If I understand correctly, you either need tboot, trustedgrub or
similar to get kernel measurements. Traditional Linux boot does not
If I misunderstood something or is referencing outdated information,
please correct me :)
PCR 0-7 are for low level (UEFI etc)
PCR 8 and up are for higher level parts like kernel.
OpenXT which is based upon tboot (Intel TXT) recommends focusing on
PCR0, PCR1, PCR2, PCR3, PCR17, PCR18, PCR19.
TrustedGrub I am not so familiar with, but here's a thread about their
If your processor support TXT, tboot is available from Ubuntu using
sudo apt install tboot. On a client device, tboot also requires the
correct ACM to be installed in order to complete measurements (on a
server, ACM might be provided in the BIOS)
I haven't gotten SecureBoot working with TrustedBoot. To my
understanding, Ubuntu and Intel lacks a complete chain Secure Boot
chain for tboot.
tboot provides a utility for reviewing the tboot startup after Linux
has completed booting.
On Thu, Aug 2, 2018 at 4:07 AM Arvind Kumar <arvind.kumar(a)iotium.io> wrote:
I have a hardware with TPM 2.0 on which I have installed ubuntu in UEFI mode. I need to
trigger UEFI to measure the boot components (uefi/shim/boot loader, kernel, initrd) into
respective PCRs. For which, I have following questions.
a. As soon as the TPM 2.0 is enabled from BIOS and device is booted, does UEFI start
the measurements and record them into PCRS by default or there is some config to tell UEFI
to start measurements ?
b. Should secure boot be enabled in order to trigger the UEFI to start above measurements
c. I enabled TPM 2.0 and installed ubuntu in UEFI mode, and I can see that PCR 0 to 7 are
populated with some values and all other PCRs are zeros. Are these boot measurements
correct, how can I verify ?
d. Is there any logs on TPM 2.0 or UEFI that I can refer to ?
Any help is appreciated.
tpm2 mailing list