Open lcp opened 9 months ago
This week I spent a lot of time debugging an issue where the EFI binary measured is the one pointed to in the event log, instead of a new one that is stored in a different place (new kernel).
I realized that the best tool to diagnose the issue is to collect the PCR extended in order to calculate the policy hash (https://github.com/okirch/pcr-oracle/pull/47).
In my PR this is a matter of adding one single debug output, but this requires it to be collected later from the debug output.
When investigating the TPM unsealing failure, it'd be easier to identify the issue by comparing the predicted event log and the current event log. With '--create-testcase', the system status is snapshotted and '--replay-testcase' can reconstruct the events to be predicted.
This commit adds a new option, --compare-current, to compare the current TPM event log with the predicted events. It goes through the specified PCR indices in both the current event log and the predicted events to identify the first different event.
The sample output:
By comparing the predicted events and the actual events, it shows that there are unexpected events in PCR 4 and PCR 7. Both the predicted and actual PCR 4 events point to the same EFI application, grub.efi, but with different digests, so the change of grub.efi is detected. As for the PCR 7 events, the difference in the 'Data' section indicates that Secure Boot was enabled later.
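The comparison the commit describes (walk each PCR's events in both logs in order and stop at the first difference), written as an added Python example rather than pcr-oracle's own C code. The event entries and their digests are constructed placeholders, not real measurements; the SHA-256 replay of each PCR shows why one differing event changes the value the sealing policy is computed from.

```python
import hashlib


def _d(s):
    """Placeholder digest: SHA-256 of a label string, so the sample is reproducible."""
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed sample logs: (pcr, event type, digest, event data).
# PCR 4: grub.efi was rewritten (same path, different digest).
# PCR 7: Secure Boot was enabled after the prediction was taken (different data).
PREDICTED = [
    {"pcr": 4, "type": "EV_EFI_BOOT_SERVICES_APPLICATION", "digest": _d("grub.efi-v1"), "data": "\\EFI\\grub.efi"},
    {"pcr": 7, "type": "EV_EFI_VARIABLE_DRIVER_CONFIG", "digest": _d("SecureBoot=0"), "data": "SecureBoot: 0"},
    {"pcr": 4, "type": "EV_EFI_BOOT_SERVICES_APPLICATION", "digest": _d("vmlinuz-v1"), "data": "\\EFI\\vmlinuz"},
]
ACTUAL = [
    {"pcr": 4, "type": "EV_EFI_BOOT_SERVICES_APPLICATION", "digest": _d("grub.efi-v2"), "data": "\\EFI\\grub.efi"},
    {"pcr": 7, "type": "EV_EFI_VARIABLE_DRIVER_CONFIG", "digest": _d("SecureBoot=1"), "data": "SecureBoot: 1"},
    {"pcr": 4, "type": "EV_EFI_BOOT_SERVICES_APPLICATION", "digest": _d("vmlinuz-v1"), "data": "\\EFI\\vmlinuz"},
]


def replay_pcr(events, pcr):
    """Replay the SHA-256 bank of one PCR: start at zeros, extend with each event digest in order."""
    value = bytes(32)
    for ev in events:
        if ev["pcr"] == pcr:
            value = hashlib.sha256(value + bytes.fromhex(ev["digest"])).digest()
    return value.hex()


def first_difference(predicted, actual, pcrs):
    """For each PCR index, pair up the events of both logs and report the first one that differs."""
    report = {}
    for pcr in pcrs:
        pred = [e for e in predicted if e["pcr"] == pcr]
        act = [e for e in actual if e["pcr"] == pcr]
        for i, (p, a) in enumerate(zip(pred, act)):
            if (p["type"], p["digest"], p["data"]) != (a["type"], a["digest"], a["data"]):
                # Same data with a different digest: the measured object itself changed.
                # Different data: the measured configuration (e.g. a UEFI variable) changed.
                reason = "digest" if p["data"] == a["data"] else "data"
                report[pcr] = {"index": i, "reason": reason, "predicted": p, "actual": a}
                break
        else:
            n = min(len(pred), len(act))
            if len(pred) != len(act):  # one log has extra events at the tail
                report[pcr] = {"index": n, "reason": "length", "predicted": pred[n:], "actual": act[n:]}
            else:
                report[pcr] = None  # no difference in this PCR
    return report
```

Running first_difference(PREDICTED, ACTUAL, [4, 7]) flags PCR 4 at event 0 with reason "digest" and PCR 7 at event 0 with reason "data", and replay_pcr gives different PCR 4 values for the two logs.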