boot cycle is the workaround. 3. First entry in the DRTM TPM event log contains the result of the PCR extend operation instead of its input, due to an ACM bug. |
| HP Thin Client t630 | Starting Qubes OS installation in legacy mode requires extra steps (see). |
| Supermicro M11SDV-8CT (AMD EPYC 3000 Snowy Owl server) | Problematic USB controller for Qubes OS (resets the system). Works without the sys-usb VM or if the USB controller is disabled. |
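The two checks the test procedure at the top of the page asks for (PCR values consistent with the TPM event log, and log hashes corresponding to on-disk files), together with the Dell OptiPlex 9010 first-entry quirk from the table above, as an added Python example that is not part of the TrenchBoot, AEM or openQA code. It assumes a simplified event log of (PCR index, digest) pairs in log order rather than the binary TCG log format, and uses constructed sample contents; the names `pcr_extend`, `replay_event_log`, `mismatched_pcrs` and `entries_matching_content` are the example's own. It goes slightly beyond the page by taking the hash algorithm as a parameter, so it covers SHA-1 logs from the TPM 1.2 boards as well as SHA-256 logs from TPM 2.0 ones.

```python
import hashlib

# Added example, not TrenchBoot/AEM code. Replays a DRTM TPM event log to
# compute the PCR values it implies, compares them with values reported by
# the TPM, and locates which log entry a given measured file corresponds to.
# The event log is a constructed, simplified list of (pcr_index, digest)
# pairs in log order; a real TCG event log is binary and also carries event
# types and descriptions.


def pcr_extend(current: bytes, digest: bytes, algo: str = "sha256") -> bytes:
    """TPM extend: new_pcr = H(current_pcr || digest)."""
    return hashlib.new(algo, current + digest).digest()


def replay_event_log(events, algo: str = "sha256", first_entry_is_post_extend: bool = False):
    """Return {pcr_index: expected_value} after replaying every entry.

    DRTM-resettable PCRs (17-22) start at all zeros after the dynamic launch
    resets them, so replay starts from a zero value of the digest size.

    first_entry_is_post_extend models the Dell OptiPlex 9010 quirk: the first
    entry holds the PCR value *after* the extend instead of the digest that
    was extended, so it is taken as the new PCR value rather than extended in.
    """
    size = hashlib.new(algo).digest_size
    initial = bytes(size)
    pcrs = {}
    for position, (index, digest) in enumerate(events):
        if len(digest) != size:
            raise ValueError(f"entry {position}: digest length {len(digest)} != {size}")
        current = pcrs.get(index, initial)
        if position == 0 and first_entry_is_post_extend:
            pcrs[index] = digest
        else:
            pcrs[index] = pcr_extend(current, digest, algo)
    return pcrs


def mismatched_pcrs(expected, reported):
    """PCR indices whose reported value (e.g. read from the TPM) differs from replay."""
    return sorted(i for i, value in expected.items() if reported.get(i) != value)


def entries_matching_content(events, content: bytes, algo: str = "sha256"):
    """Positions of log entries whose digest equals H(content), i.e. which log
    entry an on-disk file (read as bytes) corresponds to."""
    digest = hashlib.new(algo, content).digest()
    return [pos for pos, (_, d) in enumerate(events) if d == digest]


# Constructed sample: three components measured into PCR 17 and 18.
SAMPLE_XEN = b"constructed xen.gz contents"
SAMPLE_KERNEL = b"constructed vmlinuz contents"
SAMPLE_INITRD = b"constructed initramfs contents"
SAMPLE_EVENTS = [
    (17, hashlib.sha256(SAMPLE_XEN).digest()),
    (17, hashlib.sha256(SAMPLE_KERNEL).digest()),
    (18, hashlib.sha256(SAMPLE_INITRD).digest()),
]

if __name__ == "__main__":
    expected = replay_event_log(SAMPLE_EVENTS)
    for index, value in sorted(expected.items()):
        print(f"PCR {index}: {value.hex()}")
    # On real hardware read the reported values from the TPM (for TPM 2.0,
    # tpm2_pcrread from tpm2-tools) and pass them to mismatched_pcrs().
    print("kernel sample matches log entries:",
          entries_matching_content(SAMPLE_EVENTS, SAMPLE_KERNEL))
```

To use it against a real run, take the digests from the event log that openQA prints (or that AEM shows), read the actual PCR 17-22 values from the TPM, and hash the boot files TrenchBoot measured; pass `algo="sha1"` for the TPM 1.2 boards in the tables and set `first_entry_is_post_extend=True` only for the OptiPlex 9010, whose ACM bug is described in the quirks table.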