Open saravanj24 opened 1 year ago
When you boot to Linux there should be a file under /sys/kernel/security/tpm0/binary_bios_measurements. You can parse this using tpm2-tools like this: sudo tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements, which will give you a log of all entries recorded into the PCRs during boot. If you cross-reference this with a TPM quote you can verify the measured boot.
Keep in mind that a Raspberry Pi does not have a core root of trust for measurement (CRTM) that initializes the measurements so PCR values can never fully be trusted.
It is normal behavior for the PCRs to reset after a reboot; they will only hold the values of the most recent boot.
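The cross-reference described in the reply above, as an added example that is not part of the original thread: replay the digests from a parsed event log and compare the result with the PCR digest carried in a quote. The function names and sample data are hypothetical; it assumes the SHA-256 bank, PCRs that start as all zeros, a quote digest computed with SHA-256, and a quote whose signature and nonce have already been verified separately.

```python
import hashlib

PCR_SIZE = 32  # assumption: SHA-256 bank, PCR starts as all zeros after reset


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new PCR = SHA-256(old PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(events):
    """Replay (pcr_index, digest) log entries; return {index: final PCR value}."""
    pcrs = {}
    for index, digest in events:
        if len(digest) != PCR_SIZE:
            raise ValueError(f"PCR {index}: digest is not {PCR_SIZE} bytes")
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs


def pcr_digest(pcrs, selection):
    """Digest a quote carries: SHA-256 over selected PCR values in index order."""
    return hashlib.sha256(
        b"".join(pcrs.get(i, bytes(PCR_SIZE)) for i in sorted(selection))
    ).digest()


def log_matches_quote(events, selection, quoted_digest):
    """True if the replayed log reproduces the digest from a verified quote."""
    return pcr_digest(replay(events), selection) == quoted_digest


def measure(data: bytes) -> bytes:
    """Digest of a boot component, as it would be passed to PCR extend."""
    return hashlib.sha256(data).digest()


# Constructed sample: made-up boot components, in measurement order.
SAMPLE_LOG = [
    (8, measure(b"constructed bootloader image")),
    (8, measure(b"constructed kernel image")),
    (9, measure(b"constructed kernel command line")),
]
# Stand-in for the digest taken from a quote (derived here from the same log).
SAMPLE_QUOTED = pcr_digest(replay(SAMPLE_LOG), [8, 9])

if __name__ == "__main__":
    print("log matches quote:", log_matches_quote(SAMPLE_LOG, [8, 9], SAMPLE_QUOTED))
    tampered = [SAMPLE_LOG[0], (8, measure(b"modified kernel")), SAMPLE_LOG[2]]
    print("tampered matches:", log_matches_quote(tampered, [8, 9], SAMPLE_QUOTED))
```

The individual digests cannot be read back out of a PCR value, which is why the replay needs the event log as its input.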
Hi, we have written the hash value to a PCR index using the PCR extend command. On power-on reset, the default value is updated automatically. We are planning to check the measured boot concept using a TPM with a Raspberry Pi. Is it possible to retrieve the hash we passed to the PCR extend command? Could you please help with how to verify the measured boot?
Thanks, saravanan