zaolin commented 2 years ago

@xaionaro @rihter007 the firmware.bin is just the first 16 MB which includes FIT, BPM and KM

xaionaro commented 2 years ago

Started the investigation in this branch: https://github.com/9elements/converged-security-suite/tree/support/lenovo_x1_carbon_gen9

Added some tooling there. But got stuck on the very first measurement. PCR0_DATA does not match what it should.

xaionaro commented 2 years ago

Just for myself:

$ ./fittool show -f ~/Downloads/pcr0/firmware.bin
#   | Type                             | Address              | Size     | Version | Checksum valid  | Checksum
---------------------------------------------------------------------------------------------------------------
0   | FITHeaderEntry            (0x00) | 0x2020205f5449465f   | 15       | 0x0100  | true            | 165
1   | MicrocodeUpdateEntry      (0x01) | 0xffb81000           | 0        | 0x0100  | false           | 0
2   | MicrocodeUpdateEntry      (0x01) | 0xffb9d000           | 0        | 0x0100  | false           | 0
3   | MicrocodeUpdateEntry      (0x01) | 0xffbb9000           | 0        | 0x0100  | false           | 0
4   | MicrocodeUpdateEntry      (0x01) | 0xffbd5000           | 0        | 0x0100  | false           | 0
5   | SACM                      (0x02) | 0xffc40000           | 0        | 0x0100  | false           | 0
6   | BIOSStartupModuleEntry    (0x07) | 0xffc80000           | 24576    | 0x0100  | false           | 0
7   | BIOSStartupModuleEntry    (0x07) | 0xffce0000           | 36864    | 0x0100  | false           | 0
8   | BIOSStartupModuleEntry    (0x07) | 0xffd70000           | 102400   | 0x0100  | false           | 0
9   | BIOSStartupModuleEntry    (0x07) | 0xfff00000           | 4096     | 0x0100  | false           | 0
10  | BIOSStartupModuleEntry    (0x07) | 0xfff20000           | 12288    | 0x0100  | false           | 0
11  | BIOSStartupModuleEntry    (0x07) | 0xfff50000           | 45056    | 0x0100  | false           | 0
12  | TXTPolicyRecord           (0x0A) | 0x7a040100710070     | 0        | 0x0000  | false           | 0
13  | KeyManifestRecord         (0x0B) | 0xfff1b000           | 853      | 0x0100  | false           | 0
14  | BootPolicyManifestRecord  (0x0C) | 0xfff15000           | 1209     | 0x0100  | false           | 0

[xaionaro@void converged-security-suite]$ go run ./cmd/pcr0tool display_eventlog -event-log ~/Downloads/pcr0/eventlog.bin -pcr-index 0 -hash-algo 4
  # idx       type  hash    digest  data
  0  0           3    4 0000000000000000000000000000000000000000    537461727475704C6F63616C6974790003
  1  0           7    4 B46182FC7C3584C4355D8F4B11AE839DF90A392B    426F6F74204775617264204D6561737572656420532D4352544D00
  2  0           8    4 E6BECECF6165181092670F9E2AE24F81242CAD67    4E00330032004500540037003500570020000000
  3  0  2147483656    4 39961767AAD0DA9DE54635D5C50A05B62C0AAA8C    0000F0FF000000000000010000000000
  4  0  2147483656    4 989851F1373AA190029584E28529E434B0AFF628    0000C0FF000000000000080000000000
  5  0  2147483656    4 8652BD8997852B0E437632F360117161D5868449    000034FF000000000000430000000000
  6  0  2147483656    4 E7A2E3787E080F4B32917665981AE0DA844C73D7    0000A4FF000000000000140000000000
  7  0  2147483656    4 47D584AC30A73E7AA94A7D119D929A15F0B79227    000096FF0000000000000A0000000000
  8  0  2147483656    4 1BEC13051D74AA49082C14A6E56CCCC02FE4C308    000077FF0000000000001F0000000000
  9  0           1    4 BF7439ABEB5329A265DFC284B820FD67D126429C    414350492044415441
 10  0           1    4 4A412E183453B0FFA8227CA73243C261EF6DCB08    414350492044415441
 17  0          17    4 6BA0A2B9C298FFAFF045C436D53542D5765CEC34    496E74656C435378454576656E7430310000000004000000000300003000000012720F089FC4AC71B73C69814ECD0293C7F5B0FBED95C57C0D6E9195BBF79C8406304F94F394B09EA94988714CE4A86B02030000160000000F0000001700AA06010000000200000006000000010002050000160000000F0000000000581B00000000FFFFFFFFFFFFFFFF0100022D000016000000010000000000020001000000010000000000000001000102000030000000711144DF5B5533C1B5AF7C818A2A195CEC010575C266DF461EF1559C4DAC5606B84B2FB0B0FF55624975E79AFC99C9B002020000160000009600010014000B040000000000000000000000000100030400000100000002030000000400000073010000030200000400000000963031010600003000000058F91EE672008380DF9224E85D7BDD7DA5879C31291DF0F960E2464711E73EFCD67E1926C9D1FC6A11092B0E0AD0B0630206000016000000110014000000000000000000000000000000000001000107000030000000BF98F8A1E4E3F5631133B68C397178B92EE67B15F3C512BAD0F7F5BECC3C61F7C0468689ED4436E3D50CA96FA95860A002070000160000000B00E0000001F8070000000000000000000000000100010800003000000040F117E6E7CFA44007835CD039A4F6687CBAF572D5A30ACC7C327450E0FA925E59727E615FE53923B79EC6E9D47F59AC02080000160000000E0000000000041000000000000000000000000001000129000030000000A1CB5B039B4A10620DEF23E104FC01D55194EECB69AE2E852E4616B1F9D9046EBCE6D1A3451697B7C691D4CFE72DF911022900001600000005000400010061110000000000000000000000000100030300000100000000
 18  0          17    4 F07DF548DCA6DC4286EF4CE0D6DB12F02EA03E06    496E74656C43537845496E666F4576656E740000010000008680E0A001000000
 38  0           4    4 9069CA78E7450A285173431B3E52C5C25299E473    00000000

[xaionaro@void converged-security-suite]$ go run ./cmd/cbnt-prov/ bpm-show ~/Downloads/pcr0/firmware.bin
  --BPMH--
    Struct Info:
      ID: __ACBP__
      Version: 0x21 (33)
      Variable 0: 0x20 (32)
      Element Size: 0x0014 (20)
    Key Signature Offset: 0x01A8 (424)
    BPM Revision: 0x01
    BPM SVN: 0x01
    ACM SVN Auth: 0x02
    Reserved 0: 0x00
    NEM Data Stack: In Bytes: 0x00003000 (12288)
  --IBB Segments Element--
    Struct Info:
      ID: __IBBS__
      Version: 0x20 (32)
      Variable 0: 0x00
      Element Size: 0x012C (300)
    Reserved 0: 0x00
    Set Number: 0x00
    Reserved 1: 0x00
    PBET Value: PBET Value: 0x0F (15)
    Flags:
      Reserved 0: 0x00000080 (128)
      Supports Top Swap Remediation: BIOS does not support Top Swap remediation action
      TPM Failure Leaves Hierarchies Enabled: Do not leave enabled. Disable all Hierarchies or deactivate on failure.
      Authority Measure: Do not extend into the Authority PCR 7
      Locality 3 Startup: Issue TPM Start-up from Locality 3
      DMA Protection: Enable DMA Protection
    IBB MCHBAR: 0x        FED10000 (4275109888: 4.0 GiB)
    VT-d BAR: 0x        FED90000 (4275634176: 4.0 GiB)
    DMA Protection 0 Base Address: 0x00100000 (1048576: 1.0 MiB)
    DMA Protection 0 Limit Address: 0x00F00000 (15728640: 15 MiB)
    DMA Protection 1 Base Address: 0x               0
    DMA Protection 2 Limit Address: 0x         1000000 (16777216: 16 MiB)
    Post IBB Hash:
      Hash Alg: AlgNull
      Hash Buffer: empty (len: 0)
    IBB Entry Point: 0xFFFFFFF0 (4294967280: 4.0 GiB)
    Digest List:
      Size: 0x0098 (152)
      List: Array of "Hash List" of length 4:
        item #0: Hash Structure:
          Hash Alg: SHA384
          Hash Buffer: 0xE024F7B1A29C87A9D150E577CF3FC86AD252D02AE02F5FB6DB6EB1C2899606BAB309C3503151818A1860403071F9AF8A (len: 48)
        item #1: Hash Structure:
          Hash Alg: SHA1
          Hash Buffer: 0x44C4D23CC4A8C83E7128F066307AF48242DC6A7B (len: 20)
        item #2: Hash Structure:
          Hash Alg: SHA256
          Hash Buffer: 0x46D7AA30A1DD7818CD13BBEA529B4BD5ECB9B2E23EF6D171B6FCD2674B005603 (len: 32)
        item #3: Hash Structure:
          Hash Alg: SM3_256
          Hash Buffer: 0x6A7E84E6E287418B8B380706AB18651E41604E416920ACA83A1EDBCAF5B7B25C (len: 32)
    OBB Hash:
      Hash Alg: AlgNull
      Hash Buffer: empty (len: 0)
    Reserved 2: 0x000000
    IBBSegments: Array of "IBB Segments Element" of length 6:
      item #0: IBB Segment:
        Reserved: 0x0000
        Flags: 0x0000
        Base: 0xFFC80000 (4291297280: 4.0 GiB)
        Size: 0x00060000 (393216: 384 KiB)
      item #1: IBB Segment:
        Reserved: 0x0000
        Flags: 0x0000
        Base: 0xFFCE0000 (4291690496: 4.0 GiB)
        Size: 0x00090000 (589824: 576 KiB)
      item #2: IBB Segment:
        Reserved: 0x0000
        Flags: 0x0000
        Base: 0xFFD70000 (4292280320: 4.0 GiB)
        Size: 0x00190000 (1638400: 1.6 MiB)
      item #3: IBB Segment:
        Reserved: 0x0000
        Flags: 0x0000
        Base: 0xFFF00000 (4293918720: 4.0 GiB)
        Size: 0x00010000 (65536: 64 KiB)
      item #4: IBB Segment:
        Reserved: 0x0000
        Flags: 0x0000
        Base: 0xFFF20000 (4294049792: 4.0 GiB)
        Size: 0x00030000 (196608: 192 KiB)
      item #5: IBB Segment:
        Reserved: 0x0000
        Flags: 0x0000
        Base: 0xFFF50000 (4294246400: 4.0 GiB)
        Size: 0x000B0000 (720896: 704 KiB)
  --TXT--
    Struct Info:
      ID: __TXTS__
      Version: 0x20 (32)
      Variable 0: 0x00
      Element Size: 0x0028 (40)
    Reserved 0: 0x00
    Set Number: 0x00
    S Init Min SVN Auth: 0x00
    Reserved 1: 0x00
    Control Flags:
      Execution Profile: A (use default selection based on differentation between clients, UP, and MP servers)
      Memory Scrubbing Policy: BIOS if verified or backup action othersize
      Backup Action Policy: memory power down if profile D or BtG unbreakable shutdown otherwise
      Is SACM Requested To Extend Static PC Rs: Default setting. S-ACM is requested to extend static PCRs
      Reset AUX Control: AUX reset leaf will reset AUX index
    Pwr Down Interval: 62 (5m10s)
    PTT CMOS Offset 0: 0xFE (254)
    PTT CMOS Offset 1: 0xFF (255)
    ACPI Base Offset: 0x0400 (1024)
    Reserved 2: 0x0000
    ACPI MMIO Offset: 0xFE000000 (4261412864: 4.0 GiB)
    Digest List:
      Size: 0x0004
      List: Array of "Hash List" of length 0:
    Reserved 3: 0x000000
    Segment Count: 0x00

  --PCD--
    Struct Info:
      ID: __PCDS__
      Version: 0x20 (32)
      Variable 0: 0x00
      Element Size: 0x0034 (52)
    Reserved 0: 0x0000
    Data: 0x5F5F504452535F5F101900000004000050030007010401C101030007020401C101030007 (len: 36)

  --PME--
    not set!(optional)
  --Signature--
    Struct Info:
      ID: __PMSG__
      Version: 0x20 (32)
      Variable 0: 0x00
      Element Size: 0x0000
    Key Signature:
      Version: 0x10 (16)
      Key:
        Key Alg: RSA
        Version: 0x10 (16)
        Key Size:
          In Bits: 0x0C00 (3072)
          In Bytes: 0x0180 (384)
        Data: 0x0100010061537C7807FDEFD9F3DAF0E5636967DF93E09031D44CBE2687ED53B8CC3266241E73F1DE84A7D1659360D3111C40AE22347A07776DD05DAAE5E150597C4C95040BA82A0C957EE086CA8DECDDC9CE78959826AC4F2E752465605880522AA569E1FE0A864F03628BF5CE99172AA0E8639DC1281134CC980913755DB6CD16C83914F680B237D67369A9BF70BE8C258A925267DBE444F578341A24C0FC0B24A1679B7AEFD3D87D8BEE60BF6CC64D120DAD410C9A0DDA04526E82F2D5D498ADDA9DEEA496FF66CB931E2F9936134E9A86F61C0209B157CB46A626373174911C9A9772FC1AB50B8A26AC2C0B63537DF95522212AED7C8BAD6EE7E7D2BC8117DD7CD1C1F3C5B3FC139E2CAAD3A3B28A87372E79E8712697341D7979213529C3ACB1B6243D7D164A76175DF247ACA0F78B32C35D723F4CD865C6154B04849E5F6AF9D022B19FC98A403922909A2558C38B224B17E3C8960EDF16EB0BF636A7DDEFABE543FF2946AC8AA8FB5191D67CFE12CEC170F62B0C30A9B0B3B27990DA164FFA8EE3 (len: 388)
      Signature:
        Sig Scheme: RSAPSS
        Version: 0x10 (16)
        Key Size:
          In Bits: 0x0C00 (3072)
          In Bytes: 0x0180 (384)
        Hash Alg: SHA384
        Data: 0xA82FC7925B00101654A733A71F8EA137B58D071B7EE1569801703F7073E6324F27F1C619FC3E1DC1F0D92F21FB627F519497224664EAE8BF125FEB3868CFDD9E12646A0B53C55EFE38046AD98364F78AE6D29BB42CCAD472793232B37093AA07A7DB40184305B47095DDA9F5D42A647371B72A7EC05813C97EF3D0FD6728FE47FEBC1FD91F249249F251C171DB97FD35E26A40F4FFD4E5F81B7C2FB9F4468808114ECEB3100116025677402FFAC32F82F9C51216D27618AB54A58EF143C578A5CEF19FBCC5F03AFFF3BC2E2661E4E1CABC805AB8FE0000F387314D604C994AD5644245CB47C711D8E17FA207EB0DDAFC453D17925C6D69987C0508CF71F070C68555763CFBFFA7B1F36A3810E1F7F6B28E29B3126E7C6290435E4C2C432CAAA7D03351ADDA4343D1C3AC6E4B730426B2FEE319EB19B9EC180B8B16FACEB56DD3F0B66F52D8799CA83C237BE2D5F3A3C75789E31915E2DEF6AC016F52F4A749FD9133B77857B364769A4EA8F41CBF58AF5DECB368096BF231A07F1BB0B14023D9
   Boot Policy Manifest Pubkey Hash: 0x1de708dbb9e62835eb63496a4c6f0e62e1e115dfe1a4d6237dc9a0b35ecde2e9a2932debcf1be6a965f020a82b43376c

xaionaro commented 2 years ago

EventLog replays into the final PCR0 value dumped from TPM itself, so let's just analyze EventLog:

#                   : 0
PCR index           : 0
Event Type          : 3
Hash Algorithm      : 4
Digest              : 0000000000000000000000000000000000000000
Data                : ([]uint8) (len=17 cap=17) {
    > 00000000  53 74 61 72 74 75 70 4c  6f 63 61 6c 69 74 79 00  |StartupLocality.|
    > 00000010  03                                                |.|
}

Standard initialization with locality 3.

#                   : 1
PCR index           : 0
Event Type          : 7
Hash Algorithm      : 4
Digest              : B46182FC7C3584C4355D8F4B11AE839DF90A392B
Data                : ([]uint8) (len=27 cap=27) {
    > 00000000  42 6f 6f 74 20 47 75 61  72 64 20 4d 65 61 73 75  |Boot Guard Measu|
    > 00000010  72 65 64 20 53 2d 43 52  54 4d 00                 |red S-CRTM.|
}

We expect it to be PCR0_DATA, but I cannot reproduce it using provided TXT Public Space. I also tried to bruteforce possible bitflips in the register, but it also didn't help

#                   : 2
PCR index           : 0
Event Type          : 8
Hash Algorithm      : 4
Digest              : E6BECECF6165181092670F9E2AE24F81242CAD67
Data                : ([]uint8) (len=20 cap=20) {
    > 00000000  4e 00 33 00 32 00 45 00  54 00 37 00 35 00 57 00  |N.3.2.E.T.7.5.W.|
    > 00000010  20 00 00 00                                       | ...|
}

We expect it to be "PCD Vendor Version". Should be extractible pretty easy, but will check later.

#                   : 3
PCR index           : 0
Event Type          : 2147483656
Hash Algorithm      : 4
Digest              : 39961767AAD0DA9DE54635D5C50A05B62C0AAA8C
Data                : ([]uint8) (len=16 cap=16) {
    > 00000000  00 00 f0 ff 00 00 00 00  00 00 01 00 00 00 00 00  |................|
}

It looks like it measures 0xFFF00000-0xFFF10000. To be validated. But even if will be validated, then it is unclear where these pointers get from. FIT and BPM does not contain some of the pointers of this type of measurements (from this log). Though I see for example module ReportFvPei contains all these pointers, so I guess it is just might be hardcoded there or in some other code. To be validated as well.

#                   : 4
PCR index           : 0
Event Type          : 2147483656
Hash Algorithm      : 4
Digest              : 989851F1373AA190029584E28529E434B0AFF628
Data                : ([]uint8) (len=16 cap=16) {
    > 00000000  00 00 c0 ff 00 00 00 00  00 00 08 00 00 00 00 00  |................|
}

It looks like it measures 0xFFC00000-0xFFC80000. Same issues as above.

#                   : 5
PCR index           : 0
Event Type          : 2147483656
Hash Algorithm      : 4
Digest              : 8652BD8997852B0E437632F360117161D5868449
Data                : ([]uint8) (len=16 cap=16) {
    > 00000000  00 00 34 ff 00 00 00 00  00 00 43 00 00 00 00 00  |..4.......C.....|
}

It looks like it measures 0xFF340000-0xFF770000. Same issues as above.

#                   : 6
PCR index           : 0
Event Type          : 2147483656
Hash Algorithm      : 4
Digest              : E7A2E3787E080F4B32917665981AE0DA844C73D7
Data                : ([]uint8) (len=16 cap=16) {
    > 00000000  00 00 a4 ff 00 00 00 00  00 00 14 00 00 00 00 00  |................|
}

It looks like it measures 0xFFA40000-0xFFB80000. Same issues as above.

#                   : 7
PCR index           : 0
Event Type          : 2147483656
Hash Algorithm      : 4
Digest              : 47D584AC30A73E7AA94A7D119D929A15F0B79227
Data                : ([]uint8) (len=16 cap=16) {
    > 00000000  00 00 96 ff 00 00 00 00  00 00 0a 00 00 00 00 00  |................|
}

It looks like it measures 0xFF960000-0xFFA00000. Same issues as above.

#                   : 8
PCR index           : 0
Event Type          : 2147483656
Hash Algorithm      : 4
Digest              : 1BEC13051D74AA49082C14A6E56CCCC02FE4C308
Data                : ([]uint8) (len=16 cap=16) {
    > 00000000  00 00 77 ff 00 00 00 00  00 00 1f 00 00 00 00 00  |..w.............|
}

It looks like it measures 0xFF770000-0xFF960000. Same issues as above.

#                   : 9
PCR index           : 0
Event Type          : 1
Hash Algorithm      : 4
Digest              : BF7439ABEB5329A265DFC284B820FD67D126429C
Data                : ([]uint8) (len=9 cap=9) {
    > 00000000  41 43 50 49 20 44 41 54  41                       |ACPI DATA|
}

"ACPI DATA". It looks like this is ACPI static tables, but for some unknown reason they have EventType 0x1 (EV_POST_CODE) instead of 0x80000009 (EV_EFI_HANDOFF_TABLES). To be investigated how to extract ACPI static tables, and if this is indeed them.

#                   : 10
PCR index           : 0
Event Type          : 1
Hash Algorithm      : 4
Digest              : 4A412E183453B0FFA8227CA73243C261EF6DCB08
Data                : ([]uint8) (len=9 cap=9) {
    > 00000000  41 43 50 49 20 44 41 54  41                       |ACPI DATA|
}

Same here.

#                   : 17
PCR index           : 0
Event Type          : 17
Hash Algorithm      : 4
Digest              : 6BA0A2B9C298FFAFF045C436D53542D5765CEC34
Data                : ([]uint8) (len=642 cap=642) {
    > 00000000  49 6e 74 65 6c 43 53 78  45 45 76 65 6e 74 30 31  |IntelCSxEEvent01|
    > 00000010  00 00 00 00 04 00 00 00  00 03 00 00 30 00 00 00  |............0...|
    > 00000020  12 72 0f 08 9f c4 ac 71  b7 3c 69 81 4e cd 02 93  |.r.....q.<i.N...|
    > 00000030  c7 f5 b0 fb ed 95 c5 7c  0d 6e 91 95 bb f7 9c 84  |.......|.n......|
    > 00000040  06 30 4f 94 f3 94 b0 9e  a9 49 88 71 4c e4 a8 6b  |.0O......I.qL..k|
    > 00000050  02 03 00 00 16 00 00 00  0f 00 00 00 17 00 aa 06  |................|
    > 00000060  01 00 00 00 02 00 00 00  06 00 00 00 01 00 02 05  |................|
    > 00000070  00 00 16 00 00 00 0f 00  00 00 00 00 58 1b 00 00  |............X...|
    > 00000080  00 00 ff ff ff ff ff ff  ff ff 01 00 02 2d 00 00  |.............-..|
    > 00000090  16 00 00 00 01 00 00 00  00 00 02 00 01 00 00 00  |................|
    > 000000a0  01 00 00 00 00 00 00 00  01 00 01 02 00 00 30 00  |..............0.|
    > 000000b0  00 00 71 11 44 df 5b 55  33 c1 b5 af 7c 81 8a 2a  |..q.D.[U3...|..*|
    > 000000c0  19 5c ec 01 05 75 c2 66  df 46 1e f1 55 9c 4d ac  |.\...u.f.F..U.M.|
    > 000000d0  56 06 b8 4b 2f b0 b0 ff  55 62 49 75 e7 9a fc 99  |V..K/...UbIu....|
    > 000000e0  c9 b0 02 02 00 00 16 00  00 00 96 00 01 00 14 00  |................|
    > 000000f0  0b 04 00 00 00 00 00 00  00 00 00 00 00 00 01 00  |................|
    > 00000100  03 04 00 00 01 00 00 00  02 03 00 00 00 04 00 00  |................|
    > 00000110  00 73 01 00 00 03 02 00  00 04 00 00 00 00 96 30  |.s.............0|
    > 00000120  31 01 06 00 00 30 00 00  00 58 f9 1e e6 72 00 83  |1....0...X...r..|
    > 00000130  80 df 92 24 e8 5d 7b dd  7d a5 87 9c 31 29 1d f0  |...$.]{.}...1)..|
    > 00000140  f9 60 e2 46 47 11 e7 3e  fc d6 7e 19 26 c9 d1 fc  |.`.FG..>..~.&...|
    > 00000150  6a 11 09 2b 0e 0a d0 b0  63 02 06 00 00 16 00 00  |j..+....c.......|
    > 00000160  00 11 00 14 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    > 00000170  00 00 00 00 00 01 00 01  07 00 00 30 00 00 00 bf  |...........0....|
    > 00000180  98 f8 a1 e4 e3 f5 63 11  33 b6 8c 39 71 78 b9 2e  |......c.3..9qx..|
    > 00000190  e6 7b 15 f3 c5 12 ba d0  f7 f5 be cc 3c 61 f7 c0  |.{..........<a..|
    > 000001a0  46 86 89 ed 44 36 e3 d5  0c a9 6f a9 58 60 a0 02  |F...D6....o.X`..|
    > 000001b0  07 00 00 16 00 00 00 0b  00 e0 00 00 01 f8 07 00  |................|
    > 000001c0  00 00 00 00 00 00 00 00  00 00 00 01 00 01 08 00  |................|
    > 000001d0  00 30 00 00 00 40 f1 17  e6 e7 cf a4 40 07 83 5c  |.0...@......@..\|
    > 000001e0  d0 39 a4 f6 68 7c ba f5  72 d5 a3 0a cc 7c 32 74  |.9..h|..r....|2t|
    > 000001f0  50 e0 fa 92 5e 59 72 7e  61 5f e5 39 23 b7 9e c6  |P...^Yr~a_.9#...|
    > 00000200  e9 d4 7f 59 ac 02 08 00  00 16 00 00 00 0e 00 00  |...Y............|
    > 00000210  00 00 00 04 10 00 00 00  00 00 00 00 00 00 00 00  |................|
    > 00000220  00 01 00 01 29 00 00 30  00 00 00 a1 cb 5b 03 9b  |....)..0.....[..|
    > 00000230  4a 10 62 0d ef 23 e1 04  fc 01 d5 51 94 ee cb 69  |J.b..#.....Q...i|
    > 00000240  ae 2e 85 2e 46 16 b1 f9  d9 04 6e bc e6 d1 a3 45  |....F.....n....E|
    > 00000250  16 97 b7 c6 91 d4 cf e7  2d f9 11 02 29 00 00 16  |........-...)...|
    > 00000260  00 00 00 05 00 04 00 01  00 61 11 00 00 00 00 00  |.........a......|
    > 00000270  00 00 00 00 00 00 00 01  00 03 03 00 00 01 00 00  |................|
    > 00000280  00 00                                             |..|
}

I have no idea what is this. Since the Digest of the next entry is reproducible by just hashing the Data, I guess this Data just was cut.

#                   : 18
PCR index           : 0
Event Type          : 17
Hash Algorithm      : 4
Digest              : F07DF548DCA6DC4286EF4CE0D6DB12F02EA03E06
Data                : ([]uint8) (len=32 cap=32) {
    > 00000000  49 6e 74 65 6c 43 53 78  45 49 6e 66 6f 45 76 65  |IntelCSxEInfoEve|
    > 00000010  6e 74 00 00 01 00 00 00  86 80 e0 a0 01 00 00 00  |nt..............|
}

And I have no idea what is this. But if we just hash Data we receive Digest.

#                   : 38
PCR index           : 0
Event Type          : 4
Hash Algorithm      : 4
Digest              : 9069CA78E7450A285173431B3E52C5C25299E473
Data                : ([]uint8) (len=4 cap=4) {
    > 00000000  00 00 00 00                                       |....|
}

Standard and well-known separator.

Total

Either we have other format of PCR0_DATA (or it not called "PCR0_DATA" anymore) or ACM_POLICY_STATUS is severely corrupted or our parsers work wrong (but they worked well for other firmwares).
I see no clear separation on PEI and DXE here. This is disturbing: for example, is DXE even measured at all?
I see no pointers for measurements which looks like PEI in both FIT and BPM, which is also concerning. Are these pointers hardcoded in a code (like ReportFvPei)?
I see two "ACPI DATA" measurements, are there any instruction how to get them?
I see two IntelCSxE events and I have no idea what is that. Is there any documentation on the topic?

xaionaro commented 2 years ago

OK, found some explanation for IntelCSxE in the Internet, but still cannot reproduce.

xaionaro commented 1 year ago

Started the investigation in this branch: https://github.com/9elements/converged-security-suite/tree/support/lenovo_x1_carbon_gen9

Added some tooling there. But got stuck on the very first measurement. PCR0_DATA does not match what it should.

Started a new branch: https://github.com/9elements/converged-security-suite/tree/feature/lenovo_x1_carbon_gen9

9elements / converged-security-suite

Reproduce PCR0: Lenovo X1 Carbon Gen9 test data #324

Total