From: Mimi Zohar <zohar@linux.ibm.com>
To: Jerry Snitselaar <jsnitsel@redhat.com>
Cc: Ken Goldman <kgold@linux.ibm.com>,
	linux-integrity@vger.kernel.org,
	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	Matthew Garrett <mjg59@google.com>,
	Ken Goldman <kgoldman@us.ibm.com>
Subject: Re: Disparity in tpm pcr5 value
Date: Thu, 07 May 2020 16:57:14 -0400
Message-ID: <1588885034.5685.121.camel@linux.ibm.com>
In-Reply-To: <20200507162624.4eqi6tvfmfabn6vj@cantor>

On Thu, 2020-05-07 at 09:26 -0700, Jerry Snitselaar wrote:
> On Thu May 07 20, Mimi Zohar wrote:
> >On Thu, 2020-05-07 at 00:35 -0700, Jerry Snitselaar wrote:
> >> On Wed May 06 20, Ken Goldman wrote:
> >> >On 5/5/2020 6:27 PM, Jerry Snitselaar wrote:
> >> >>On some systems we've had reports that the value of pcr5 doesn't match
> >> >>the digests in the tpm event log.
> >> >>It looks like I'm able to reproduce here with 5.7-rc4 on a dell
> >> >>system using this parser:
> >> >>
> >> >>https://github.com/ValdikSS/binary_bios_measurements_parser
> >> >>
> >> >>Any thoughts on where to start digging? Is there another tool I
> >> >>should use to parse this?
> >> >
> >> >If you email me the event log in binary, I can run it through the IBM
> >> >calculator and see if I get the same error.
> >> >
> >> >
> >>
> >> A couple other data points:
> >>
> >> - On the Dell system where I did this if I change it in the bios to use sha256
> >>    instead of sha1, then using tsseventextend to parse matches the value in the tpm.
> >>    In the sha256 case there is a final events log.
> >>
> >> - I have a nuc5 here, which also extends into sha1, and the parse matches there.
> >>
> >> - Javier has also reproduced it when passing through swtpm to a vm.
> >>
> >> - I added some debugging code, and there is nothing extending pcr5 with tpm_pcr_extend.
> >>
> >> - Ken's parse of the log also shows the disparity, which I've now done as well with
> >>    the tpm1.2 version of the tsseventextend tool.
> >
> >Thanks, Jerry.  You've eliminated the kernel extending into the PCR.
> >For SHA256, the event log has to be TPM 2.0 format.  I've seen TPM
> >2.0's for SHA1 use the TPM 1.2 event log format.  When using SHA1, is
> >it a TPM 1.2 or 2.0 event log format?
> 
> It is the 1.2 event log format.

From everything you've said, it sounds like buggy firmware.  Either an
additional event is added to the list, but does not extend the TPM.
Or an event extends the TPM, but is not added to the event log.  This
isn't a kernel problem and can't be addressed by the kernel.
Hopefully the vendor will be willing to address it.

Mimi
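As an added check, not code from this thread or from the tools named in it, here is a small Python replay of a TPM 1.2 (SHA-1) event log in the binary_bios_measurements layout: it recomputes each PCR from the logged digests and reports which PCRs disagree with the values the TPM returns. The sample log and the "TPM-reported" PCR values are constructed inline; the PCR 5 mismatch models the case Mimi describes where firmware extends the TPM without writing a matching log entry.

```python
import hashlib
import struct

# TCG TPM 1.2 event log entry (the SHA-1 binary_bios_measurements layout):
#   uint32 pcrIndex, uint32 eventType, byte[20] digest, uint32 eventSize, event[eventSize]
ENTRY_HDR = struct.Struct("<II20sI")
SHA1_ZERO = bytes(20)  # reset value of PCR 0-7

def parse_tpm12_log(data):
    """Yield (pcr_index, event_type, digest, event_data) for each log entry."""
    off = 0
    while off + ENTRY_HDR.size <= len(data):
        pcr, etype, digest, size = ENTRY_HDR.unpack_from(data, off)
        off += ENTRY_HDR.size
        event = data[off:off + size]
        if len(event) != size:
            raise ValueError("truncated event at offset %d" % off)
        off += size
        yield pcr, etype, digest, event
    if off != len(data):
        raise ValueError("trailing bytes after last entry")

def replay_log(data):
    """Recompute PCR values: pcr = SHA1(pcr || digest) for every logged digest, in order."""
    pcrs = {}
    for pcr, _etype, digest, _event in parse_tpm12_log(data):
        pcrs[pcr] = hashlib.sha1(pcrs.get(pcr, SHA1_ZERO) + digest).digest()
    return pcrs

def diff_against_tpm(data, tpm_pcrs):
    """Return the PCR indices whose replayed value differs from what the TPM reports."""
    replayed = replay_log(data)
    return sorted(i for i, v in tpm_pcrs.items() if replayed.get(i, SHA1_ZERO) != v)

def make_entry(pcr, etype, event):
    """Build one log entry; the digest is SHA-1 of the event data (constructed sample)."""
    digest = hashlib.sha1(event).digest()
    return ENTRY_HDR.pack(pcr, etype, digest, len(event)) + event

# Constructed sample log: EV_SEPARATOR (0x04) on PCR 0-7, then one EV_IPL (0x0D) on PCR 5.
SAMPLE_LOG = b"".join(make_entry(i, 0x04, b"\x00\x00\x00\x00") for i in range(8))
SAMPLE_LOG += make_entry(5, 0x0D, b"Boot0001")

# Constructed "TPM-reported" PCRs: the replay result plus one extend into PCR 5
# that never made it into the log (the firmware bug hypothesised above).
TPM_PCRS = replay_log(SAMPLE_LOG)
TPM_PCRS[5] = hashlib.sha1(TPM_PCRS[5] + hashlib.sha1(b"unlogged").digest()).digest()

if __name__ == "__main__":
    print("PCRs disagreeing with log replay:", diff_against_tpm(SAMPLE_LOG, TPM_PCRS))
```

On a real system, feed it the bytes of /sys/kernel/security/tpm0/binary_bios_measurements and the SHA-1 PCR bank read from the TPM; a PCR that disagrees while no kernel tpm_pcr_extend call touched it points at the firmware, as in this thread.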
