Bug 1730785 - Missing TPM Event Log entry for initramfs measurement
Summary: Missing TPM Event Log entry for initramfs measurement
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: grub2
Version: 31
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: IoT
Reported: 2019-07-17 15:37 UTC by nicolasoliver03
Modified: 2020-01-31 15:39 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-31 15:39:56 UTC
Type: Bug
Embargoed:



Description nicolasoliver03 2019-07-17 15:37:01 UTC
Description of problem:
Originally reported in https://github.com/rhboot/grub2/issues/55

Grub2 is not writing a log entry for the measurement of the loaded initramfs in the TPM Event Log.
Grub2 uses the TPM 2.0 PCR banks to record measurements (hashes) of the components and configurations loaded during boot. In a simplified summary, it measures:

* All the configuration lines read by grub in PCR-8
* The kernel and initramfs loaded in PCR-9

In addition to the measurements recorded in the TPM PCRs, grub2 also writes the measurement events in the TPM Event Log.

The objective of this log (present in /sys/kernel/security/tpm0/binary_bios_measurements in binary format) is to provide additional information about
the components being measured in the different TPM PCR banks, starting at platform reset and until the kernel and initramfs are loaded.

An additional usage of the TPM Event Log is in the remote attestation scenario, where a remote party can receive a TPM Event Log from a host,
and use it to reproduce the final values expected in the TPM PCRs. This can be achieved with the iml2text tool, present in the openpts package.

The following command should output the TPM Event Log in a human readable format, including the aggregated PCRs calculated from the same log:

sudo iml2text -i /sys/kernel/security/tpm0/binary_bios_measurements -P
Now, the problem is that the PCR-9 reconstructed from the TPM Event Log never matches the actual PCR-9 value taken from the TPM (i.e. with the tpm2_pcrlist tool).
If we inspect the events reported by iml2text for PCR-9, we can only see a single event:

iml2text -i binary_bios_measurements -p 9

# OUTPUT:
#        Idx PCR       Type    Digest                                EventData
#       -----------------------------------------------------------------------
#         77   9 0x0000000d a3d2744ea1acb343f49fe2a6441c0b057a0ac64c [Unknown Event:size=21]

The digest of the event corresponds with the loaded kernel.
But, the PCR-9 from the quote has a different value. As a test, you could take a digest of the loaded initramfs, and extend it in the value reported by
iml2text in the PCR-9, and the result will be the same as the PCR-9 reported by the TPM.

So, grub2 is measuring the loaded initramfs in the TPM PCR-9, but it is not recording an event for it in the TPM Event Log.
This causes any remote attestation process to always fail on the PCR-9 value.

The function that writes the TPM Event Log in the grub2 codebase is grub_tpm2_log_event. Maybe the problem is in that area.

Version-Release number of selected component (if applicable):

Fedora release 29 (Twenty Nine)
grub2-install (GRUB) 2.03
Linux Kernel 5.0.16

How reproducible:
By inspecting the TPM Event Log in /sys/kernel/security/tpm0/binary_bios_measurements

Steps to Reproduce:
1. sudo cp /sys/kernel/security/tpm0/binary_bios_measurements .
2. sudo iml2text -i binary_bios_measurements -p 9 -P ### This will output the calculated PCR-9 value from the TPM Event Log
3. sudo tpm2_pcrlist --sel-list sha1:9 ### This will output the actual PCR-9 value taken from the TPM itself

Actual results:

The values taken in step 2 and 3 do not match

Expected results:

The values taken in step 2 and 3 should match

Additional info:

Tested in a Fedora Workstation with Kernel 5.0.16 and grub 2.03, the issue is reproducible. 
Tested in a Fedora Server with Kernel 5.1.17 and grub 2.03, the issue seems to be solved.
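
The test described in the report (replay the event log digests into PCR-9, then extend the result with the initramfs digest and compare against the TPM's PCR-9) as an added Python example that is not part of the bug report or of grub2/openpts. It assumes the legacy SHA-1-only binary_bios_measurements entry layout that iml2text parses (u32 pcrIndex, u32 eventType, 20-byte digest, u32 eventSize, eventData); the kernel and initramfs bytes and the event data are constructed stand-ins.

```python
import hashlib
import struct

# Constructed sample data (not from the bug): stand-ins for the kernel and
# initramfs files that grub2 measures into PCR-9.
KERNEL = b"vmlinuz-constructed-sample"
INITRAMFS = b"initramfs-constructed-sample"
EV_IPL = 0x0000000D  # event type shown in the iml2text output above

def sha1(data):
    return hashlib.sha1(data).digest()

def pack_event(pcr, ev_type, digest, data):
    # Legacy SHA-1 binary_bios_measurements entry (assumed layout):
    #   u32 pcrIndex | u32 eventType | 20-byte digest | u32 eventSize | eventData
    return struct.pack("<II", pcr, ev_type) + digest + struct.pack("<I", len(data)) + data

def parse_log(blob):
    """Parse the legacy SHA-1 log into (pcr, event_type, digest, data) tuples."""
    events, off = [], 0
    while off < len(blob):
        if off + 32 > len(blob):
            raise ValueError("truncated event header at offset %d" % off)
        pcr, ev_type = struct.unpack_from("<II", blob, off)
        digest = blob[off + 8:off + 28]
        (size,) = struct.unpack_from("<I", blob, off + 28)
        data = blob[off + 32:off + 32 + size]
        if len(data) != size:
            raise ValueError("truncated event data at offset %d" % off)
        events.append((pcr, ev_type, digest, data))
        off += 32 + size
    return events

def replay(events, n_pcrs=24):
    """Recompute every PCR from the log: PCR = SHA1(PCR || digest) per event."""
    pcrs = [bytes(20)] * n_pcrs
    for pcr, _ev_type, digest, _data in events:
        pcrs[pcr] = sha1(pcrs[pcr] + digest)
    return pcrs

def explain_pcr9_gap(log_pcr9, tpm_pcr9, initramfs_digest):
    """The reporter's test: does one missing initramfs extend explain the gap?"""
    if log_pcr9 == tpm_pcr9:
        return "match"
    if sha1(log_pcr9 + initramfs_digest) == tpm_pcr9:
        return "missing-initramfs-event"
    return "unexplained"

# Log holding only the kernel event (what iml2text showed) versus the TPM
# value, which reflects both the kernel and the initramfs extends.
LOG = pack_event(9, EV_IPL, sha1(KERNEL), b"constructed event data")
TPM_PCR9 = sha1(sha1(bytes(20) + sha1(KERNEL)) + sha1(INITRAMFS))
LOG_PCR9 = replay(parse_log(LOG))[9]

if __name__ == "__main__":
    print(explain_pcr9_gap(LOG_PCR9, TPM_PCR9, sha1(INITRAMFS)))  # missing-initramfs-event
```

On a real system the same check reads the log from /sys/kernel/security/tpm0/binary_bios_measurements and the TPM value from tpm2_pcrlist (or tpm2_pcrread), and the initramfs digest from the file grub loaded.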

Comment 1 Ben Cotton 2019-08-13 16:55:30 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 2 Ben Cotton 2019-08-13 19:01:19 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

Comment 3 Javier Martinez Canillas 2020-01-31 11:23:06 UTC
I'm not able to reproduce this issue anymore. On an F31 machine with a TPM 2.0 device I see that the PCR hashes and the values calculated (using the script from the https://github.com/ValdikSS/binary_bios_measurements_parser repo) from the TPM event log digests match:

$ sudo ./binary_bios_measurements_parser.py
...
Final PCRs:
PCR-00: 74 72 60 E4 92 C6 57 85 55 0C CD 6B 89 DF D7 89 11 35 55 B4
PCR-01: E9 BB 94 5E 4C E0 D2 7B 0E D0 B6 40 B1 43 48 BF 96 D5 22 46
PCR-02: B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9 55 AD 72 36
PCR-03: B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9 55 AD 72 36
PCR-04: 73 D6 F9 04 39 A1 BF F7 2D 16 CC D8 4C 09 F1 A3 59 C5 D7 04
PCR-05: 5A EF B9 69 F0 CD 74 94 76 0B 41 30 53 C9 36 B7 9A 7C 8D F8
PCR-06: B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9 55 AD 72 36
PCR-07: 3F 1D 3C F4 90 9B B8 6A A5 C6 D0 C1 17 AF A3 CA 97 6E F2 0B
PCR-08: 85 5B 4B DE EE 85 D6 23 63 2F 83 35 04 A8 F9 87 AC 33 F8 CF
PCR-09: 6A 12 19 B5 A4 BD 33 44 26 EF 96 BB 53 E1 80 5F 9D 20 21 AB
PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-14: 56 56 EA 58 88 CD 4B B9 83 C6 39 24 35 96 2B E4 37 F9 00 25
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

sudo tpm2_pcrread sha1
...
sha1:
  0 : 0x747260E492C65785550CCD6B89DFD789113555B4
  1 : 0xE9BB945E4CE0D27B0ED0B640B14348BF96D52246
  2 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
  3 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
  4 : 0x73D6F90439A1BFF72D16CCD84C09F1A359C5D704
  5 : 0x5AEFB969F0CD7494760B413053C936B79A7C8DF8
  6 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
  7 : 0x3F1D3CF4909BB86AA5C6D0C117AFA3CA976EF20B
  8 : 0x855B4BDEEE85D623632F833504A8F987AC33F8CF
  9 : 0x6A1219B5A4BD334426EF96BB53E1805F9D2021AB
  10: 0x2F0D01587A25650D9A48E51DE8F8E01B603BB330
  11: 0x0000000000000000000000000000000000000000
  12: 0x0000000000000000000000000000000000000000
  13: 0x0000000000000000000000000000000000000000
  14: 0x5656EA5888CD4BB983C6392435962BE437F90025
  15: 0x0000000000000000000000000000000000000000
  16: 0x0000000000000000000000000000000000000000
  17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  23: 0x0000000000000000000000000000000000000000

The value of PCR-10 is different, but that's expected since it is used by IMA and the PCR is extended after ExitBootServices() has been called.

The versions of the packages tested are:

shim-x64-15-8.x86_64
grub2-efi-x64-cdboot-2.02-104.fc31.x86_64
kernel-5.4.13-201.fc31.x86_64
tpm2-tools-4.0.1-1.fc31.x86_64

So I think this can be CLOSED with CURRENTRELEASE, since it seems the bug (probably in the kernel exposing an incorrect TPM Event log to user-space) has been fixed.

Comment 4 nicolasoliver03 2020-01-31 15:22:12 UTC
Agreed, a kernel update fixed this. Thanks Javier!

Comment 5 Javier Martinez Canillas 2020-01-31 15:39:56 UTC
(In reply to nicolasoliver03 from comment #4)
> Agreed, a kernel update fixed this. Thanks Javier!

Thanks for the confirmation!
