The first event there is a EV_EFI_ACTION event with the string "UEFI Debug Mode". Our PCR policy calculations depend on this event not being there for it to work for full disk-encryption. From section 2.3.4.8 of the TCG PC Client Platform Firmware Profile Specification:
"If the platform provides a firmware debugger mode which may be used prior to the
UEFI environment or if the platform provides a debugger for the UEFI environment,
then the platform SHALL extend an EV_EFI_ACTION event into PCR[7] before
allowing use of the debugger. The event string SHALL be “UEFI Debug Mode”. The
Platform Firmware MUST log this measurement in the event log using the string
“UEFI Debug Mode” for the Event Data."
So presence of the event indicates that the platform firmware provides a firmware debugger.
From the TCG log supplied in comment #43:
$ ./tcglog-dump --alg sha256 --verbose --pcrs 7 ~/Downloads/ binary_ bios_measuremen ts 76651b354468c00 47f8d1547d25056 ded5952aaf59917 62a3 EV_EFI_ACTION [ UEFI Debug Mode ] 5bc8aeadaba552b 627d99348c76768 1ab3141f5b01e40 a40e EV_EFI_ VARIABLE_ DRIVER_ CONFIG [ UEFI_VARIABLE_DATA{ VariableName: 8be4df61- 93ca-11d2- aa0d-00e098032b 8c, UnicodeName: "SecureBoot" } ] 8cc04a493f47e24 f46d18d9dfc6aed 0ac41f267380b53 3194 EV_EFI_ VARIABLE_ DRIVER_ CONFIG [ UEFI_VARIABLE_DATA{ VariableName: 8be4df61- 93ca-11d2- aa0d-00e098032b 8c, UnicodeName: "PK" } ] b14c751cdddd812 3da1f64f5ea8540 7622f6be90d4621 d958 EV_EFI_ VARIABLE_ DRIVER_ CONFIG [ UEFI_VARIABLE_DATA{ VariableName: 8be4df61- 93ca-11d2- aa0d-00e098032b 8c, UnicodeName: "KEK" } ] 587901e9b5f867f c6652fb3972d3c6 ce05f4b7dad11f7 912b EV_EFI_ VARIABLE_ DRIVER_ CONFIG [ UEFI_VARIABLE_DATA{ VariableName: d719b2cb- 3d3a-4596- a3bc-dad00e6765 6f, UnicodeName: "db" } ] 201fc201930034b 6438a5282bfd654 2f38dde3384e0b4 48e0 EV_EFI_ VARIABLE_ DRIVER_ CONFIG [ UEFI_VARIABLE_DATA{ VariableName: d719b2cb- 3d3a-4596- a3bc-dad00e6765 6f, UnicodeName: "dbx" } ] b4057192dc43dd7 48ea778adc52bc4 98ce80524c014b8 1119 EV_SEPARATOR dc01a16eaf2dbb5 d575afeb36f5d8d fcf609ae043909e 2ee9 EV_EFI_ VARIABLE_ AUTHORITY [ UEFI_VARIABLE_DATA{ VariableName: d719b2cb- 3d3a-4596- a3bc-dad00e6765 6f, UnicodeName: "db" } ] a5ef12fe09d8b49 bf951a8e7f89a0c ca7a51636693d41 a34d EV_EFI_ VARIABLE_ AUTHORITY [ UEFI_VARIABLE_DATA{ VariableName: 605dab50- e046-4300- abb6-3dd810dd8b 23, UnicodeName: "SbatLevel" } ] 95f6af49d0e32b7 4142972d9dd4c1b 8068450653683a1 3016 EV_EFI_ VARIABLE_ AUTHORITY [ UEFI_VARIABLE_DATA{ VariableName: 605dab50- e046-4300- abb6-3dd810dd8b 23, UnicodeName: "Shim" } ]
7 a62bd67b2cc2959
7 ccfc4bb32888a34
7 bdac662ac2f50e2
7 08bef4adae58358
7 9538dfd2bfb2105
7 5c959286c9a5906
7 df3f619804a92fd
7 4d4a8e2c74133bb
7 922e939a5565798
7 5e19450c7a75acd
The first event there is a EV_EFI_ACTION event with the string "UEFI Debug Mode". Our PCR policy calculations depend on this event not being there for it to work for full disk-encryption. From section 2.3.4.8 of the TCG PC Client Platform Firmware Profile Specification:
"If the platform provides a firmware debugger mode which may be used prior to the
UEFI environment or if the platform provides a debugger for the UEFI environment,
then the platform SHALL extend an EV_EFI_ACTION event into PCR[7] before
allowing use of the debugger. The event string SHALL be “UEFI Debug Mode”. The
Platform Firmware MUST log this measurement in the event log using the string
“UEFI Debug Mode” for the Event Data."
So presence of the event indicates that the platform firmware provides a firmware debugger.