okirch / pcr-oracle

Predict TPM PCR values for future boot
GNU General Public License v2.0

PCR1 mismatch on Dell Precision 5570 #16

Open lcp opened 1 year ago

lcp commented 1 year ago

There is another PCR mismatch in the laptop, and here is the event that causes it:

```
::: 06100: event type=EFI_VARIABLE_DRIVER_CONFIG pcr=1 digests=1 data=71 bytes
:::   --> EFI variable Setup-ec87d643-eba4-4bb5-a1e5-3f3e36b20da9: 29 bytes of data
:::   sha256     75fcc65085d44213ad1d54ede22099fb7e185888bf5e84cf14eafff069a4cde8
:::   Data:
:::         0000  43 d6 87 ec a4 eb b5 4b a1 e5 3f 3e 36 b2 0d a9 05 00 00 00 00 00 00 00 1d 00 00 00 00 00 00 00 C......K..?>6...................
:::         0020  53 00 65 00 74 00 75 00 70 00 00 00 01 01 02 01 00 01 01 00 01 01 00 00 00 01 01 01 01 01 00 00 S.e.t.u.p.......................
:::         0040  01 01 01 01 01 01 02                                                                            .......
:::   Firmware hashed entire event data
::: Read 3282 bytes from /sys/firmware/efi/efivars/Setup-ec87d643-eba4-4bb5-a1e5-3f3e36b20da9
:::   Remarshaled event for EFI variable Setup-ec87d643-eba4-4bb5-a1e5-3f3e36b20da9:
:::         0000  43 d6 87 ec a4 eb b5 4b a1 e5 3f 3e 36 b2 0d a9 05 00 00 00 00 00 00 00 ce 0c 00 00 00 00 00 00 C......K..?>6...................
:::         0020  53 00 65 00 74 00 75 00 70 00 40 01 00 01 01 00 00 00 00 00 02 01 20 00 00 01 06 01 00 01 01 00 S.e.t.u.p.@.....................
:::         0040  00 00 00 00 00 00 01 01 01 03 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 00 01 00 00 ................................
:::         0060  00 00 00 00 94 11 00 00 03 01 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ................................
:::         0080  00 00 00 00 00 00 00 00 01 20 40 00 00 00 00 00 03 4d 00 29 00 00 00 00 00 01 03 05 0b 0b 0b 0b ..........@......M.)............
:::         00a0  0b 03 08 08 08 08 08 00 00 0c 00 00 00 01 01 01 01 01 01 00 00 00 00 00 00 01 20 40 00 00 00 01 ...........................@....
...
:::         0ca0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................................
:::         0cc0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................................
:::         0ce0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                         ........................
::: Digest for EFI_VARIABLE_DRIVER_CONFIG changed
:::   Old digest: sha256: 75fcc65085d44213ad1d54ede22099fb7e185888bf5e84cf14eafff069a4cde8
:::   New digest: sha256: eb780e72a6f93f39e457225f9abc17a5582f300a72314b9751e33acee11c0acf
```

Setup-ec87d643-eba4-4bb5-a1e5-3f3e36b20da9 is not in the "Globally Defined Variables" in the UEFI spec, and the implementation varies among different platforms. For example, in the Minnowboard firmware it's "NV+BS":
https://github.com/tianocore/edk2-platforms/blob/master/Platform/Intel/Vlv2TbltDevicePkg/PlatformSetupDefaults.dsc#L10
But in WhitleyOpenBoard it's "NV+BS+RT":
https://github.com/tianocore/edk2-platforms/blob/master/Platform/Intel/WhitleyOpenBoardPkg/StructurePcd.dsc#L24
In general, it's a variable to reflect the system settings.

It seems to me that the firmware of the laptop doesn't count on "Setup" to record the system settings but adds the information gradually during the boot process. Thus, the content of "Setup" contains lots of additional information in Runtime.

I wonder if we should calculate PCR 1 and 3 only based on the data recorded in the TPM event log.
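To make the layout behind the dump above concrete, here is an added Python example (not pcr-oracle's own code) that parses the 71-byte EFI_VARIABLE_DATA event from the log, re-marshals it the way the firmware measured it, and shows why a runtime copy of the Setup variable that has grown since boot predicts a different PCR 1 digest; the 0x07 attribute header and the grown variable contents are constructed stand-ins.

```python
import hashlib
import struct
import uuid

# Constructed from the hex dump in this issue: the 71-byte EFI_VARIABLE_DATA
# payload of the EFI_VARIABLE_DRIVER_CONFIG event that was extended into PCR 1.
LOGGED_EVENT = bytes.fromhex(
    "43d687eca4ebb54ba1e53f3e36b20da9" "0500000000000000" "1d00000000000000"  # GUID, name len 5, data len 29
    "53006500740075007000" "00000101020100010100010100000001010101010000"    # "Setup" in UTF-16LE + data
    "01010101010102"                                                           # remaining data bytes
)
LOGGED_DIGEST = "75fcc65085d44213ad1d54ede22099fb7e185888bf5e84cf14eafff069a4cde8"

def parse_efi_variable_data(event: bytes):
    """Split an EFI_VARIABLE_DATA blob into (guid, name, data), rejecting inconsistent lengths."""
    if len(event) < 32:
        raise ValueError("event shorter than the fixed EFI_VARIABLE_DATA header")
    guid = uuid.UUID(bytes_le=event[:16])                      # VariableName GUID, mixed-endian on the wire
    name_len, data_len = struct.unpack_from("<QQ", event, 16)  # UnicodeNameLength, VariableDataLength
    name_end = 32 + 2 * name_len                               # UnicodeName is UTF-16LE, no terminator
    if len(event) != name_end + data_len:
        raise ValueError(f"length fields imply {name_end + data_len} bytes, event has {len(event)}")
    return guid, event[32:name_end].decode("utf-16-le"), event[name_end:]

def marshal_efi_variable_data(guid: uuid.UUID, name: str, data: bytes) -> bytes:
    """Rebuild the event as firmware measures it; a predictor must reproduce it byte for byte."""
    return guid.bytes_le + struct.pack("<QQ", len(name), len(data)) + name.encode("utf-16-le") + data

def event_digest(event: bytes) -> str:
    """SHA-256 over the whole event, the 'Firmware hashed entire event data' case from the log."""
    return hashlib.sha256(event).hexdigest()

def predict_from_efivars(guid: uuid.UUID, name: str, efivars_file: bytes) -> str:
    """Predict the digest from a runtime copy; efivarfs prepends 4 bytes of attributes to the data."""
    if len(efivars_file) < 4:
        raise ValueError("efivarfs file is shorter than its attribute header")
    return event_digest(marshal_efi_variable_data(guid, name, efivars_file[4:]))

# Constructed stand-in for a runtime Setup variable that has grown since boot:
# attributes NV+BS+RT (0x07) followed by data that no longer matches the log.
GROWN_EFIVARS_FILE = b"\x07\x00\x00\x00" + bytes([0x40, 0x01, 0x00, 0x01, 0x01]) + b"\x00" * 100

if __name__ == "__main__":
    guid, name, data = parse_efi_variable_data(LOGGED_EVENT)
    print(f"{name}-{guid}: {len(data)} data bytes, logged digest matches:",
          event_digest(LOGGED_EVENT) == LOGGED_DIGEST)
    print("digest predicted from grown runtime copy:", predict_from_efivars(guid, name, GROWN_EFIVARS_FILE))
```

Predicting from the event log's own data reproduces the recorded digest, while predicting from the runtime efivars copy does not, which is the mismatch the tool reports.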

okirch commented 1 year ago

I think PCR 1 is mostly useless when it comes to sealing storage against. PCR 1 is described as holding "BIOS configuration", and I would tend to ignore that. So yes, I agree with you.