Re: Disparity in tpm pcr5 value

On Thu May 07 20, Mimi Zohar wrote:
On Thu, 2020-05-07 at 00:35 -0700, Jerry Snitselaar wrote:
On Wed May 06 20, Ken Goldman wrote:
>On 5/5/2020 6:27 PM, Jerry Snitselaar wrote:
>>On some systems we've had reports that the value of pcr5 doesn't match
>>the digests in the tpm event log.
>>It looks like I'm able to reproduce here with 5.7-rc4 on a dell
>>system using this parser:
>>
>>https://github.com/ValdikSS/binary_bios_measurements_parser
>>
>>Any thoughts on where to start digging? Is there another tool I
>>should use to parse this?
>
>If you email me the event log in binary, I can run it through the IBM
>calculator and see if I get the same error.
>
>

A couple other data points:

- On the Dell system where I did this if I change it in the bios to use sha256
   instead of sha1, then using tsseventextend to parse matches the value in the tpm.
   In the sha256 case there is a final events log.

- I have a nuc5 here, which also extends into sha1, and the parse matches there.

- Javier has also reproduced it when passing through swtpm to a vm.

- I added some debugging code, and there is nothing extending pcr5 with tpm_pcr_extend.

- Ken's parse of the log also shows the disparity, which I've now done as well with
   the tpm1.2 version of the tsseventextend tool.

Thanks, Jerry.  You've eliminated the kernel extending into the PCR.
For SHA256, the event log has to be TPM 2.0 format.  I've seen TPM
2.0's for SHA1 use the TPM 1.2 event log format.  When using SHA1, is
it a TPM 1.2 or 2.0 event log format?

Mimi


It is the 1.2 event log format.
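
The comparison discussed in this thread (replaying a TPM 1.2 format, SHA-1 event log and checking the result against the PCR values read from the TPM), as an added example that is not part of the original messages or of any tool named in them. It assumes the TCG 1.2 record layout (little-endian pcrIndex, eventType, 20-byte digest, eventSize, then the event data) and PCRs that start at all zeros; the function names and the sample log are constructed for illustration.

```python
import hashlib
import struct

# TCG 1.2 event record header: pcrIndex, eventType, SHA-1 digest, eventSize
HEADER = struct.Struct("<II20sI")

def parse_events(log: bytes):
    """Yield (pcr_index, event_type, digest, data) for each record in the log."""
    off = 0
    while off + HEADER.size <= len(log):
        pcr, etype, digest, size = HEADER.unpack_from(log, off)
        off += HEADER.size
        if off + size > len(log):
            raise ValueError(f"event at offset {off - HEADER.size} is truncated")
        yield pcr, etype, digest, log[off:off + size]
        off += size

def replay(log: bytes) -> dict:
    """Recompute each PCR from the log: new = SHA1(old || event digest)."""
    pcrs = {}
    for pcr, _etype, digest, _data in parse_events(log):
        pcrs[pcr] = hashlib.sha1(pcrs.get(pcr, bytes(20)) + digest).digest()
    return pcrs

def mismatches(log: bytes, tpm_values: dict) -> list:
    """Return the PCR indexes whose TPM value differs from the replayed log."""
    expected = replay(log)
    return sorted(i for i, v in tpm_values.items() if expected.get(i, bytes(20)) != v)

def make_event(pcr: int, etype: int, data: bytes) -> bytes:
    """Build one constructed log record whose digest is SHA1(data)."""
    return HEADER.pack(pcr, etype, hashlib.sha1(data).digest(), len(data)) + data

# Constructed sample log (not taken from any real system): one PCR 4 and two PCR 5 events
SAMPLE_LOG = b"".join([
    make_event(4, 0x0D, b"boot loader"),
    make_event(5, 0x05, b"partition table"),
    make_event(5, 0x05, b"boot config"),
])
# Constructed "TPM" values: PCR 5 received one extend that the log never recorded
SAMPLE_TPM = dict(replay(SAMPLE_LOG))
SAMPLE_TPM[5] = hashlib.sha1(SAMPLE_TPM[5] + hashlib.sha1(b"unlogged").digest()).digest()

if __name__ == "__main__":
    for idx in mismatches(SAMPLE_LOG, SAMPLE_TPM):
        print(f"PCR {idx}: log replay {replay(SAMPLE_LOG)[idx].hex()} != TPM {SAMPLE_TPM[idx].hex()}")
```
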



