usb boot does not work in basic mode when CONFIG_TPM is y

[arhabd]

Please identify some basic details to help process the report

A. Provide Hardware Details

1. What board are you using? (Choose from the list of boards here)
   KGPE-D16

2. Does your computer have a dGPU or is it iGPU-only?

   • [ x ] dGPU (Distinct GPU other then internal GPU)
   • iGPU-only (Internal GPU, normally Intel GPU)

3. Who installed Heads on this computer?

   • Insurgo (Issues to be reported at https://github.com/linuxboot/heads/issues)
   • Nitrokey (Issues to be reported at https://github.com/Nitrokey/heads/issues)
   • Purism (Issues to be reported at https://source.puri.sm/firmware/pureboot/-/issues)
   • Novacustom (Issues to be reported at https://github.com/Dasharo/dasharo-issues)
   • HardnenedVault (Issues to be reported at https://github.com/hardenedvault/vaultboot/issues)
   • Other provider
   • [ x ] Self-installed

4. What PGP key is being used?

   • Librem Key (Nitrokey Pro 2 rebranded)
   • Nitrokey Pro
   • Nitrokey Pro 2
   • Nitrokey 3 NFC
   • Nitrokey 3 NFC Mini
   • Nitrokey Storage
   • Nitrokey Storage 2
   • Yubikey
   • [ x ] Other

5. Are you using the PGP key to provide HOTP verification?

   • Yes
   • [ x ] No
   • I don't know

B. Identify how the board was flashed

1. Is this problem related to updating heads or flashing it for the first time?

   • First-time flash
   • Updating heads
   • [ x ] first-time flash then reflashed internally to enable basic mode

2. If the problem is related to an update, how did you attempt to apply the update?

   • [ x ] Using the Heads menus
   • Flashrom via the Recovery Shell
   • External flashing

3. How was Heads initially flashed?

   • [ x ] External flashing
   • Internal-only / 1vyprep+1vyrain / skulls
   • Don't know

4. Was the board flashed with a maximized or non-maximized/legacy rom?

   • Maximized
   • Non-maximized / legacy
   • [ x ] I don't know

5. If Heads was externally flashed, was IFD unlocked?

   • Yes
   • No
   • [ x ] Don't know

C. Identify the rom related to this bug report

1. Did you download or build the rom at issue in this bug report?

   • I downloaded it
   • [ x ] I built it

2. If you downloaded your rom, where did you get it from?

   • Heads CircleCi
   • Purism
   • Nitrokey
   • Dasharo DTS (Novacustom)
   • Somewhere else (please identify)

   Please provide the release number or otherwise identify the rom downloaded

3. If you built your rom, which repository:branch did you use?

   • Heads:Master
   • [ 15h fork ] Other (please identify)

4. What version of coreboot did you use in building?
   { You can find this information from github commit ID or once flashed, by giving the complete version from Sytem Information under Options --> menu}
   whatever is used in the 15h fork

5. In building the rom, where did you get the blobs?

   • [ x ] No blobs required
   • Provided by the company that installed Heads on the device
   • Extracted from a backup rom taken from this device
   • Extracted from another backup rom taken from another device (please identify the board model)
   • Extracted from the online bios using the automated tools provided in Heads
   • I don't know

Please describe the problem

Describe the bug
A clear and concise description of what the bug is.
going into heads basic mode is supposed to turn off tpm verification and while it does so for the default boot option it still tries to extend pcr 4 when booting giving me an error while i understand the 15h fork is specificlly for testing and having tpm enabled i think this might be a bug in heads as it should try to extend the tpm while in basic mode

To Reproduce
Steps to reproduce the behavior:

1. flash heads with enabled tpm configuration
2. remove tpm module from the machine
3. enable basic mode
4. when trying to boot usb you will fail to boot usb while if you try the default boot you will see it works like expected in basic mode (if you have an os installed)
   Expected behavior
   A clear and concise description of what you expected to happen.
   it should not try and extend pcr/tpm while in basic mode

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
i think the root cause might lay in bin/usb-init where it checks if CONFIG_TPM is y but never checks if CONFIG_BASIC is y or n (like it is done in other parts of the boot process)

[arhabd]

I don't know if its distinct from #1886 do we expect heads to verify ISO while in basic mode? i would think yes

[tlaurion]

@arhabd iso detach signature validation is not applied in basic mode. It will boot dd'ed iso images from usb thumb drive though.

[tlaurion]

i think the root cause might lay in bin/usb-init where it checks if CONFIG_TPM is y but never checks if CONFIG_BASIC is y or n (like it is done in other parts of the boot process)

Right, this is a bug. Feel free to open PR to fix this if faster than me.