TPM PCR0 recontruction fails on Pluton fTPM
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Fwupd |
Unknown
|
Unknown
|
|||
fwupd (Ubuntu) |
Opinion
|
Undecided
|
Unassigned |
Bug Description
My Gigabyte UEFI BIOS has an option to select which TPM chip to use. By default it uses AMD fTPM. After manually enabling Pluton fTPM via Gigabyte UEFI, TPM PCR0 reconstruction status changed to Invalid.
Ubuntu Version: 23.10
Kernel: Xanmod 6.6.8, Generic 6.5.0-14
Version: org.freedesktop
Log
```
Host Security ID: HSI:1 (v1.9.5)
HSI-1
✔ Fused platform: Locked
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI bootservice variables: Locked
✔ UEFI platform key: Valid
✔ UEFI secure boot: Enabled
HSI-2
✔ IOMMU: Enabled
✔ Platform debugging: Locked
✔ SPI write protection: Enabled
✘ TPM PCR0 reconstruction: Invalid
HSI-3
✔ Pre-boot DMA protection: Enabled
✘ SPI replay protection: Not supported
✘ Suspend-to-idle: Disabled
✘ Suspend-to-ram: Enabled
HSI-4
✘ Encrypted RAM: Not supported
✘ Processor rollback protection: Disabled
Runtime Suffix -!
✔ Linux kernel: Untainted
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Encrypted
✔ fwupd plugins: Untainted
The TPM PCR0 differs from reconstruction.
» https:/
Host Security Events
2023-12-25 18:39:14: ✘ TPM PCR0 reconstruction changed: Valid → Invalid
```
description: | updated |
Thanks for the report, Masum.
I'm not sure if this is actually a bug against fwupd or just that fwupd is the tool that reported the change.
And it's entirely possible that this is the correct outcome. If the TPM device changes on a system, it's suddenly a very different system.
Hopefully someone more familiar with what's being done here will have some input; I suspect this is all "working as intended".
Thanks