When looking at TPM EventLog it looks like we have some useful information in there. Here I just automate things I usually do when I try to blindly guess what the measurements (in TPM EventLog) mean.
Before
$ go run ./cmd/pcr0tool/ sum -compare-with-eventlog ~/pcr0tool-cases/case0/tpm_eventlog -registers ~/pcr0tool-cases/case0/registers.json ~/pcr0tool-cases/case0/firmware.fd
[...]
comparing with TPM EventLog result:
match: false
updated ACM Policy Status: <nil>
err: <nil>
issues: [extra entry in EventLog of type 8 (0x8) on evIdx==1 extra entry in EventLog of type 2147483658 (0x8000000A) on evIdx==2 PCR0_DATA measurement does not match the digest reported in EventLog and unable to brute force a possible bitflip: 62F28D9962FDD86F1B79252C3362DC3B66876202 != 87560D314D6332C2A1521F405C2C00F9599B69F9]
After
$ go run ./cmd/pcr0tool/ sum -compare-with-eventlog ~/pcr0tool-cases/case0/tpm_eventlog -registers ~/pcr0tool-cases/case0/registers.json ~/pcr0tool-cases/case0/firmware.fd
[...]
comparing with TPM EventLog result:
match: false
updated ACM Policy Status: <nil>
err: <nil>
issues:
* unexpected entry in EventLog of type EV_S_CRTM_VERSION (0x8) on evIdx==1; log entry analysis: reproduced the digest using measurement: {{"ForceData": "0x052B10A7C7D9654181402ADDE94AF63C"}}
* unexpected entry in EventLog of type EV_EFI_PLATFORM_FIRMWARE_BLOB2 (0x8000000A) on evIdx==2; log entry analysis: reproduced the digest using measurement: {{"Range": {"Offset":"0xac0000", "Length":"0x70000"}}}; related UEFI nodes: [bios_region volume:14E428FA-1A12-4875-B637-8B3CC87FDF07 file:968C1D9F-80C4-43B7-8CAE-668AA56C4E71 file:01FB5D53-4FF9-4AD9-ADF5-7DC63659A1B2 file:BDAD7D1A-4C48-4C75-B5BC-D002D17F6397 file:7ECD9C20-68B9-4A6F-B515-D64FF500B109 file:DACF705C-71DF-497D-AABE-10186B2E1DDE file:9B3F28D5-10A6-46C8-BA72-BD40B847A71A file:961C19BE-D1AC-4BA7-87AF-4AE0F09DF2A6 file:34989D8E-930A-4A95-AB04-2E6CFDFF6631 file:0D8039FF-49E9-4CC9-A806-BB7C31B0BCB0 file:6B844C5B-6B75-42CA-8E8E-1CB94412B59B file:1C8B7F78-1699-40E6-AF33-9B995D16B043 file:89E549B0-7CFE-449D-9BA3-10D8B2312D71 file:39E8CA1A-7A69-4A73-834A-D06381933286 file:D9DDCFF2-215A-480A-AA63-1DF1F5EDBC01 file:8ED25ADD-7C2D-4326-9186-85CCF74C79F6 file:9525E7F7-93CE-4094-B42A-F0DF7E2CF951]
* unexpected entry in EventLog of type EV_EFI_PLATFORM_FIRMWARE_BLOB2 (0x8000000A) on evIdx==3; log entry analysis: reproduced the digest using measurement: {{"Range": {"Offset":"0x9bf000", "Length":"0x40000"}}}; related UEFI nodes: [bios_region volume:013B9639-D6D5-410F-B7A9-F9173C56ECDA file:0EC4EC45-128B-4B1A-82B5-17BB9344E94B]
* missing entry (for measurement 'PCR0_DATA') in EventLog (expected event types are: 7 (0x7))
Specifically nice to see this stuff:
reproduced the digest using measurement: {{"ForceData": "0x052B10A7C7D9654181402ADDE94AF63C"}}
reproduced the digest using measurement: {{"Range": {"Offset":"0xac0000", "Length":"0x70000"}}}
When looking at TPM EventLog it looks like we have some useful information in there. Here I just automate things I usually do when I try to blindly guess what the measurements (in TPM EventLog) mean.
Before
After
Specifically nice to see this stuff:
reproduced the digest using measurement: {{"ForceData": "0x052B10A7C7D9654181402ADDE94AF63C"}}reproduced the digest using measurement: {{"Range": {"Offset":"0xac0000", "Length":"0x70000"}}}Indeed:
(which matches the Digest in the EventLog entry)
and
This is the entries in from the Log: