PCR0 from tpm2_eventlog reconstruction and tpm2_pcrread is not in sync

[hairongchen]

• ENV: uname -a Linux dev 5.19.0-38-generic #39~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 17 21:16:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux root@dev:~# cat /etc/lsb-release DISTRIB_ID=Ubuntu DISTRIB_RELEASE=22.04 DISTRIB_CODENAME=jammy DISTRIB_DESCRIPTION="Ubuntu 22.04.2 LTS"

• Tools apt-get install libtss2-dev tpm2-tools tpm2-abrmd libtss2-esys-3.0.2-0

• result from tpm2_pcrread sha1: sha256: 0 : 0xB0D493459184236DADF51D4DBF4769F943B0D4364F87ACDFB097D548CD9B87C0 1 : 0x8C0C8C1443D860B479E7CFBF42CDE85B986E4246E94D79081FC9A082A349500D 2 : 0xCD358F93E85D6F951A94F94CBC92F62261CFC6B5C1DCE9394835FB3B9DBF0079 3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 4 : 0x269593C7F7B58605D251EE80B2B2640B8A48E6E90176AE78B09797DF34FA2717 5 : 0xB52A399392B949AD53AD34C51014DFED4BA848022E47B85BBE592151E296FBF4 6 : 0x35330F15D00EAB64B106A410C877CE36938A6D155D4B0F31BC9120220818A38E 7 : 0x6492D93B6D2ACA03973EAE023F57E1B840734130363F411CE5AD8F8CDA5A328E 8 : 0x9D11C53C98D29201AAC0EF7E599B1A629C6A2FC3E8F1E880C69574724DF0DF17 9 : 0x4B4F39CEF208081E246B3A1C3ACAA31B8EC0E60BF9BD2AD8DDFB9BC2B1FDE28D 10: 0x3197092C9B41DEEEC0C0047ED61BAFF525B2021DB93D82F785547BE490DC4665 11: 0x0000000000000000000000000000000000000000000000000000000000000000 12: 0x0000000000000000000000000000000000000000000000000000000000000000 13: 0x0000000000000000000000000000000000000000000000000000000000000000 14: 0x306F9D8B94F17D93DC6E7CF8F5C79D652EB4C6C4D13DE2DDDC24AF416E13ECAF 15: 0x0000000000000000000000000000000000000000000000000000000000000000 16: 0x0000000000000000000000000000000000000000000000000000000000000000 17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 23: 0x0000000000000000000000000000000000000000000000000000000000000000 sha384:

• result from tpm2_eventlog tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements

version: 1 events:

• EventNum: 0 PCRIndex: 0 EventType: EV_NO_ACTION Digest: "0000000000000000000000000000000000000000" EventSize: 33 SpecID:

  • Signature: Spec ID Event03 platformClass: 0 specVersionMinor: 0 specVersionMajor: 2 specErrata: 0 uintnSize: 2 numberOfAlgorithms: 1 Algorithms:
  • Algorithm[0]: algorithmId: sha256 digestSize: 32 vendorInfoSize: 0 ... ...

• EventNum: 136 PCRIndex: 5 EventType: EV_EFI_ACTION DigestCount: 1 Digests:

  • AlgorithmId: sha256 Digest: "b54f7542cbd872a81a9d9dea839b2b8d747c7ebd5ea6615c40f42f44a6dbeba0" EventSize: 40 Event: |- Exit Boot Services Returned with Success pcrs: sha256: 0 : 0x36de6a245dba31a65bb044f92cffe77a0edb1b69d70842afe4c5aac65820a800 1 : 0x8c0c8c1443d860b479e7cfbf42cde85b986e4246e94d79081fc9a082a349500d 2 : 0xcd358f93e85d6f951a94f94cbc92f62261cfc6b5c1dce9394835fb3b9dbf0079 3 : 0x3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969 4 : 0x269593c7f7b58605d251ee80b2b2640b8a48e6e90176ae78b09797df34fa2717 5 : 0xb52a399392b949ad53ad34c51014dfed4ba848022e47b85bbe592151e296fbf4 6 : 0x35330f15d00eab64b106a410c877ce36938a6d155d4b0f31bc9120220818a38e 7 : 0x6492d93b6d2aca03973eae023f57e1b840734130363f411ce5ad8f8cda5a328e 8 : 0x9d11c53c98d29201aac0ef7e599b1a629c6a2fc3e8f1e880c69574724df0df17 9 : 0x4b4f39cef208081e246b3a1c3acaa31b8ec0e60bf9bd2ad8ddfb9bc2b1fde28d 14 : 0x306f9d8b94f17d93dc6e7cf8f5c79d652eb4c6c4d13de2dddc24af416e13ecaf

• fwupdmgr security --force

Host Security ID: HSI:1! (v1.7.9)

HSI-1 ✔ CSME manufacturing mode: Locked ✔ CSME override: Locked ✔ CSME v0:15.0.21.1549: Valid ✔ Intel DCI debugger: Disabled ✔ SPI BIOS region: Locked ✔ SPI lock: Enabled ✔ SPI write: Disabled ✔ TPM empty PCRs: Valid ✔ TPM v2.0: Found ✔ UEFI platform key: Valid

HSI-2 ✔ Intel BootGuard: Enabled ✔ Intel BootGuard ACM protected: Valid ✔ Intel BootGuard OTP fuse: Valid ✔ Intel BootGuard verified boot: Valid ✔ Intel DCI debugger: Locked ✔ TPM PCR0 reconstruction: Valid ✘ IOMMU: Not found

HSI-3 ✔ Intel BootGuard error policy: Valid ✔ Pre-boot DMA protection: Enabled ✘ Intel CET Enabled: Not supported ✘ Suspend-to-idle: Disabled ✘ Suspend-to-ram: Enabled

HSI-4 ✔ Intel SMAP: Enabled ✘ Encrypted RAM: Not supported

Runtime Suffix -! ✔ Linux kernel: Untainted ✔ Linux kernel lockdown: Enabled ✔ fwupd plugins: Untainted ✘ Linux swap: Unencrypted

This system has HSI runtime issues. » https://github.com/fwupd/fwupd/wiki/Host-security-ID-runtime-issues

[JuergenReppSIT]

@hairongchen Could you please check whether there are more EV_NO_ACTION_EVENTS in the log: tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements | grep NO_ACTION There is a fix #3230 if beside the first specid event there are more EV_NO_ACTION events which should not be extended to PCR0.

[hairongchen]

Hi, there are two of them in the beginning of the result: tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements | grep NO_ACTION EventType: EV_NO_ACTION EventType: EV_NO_ACTION

---

version: 1 events:

• EventNum: 0 PCRIndex: 0 EventType: EV_NO_ACTION Digest: "0000000000000000000000000000000000000000" EventSize: 33 SpecID:
  • Signature: Spec ID Event03 platformClass: 0 specVersionMinor: 0 specVersionMajor: 2 specErrata: 0 uintnSize: 2 numberOfAlgorithms: 1 Algorithms:
  • Algorithm[0]: algorithmId: sha256 digestSize: 32 vendorInfoSize: 0
• EventNum: 1 PCRIndex: 0 EventType: EV_NO_ACTION DigestCount: 1 Digests:
  • AlgorithmId: sha256 Digest: "0000000000000000000000000000000000000000000000000000000000000000" EventSize: 17 Event: "537461727475704c6f63616c6974790003"
• EventNum: 2 PCRIndex: 0 EventType: EV_S_CRTM_CONTENTS DigestCount: 1 Digests:
  • AlgorithmId: sha256 Digest: "398a3cc6711bae8a7cd16f12d8893dbb6afa30852cf87ddeba868c083c11bff3" EventSize: 27 Event: BlobBase: 0x61754720746f6f42 BlobLength: 0x757361654d206472

[JuergenReppSIT]

@hairongchen Thank you for the information. That explains the out of syn. If you could compile and install the current master the error should not occur.

[hairongchen]

@hairongchen Thank you for the information. That explains the out of syn. If you could compile and install the current master the error should not occur.

The fix would work, Thanks!