linux-efi.vger.kernel.org archive mirror
* [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub
@ 2020-11-02 17:06 Ard Biesheuvel
  2020-11-02 17:06 ` [RFC PATCH 1/7] efi/libstub: whitespace cleanup Ard Biesheuvel
                   ` (9 more replies)
  0 siblings, 10 replies; 17+ messages in thread
From: Ard Biesheuvel @ 2020-11-02 17:06 UTC (permalink / raw)
  To: linux-efi
  Cc: Ard Biesheuvel, Peter Jones, Leif Lindholm, Arvind Sankar,
	Matthew Garrett, Daniel Kiper, Ilias Apalodimas

This series enables measurement of the initrd data loaded directly by the
EFI stub into the TPM, using the TCG2 protocol exposed by the firmware (if
available). This ensures that the initrd observed and used by the OS is the
same one that got measured into the TPM, which is more difficult to guarantee
in the current situation.

This is posted as an RFC since it is mostly an invitation to discuss how
we can fit this into a longer term strategy for arch-agnostic secure and
measured boot that does not hinge on the Shim+GRUB tandem, or on deep
knowledge on the part of the bootloader regarding device trees, bootparams
structs, allocation and placement policies of various artifacts etc etc

Open questions:
- Should we do this?
- Are Linux systems in the field using PCR value prediction when updating the
  initrd? Does this approach interfere with that?
- Which PCR and event type to use
- Is a separator event needed here, given that the initrd measurement is
  recorded even if no initrd was loaded by the stub?

Note that the EFI stub ignores the initrd provided directly via bootparams or
the device tree, and it would be nice if we could keep doing that.

Build tested only.

Cc: Peter Jones <pjones@redhat.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Arvind Sankar <nivedita@alum.mit.edu>
Cc: Matthew Garrett <mjg59@google.com>
Cc: Daniel Kiper <daniel.kiper@oracle.com>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Ard Biesheuvel (7):
  efi/libstub: whitespace cleanup
  efi/libstub: fix prototype of efi_tcg2_protocol::get_event_log()
  efi/libstub: x86/mixed: increase supported argument count
  efi/libstub: move TPM related prototypes into efistub.h
  efi/libstub: add prototype of
    efi_tcg2_protocol::hash_log_extend_event()
  efi/libstub: consolidate initrd handling across architectures
  efi/libstub: measure loaded initrd info into the TPM

 arch/x86/boot/compressed/efi_thunk_64.S       | 17 ++++--
 arch/x86/include/asm/efi.h                    | 13 +++--
 arch/x86/platform/efi/efi_thunk_64.S          | 17 ++++--
 .../firmware/efi/libstub/efi-stub-helper.c    | 56 +++++++++++++++----
 drivers/firmware/efi/libstub/efi-stub.c       | 10 +---
 drivers/firmware/efi/libstub/efistub.h        | 34 ++++++++++-
 drivers/firmware/efi/libstub/x86-stub.c       | 26 ++++-----
 include/linux/efi.h                           | 13 +----
 8 files changed, 123 insertions(+), 63 deletions(-)

-- 
2.17.1


^ permalink raw reply	[flat|nested] 17+ messages in thread

* [RFC PATCH 1/7] efi/libstub: whitespace cleanup
  2020-11-02 17:06 [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Ard Biesheuvel
@ 2020-11-02 17:06 ` Ard Biesheuvel
  2020-11-02 17:06 ` [RFC PATCH 2/7] efi/libstub: fix prototype of efi_tcg2_protocol::get_event_log() Ard Biesheuvel
                   ` (8 subsequent siblings)
  9 siblings, 0 replies; 17+ messages in thread
From: Ard Biesheuvel @ 2020-11-02 17:06 UTC (permalink / raw)
  To: linux-efi
  Cc: Ard Biesheuvel, Peter Jones, Leif Lindholm, Arvind Sankar,
	Matthew Garrett, Daniel Kiper, Ilias Apalodimas

Trivial whitespace cleanup.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 include/linux/efi.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/efi.h b/include/linux/efi.h
index d7c0e73af2b9..0ac54295ec0b 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -29,10 +29,10 @@
 #include <asm/page.h>
 
 #define EFI_SUCCESS		0
-#define EFI_LOAD_ERROR          ( 1 | (1UL << (BITS_PER_LONG-1)))
+#define EFI_LOAD_ERROR		( 1 | (1UL << (BITS_PER_LONG-1)))
 #define EFI_INVALID_PARAMETER	( 2 | (1UL << (BITS_PER_LONG-1)))
 #define EFI_UNSUPPORTED		( 3 | (1UL << (BITS_PER_LONG-1)))
-#define EFI_BAD_BUFFER_SIZE     ( 4 | (1UL << (BITS_PER_LONG-1)))
+#define EFI_BAD_BUFFER_SIZE	( 4 | (1UL << (BITS_PER_LONG-1)))
 #define EFI_BUFFER_TOO_SMALL	( 5 | (1UL << (BITS_PER_LONG-1)))
 #define EFI_NOT_READY		( 6 | (1UL << (BITS_PER_LONG-1)))
 #define EFI_DEVICE_ERROR	( 7 | (1UL << (BITS_PER_LONG-1)))
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [RFC PATCH 2/7] efi/libstub: fix prototype of efi_tcg2_protocol::get_event_log()
  2020-11-02 17:06 [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Ard Biesheuvel
  2020-11-02 17:06 ` [RFC PATCH 1/7] efi/libstub: whitespace cleanup Ard Biesheuvel
@ 2020-11-02 17:06 ` Ard Biesheuvel
  2020-11-02 17:06 ` [RFC PATCH 3/7] efi/libstub: x86/mixed: increase supported argument count Ard Biesheuvel
                   ` (7 subsequent siblings)
  9 siblings, 0 replies; 17+ messages in thread
From: Ard Biesheuvel @ 2020-11-02 17:06 UTC (permalink / raw)
  To: linux-efi
  Cc: Ard Biesheuvel, Peter Jones, Leif Lindholm, Arvind Sankar,
	Matthew Garrett, Daniel Kiper, Ilias Apalodimas

efi_tcg2_protocol::get_event_log() takes a protocol pointer as the
first argument, not an EFI handle.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 drivers/firmware/efi/libstub/efistub.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h
index 2d7abcd99de9..2bc389ec7fcd 100644
--- a/drivers/firmware/efi/libstub/efistub.h
+++ b/drivers/firmware/efi/libstub/efistub.h
@@ -672,7 +672,7 @@ typedef union efi_tcg2_protocol efi_tcg2_protocol_t;
 union efi_tcg2_protocol {
 	struct {
 		void *get_capability;
-		efi_status_t (__efiapi *get_event_log)(efi_handle_t,
+		efi_status_t (__efiapi *get_event_log)(efi_tcg2_protocol_t *,
 						       efi_tcg2_event_log_format,
 						       efi_physical_addr_t *,
 						       efi_physical_addr_t *,
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [RFC PATCH 3/7] efi/libstub: x86/mixed: increase supported argument count
  2020-11-02 17:06 [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Ard Biesheuvel
  2020-11-02 17:06 ` [RFC PATCH 1/7] efi/libstub: whitespace cleanup Ard Biesheuvel
  2020-11-02 17:06 ` [RFC PATCH 2/7] efi/libstub: fix prototype of efi_tcg2_protocol::get_event_log() Ard Biesheuvel
@ 2020-11-02 17:06 ` Ard Biesheuvel
  2020-11-02 17:06 ` [RFC PATCH 4/7] efi/libstub: move TPM related prototypes into efistub.h Ard Biesheuvel
                   ` (6 subsequent siblings)
  9 siblings, 0 replies; 17+ messages in thread
From: Ard Biesheuvel @ 2020-11-02 17:06 UTC (permalink / raw)
  To: linux-efi
  Cc: Ard Biesheuvel, Peter Jones, Leif Lindholm, Arvind Sankar,
	Matthew Garrett, Daniel Kiper, Ilias Apalodimas

Increase the number of arguments supported by mixed mode calls, so that
we will be able to call into the TCG2 protocol to measure the initrd
and extend the associated PCR. This involves the TCG2 protocol's
hash_log_extend_event() method, which takes five arguments, three of
which are u64 and need to be split, producing a total of 8 outgoing
arguments.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 arch/x86/boot/compressed/efi_thunk_64.S | 17 ++++++++++++-----
 arch/x86/include/asm/efi.h              |  9 +++++----
 arch/x86/platform/efi/efi_thunk_64.S    | 17 +++++++++++++----
 3 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/arch/x86/boot/compressed/efi_thunk_64.S b/arch/x86/boot/compressed/efi_thunk_64.S
index c4bb0f9363f5..e0f10c0aecfa 100644
--- a/arch/x86/boot/compressed/efi_thunk_64.S
+++ b/arch/x86/boot/compressed/efi_thunk_64.S
@@ -27,8 +27,6 @@ SYM_FUNC_START(__efi64_thunk)
 	push	%rbp
 	push	%rbx
 
-	leaq	1f(%rip), %rbp
-
 	movl	%ds, %eax
 	push	%rax
 	movl	%es, %eax
@@ -36,19 +34,28 @@ SYM_FUNC_START(__efi64_thunk)
 	movl	%ss, %eax
 	push	%rax
 
+	movq	0x30(%rsp), %rbp
+	movq	0x38(%rsp), %rbx
+	movq	0x40(%rsp), %rax
+
 	/*
 	 * Convert x86-64 ABI params to i386 ABI
 	 */
-	subq	$32, %rsp
+	subq	$48, %rsp
 	movl	%esi, 0x0(%rsp)
 	movl	%edx, 0x4(%rsp)
 	movl	%ecx, 0x8(%rsp)
 	movl	%r8d, 0xc(%rsp)
 	movl	%r9d, 0x10(%rsp)
+	movl	%ebp, 0x14(%rsp)
+	movl	%ebx, 0x18(%rsp)
+	movl	%eax, 0x1c(%rsp)
 
-	leaq	0x14(%rsp), %rbx
+	leaq	0x20(%rsp), %rbx
 	sgdt	(%rbx)
 
+	leaq	1f(%rip), %rbp
+
 	/*
 	 * Switch to gdt with 32-bit segments. This is the firmware GDT
 	 * that was installed when the kernel started executing. This
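
Review bot: the new loads from 0x30(%rsp), 0x38(%rsp) and 0x40(%rsp) carry
no comment, and the offsets are only right for the exact number of registers
pushed above them plus the return address. Please add a comment that names
them as the 7th to 9th arguments and states the frame layout the offsets
assume, so that adding or removing a push does not silently shift them. The
same comment could record why the frame grows from 32 to 48 bytes: eight
4-byte argument slots now end at 0x20, which is where sgdt stores, instead
of 0x14.
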
@@ -67,7 +74,7 @@ SYM_FUNC_START(__efi64_thunk)
 	pushq	%rax
 	lretq
 
-1:	addq	$32, %rsp
+1:	addq	$48, %rsp
 	movq	%rdi, %rax
 
 	pop	%rbx
diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h
index bc9758ef292e..b921b593e0a3 100644
--- a/arch/x86/include/asm/efi.h
+++ b/arch/x86/include/asm/efi.h
@@ -45,13 +45,14 @@ extern unsigned long efi_fw_vendor, efi_config_table;
 
 #define __efi_nargs(...) __efi_nargs_(__VA_ARGS__)
 #define __efi_nargs_(...) __efi_nargs__(0, ##__VA_ARGS__,	\
+	__efi_arg_sentinel(9), __efi_arg_sentinel(8),		\
 	__efi_arg_sentinel(7), __efi_arg_sentinel(6),		\
 	__efi_arg_sentinel(5), __efi_arg_sentinel(4),		\
 	__efi_arg_sentinel(3), __efi_arg_sentinel(2),		\
 	__efi_arg_sentinel(1), __efi_arg_sentinel(0))
-#define __efi_nargs__(_0, _1, _2, _3, _4, _5, _6, _7, n, ...)	\
+#define __efi_nargs__(_0, _1, _2, _3, _4, _5, _6, _7, _8, _9, n, ...)	\
 	__take_second_arg(n,					\
-		({ BUILD_BUG_ON_MSG(1, "__efi_nargs limit exceeded"); 8; }))
+		({ BUILD_BUG_ON_MSG(1, "__efi_nargs limit exceeded"); 10; }))
 #define __efi_arg_sentinel(n) , n
 
 /*
@@ -168,8 +169,8 @@ extern u64 efi_setup;
 extern efi_status_t __efi64_thunk(u32, ...);
 
 #define efi64_thunk(...) ({						\
-	__efi_nargs_check(efi64_thunk, 6, __VA_ARGS__);			\
-	__efi64_thunk(__VA_ARGS__);					\
+	__efi_nargs_check(efi64_thunk, 9, __VA_ARGS__);			\
+	__efi64_thunk(__VA_ARGS__, 0ULL, 0ULL, 0ULL);			\
 })
 
 static inline bool efi_is_mixed(void)
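
Review bot: the three trailing 0ULL arguments appended in efi64_thunk() are
unexplained. Both thunks now read three stack slots unconditionally, so
these appear to be padding that guarantees the slots hold defined values
when a caller passes only register arguments; a one-line comment above
"__efi64_thunk(__VA_ARGS__, 0ULL, 0ULL, 0ULL);" should say so. It should
also say what a caller with fewer than five EFI arguments gets, since the
zeros then land in registers and the thunk still reads the stack slots.
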
diff --git a/arch/x86/platform/efi/efi_thunk_64.S b/arch/x86/platform/efi/efi_thunk_64.S
index 26f0da238c1c..2f2a625b84a4 100644
--- a/arch/x86/platform/efi/efi_thunk_64.S
+++ b/arch/x86/platform/efi/efi_thunk_64.S
@@ -33,8 +33,18 @@ SYM_CODE_START(__efi64_thunk)
 	 * Switch to 1:1 mapped 32-bit stack pointer.
 	 */
 	movq	%rsp, %rax
-	movq	efi_scratch(%rip), %rsp
-	push	%rax
+	movq	(efi_scratch - 0x2c)(%rip), %rsp
+	movq	%rax, 0x24(%rsp)
+
+	/*
+	 * Copy args passed via the stack
+	 */
+	movq	0x18(%rax), %rbp
+	movq	0x20(%rax), %rbx
+	movq	0x28(%rax), %rax
+	movl	%ebp, 0x18(%rsp)
+	movl	%ebx, 0x1c(%rsp)
+	movl	%eax, 0x20(%rsp)
 
 	/*
 	 * Calculate the physical address of the kernel text.
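
Review bot: "movq (efi_scratch - 0x2c)(%rip), %rsp" does not look like what
was intended. The removed code loaded the value stored in efi_scratch and
then lowered it with a push and a later "subq $28, %rsp"; the new operand
applies the -0x2c to the address of the symbol, so %rsp is loaded from
whatever lies 0x2c bytes before efi_scratch rather than from efi_scratch
itself. Loading efi_scratch(%rip) and then subtracting 0x2c from %rsp would
keep the frame layout the rest of the hunk relies on (saved %rsp at 0x24,
stack arguments at 0x18 to 0x20).
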
@@ -47,7 +57,6 @@ SYM_CODE_START(__efi64_thunk)
 	subq	%rax, %rbp
 	subq	%rax, %rbx
 
-	subq	$28, %rsp
 	movl	%ebx, 0x0(%rsp)		/* return address */
 	movl	%esi, 0x4(%rsp)
 	movl	%edx, 0x8(%rsp)
@@ -60,7 +69,7 @@ SYM_CODE_START(__efi64_thunk)
 	pushq	%rdi			/* EFI runtime service address */
 	lretq
 
-1:	movq	24(%rsp), %rsp
+1:	movq	0x20(%rsp), %rsp
 	pop	%rbx
 	pop	%rbp
 	retq
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [RFC PATCH 4/7] efi/libstub: move TPM related prototypes into efistub.h
  2020-11-02 17:06 [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Ard Biesheuvel
                   ` (2 preceding siblings ...)
  2020-11-02 17:06 ` [RFC PATCH 3/7] efi/libstub: x86/mixed: increase supported argument count Ard Biesheuvel
@ 2020-11-02 17:06 ` Ard Biesheuvel
  2020-11-02 17:06 ` [RFC PATCH 5/7] efi/libstub: add prototype of efi_tcg2_protocol::hash_log_extend_event() Ard Biesheuvel
                   ` (5 subsequent siblings)
  9 siblings, 0 replies; 17+ messages in thread
From: Ard Biesheuvel @ 2020-11-02 17:06 UTC (permalink / raw)
  To: linux-efi
  Cc: Ard Biesheuvel, Peter Jones, Leif Lindholm, Arvind Sankar,
	Matthew Garrett, Daniel Kiper, Ilias Apalodimas

Move TPM related definitions that are only used in the EFI stub into
efistub.h, which is a local header.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 drivers/firmware/efi/libstub/efistub.h | 9 +++++++++
 include/linux/efi.h                    | 9 ---------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h
index 2bc389ec7fcd..2c621bf4760f 100644
--- a/drivers/firmware/efi/libstub/efistub.h
+++ b/drivers/firmware/efi/libstub/efistub.h
@@ -848,4 +848,13 @@ asmlinkage void __noreturn efi_enter_kernel(unsigned long entrypoint,
 
 void efi_handle_post_ebs_state(void);
 
+#ifdef CONFIG_RESET_ATTACK_MITIGATION
+void efi_enable_reset_attack_mitigation(void);
+#else
+static inline void
+efi_enable_reset_attack_mitigation(void) { }
+#endif
+
+void efi_retrieve_tpm2_eventlog(void);
+
 #endif
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 0ac54295ec0b..1160e0c6d779 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1091,13 +1091,6 @@ enum efi_secureboot_mode {
 };
 enum efi_secureboot_mode efi_get_secureboot(void);
 
-#ifdef CONFIG_RESET_ATTACK_MITIGATION
-void efi_enable_reset_attack_mitigation(void);
-#else
-static inline void
-efi_enable_reset_attack_mitigation(void) { }
-#endif
-
 #ifdef CONFIG_EFI_EMBEDDED_FIRMWARE
 void efi_check_for_embedded_firmwares(void);
 #else
@@ -1106,8 +1099,6 @@ static inline void efi_check_for_embedded_firmwares(void) { }
 
 efi_status_t efi_random_get_seed(void);
 
-void efi_retrieve_tpm2_eventlog(void);
-
 /*
  * Arch code can implement the following three template macros, avoiding
  * reptition for the void/non-void return cases of {__,}efi_call_virt():
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [RFC PATCH 5/7] efi/libstub: add prototype of efi_tcg2_protocol::hash_log_extend_event()
  2020-11-02 17:06 [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Ard Biesheuvel
                   ` (3 preceding siblings ...)
  2020-11-02 17:06 ` [RFC PATCH 4/7] efi/libstub: move TPM related prototypes into efistub.h Ard Biesheuvel
@ 2020-11-02 17:06 ` Ard Biesheuvel
  2020-11-02 17:06 ` [RFC PATCH 6/7] efi/libstub: consolidate initrd handling across architectures Ard Biesheuvel
                   ` (4 subsequent siblings)
  9 siblings, 0 replies; 17+ messages in thread
From: Ard Biesheuvel @ 2020-11-02 17:06 UTC (permalink / raw)
  To: linux-efi
  Cc: Ard Biesheuvel, Peter Jones, Leif Lindholm, Arvind Sankar,
	Matthew Garrett, Daniel Kiper, Ilias Apalodimas

Define the right prototype for efi_tcg2_protocol::hash_log_extend_event()
so we can start using it to measure the initrd into the TPM if it was
loaded by the EFI stub itself.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 arch/x86/include/asm/efi.h             |  4 ++++
 drivers/firmware/efi/libstub/efistub.h | 22 +++++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h
index b921b593e0a3..73316cd67086 100644
--- a/arch/x86/include/asm/efi.h
+++ b/arch/x86/include/asm/efi.h
@@ -303,6 +303,10 @@ static inline u32 efi64_convert_status(efi_status_t status)
 #define __efi64_argmap_query_mode(gop, mode, size, info)		\
 	((gop), (mode), efi64_zero_upper(size), efi64_zero_upper(info))
 
+/* TCG2 protocol */
+#define __efi64_argmap_hash_log_extend_event(prot, fl, addr, size, ev)	\
+	((prot), (fl), 0ULL, (u64)(addr), 0ULL, (u64)(size), 0ULL, ev)
+
 /*
  * The macros below handle the plumbing for the argument mapping. To add a
  * mapping for a specific EFI method, simply define a macro
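
Review bot: in __efi64_argmap_hash_log_extend_event() the upper halves of
the three u64 parameters are hard-coded to 0ULL, and each remaining value is
stored by the thunk with a 32-bit movl, so a data address or size that does
not fit in 32 bits is truncated without any diagnostic. Please either
document that mixed mode callers only ever pass values below 4 GiB, or
reject larger values before the call. Minor style point: "ev" is the only
macro argument used without parentheses.
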
diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h
index 2c621bf4760f..c96085133648 100644
--- a/drivers/firmware/efi/libstub/efistub.h
+++ b/drivers/firmware/efi/libstub/efistub.h
@@ -667,6 +667,20 @@ union apple_properties_protocol {
 
 typedef u32 efi_tcg2_event_log_format;
 
+#define EFI_TCG2_EVENT_HEADER_VERSION	0x1
+
+struct efi_tcg2_event {
+	u32		event_size;
+	struct {
+		u32	header_size;
+		u16	header_version;
+		u32	pcr_index;
+		u32	event_type;
+	}		event_header;
+	/* u8[] event follows here */
+} __packed;
+
+typedef struct efi_tcg2_event efi_tcg2_event_t;
 typedef union efi_tcg2_protocol efi_tcg2_protocol_t;
 
 union efi_tcg2_protocol {
@@ -677,7 +691,11 @@ union efi_tcg2_protocol {
 						       efi_physical_addr_t *,
 						       efi_physical_addr_t *,
 						       efi_bool_t *);
-		void *hash_log_extend_event;
+		efi_status_t (__efiapi *hash_log_extend_event)(efi_tcg2_protocol_t *,
+							       u64,
+							       efi_physical_addr_t,
+							       u64,
+							       const efi_tcg2_event_t *);
 		void *submit_command;
 		void *get_active_pcr_banks;
 		void *set_active_pcr_banks;
@@ -857,4 +875,6 @@ efi_enable_reset_attack_mitigation(void) { }
 
 void efi_retrieve_tpm2_eventlog(void);
 
+void efi_tpm_measure_initrd(unsigned long addr, unsigned long size);
+
 #endif
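
Review bot: the prototype added here, efi_tpm_measure_initrd(), has no
definition or caller anywhere in this series; patch 7/7 open-codes the
measurement inside efi_load_initrd() instead. Either drop the declaration
or move the measurement into a function of that name, which would also keep
efi_load_initrd() shorter.
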
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [RFC PATCH 6/7] efi/libstub: consolidate initrd handling across architectures
  2020-11-02 17:06 [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Ard Biesheuvel
                   ` (4 preceding siblings ...)
  2020-11-02 17:06 ` [RFC PATCH 5/7] efi/libstub: add prototype of efi_tcg2_protocol::hash_log_extend_event() Ard Biesheuvel
@ 2020-11-02 17:06 ` Ard Biesheuvel
  2020-11-02 17:06 ` [RFC PATCH 7/7] efi/libstub: measure loaded initrd info into the TPM Ard Biesheuvel
                   ` (3 subsequent siblings)
  9 siblings, 0 replies; 17+ messages in thread
From: Ard Biesheuvel @ 2020-11-02 17:06 UTC (permalink / raw)
  To: linux-efi
  Cc: Ard Biesheuvel, Peter Jones, Leif Lindholm, Arvind Sankar,
	Matthew Garrett, Daniel Kiper, Ilias Apalodimas

Before adding TPM measurement of the initrd contents, refactor the
initrd handling slightly to be more self-contained and consistent.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 drivers/firmware/efi/libstub/efi-stub-helper.c | 13 +++++++---
 drivers/firmware/efi/libstub/efi-stub.c        | 10 ++------
 drivers/firmware/efi/libstub/efistub.h         |  1 -
 drivers/firmware/efi/libstub/x86-stub.c        | 26 ++++++++------------
 4 files changed, 21 insertions(+), 29 deletions(-)

diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
index aa8da0a49829..72a7e7c4d403 100644
--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
+++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
@@ -20,10 +20,10 @@
 
 bool efi_nochunk;
 bool efi_nokaslr = !IS_ENABLED(CONFIG_RANDOMIZE_BASE);
-bool efi_noinitrd;
 int efi_loglevel = CONSOLE_LOGLEVEL_DEFAULT;
 bool efi_novamap;
 
+static bool efi_noinitrd;
 static bool efi_nosoftreserve;
 static bool efi_disable_pci_dma = IS_ENABLED(CONFIG_EFI_DISABLE_PCI_DMA);
 
@@ -643,8 +643,10 @@ efi_status_t efi_load_initrd(efi_loaded_image_t *image,
 {
 	efi_status_t status;
 
-	if (!load_addr || !load_size)
-		return EFI_INVALID_PARAMETER;
+	if (efi_noinitrd) {
+		*load_addr = *load_size = 0;
+		return EFI_SUCCESS;
+	}
 
 	status = efi_load_initrd_dev_path(load_addr, load_size, hard_limit);
 	if (status == EFI_SUCCESS) {
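
Review bot: the "if (!load_addr || !load_size)" check is removed while the
replacement block dereferences both pointers unconditionally in
"*load_addr = *load_size = 0;". The two callers changed in this patch pass
addresses of locals, so this is safe today, but the contract changed from
"returns EFI_INVALID_PARAMETER" to "must not be NULL"; please state that in
the kernel-doc of efi_load_initrd() or keep the check.
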
@@ -655,7 +657,10 @@ efi_status_t efi_load_initrd(efi_loaded_image_t *image,
 		if (status == EFI_SUCCESS && *load_size > 0)
 			efi_info("Loaded initrd from command line option\n");
 	}
-
+	if (status != EFI_SUCCESS) {
+		efi_err("Failed to load initrd: 0x%lx\n", status);
+		*load_addr = *load_size = 0;
+	}
 	return status;
 }
 
diff --git a/drivers/firmware/efi/libstub/efi-stub.c b/drivers/firmware/efi/libstub/efi-stub.c
index 914a343c7785..ccc4e6f10ae6 100644
--- a/drivers/firmware/efi/libstub/efi-stub.c
+++ b/drivers/firmware/efi/libstub/efi-stub.c
@@ -122,7 +122,6 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle,
 	enum efi_secureboot_mode secure_boot;
 	struct screen_info *si;
 	efi_properties_table_t *prop_tbl;
-	unsigned long max_addr;
 
 	efi_system_table = sys_table_arg;
 
@@ -228,13 +227,8 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle,
 	if (!fdt_addr)
 		efi_info("Generating empty DTB\n");
 
-	if (!efi_noinitrd) {
-		max_addr = efi_get_max_initrd_addr(image_addr);
-		status = efi_load_initrd(image, &initrd_addr, &initrd_size,
-					 ULONG_MAX, max_addr);
-		if (status != EFI_SUCCESS)
-			efi_err("Failed to load initrd!\n");
-	}
+	efi_load_initrd(image, &initrd_addr, &initrd_size, ULONG_MAX,
+			efi_get_max_initrd_addr(image_addr));
 
 	efi_random_get_seed();
 
diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h
index c96085133648..a8f08bf2cbb5 100644
--- a/drivers/firmware/efi/libstub/efistub.h
+++ b/drivers/firmware/efi/libstub/efistub.h
@@ -31,7 +31,6 @@
 
 extern bool efi_nochunk;
 extern bool efi_nokaslr;
-extern bool efi_noinitrd;
 extern int efi_loglevel;
 extern bool efi_novamap;
 
diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c
index 3672539cb96e..1b4c15489bd6 100644
--- a/drivers/firmware/efi/libstub/x86-stub.c
+++ b/drivers/firmware/efi/libstub/x86-stub.c
@@ -673,6 +673,7 @@ unsigned long efi_main(efi_handle_t handle,
 	unsigned long bzimage_addr = (unsigned long)startup_32;
 	unsigned long buffer_start, buffer_end;
 	struct setup_header *hdr = &boot_params->hdr;
+	unsigned long addr, size;
 	efi_status_t status;
 
 	efi_system_table = sys_table_arg;
@@ -758,22 +759,15 @@ unsigned long efi_main(efi_handle_t handle,
 	 * arguments will be processed only if image is not NULL, which will be
 	 * the case only if we were loaded via the PE entry point.
 	 */
-	if (!efi_noinitrd) {
-		unsigned long addr, size;
-
-		status = efi_load_initrd(image, &addr, &size,
-					 hdr->initrd_addr_max, ULONG_MAX);
-
-		if (status != EFI_SUCCESS) {
-			efi_err("Failed to load initrd!\n");
-			goto fail;
-		}
-		if (size > 0) {
-			efi_set_u64_split(addr, &hdr->ramdisk_image,
-					  &boot_params->ext_ramdisk_image);
-			efi_set_u64_split(size, &hdr->ramdisk_size,
-					  &boot_params->ext_ramdisk_size);
-		}
+	status = efi_load_initrd(image, &addr, &size, hdr->initrd_addr_max,
+				 ULONG_MAX);
+	if (status != EFI_SUCCESS)
+		goto fail;
+	if (size > 0) {
+		efi_set_u64_split(addr, &hdr->ramdisk_image,
+				  &boot_params->ext_ramdisk_image);
+		efi_set_u64_split(size, &hdr->ramdisk_size,
+				  &boot_params->ext_ramdisk_size);
 	}
 
 	/*
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [RFC PATCH 7/7] efi/libstub: measure loaded initrd info into the TPM
  2020-11-02 17:06 [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Ard Biesheuvel
                   ` (5 preceding siblings ...)
  2020-11-02 17:06 ` [RFC PATCH 6/7] efi/libstub: consolidate initrd handling across architectures Ard Biesheuvel
@ 2020-11-02 17:06 ` Ard Biesheuvel
  2020-11-03 21:45   ` James Bottomley
  2020-11-02 19:39 ` [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Matthew Garrett
                   ` (2 subsequent siblings)
  9 siblings, 1 reply; 17+ messages in thread
From: Ard Biesheuvel @ 2020-11-02 17:06 UTC (permalink / raw)
  To: linux-efi
  Cc: Ard Biesheuvel, Peter Jones, Leif Lindholm, Arvind Sankar,
	Matthew Garrett, Daniel Kiper, Ilias Apalodimas

Modify the initrd loading sequence so that the contents of the initrd
loaded by the EFI stub are measured into the TPM. Note that this also
includes the measurement of a zero sized input if the stub's initrd
loader fails for any reason, or simply succeeds with no result, which
it does for legacy reasons when using the initrd= command line option.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 drivers/firmware/efi/libstub/efi-stub-helper.c | 53 +++++++++++++++-----
 1 file changed, 40 insertions(+), 13 deletions(-)

diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
index 72a7e7c4d403..d8cf1911171a 100644
--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
+++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
@@ -625,6 +625,22 @@ efi_status_t efi_load_initrd_cmdline(efi_loaded_image_t *image,
 				    load_addr, load_size);
 }
 
+static const struct {
+	efi_tcg2_event_t	event_data;
+	u8			description[];
+} initrd_tcg2_event = {
+	{
+		sizeof(initrd_tcg2_event),
+		{
+			sizeof(initrd_tcg2_event.event_data.event_header),
+			EFI_TCG2_EVENT_HEADER_VERSION,
+			0,
+			0
+		},
+	},
+	"Linux initrd"
+};
+
 /**
  * efi_load_initrd() - Load initial RAM disk
  * @image:	EFI loaded image protocol
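
Review bot: event_size is initialised with sizeof(initrd_tcg2_event), but
description[] is a flexible array member and sizeof does not count it, so
the size handed to the firmware covers only the efi_tcg2_event_t header and
the "Linux initrd" string is left out of the logged event. The size needs to
include the string explicitly, for example by giving description a fixed
length. The pcr_index and event_type fields are both left at 0; if these are
placeholders for the open question in the cover letter, a comment should
say so, because as written this extends PCR 0.
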
@@ -641,25 +657,36 @@ efi_status_t efi_load_initrd(efi_loaded_image_t *image,
 			     unsigned long soft_limit,
 			     unsigned long hard_limit)
 {
+	efi_guid_t tcg2_guid = EFI_TCG2_PROTOCOL_GUID;
+	efi_tcg2_protocol_t *tcg2 = NULL;
 	efi_status_t status;
 
 	if (efi_noinitrd) {
 		*load_addr = *load_size = 0;
-		return EFI_SUCCESS;
+		status = EFI_SUCCESS;
+	} else {
+		status = efi_load_initrd_dev_path(load_addr, load_size, hard_limit);
+		if (status == EFI_SUCCESS) {
+			efi_info("Loaded initrd from LINUX_EFI_INITRD_MEDIA_GUID device path\n");
+		} else if (status == EFI_NOT_FOUND) {
+			status = efi_load_initrd_cmdline(image, load_addr, load_size,
+							 soft_limit, hard_limit);
+			if (status == EFI_SUCCESS && *load_size > 0)
+				efi_info("Loaded initrd from command line option\n");
+		}
+		if (status != EFI_SUCCESS) {
+			efi_err("Failed to load initrd: 0x%lx\n", status);
+			*load_addr = *load_size = 0;
+		}
 	}
 
-	status = efi_load_initrd_dev_path(load_addr, load_size, hard_limit);
-	if (status == EFI_SUCCESS) {
-		efi_info("Loaded initrd from LINUX_EFI_INITRD_MEDIA_GUID device path\n");
-	} else if (status == EFI_NOT_FOUND) {
-		status = efi_load_initrd_cmdline(image, load_addr, load_size,
-						 soft_limit, hard_limit);
-		if (status == EFI_SUCCESS && *load_size > 0)
-			efi_info("Loaded initrd from command line option\n");
-	}
-	if (status != EFI_SUCCESS) {
-		efi_err("Failed to load initrd: 0x%lx\n", status);
-		*load_addr = *load_size = 0;
+	efi_bs_call(locate_protocol, &tcg2_guid, NULL, (void **)&tcg2);
+	if (tcg2) {
+		efi_status_t s = efi_call_proto(tcg2, hash_log_extend_event,
+						0, *load_addr, *load_size,
+						&initrd_tcg2_event.event_data);
+		if (s != EFI_SUCCESS)
+			efi_warn("Failed to measure initrd data into PCR #xx: 0x%lx\n", s);
 	}
 	return status;
 }
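
Review bot: a failing hash_log_extend_event() call only reaches efi_warn(),
and the function still returns the load status, so the caller continues to
boot with an initrd that is not reflected in the PCR or the event log. For a
measured boot feature that outcome should be a deliberate decision: either
propagate the failure or document why continuing is acceptable. The warning
text also still contains the placeholder "PCR #xx", and the return value of
the locate_protocol call is discarded in favour of the NULL test on tcg2,
which deserves a short comment.
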
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* Re: [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub
  2020-11-02 17:06 [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Ard Biesheuvel
                   ` (6 preceding siblings ...)
  2020-11-02 17:06 ` [RFC PATCH 7/7] efi/libstub: measure loaded initrd info into the TPM Ard Biesheuvel
@ 2020-11-02 19:39 ` Matthew Garrett
  2020-11-02 20:24   ` Ard Biesheuvel
  2020-11-03 22:29   ` James Bottomley
  2020-11-03  5:51 ` Ilias Apalodimas
  2020-11-03 21:22 ` James Bottomley
  9 siblings, 2 replies; 17+ messages in thread
From: Matthew Garrett @ 2020-11-02 19:39 UTC (permalink / raw)
  To: Ard Biesheuvel
  Cc: linux-efi, Peter Jones, Leif Lindholm, Arvind Sankar,
	Daniel Kiper, Ilias Apalodimas

On Mon, Nov 2, 2020 at 9:06 AM Ard Biesheuvel <ardb@kernel.org> wrote:

> This is posted as an RFC since it is mostly an invitation to discuss how
> we can fit this into a longer term strategy for arch-agnostic secure and
> measured boot that does not hinge on the Shim+GRUB tandem, or on deep
> knowledge on the part of the bootloader regarding device trees, bootparams
> structs, allocation and placement policies of various artifacts etc etc

My initial concern was that we'd potentially do double measurement if
a separate bootloader loaded the initrd and then called the EFI entry
point, but it looks like you'll only measure if the stub loaded the
initrd itself, in which case this seems fine.

> Open questions:
> - Should we do this?

I think so. The initramfs is clearly part of our initial TCB.

> - Are Linux systems in the field using PCR value prediction when updating the
>   initrd? Does this approach interfere with that?

I'm not aware of any distro that's tried to solve this problem. I do
have an idea for how to (basically, build a generic initramfs and then
allow the bootloader to override specific configuration files - grub
has support for reading files and creating an additional cpio on the
fly), but handwave.

> - Which PCR and event type to use

Grub is measuring the initramfs (and all binaries) into PCR 9 with EV_IPL.

> - Is a separator event needed here, given that the initrd measurement is
>   recorded even if no initrd was loaded by the stub?

I think probably, but we should probably have a longer discussion
around when we should be logging separators (grub doesn't generate any
at the moment, and I don't think shim does either, and that's
definitely suboptimal for the PCR 7 case). We should probably look at
what Windows is doing here.

^ permalink raw reply	[flat|nested] 17+ messages in thread
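
Added example, not part of the original thread or of the kernel sources:
a small model of the PCR value prediction raised in the open questions, and
of the zero-sized measurement described in patch 7/7. It assumes a SHA-256
PCR bank that starts as all zeros and that each event hashes the raw bytes
of the measured object; the sample inputs and all function names are
constructed for illustration.

```python
import hashlib

# Assumption: SHA-256 bank, PCR reset value is 32 zero bytes.
PCR_INIT = bytes(32)


def extend(pcr: bytes, data: bytes) -> bytes:
    """One measurement: hash the data, then fold the digest into the PCR."""
    digest = hashlib.sha256(data).digest()
    return hashlib.sha256(pcr + digest).digest()


def predict_pcr(measurements, start: bytes = PCR_INIT) -> bytes:
    """Replay the measurements in boot order and return the final PCR value."""
    pcr = start
    for data in measurements:
        pcr = extend(pcr, data)
    return pcr


def reseal_needed(sealed_pcr: bytes, earlier, new_initrd: bytes) -> bool:
    """True if a secret sealed to sealed_pcr would no longer unseal once
    new_initrd replaces the initrd measured after the 'earlier' events."""
    return predict_pcr(list(earlier) + [new_initrd]) != sealed_pcr


# Constructed sample inputs (stand-ins for real boot artifacts).
KERNEL = b"constructed kernel image bytes"
OLD_INITRD = b"constructed initrd, version 1"
NEW_INITRD = b"constructed initrd, version 2"


def demo() -> dict:
    sealed = predict_pcr([KERNEL, OLD_INITRD])
    return {
        # Same initrd: the policy still matches, nothing to do.
        "same_initrd": reseal_needed(sealed, [KERNEL], OLD_INITRD),
        # Updated initrd: the secret must be resealed before reboot.
        "new_initrd": reseal_needed(sealed, [KERNEL], NEW_INITRD),
        # A zero-sized measurement still changes the PCR: it extends
        # the digest of the empty string, it is not a no-op.
        "empty_changes_pcr": predict_pcr([b""]) != PCR_INIT,
        # The value to seal against ahead of the update.
        "next_pcr": predict_pcr([KERNEL, NEW_INITRD]).hex(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the stub would measure exactly the bytes it hands to the kernel, an
update tool can run this replay over the new initrd file before rebooting and
reseal to the predicted value.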

* Re: [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub
  2020-11-02 19:39 ` [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Matthew Garrett
@ 2020-11-02 20:24   ` Ard Biesheuvel
  2020-11-02 20:26     ` Matthew Garrett
  2020-11-03 22:29   ` James Bottomley
  1 sibling, 1 reply; 17+ messages in thread
From: Ard Biesheuvel @ 2020-11-02 20:24 UTC (permalink / raw)
  To: Matthew Garrett
  Cc: linux-efi, Peter Jones, Leif Lindholm, Arvind Sankar,
	Daniel Kiper, Ilias Apalodimas

On Mon, 2 Nov 2020 at 20:39, Matthew Garrett <mjg59@google.com> wrote:
>
> On Mon, Nov 2, 2020 at 9:06 AM Ard Biesheuvel <ardb@kernel.org> wrote:
>
> > This is posted as an RFC since it is mostly an invitation to discuss how
> > we can fit this into a longer term strategy for arch-agnostic secure and
> > measured boot that does not hinge on the Shim+GRUB tandem, or on deep
> > knowledge on the part of the bootloader regarding device trees, bootparams
> > structs, allocation and placement policies of various artifacts etc etc
>
> My initial concern was that we'd potentially do double measurement if
> a separate bootloader loaded the initrd and then called the EFI entry
> point, but it looks like you'll only measure if the stub loaded the
> initrd itself, in which case this seems fine.
>
> > Open questions:
> > - Should we do this?
>
> I think so. The initramfs is clearly part of our initial TCB.
>
> > - Are Linux systems in the field using PCR value prediction when updating the
> >   initrd? Does this approach interfere with that?
>
> I'm not aware of any distro that's tried to solve this problem. I do
> have an idea for how to (basically, build a generic initramfs and then
> allow the bootloader to override specific configuration files - grub
> has support for reading files and creating an additional cpio on the
> fly), but handwave.
>
> > - Which PCR and event type to use
>
> Grub is measuring the initramfs (and all binaries) into PCR 9 with EV_IPL.
>
> > - Is a separator event needed here, given that the initrd measurement is
> >   recorded even if no initrd was loaded by the stub?
>
> I think probably, but we should probably have a longer discussion
> around when we should be logging separators (grub doesn't generate any
> at the moment, and I don't think shim does either, and that's
> definitely suboptimal for the PCR 7 case). We should probably look at
> what Windows is doing here.

Does Shim use PCR 7 for the MOK key database? Are there any specific
requirements from MS on which PCRs Shim must touch?

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub
  2020-11-02 20:24   ` Ard Biesheuvel
@ 2020-11-02 20:26     ` Matthew Garrett
  2020-11-03 21:37       ` James Bottomley
  0 siblings, 1 reply; 17+ messages in thread
From: Matthew Garrett @ 2020-11-02 20:26 UTC (permalink / raw)
  To: Ard Biesheuvel
  Cc: linux-efi, Peter Jones, Leif Lindholm, Arvind Sankar,
	Daniel Kiper, Ilias Apalodimas

On Mon, Nov 2, 2020 at 12:24 PM Ard Biesheuvel <ardb@kernel.org> wrote:
> Does Shim use PCR 7 for the MOK key database? Are there any specific
> requirements from MS on which PCRs Shim must touch?

Yes, shim extends PCR 7 in the same way the firmware does. There's no
requirement from MS on this, it just seemed like the right solution.

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub
  2020-11-02 17:06 [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Ard Biesheuvel
                   ` (7 preceding siblings ...)
  2020-11-02 19:39 ` [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Matthew Garrett
@ 2020-11-03  5:51 ` Ilias Apalodimas
  2020-11-03  8:18   ` Ard Biesheuvel
  2020-11-03 21:22 ` James Bottomley
  9 siblings, 1 reply; 17+ messages in thread
From: Ilias Apalodimas @ 2020-11-03  5:51 UTC (permalink / raw)
  To: Ard Biesheuvel
  Cc: linux-efi, Peter Jones, Leif Lindholm, Arvind Sankar,
	Matthew Garrett, Daniel Kiper

Hi Ard,

On Mon, Nov 02, 2020 at 06:06:27PM +0100, Ard Biesheuvel wrote:
> This series enables measurement of the initrd data loaded directly by the
> EFI stub into the TPM, using the TCG2 protocol exposed by the firmware (if
> available). This ensures that the initrd observed and used by the OS is the
> same one that got measured into the TPM, which is more difficult to guarantee
> in the current situation.
> 

I like this. The OS gets the ability to 'self-measure' one critical component.
This can of course be done in the bootloader or GRUB, but having the functionality
in the stub will allow you to boot with a verified initrd, if even GRUB isn't 
there or the bootloader doesn't measure the initrd.

> This is posted as an RFC since it is mostly an invitation to discuss how
> we can fit this into a longer term strategy for arch-agnostic secure and
> measured boot that does not hinge on the Shim+GRUB tandem, or on deep
> knowledge on the part of the bootloader regarding device trees, bootparams
> structs, allocation and placement policies of various artifacts etc etc
> 
> Open questions:
> - Should we do this?

I think so. I can't find any arguments why we shouldn't.

> - Are Linux systems in the field using PCR value prediction when updating the
>   initrd? Does this approach interfere with that?
> - Which PCR and event type to use

No idea. I think distros will have an opinion on that

> - Is a separator event needed here, given that the initrd measurement is
>   recorded even if no initrd was loaded by the stub?

I think having the event makes sense, but if we are going to make a standard
measurement for the initrd, we need to discuss this a bit more.

> 
> Note that the EFI stub ignores the initrd provided directly via bootparams or
> the device tree, and it would be nice if we could keep doing that.
> 
> Build tested only.


Cheers
/Ilias

> 
> Cc: Peter Jones <pjones@redhat.com>
> Cc: Leif Lindholm <leif@nuviainc.com>
> Cc: Arvind Sankar <nivedita@alum.mit.edu>
> Cc: Matthew Garrett <mjg59@google.com>
> Cc: Daniel Kiper <daniel.kiper@oracle.com>
> Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> 
> Ard Biesheuvel (7):
>   efi/libstub: whitespace cleanup
>   efi/libstub: fix prototype of efi_tcg2_protocol::get_event_log()
>   efi/libstub: x86/mixed: increase supported argument count
>   efi/libstub: move TPM related prototypes into efistub.h
>   efi/libstub: add prototype of
>     efi_tcg2_protocol::hash_log_extend_event()
>   efi/libstub: consolidate initrd handling across architectures
>   efi/libstub: measure loaded initrd info into the TPM
> 
>  arch/x86/boot/compressed/efi_thunk_64.S       | 17 ++++--
>  arch/x86/include/asm/efi.h                    | 13 +++--
>  arch/x86/platform/efi/efi_thunk_64.S          | 17 ++++--
>  .../firmware/efi/libstub/efi-stub-helper.c    | 56 +++++++++++++++----
>  drivers/firmware/efi/libstub/efi-stub.c       | 10 +---
>  drivers/firmware/efi/libstub/efistub.h        | 34 ++++++++++-
>  drivers/firmware/efi/libstub/x86-stub.c       | 26 ++++-----
>  include/linux/efi.h                           | 13 +----
>  8 files changed, 123 insertions(+), 63 deletions(-)
> 
> -- 
> 2.17.1
> 

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub
  2020-11-03  5:51 ` Ilias Apalodimas
@ 2020-11-03  8:18   ` Ard Biesheuvel
  0 siblings, 0 replies; 17+ messages in thread
From: Ard Biesheuvel @ 2020-11-03  8:18 UTC (permalink / raw)
  To: Ilias Apalodimas
  Cc: linux-efi, Peter Jones, Leif Lindholm, Arvind Sankar,
	Matthew Garrett, Daniel Kiper

On Tue, 3 Nov 2020 at 06:52, Ilias Apalodimas
<ilias.apalodimas@linaro.org> wrote:
>
> Hi Ard,
>
> On Mon, Nov 02, 2020 at 06:06:27PM +0100, Ard Biesheuvel wrote:
> > This series enables measurement of the initrd data loaded directly by the
> > EFI stub into the TPM, using the TCG2 protocol exposed by the firmware (if
> > available). This ensures that the initrd observed and used by the OS is the
> > same one that got measured into the TPM, which is more difficult to guarantee
> > in the current situation.
> >
>
> I like this. The OS gets the ability to 'self-measure' one critical component.
> This can of course be done in the bootloader or GRUB, but having the functionality
> in the stub will allow you to boot with a verified initrd, if even GRUB isn't
> there or the bootloader doesn't measure the initrd.
>

Well, that is one aspect of it. But the most important issue is that
the LoadFile2 protocol or the initrd= method are ambiguous: any initrd
loaded by the bootloader and passed via bootparams or DT might be
superseded by the EFI stub's initrd loader, and even if the command
line is measured as well, 'initrd=foo.bin' does not give any
guarantees about the contents of that file.

So measuring what actually gets loaded by the stub and passed to the
kernel is the most robust way to deal with this, and measuring 'no
stub-loaded initrd' if none is provided is important there.

But that does raise a question regarding double measurement:
unconditionally taking measurements might break existing boot flows
when upgrading the kernel. The alternative is to measure only if an
initrd was provided, but that is fragile as well.

So as Matthew suggested, it would be good to have a more high level
talk about the policies here, and about what kind of complications we
are prepared to put up with to make changes like this one possible.


> > This is posted as an RFC since it is mostly an invitation to discuss how
> > we can fit this into a longer term strategy for arch-agnostic secure and
> > measured boot that does not hinge on the Shim+GRUB tandem, or on deep
> > knowledge on the part of the bootloader regarding device trees, bootparams
> > structs, allocation and placement policies of various artifacts etc etc
> >
> > Open questions:
> > - Should we do this?
>
> I think so. I can't find any arguments why we shouldn't.
>
> > - Are Linux systems in the field using PCR value prediction when updating the
> >   initrd? Does this approach interfere with that?
> > - Which PCR and event type to use
>
> No idea. I think distros will have an opinion on that
>

PCR #9 with EV_IPL seems like the de facto standard, so I will stick with that.


> > - Is a separator event needed here, given that the initrd measurement is
> >   recorded even if no initrd was loaded by the stub?
>
> I think having the event makes sense, but if we are going to make a standard
> measurement for the initrd, we need to discuss this a bit more.
>

The question is about separator events: in the above case, for
instance, not extending the PCR if no initrd measurement is taken
could open the door to hacks where a rogue initrd is passed via
bootparams while the system is configured to use LoadFile2, and in
some way (EBS hook?), the firmware manages to extend the 'desired'
value into the PCR instead of the hash of the actual initrd that is
loaded. If we measure a separator event unconditionally after
measuring the initrd (or not), this cannot happen.

This might sound a bit convoluted, but real-world hacks typically are.

> >
> > Note that the EFI stub ignores the initrd provided directly via bootparams or
> > the device tree, and it would be nice if we could keep doing that.
> >
> > Build tested only.
>
>
> Cheers
> /Ilias
>
> >
> > Cc: Peter Jones <pjones@redhat.com>
> > Cc: Leif Lindholm <leif@nuviainc.com>
> > Cc: Arvind Sankar <nivedita@alum.mit.edu>
> > Cc: Matthew Garrett <mjg59@google.com>
> > Cc: Daniel Kiper <daniel.kiper@oracle.com>
> > Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> >
> > Ard Biesheuvel (7):
> >   efi/libstub: whitespace cleanup
> >   efi/libstub: fix prototype of efi_tcg2_protocol::get_event_log()
> >   efi/libstub: x86/mixed: increase supported argument count
> >   efi/libstub: move TPM related prototypes into efistub.h
> >   efi/libstub: add prototype of
> >     efi_tcg2_protocol::hash_log_extend_event()
> >   efi/libstub: consolidate initrd handling across architectures
> >   efi/libstub: measure loaded initrd info into the TPM
> >
> >  arch/x86/boot/compressed/efi_thunk_64.S       | 17 ++++--
> >  arch/x86/include/asm/efi.h                    | 13 +++--
> >  arch/x86/platform/efi/efi_thunk_64.S          | 17 ++++--
> >  .../firmware/efi/libstub/efi-stub-helper.c    | 56 +++++++++++++++----
> >  drivers/firmware/efi/libstub/efi-stub.c       | 10 +---
> >  drivers/firmware/efi/libstub/efistub.h        | 34 ++++++++++-
> >  drivers/firmware/efi/libstub/x86-stub.c       | 26 ++++-----
> >  include/linux/efi.h                           | 13 +----
> >  8 files changed, 123 insertions(+), 63 deletions(-)
> >
> > --
> > 2.17.1
> >

^ permalink raw reply	[flat|nested] 17+ messages in thread
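
The PCR arithmetic behind the separator argument in the message above, as an added model that is not part of the thread or of the patch series. The function names, the sample initrd bytes, the SHA-256 bank and the four-zero-byte separator payload are assumptions made for the illustration.

```python
import hashlib

PCR_SIZE = 32  # assumption: SHA-256 PCR bank


def measure(data: bytes) -> bytes:
    """Digest that gets extended into the PCR for a blob of data."""
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new PCR value = H(old PCR value || digest)."""
    return hashlib.sha256(pcr + digest).digest()


# Assumption: the separator is measured as four zero bytes.
SEPARATOR = measure(b"\x00\x00\x00\x00")

# Constructed sample data standing in for the initrd the verifier expects.
GOOD_INITRD = b"constructed sample initrd contents"


def stub_boot(stub_initrd, always_measure: bool, separator: bool) -> bytes:
    """PCR value left behind by the stub under one measurement policy.

    stub_initrd is None when the stub itself loaded nothing.
    always_measure models measuring a zero-sized input in that case.
    separator models an unconditional separator event afterwards.
    """
    pcr = bytes(PCR_SIZE)
    if stub_initrd is not None or always_measure:
        pcr = extend(pcr, measure(stub_initrd or b""))
    if separator:
        pcr = extend(pcr, SEPARATOR)
    return pcr


def spoofable(always_measure: bool, separator: bool) -> bool:
    """True if a later extend of the expected initrd digest reproduces the
    PCR value a verifier expects, although the stub loaded no initrd."""
    expected = stub_boot(GOOD_INITRD, always_measure, separator)
    left_by_stub = stub_boot(None, always_measure, separator)
    observed = extend(left_by_stub, measure(GOOD_INITRD))
    return observed == expected


if __name__ == "__main__":
    for always in (False, True):
        for sep in (False, True):
            print(f"always_measure={always!s:5} separator={sep!s:5} "
                  f"spoofable={spoofable(always, sep)}")
```

Only the policy that extends nothing when the stub loaded nothing, and records no separator, leaves the PCR in a state from which the expected value can still be reached.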

* Re: [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub
  2020-11-02 17:06 [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Ard Biesheuvel
                   ` (8 preceding siblings ...)
  2020-11-03  5:51 ` Ilias Apalodimas
@ 2020-11-03 21:22 ` James Bottomley
  9 siblings, 0 replies; 17+ messages in thread
From: James Bottomley @ 2020-11-03 21:22 UTC (permalink / raw)
  To: Ard Biesheuvel, linux-efi
  Cc: Peter Jones, Leif Lindholm, Arvind Sankar, Matthew Garrett,
	Daniel Kiper, Ilias Apalodimas

On Mon, 2020-11-02 at 18:06 +0100, Ard Biesheuvel wrote:
> This series enables measurement of the initrd data loaded directly by
> the EFI stub into the TPM, using the TCG2 protocol exposed by the
> firmware (if available). This ensures that the initrd observed and
> used by the OS is the same one that got measured into the TPM, which
> is more difficult to guarantee in the current situation.
> 
> This is posted as an RFC since it is mostly an invitation to discuss
> how we can fit this into a longer term strategy for arch-agnostic
> secure and measured boot that does not hinge on the Shim+GRUB tandem,
> or on deep knowledge on the part of the bootloader regarding device
> trees, bootparams structs, allocation and placement policies of
> various artifacts etc etc

For background: IBM research is currently working with the Keylime
people to get a boot log attestation service for both the cloud and
less hyperscale instances.  As part of this we're currently working
through what the Linux boot system (shim + grub + kernel) currently
logs today and how useful it actually is to a security enforcing
attestation system ... as in do we log useful stuff you can actually
make decisions on once we've used the TPM based attestation to verify
the correctness of the entire log.

> Open questions:
> - Should we do this?

Well, if you're going to essentially replicate the log events shim and
grub currently do, we should really define what we want to go in there.
At the moment shim logs mostly with events that are defined in the UEFI
spec and grub uses EV_IPL with the contents changing meaning depending
on which PCR is being logged through.  Shim also is a bit non-standard
in that it logs the Mok variables with EV_IPL events as well.

> - Are Linux systems in the field using PCR value prediction when
> updating the initrd? Does this approach interfere with that?

So initrd is the nastiest piece of this because it changes any time
anything is updated that triggers an initrd rebuild.  Since it's an end
to end hash of a cpio file with timestamps, the value is essentially
meaningless because the timestamp updates cause it to change on every
generation regardless of whether the contents actually changes.

Ideally I'd like something that's more characteristic of "this is
actually an initrd I created" than some random hash but it's very
difficult to generate that securely.

> - Which PCR and event type to use

Grub logs data (commands and command lines) through PCR 8 with the hash
being the hash of the event string.  It logs binaries through PCR 9
with the event string being the root relative path and the hash value
the end to end hash of the binary.  I'm not necessarily a fan of this
... Microsoft uses opaque EV_EFI_TAG events instead.

Grub also uses the shim lock protocol to check the kernel signature and
that will log both an EV_EFI_BOOT_SERVICES_APPLICATION with a NULL path
and EV_EFI_VARIABLE_AUTHORITY.

> - Is a separator event needed here, given that the initrd measurement
> is recorded even if no initrd was loaded by the stub?

Neither grub nor shim currently record separators ... again it's an
open question of whether they actually should.

James

> Note that the EFI stub ignores the initrd provided directly via
> bootparams or the device tree, and it would be nice if we could keep
> doing that.
> 
> Build tested only.
> 
> Cc: Peter Jones <pjones@redhat.com>
> Cc: Leif Lindholm <leif@nuviainc.com>
> Cc: Arvind Sankar <nivedita@alum.mit.edu>
> Cc: Matthew Garrett <mjg59@google.com>
> Cc: Daniel Kiper <daniel.kiper@oracle.com>
> Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> 
> Ard Biesheuvel (7):
>   efi/libstub: whitespace cleanup
>   efi/libstub: fix prototype of efi_tcg2_protocol::get_event_log()
>   efi/libstub: x86/mixed: increase supported argument count
>   efi/libstub: move TPM related prototypes into efistub.h
>   efi/libstub: add prototype of
>     efi_tcg2_protocol::hash_log_extend_event()
>   efi/libstub: consolidate initrd handling across architectures
>   efi/libstub: measure loaded initrd info into the TPM
> 
>  arch/x86/boot/compressed/efi_thunk_64.S       | 17 ++++--
>  arch/x86/include/asm/efi.h                    | 13 +++--
>  arch/x86/platform/efi/efi_thunk_64.S          | 17 ++++--
>  .../firmware/efi/libstub/efi-stub-helper.c    | 56 +++++++++++++++----
>  drivers/firmware/efi/libstub/efi-stub.c       | 10 +---
>  drivers/firmware/efi/libstub/efistub.h        | 34 ++++++++++-
>  drivers/firmware/efi/libstub/x86-stub.c       | 26 ++++-----
>  include/linux/efi.h                           | 13 +----
>  8 files changed, 123 insertions(+), 63 deletions(-)
> 



^ permalink raw reply	[flat|nested] 17+ messages in thread
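
The timestamp effect described in the message above, as an added example that is not from the thread: two cpio archives with identical files but different mtimes hash differently end to end, while a digest over names, modes and data stays stable. The helper names and file contents are constructed, and an uncompressed single-segment "newc" archive is assumed; the content digest is an offline comparison aid, not a proposed TPM measurement.

```python
import hashlib

MAGIC = b"070701"   # cpio "newc" magic
HDR_LEN = 110       # 6-byte magic + 13 fields of 8 hex digits


def _header(ino, mode, mtime, size, namesize):
    # Field order: ino mode uid gid nlink mtime filesize devmajor devminor
    #              rdevmajor rdevminor namesize check
    fields = (ino, mode, 0, 0, 1, mtime, size, 0, 0, 0, 0, namesize, 0)
    return MAGIC + b"".join(b"%08X" % f for f in fields)


def _pad4(buf):
    return buf + b"\x00" * (-len(buf) % 4)


def build_cpio(files, mtime):
    """Serialize {name: data} as a newc archive with one mtime for all files."""
    out = b""
    for ino, (name, data) in enumerate(sorted(files.items()), start=1):
        raw_name = name.encode() + b"\x00"
        out += _pad4(_header(ino, 0o100644, mtime, len(data), len(raw_name))
                     + raw_name)
        out += _pad4(data)
    trailer = b"TRAILER!!!\x00"
    return out + _pad4(_header(0, 0, 0, 0, len(trailer)) + trailer)


def members(archive):
    """Yield (name, mode, mtime, data) for each member of a newc archive."""
    off = 0
    while True:
        if archive[off:off + 6] != MAGIC:
            raise ValueError("not a newc header at offset %d" % off)
        f = [int(archive[off + 6 + 8 * i:off + 14 + 8 * i], 16)
             for i in range(13)]
        mode, mtime, size, namesize = f[1], f[5], f[6], f[11]
        name_start = off + HDR_LEN
        name = archive[name_start:name_start + namesize - 1].decode()
        if name == "TRAILER!!!":
            return
        data_start = (name_start + namesize + 3) & ~3
        yield name, mode, mtime, archive[data_start:data_start + size]
        off = (data_start + size + 3) & ~3


def archive_digest(archive):
    """End-to-end hash, which is what a measurement of the whole file sees."""
    return hashlib.sha256(archive).hexdigest()


def content_digest(archive):
    """Hash over name, mode and data of each member, ignoring mtime and inode."""
    h = hashlib.sha256()
    for name, mode, _mtime, data in members(archive):
        for part in (name.encode(), b"%o" % mode, data):
            h.update(len(part).to_bytes(8, "big") + part)
    return h.hexdigest()


# Constructed sample file set, rebuilt at two different times.
FILES = {"init": b"#!/bin/sh\nexec /sbin/init\n", "etc/hostname": b"sample\n"}
BUILD_A = build_cpio(FILES, 1604336400)
BUILD_B = build_cpio(FILES, 1604422800)
CHANGED = build_cpio(dict(FILES, init=b"#!/bin/sh\nexec /bin/sh\n"), 1604336400)

if __name__ == "__main__":
    for label, img in (("A", BUILD_A), ("B", BUILD_B), ("changed", CHANGED)):
        print(label, archive_digest(img)[:16], content_digest(img)[:16])
```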

* Re: [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub
  2020-11-02 20:26     ` Matthew Garrett
@ 2020-11-03 21:37       ` James Bottomley
  0 siblings, 0 replies; 17+ messages in thread
From: James Bottomley @ 2020-11-03 21:37 UTC (permalink / raw)
  To: Matthew Garrett, Ard Biesheuvel
  Cc: linux-efi, Peter Jones, Leif Lindholm, Arvind Sankar,
	Daniel Kiper, Ilias Apalodimas

On Mon, 2020-11-02 at 12:26 -0800, Matthew Garrett wrote:
> On Mon, Nov 2, 2020 at 12:24 PM Ard Biesheuvel <ardb@kernel.org>
> wrote:
> > Does Shim use PCR 7 for the MOK key database? Are there any
> > specific requirements from MS on which PCRs Shim must touch?
> 
> Yes, shim extends PCR 7 in the same way the firmware does. There's no
> requirement from MS on this, it just seemed like the right solution.

That's not fully correct: it extends PCR 7 for the
EV_EFI_VARIABLE_AUTHORITY event, but it measures the actual contents of
the variables to PCR 14 using an EV_IPL event.  I'm actually trying to
persuade Peter that we should replace this latter with an
EV_EFI_VARIABLE_DRIVER_CONFIG event through PCR 7 instead.

James



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [RFC PATCH 7/7] efi/libstub: measure loaded initrd info into the TPM
  2020-11-02 17:06 ` [RFC PATCH 7/7] efi/libstub: measure loaded initrd info into the TPM Ard Biesheuvel
@ 2020-11-03 21:45   ` James Bottomley
  0 siblings, 0 replies; 17+ messages in thread
From: James Bottomley @ 2020-11-03 21:45 UTC (permalink / raw)
  To: Ard Biesheuvel, linux-efi
  Cc: Peter Jones, Leif Lindholm, Arvind Sankar, Matthew Garrett,
	Daniel Kiper, Ilias Apalodimas

On Mon, 2020-11-02 at 18:06 +0100, Ard Biesheuvel wrote:
> Modify the initrd loading sequence so that the contents of the initrd
> loaded by the EFI stub are measured into the TPM. Note that this also
> includes the measurement of a zero sized input if the stub's initrd
> loader fails for any reason, or simply succeeds with no result, which
> it does for legacy reasons when using the initrd= command line
> option.
> 
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> ---
>  drivers/firmware/efi/libstub/efi-stub-helper.c | 53 +++++++++++++++-
> ----
>  1 file changed, 40 insertions(+), 13 deletions(-)
> 
> diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c
> b/drivers/firmware/efi/libstub/efi-stub-helper.c
> index 72a7e7c4d403..d8cf1911171a 100644
> --- a/drivers/firmware/efi/libstub/efi-stub-helper.c
> +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
> @@ -625,6 +625,22 @@ efi_status_t
> efi_load_initrd_cmdline(efi_loaded_image_t *image,
>  				    load_addr, load_size);
>  }
>  
> +static const struct {
> +	efi_tcg2_event_t	event_data;
> +	u8			description[];
> +} initrd_tcg2_event = {
> +	{
> +		sizeof(initrd_tcg2_event),
> +		{
> +			sizeof(initrd_tcg2_event.event_data.event_heade
> r),
> +			EFI_TCG2_EVENT_HEADER_VERSION,
> +			0,
> +			0
> +		},
> +	},
> +	"Linux initrd"
> +};
> +
>  /**
>   * efi_load_initrd() - Load initial RAM disk
>   * @image:	EFI loaded image protocol
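
Review bot: in the initrd_tcg2_event initializer, sizeof(initrd_tcg2_event) is taken on a struct whose last member, description[], is a flexible array, so the bytes of "Linux initrd" are not counted in the first size field. If that field is meant to cover the whole event including its description, compute it from the header size plus sizeof("Linux initrd") instead. The two trailing 0 values in the header initializer, presumably the PCR index and the event type, would also be clearer as named constants or with a comment, since the choice of both is still an open question in the cover letter.
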
> @@ -641,25 +657,36 @@ efi_status_t efi_load_initrd(efi_loaded_image_t
> *image,
>  			     unsigned long soft_limit,
>  			     unsigned long hard_limit)
>  {
> +	efi_guid_t tcg2_guid = EFI_TCG2_PROTOCOL_GUID;
> +	efi_tcg2_protocol_t *tcg2 = NULL;
>  	efi_status_t status;
>  
>  	if (efi_noinitrd) {
>  		*load_addr = *load_size = 0;
> -		return EFI_SUCCESS;
> +		status = EFI_SUCCESS;
> +	} else {
> +		status = efi_load_initrd_dev_path(load_addr, load_size,
> hard_limit);
> +		if (status == EFI_SUCCESS) {
> +			efi_info("Loaded initrd from
> LINUX_EFI_INITRD_MEDIA_GUID device path\n");
> +		} else if (status == EFI_NOT_FOUND) {
> +			status = efi_load_initrd_cmdline(image,
> load_addr, load_size,
> +							 soft_limit,
> hard_limit);
> +			if (status == EFI_SUCCESS && *load_size > 0)
> +				efi_info("Loaded initrd from command
> line option\n");
> +		}
> +		if (status != EFI_SUCCESS) {
> +			efi_err("Failed to load initrd: 0x%lx\n",
> status);
> +			*load_addr = *load_size = 0;
> +		}
>  	}
>  
> -	status = efi_load_initrd_dev_path(load_addr, load_size,
> hard_limit);
> -	if (status == EFI_SUCCESS) {
> -		efi_info("Loaded initrd from
> LINUX_EFI_INITRD_MEDIA_GUID device path\n");
> -	} else if (status == EFI_NOT_FOUND) {
> -		status = efi_load_initrd_cmdline(image, load_addr,
> load_size,
> -						 soft_limit,
> hard_limit);
> -		if (status == EFI_SUCCESS && *load_size > 0)
> -			efi_info("Loaded initrd from command line
> option\n");
> -	}
> -	if (status != EFI_SUCCESS) {
> -		efi_err("Failed to load initrd: 0x%lx\n", status);
> -		*load_addr = *load_size = 0;
> +	efi_bs_call(locate_protocol, &tcg2_guid, NULL, (void **)&tcg2);
> +	if (tcg2) {
> +		efi_status_t s = efi_call_proto(tcg2,
> hash_log_extend_event,
> +						0, *load_addr,
> *load_size,
> +						&initrd_tcg2_event.even
> t_data);
> +		if (s != EFI_SUCCESS)
> +			efi_warn("Failed to measure initrd data into
> PCR #xx: 0x%lx\n", s);
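
Review bot: the efi_warn() at the end of this hunk prints a literal "PCR #xx", and the status returned by the locate_protocol call above it is discarded, so the code relies on tcg2 still being NULL when the lookup fails. Suggest printing the real PCR index once it has been chosen and checking the locate_protocol status explicitly. A failed hash_log_extend_event call only produces a warning, so boot continues with an initrd that was never measured; a comment stating whether that is intended would help.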

Both shim and grub currently work for both TPMs 1.2 and 2.0.  I get
that TPM 1.2 should be going away, but it is taking quite a long time
to exit the ecosystem so I don't think we can get away with being TPM
2.0 only here.

James



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub
  2020-11-02 19:39 ` [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Matthew Garrett
  2020-11-02 20:24   ` Ard Biesheuvel
@ 2020-11-03 22:29   ` James Bottomley
  1 sibling, 0 replies; 17+ messages in thread
From: James Bottomley @ 2020-11-03 22:29 UTC (permalink / raw)
  To: Matthew Garrett, Ard Biesheuvel
  Cc: linux-efi, Peter Jones, Leif Lindholm, Arvind Sankar,
	Daniel Kiper, Ilias Apalodimas

On Mon, 2020-11-02 at 11:39 -0800, Matthew Garrett wrote:
> We should probably look at what Windows is doing here.

Here's a Windows laptop log parsed using a tool we're working on.  It's
the same format as the Intel TSS log parser tool (YAML) simply with
additional fields.

The bootloader as measured by UEFI is event 25.  Everything after that
is Windows specific.  You can see they do use an event separator but
only as they're about to call ExitBootServices and they only do
EV_COMPACT_HASH and EV_EVENT_TAG.

James

---
events:
- EventNum: 0
  PCRIndex: 0
  EventType: EV_NO_ACTION
  Digest: '0000000000000000000000000000000000000000'
  EventSize: 33
  SpecID:
  - Signature: Spec ID Event03
    platformClass: 0
    specVersionMinor: 0
    specVersionMajor: 2
    specErrata: 0
    uintnSize: 2
    numberOfAlgorithms: 1
    Algorithms:
    - Algorithm[0]: null
      algorithmId: sha256
      digestSize: 32
    vendorInfoSize: 0
- EventNum: 1
  PCRIndex: 0
  EventType: EV_S_CRTM_VERSION
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: b4bff3baca8e02911e6480498e17c2e1f29e8e3f15c6d66357b6f7726103dcbb
  EventSize: 32
  Event: 4100560043004e0032003200570057002800560031002e003100320029000000
- EventNum: 2
  PCRIndex: 7
  EventType: EV_EFI_VARIABLE_DRIVER_CONFIG
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: ccfc4bb32888a345bc8aeadaba552b627d99348c767681ab3141f5b01e40a40e
  EventSize: 53
  Event:
    VariableName: 61dfe48b-ca93-d211-aa0d-00e098032b8c
    UnicodeNameLength: 10
    VariableDataLength: 1
    UnicodeName: SecureBoot
    VariableData:
      Enabled: 'Yes'
- EventNum: 3
  PCRIndex: 7
  EventType: EV_EFI_VARIABLE_DRIVER_CONFIG
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 99bd2dfa6bc84d71dfb6a0597f234c3624e36dbb6382d888f3bf71abb67a4934
  EventSize: 888
  Event:
    VariableName: 61dfe48b-ca93-d211-aa0d-00e098032b8c
    UnicodeNameLength: 2
    VariableDataLength: 852
    UnicodeName: PK
    VariableData:
    - SignatureType: a5c059a1-94e4-4aa7-87b5-ab155c2bf072
      SignatureListSize: 852
      SignatureHeaderSize: 0
      SignatureSize: 824
      Keys:
      - SignatureOwner: e04fd794-033e-46a0-81d2-048e8da1432e
- EventNum: 4
  PCRIndex: 7
  EventType: EV_EFI_VARIABLE_DRIVER_CONFIG
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 63c0ee78eb49b91ac213b03768a827ebf9b12370f65851b19a883bf32eaf2a14
  EventSize: 1598
  Event:
    VariableName: 61dfe48b-ca93-d211-aa0d-00e098032b8c
    UnicodeNameLength: 3
    VariableDataLength: 1560
    UnicodeName: KEK
    VariableData:
    - SignatureType: a5c059a1-94e4-4aa7-87b5-ab155c2bf072
      SignatureListSize: 1560
      SignatureHeaderSize: 0
      SignatureSize: 1532
      Keys:
      - SignatureOwner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
- EventNum: 5
  PCRIndex: 7
  EventType: EV_EFI_VARIABLE_DRIVER_CONFIG
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: e938fba630de62bbc22df8ccd40c6b349830155f1049f8da54520ae97a5e37b0
  EventSize: 4029
  Event:
    VariableName: cbb219d7-3a3d-9645-a3bc-dad00e67656f
    UnicodeNameLength: 2
    VariableDataLength: 3993
    UnicodeName: db
    VariableData:
    - SignatureType: a5c059a1-94e4-4aa7-87b5-ab155c2bf072
      SignatureListSize: 1543
      SignatureHeaderSize: 0
      SignatureSize: 1515
      Keys:
      - SignatureOwner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
    - SignatureType: a5c059a1-94e4-4aa7-87b5-ab155c2bf072
      SignatureListSize: 1600
      SignatureHeaderSize: 0
      SignatureSize: 1572
      Keys:
      - SignatureOwner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
    - SignatureType: a5c059a1-94e4-4aa7-87b5-ab155c2bf072
      SignatureListSize: 850
      SignatureHeaderSize: 0
      SignatureSize: 822
      Keys:
      - SignatureOwner: e04fd794-033e-46a0-81d2-048e8da1432e
- EventNum: 6
  PCRIndex: 7
  EventType: EV_EFI_VARIABLE_DRIVER_CONFIG
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 37f3fc46a22afd57abb467c81982d6274362009ad60141e4b8e939ddc5789df5
  EventSize: 4050
  Event:
    VariableName: cbb219d7-3a3d-9645-a3bc-dad00e67656f
    UnicodeNameLength: 3
    VariableDataLength: 4012
    UnicodeName: dbx
    VariableData:
    - SignatureType: c1c41626-504c-4092-aca9-41f936934328
      SignatureListSize: 4012
      SignatureHeaderSize: 0
      SignatureSize: 48
      Keys:
- EventNum: 7
  PCRIndex: 7
  EventType: EV_SEPARATOR
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
  EventSize: 4
  Event: '00000000'
- EventNum: 8
  PCRIndex: 2
  EventType: EV_EFI_BOOT_SERVICES_DRIVER
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 324ab169c198be9c7f4ea3c643642b87590aeda064dbed3ce817d243790547ad
  EventSize: 84
  Event:
    ImageLocationInMemory: 794439704
    ImageLengthInMemory: 132528
    ImageLinkTimeAddress: 0
    LengthOfDevicePath: 52
    DevicePath: PciRoot(0x0)/Pci(0x1,0x0)/Pci(0x0,0x0)/Offset(0xee00,0x1fdff)
- EventNum: 9
  PCRIndex: 1
  EventType: EV_EFI_HANDOFF_TABLES
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: d2238e9d71970be3640cbbc06d58ece1078e18b2a22c35c9bff7faeea0dcc87e
  EventSize: 32
  Event: 01000000000000004415fdf294972c4a992ee5bbcf20e3940060d13e00000000
- EventNum: 10
  PCRIndex: 5
  EventType: EV_EFI_VARIABLE_BOOT
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 9d516d59bf697cabc00ae022bbfcdf88f8227c026a00e1aa8a02c6173fd2e87a
  EventSize: 58
  Event:
    VariableName: 61dfe48b-ca93-d211-aa0d-00e098032b8c
    UnicodeNameLength: 9
    VariableDataLength: 8
    UnicodeName: BootOrder
    VariableData:
    - Boot0003
    - Boot2001
    - Boot2002
    - Boot2003
- EventNum: 11
  PCRIndex: 5
  EventType: EV_EFI_VARIABLE_BOOT
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: fb953c3ade37d7438f53d77c10044adb24ab7519b40cc0302034e4e0e93cf165
  EventSize: 348
  Event:
    VariableName: 61dfe48b-ca93-d211-aa0d-00e098032b8c
    UnicodeNameLength: 8
    VariableDataLength: 300
    UnicodeName: Boot0003
    VariableData:
      Enabled: 'Yes'
      FilePathListLength: 116
      Description: Windows Boot Manager
      DevicePath: HD(1,GPT,f6f2ba16-bb89-4242-8dd2-cecbf146c7ce,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
- EventNum: 12
  PCRIndex: 5
  EventType: EV_EFI_VARIABLE_BOOT
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 0c7c99b95a506ed44fb0816181e8e3a3a02d28c14df69d7e440b1ca64fef8c74
  EventSize: 90
  Event:
    VariableName: 61dfe48b-ca93-d211-aa0d-00e098032b8c
    UnicodeNameLength: 8
    VariableDataLength: 42
    UnicodeName: Boot2001
    VariableData:
      Enabled: 'Yes'
      FilePathListLength: 4
      Description: EFI USB Device
      DevicePath: <bad path>
- EventNum: 13
  PCRIndex: 5
  EventType: EV_EFI_VARIABLE_BOOT
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 2acfbd80332f202797d5cef9f3be599db9ed7fa826c7c8dbbb216f813a1d74b1
  EventSize: 88
  Event:
    VariableName: 61dfe48b-ca93-d211-aa0d-00e098032b8c
    UnicodeNameLength: 8
    VariableDataLength: 40
    UnicodeName: Boot2002
    VariableData:
      Enabled: 'Yes'
      FilePathListLength: 4
      Description: EFI DVD/CDROM
      DevicePath: <bad path>
- EventNum: 14
  PCRIndex: 5
  EventType: EV_EFI_VARIABLE_BOOT
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: fb1bc2fbbbf7e3cc3ab77af1eb4f0fe772dace6b26c7bad60b66fc1f9d54babe
  EventSize: 84
  Event:
    VariableName: 61dfe48b-ca93-d211-aa0d-00e098032b8c
    UnicodeNameLength: 8
    VariableDataLength: 36
    UnicodeName: Boot2003
    VariableData:
      Enabled: 'Yes'
      FilePathListLength: 4
      Description: EFI Network
      DevicePath: <bad path>
- EventNum: 15
  PCRIndex: 5
  EventType: EV_EFI_ACTION
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 3d6772b4f84ed47595d72a2c4c5ffd15f5bb72c7507fe26f2aaee2c69d5633ba
  EventSize: 40
  Event: Calling EFI Application from Boot Option
- EventNum: 16
  PCRIndex: 0
  EventType: EV_SEPARATOR
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
  EventSize: 4
  Event: '00000000'
- EventNum: 17
  PCRIndex: 1
  EventType: EV_SEPARATOR
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
  EventSize: 4
  Event: '00000000'
- EventNum: 18
  PCRIndex: 2
  EventType: EV_SEPARATOR
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
  EventSize: 4
  Event: '00000000'
- EventNum: 19
  PCRIndex: 3
  EventType: EV_SEPARATOR
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
  EventSize: 4
  Event: '00000000'
- EventNum: 20
  PCRIndex: 4
  EventType: EV_SEPARATOR
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
  EventSize: 4
  Event: '00000000'
- EventNum: 21
  PCRIndex: 5
  EventType: EV_SEPARATOR
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
  EventSize: 4
  Event: '00000000'
- EventNum: 22
  PCRIndex: 6
  EventType: EV_SEPARATOR
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
  EventSize: 4
  Event: '00000000'
- EventNum: 23
  PCRIndex: 7
  EventType: EV_EFI_VARIABLE_AUTHORITY
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 30bf464ee37f1bc0c7b1a5bf25eced275347c3ab1492d5623ae9f7663be07dd5
  EventSize: 1551
  Event:
    VariableName: cbb219d7-3a3d-9645-a3bc-dad00e67656f
    UnicodeNameLength: 2
    VariableDataLength: 1515
    UnicodeName: db
    VariableData:
      SignatureOwner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
- EventNum: 24
  PCRIndex: 5
  EventType: EV_EFI_GPT_EVENT
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: af6a177bc8d8464d0a8132ac60293a56aa2e350eea122d8f316d28bab7c63b4b
  EventSize: 612
  Event:
    Header:
      Signature: EFI PART
      Revision: 0x10000
      HeaderSize: 92
      HeaderCRC32: 0x4607d893
      MyLBA: 0x1
      AlternateLBA: 0x3b9e12af
      FirstUsableLBA: 0x22
      LastUsableLBA: 0x3b9e128e
      DiskGuid: d1a0ad52-7e5f-4717-965b-24975d685054
      PartitionEntryLBA: 0x2
      NumberOfPartitionEntries: 128
      SizeOfPartitionEntry: 128
      PartitionEntryArrayCRC: 0xb2f4c60f
    NumberOfPartitions: 4
    Partitions:
    - PartitionTypeGUID: c12a7328-f81f-11d2-ba4b-00a0c93ec93b
      UniquePartitionGUID: f6f2ba16-bb89-4242-8dd2-cecbf146c7ce
      StartingLBA: 0x800
      EndingLBA: 0x827ff
      Attributes: 0x8000000000000000
      PartitionName: EFI system partition
    - PartitionTypeGUID: e3c9e316-0b5c-4db8-817d-f92df00215ae
      UniquePartitionGUID: 1a5731d6-a09d-43b3-886a-e342560c5f49
      StartingLBA: 0x82800
      EndingLBA: 0x8a7ff
      Attributes: 0x8000000000000000
      PartitionName: Microsoft reserved partition
    - PartitionTypeGUID: ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
      UniquePartitionGUID: 3bd5aaaf-ce3b-4609-80ab-c52f79c80999
      StartingLBA: 0x8a800
      EndingLBA: 0x3b7ecfff
      Attributes: 0x0
      PartitionName: Basic data partition
    - PartitionTypeGUID: de94bba4-06d1-4d40-a16a-bfd50179d6ac
      UniquePartitionGUID: 60d1f406-21e0-46c5-9023-c773cb2172fc
      StartingLBA: 0x3b7ed000
      EndingLBA: 0x3b9e0fff
      Attributes: 0x8000000000000001
      PartitionName: Basic data partition
- EventNum: 25
  PCRIndex: 4
  EventType: EV_EFI_BOOT_SERVICES_APPLICATION
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 41796e6fd1976f3750bfb26d6b00e773478ea8d0fe1b67f638bbbc098bf8008a
  EventSize: 176
  Event:
    ImageLocationInMemory: 760659992
    ImageLengthInMemory: 1557816
    ImageLinkTimeAddress: 268435456
    LengthOfDevicePath: 144
    DevicePath: PciRoot(0x0)/Pci(0x17,0x0)/Sata(512,32768,0)/HD(1,GPT,f6f2ba16-bb89-4242-8dd2-cecbf146c7ce,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
- EventNum: 26
  PCRIndex: 11
  EventType: EV_COMPACT_HASH
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 097328e8c957de2428283954f6a1ee8ff7ad7def12e100a600178407f5decf24
  EventSize: 4
  Event: '10000000'
- EventNum: 27
  PCRIndex: 12
  EventType: EV_EVENT_TAG
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: c14b8ee083b10861666ed0c22ba3994c124f87cc62eaa8df10d318e511e3e077
  EventSize: 280
- EventNum: 28
  PCRIndex: 13
  EventType: EV_EVENT_TAG
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 081567da817e25da71e1363864081a4aaaac979388f90fd27c320ff02253e9d7
  EventSize: 916
- EventNum: 29
  PCRIndex: 14
  EventType: EV_EVENT_TAG
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 56b5e2611e00f475c7f1c5f1eb2df5173e01c61099423775b9650e9a666ea4a8
  EventSize: 302
- EventNum: 30
  PCRIndex: 12
  EventType: EV_EVENT_TAG
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: e65898200a0403ac304056ee60c14bfc1964bda495f358b4a2a985b04531b3b3
  EventSize: 6051
- EventNum: 31
  PCRIndex: 13
  EventType: EV_EVENT_TAG
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 51489a05ccd19aef31d0ca7eeab0d3decd9a18c786e634fe773c01c05b769595
  EventSize: 33144
- EventNum: 32
  PCRIndex: 14
  EventType: EV_EVENT_TAG
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 8b845a66c7bdd3f2b642061dbfceb384a5d025a3eda93f15a0054ad503a0caeb
  EventSize: 1216
- EventNum: 33
  PCRIndex: 11
  EventType: EV_COMPACT_HASH
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 08efea1c0957a5a1fe019e6edb21fdc9fbe5de2213487eab7a05e06eca1c9784
  EventSize: 4
  Event: ffff0000
- EventNum: 34
  PCRIndex: 12
  EventType: EV_SEPARATOR
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 4613c07447240b20cf1baa3fd4441a3f1b62bea1e9aaaa0678532b83ce9de254
  EventSize: 4
  Event: 5742434c
- EventNum: 35
  PCRIndex: 13
  EventType: EV_SEPARATOR
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 4613c07447240b20cf1baa3fd4441a3f1b62bea1e9aaaa0678532b83ce9de254
  EventSize: 4
  Event: 5742434c
- EventNum: 36
  PCRIndex: 14
  EventType: EV_SEPARATOR
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: 4613c07447240b20cf1baa3fd4441a3f1b62bea1e9aaaa0678532b83ce9de254
  EventSize: 4
  Event: 5742434c
- EventNum: 37
  PCRIndex: 5
  EventType: EV_EFI_ACTION
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: d8043d6b7b85ad358eb3b6ae6a873ab7ef23a26352c5dc4faa5aeedacf5eb41b
  EventSize: 29
  Event: Exit Boot Services Invocation
- EventNum: 38
  PCRIndex: 5
  EventType: EV_EFI_ACTION
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: b54f7542cbd872a81a9d9dea839b2b8d747c7ebd5ea6615c40f42f44a6dbeba0
  EventSize: 40
  Event: Exit Boot Services Returned with Success



Thread overview: 17+ messages
2020-11-02 17:06 [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 1/7] efi/libstub: whitespace cleanup Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 2/7] efi/libstub: fix prototype of efi_tcg2_protocol::get_event_log() Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 3/7] efi/libstub: x86/mixed: increase supported argument count Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 4/7] efi/libstub: move TPM related prototypes into efistub.h Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 5/7] efi/libstub: add prototype of efi_tcg2_protocol::hash_log_extend_event() Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 6/7] efi/libstub: consolidate initrd handling across architectures Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 7/7] efi/libstub: measure loaded initrd info into the TPM Ard Biesheuvel
2020-11-03 21:45   ` James Bottomley
2020-11-02 19:39 ` [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Matthew Garrett
2020-11-02 20:24   ` Ard Biesheuvel
2020-11-02 20:26     ` Matthew Garrett
2020-11-03 21:37       ` James Bottomley
2020-11-03 22:29   ` James Bottomley
2020-11-03  5:51 ` Ilias Apalodimas
2020-11-03  8:18   ` Ard Biesheuvel
2020-11-03 21:22 ` James Bottomley