On Thu, 2024-11-28 at 08:20 +0100, Jiri Slaby wrote:
> On 27. 11. 24, 17:24, James Bottomley wrote:
[...]
> > Well, it looks like you eliminated the TPM changes:
> >
> > https://bugzilla.suse.com/show_bug.cgi?id=1233752#c6
> >
> > So it must be something in the logging or event recording code.
> > The first thing to check is can you run a replay of the log to get
> > the end PCR values? The binary for that is
> >
> > tsseventextend -sim -v -if /sys/kernel/security/tpm0/binary_bios_measurements
>
> I put this into bbm (attached).
>
> > You'll have to check the values it gives against the values in
> >
> > /sys/class/tpm/tpm0/tpm-sha256
>
> I have only /sys/class/tpm/tpm0/pcr-sha256/.
> grep -H '.*' /sys/class/tpm/tpm0/pcr-sha256/*
> attached

Yes, sorry, typo as you figured out.

>
> With that:
>
> $ for aa in /sys/class/tpm/tpm0/pcr-sha256/*; do sha=`cat $aa`; echo === $sha; if [[ ! $sha =~ [F0]{64} ]]; then sha=$(echo $sha | sed 's@..@ &@g'); grep -i "$sha" bbm; fi; done
> > === 6C26A8BB35548545A189FFFC421134BE14D94B5E16DB91BA9628CBF67C69DDDA
> > PCR 00: 6c 26 a8 bb 35 54 85 45 a1 89 ff fc 42 11 34 be 14 d9 4b 5e 16 db 91 ba 96 28 cb f6 7c 69 dd da
> > === 9967D57B20DE03689395042372515F2B91A6ADAC4042B5E0139B44A21FB36F7D
> > PCR 01: 99 67 d5 7b 20 de 03 68 93 95 04 23 72 51 5f 2b 91 a6 ad ac 40 42 b5 e0 13 9b 44 a2 1f b3 6f 7d
> > === 002651E9DD78325EFFBC4AE276401522575216280406A0DDA2D41AE8CA2EE3DC
> > === 0000000000000000000000000000000000000000000000000000000000000000
> > === 76E6D50D860B4CBAF4552CBFD4A83309F6DD855040657531DA796A386318CEAA
> > === 0000000000000000000000000000000000000000000000000000000000000000
> > === 30EFACACDAC53DEA877ED268648596776B212A4FF556D9B7FF934BEC5702EDD8
> > PCR 14: 30 ef ac ac da c5 3d ea 87 7e d2 68 64 85 96 77 6b 21 2a 4f f5 56 d9 b7 ff 93 4b ec 57 02 ed d8
> > === 0000000000000000000000000000000000000000000000000000000000000000
> > === 0000000000000000000000000000000000000000000000000000000000000000
> > === FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > === FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > === FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > === C83EA442D306E65267328CC6DA4B539A8F7216C329E90E0AAE5527026E50637D
> > PCR 02: c8 3e a4 42 d3 06 e6 52 67 32 8c c6 da 4b 53 9a 8f 72 16 c3 29 e9 0e 0a ae 55 27 02 6e 50 63 7d
> > === FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > === FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > === FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > === 0000000000000000000000000000000000000000000000000000000000000000
> > === 3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
> > PCR 03: 3d 45 8c fe 55 cc 03 ea 1f 44 3f 15 62 be ec 8d f5 1c 75 e1 4a 9f cf 9a 72 34 a1 3f 19 8e 79 69
> > PCR 06: 3d 45 8c fe 55 cc 03 ea 1f 44 3f 15 62 be ec 8d f5 1c 75 e1 4a 9f cf 9a 72 34 a1 3f 19 8e 79 69
> > === 8C5ED4D1866768D7CDEC958584CA4FD9FA94D419EAE0BDEBB4284CF33A82CD9F
> > PCR 04: 8c 5e d4 d1 86 67 68 d7 cd ec 95 85 84 ca 4f d9 fa 94 d4 19 ea e0 bd eb b4 28 4c f3 3a 82 cd 9f
> > === 0AC36B8B8CBD577A01949D77146BAB421E7111A8530DECCB4AC6A4899BD22740
> > PCR 05: 0a c3 6b 8b 8c bd 57 7a 01 94 9d 77 14 6b ab 42 1e 71 11 a8 53 0d ec cb 4a c6 a4 89 9b d2 27 40
> > === 3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
> > PCR 03: 3d 45 8c fe 55 cc 03 ea 1f 44 3f 15 62 be ec 8d f5 1c 75 e1 4a 9f cf 9a 72 34 a1 3f 19 8e 79 69
> > PCR 06: 3d 45 8c fe 55 cc 03 ea 1f 44 3f 15 62 be ec 8d f5 1c 75 e1 4a 9f cf 9a 72 34 a1 3f 19 8e 79 69
> > === 6508BC9385D1E735BAC5C87D870962270D5134F4F49ECFFF01ECDC5B4EAD9A56
> > PCR 07: 65 08 bc 93 85 d1 e7 35 ba c5 c8 7d 87 09 62 27 0d 51 34 f4 f4 9e cf ff 01 ec dc 5b 4e ad 9a 56
> > === 0000000000000000000000000000000000000000000000000000000000000000
> > === F5A2E8762B524BE1CCAFE763672BC31627C326A1470A9DC351566F2413FDEFC2
> >
> > Probably also check sha1 to see if it matches.
>
> for aa in /sys/class/tpm/tpm0/pcr-sha1/*; do sha=`cat $aa`; echo === $sha; if [[ ! $sha =~ [F0]{32} ]]; then sha=$(echo $sha | sed 's@..@ &@g'); grep -i "$sha" bbm; fi; done
> > === A4399CFC6A5FD20EC6697913936CBEE35B8353C4
> > PCR 00: a4 39 9c fc 6a 5f d2 0e c6 69 79 13 93 6c be e3 5b 83 53 c4
> > === 24F81DFF31EE374162E759B0395247ADC7A6FFB8
> > PCR 01: 24 f8 1d ff 31 ee 37 41 62 e7 59 b0 39 52 47 ad c7 a6 ff b8
> > === 466B2B859CA97E60AEAADFD279A689E534D0CE7B
> > === 0000000000000000000000000000000000000000
> > === 485E52A350F34D1EF4263C1E2C99D22A771C4C01
> > === 0000000000000000000000000000000000000000
> > === 87F3655072D45EA768F02ADB16EF946D42620224
> > PCR 14: 87 f3 65 50 72 d4 5e a7 68 f0 2a db 16 ef 94 6d 42 62 02 24
> > === 0000000000000000000000000000000000000000
> > === 0000000000000000000000000000000000000000
> > === FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > === FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > === FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > === DCFFB00B36562803DDE211D6E07C2D7F123279E3
> > PCR 02: dc ff b0 0b 36 56 28 03 dd e2 11 d6 e0 7c 2d 7f 12 32 79 e3
> > === FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > === FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > === FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > === 0000000000000000000000000000000000000000
> > === B2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
> > PCR 03: b2 a8 3b 0e bf 2f 83 74 29 9a 5b 2b df c3 1e a9 55 ad 72 36
> > PCR 06: b2 a8 3b 0e bf 2f 83 74 29 9a 5b 2b df c3 1e a9 55 ad 72 36
> > === DCD4E77C33E164FCC8F3D566AE83840F8265E47D
> > PCR 04: dc d4 e7 7c 33 e1 64 fc c8 f3 d5 66 ae 83 84 0f 82 65 e4 7d
> > === 35871F5AFB0129A9535C35B6BF82A3DF075E124B
> > PCR 05: 35 87 1f 5a fb 01 29 a9 53 5c 35 b6 bf 82 a3 df 07 5e 12 4b
> > === B2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
> > PCR 03: b2 a8 3b 0e bf 2f 83 74 29 9a 5b 2b df c3 1e a9 55 ad 72 36
> > PCR 06: b2 a8 3b 0e bf 2f 83 74 29 9a 5b 2b df c3 1e a9 55 ad 72 36
> > === 16F5D0A8B980EC71DAFAD1E515554482747A4FCE
> > PCR 07: 16 f5 d0 a8 b9 80 ec 71 da fa d1 e5 15 55 44 82 74 7a 4f ce
> > === 0000000000000000000000000000000000000000
> > === 8482CFF5AE0D9217ABB8BB82EAC487136DAFFC96
>
> I have no idea if this tells you anything :).

Yes, it tells me the entries in the log for PCR0-7,14 match the log entries (for both sha1 and sha256). However there are entries for PCR9,12 which don't match.

The log shows shim starting at entry 32, grub starting at entry 37 and the kernel loading at entry 39, the kernel command line logged at 40 to PCR 12, which is mismatching. The next two entries (41,42) are for the mismatching PCR9 and are of the initrd and the options and come from the libstub code in the kernel early boot (efi-stub-helper.c). This code was last updated in 6.9, so it seems unlikely to have suddenly caused a problem. Event 43,44 are exit boot services (logged to PCR 5 which matches).

Line 40 is anomalous: grub is supposed to measure the options to the string PCR which should be 8 not 12 ... did you patch grub to change this?

The log can't be corrupt because PCR8 is zero, so nothing got logged to it.

And do you have the same thing for a working system?

Regards,

James
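
The replay-and-compare check discussed in this thread, as an added example that is not part of the original messages or of any tool named in them: it replays a list of logged digests with the PCR extend rule and classifies each PCR read from the TPM as matching the log, mismatching it, still at a reset value, or extended with no log entries. The function names, the `(pcr_index, digest_hex)` input shape and all sample digests are constructed for illustration; the replay assumes an all-zero starting value.

```python
import hashlib

def extend(pcr: bytes, digest: bytes, alg: str) -> bytes:
    # TPM extend rule: new PCR value = H(old PCR value || event digest)
    return hashlib.new(alg, pcr + digest).digest()

def replay(events, alg="sha256"):
    """Replay (pcr_index, digest_hex) events; return {pcr_index: final_hex}."""
    size = hashlib.new(alg).digest_size
    pcrs = {}
    for idx, digest_hex in events:
        digest = bytes.fromhex(digest_hex)
        if len(digest) != size:
            raise ValueError(f"event for PCR {idx}: not a {alg} digest")
        # Assumption: every replayed PCR starts at all zeros
        pcrs[idx] = extend(pcrs.get(idx, bytes(size)), digest, alg)
    return {idx: value.hex() for idx, value in pcrs.items()}

def classify(replayed, actual, alg="sha256"):
    """Compare replayed values with the values read from the TPM."""
    size = hashlib.new(alg).digest_size
    reset_values = {"00" * size, "ff" * size}
    verdict = {}
    for idx, value in sorted(actual.items()):
        value = value.strip().lower()
        if idx in replayed:
            verdict[idx] = "match" if replayed[idx] == value else "mismatch"
        elif value in reset_values:
            verdict[idx] = "untouched"       # nothing logged, nothing extended
        else:
            verdict[idx] = "no log entries"  # extended, but the log is silent
    return verdict

def demo():
    # Constructed sample log; the digests are hashes of placeholder strings
    h = lambda data: hashlib.sha256(data).hexdigest()
    log = [(0, h(b"firmware")), (4, h(b"bootloader")), (9, h(b"initrd"))]
    actual = replay(log)
    # Simulate one extend into PCR 9 that never reached the log
    extra = hashlib.sha256(b"unlogged").digest()
    actual[9] = extend(bytes.fromhex(actual[9]), extra, "sha256").hex()
    actual[8] = "00" * 32                    # never extended
    actual[17] = "FF" * 32                   # reads back as all ones
    actual[10] = h(b"measured elsewhere")    # extended outside this log
    return classify(replay(log), actual)

if __name__ == "__main__":
    for pcr, state in demo().items():
        print(f"PCR {pcr:02d}: {state}")
```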