intel

Bug #1938678
Comment #47

Comment 47 for bug 1938678

Revision history for this message

Chris Coulson (chrisccoulson) wrote on 2021-10-19: Re: [intel] [tgl-h][iotg] [hwe-tpm] Ubuntu Core hangs during bootup on TGL-H

#47

From the TCG log supplied in comment #43:

$ ./tcglog-dump --alg sha256 --verbose --pcrs 7 ~/Downloads/binary_bios_measurements
7 a62bd67b2cc295976651b354468c0047f8d1547d25056ded5952aaf5991762a3 EV_EFI_ACTION [ UEFI Debug Mode ]
7 ccfc4bb32888a345bc8aeadaba552b627d99348c767681ab3141f5b01e40a40e EV_EFI_VARIABLE_DRIVER_CONFIG [ UEFI_VARIABLE_DATA{ VariableName: 8be4df61-93ca-11d2-aa0d-00e098032b8c, UnicodeName: "SecureBoot" } ]
7 bdac662ac2f50e28cc04a493f47e24f46d18d9dfc6aed0ac41f267380b533194 EV_EFI_VARIABLE_DRIVER_CONFIG [ UEFI_VARIABLE_DATA{ VariableName: 8be4df61-93ca-11d2-aa0d-00e098032b8c, UnicodeName: "PK" } ]
7 08bef4adae58358b14c751cdddd8123da1f64f5ea85407622f6be90d4621d958 EV_EFI_VARIABLE_DRIVER_CONFIG [ UEFI_VARIABLE_DATA{ VariableName: 8be4df61-93ca-11d2-aa0d-00e098032b8c, UnicodeName: "KEK" } ]
7 9538dfd2bfb2105587901e9b5f867fc6652fb3972d3c6ce05f4b7dad11f7912b EV_EFI_VARIABLE_DRIVER_CONFIG [ UEFI_VARIABLE_DATA{ VariableName: d719b2cb-3d3a-4596-a3bc-dad00e67656f, UnicodeName: "db" } ]
7 5c959286c9a5906201fc201930034b6438a5282bfd6542f38dde3384e0b448e0 EV_EFI_VARIABLE_DRIVER_CONFIG [ UEFI_VARIABLE_DATA{ VariableName: d719b2cb-3d3a-4596-a3bc-dad00e67656f, UnicodeName: "dbx" } ]
7 df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 EV_SEPARATOR
7 4d4a8e2c74133bbdc01a16eaf2dbb5d575afeb36f5d8dfcf609ae043909e2ee9 EV_EFI_VARIABLE_AUTHORITY [ UEFI_VARIABLE_DATA{ VariableName: d719b2cb-3d3a-4596-a3bc-dad00e67656f, UnicodeName: "db" } ]
7 922e939a5565798a5ef12fe09d8b49bf951a8e7f89a0cca7a51636693d41a34d EV_EFI_VARIABLE_AUTHORITY [ UEFI_VARIABLE_DATA{ VariableName: 605dab50-e046-4300-abb6-3dd810dd8b23, UnicodeName: "SbatLevel" } ]
7 5e19450c7a75acd95f6af49d0e32b74142972d9dd4c1b8068450653683a13016 EV_EFI_VARIABLE_AUTHORITY [ UEFI_VARIABLE_DATA{ VariableName: 605dab50-e046-4300-abb6-3dd810dd8b23, UnicodeName: "Shim" } ]

The first event there is a EV_EFI_ACTION event with the string "UEFI Debug Mode". Our PCR policy calculations depend on this event not being there for it to work for full disk-encryption. From section 2.3.4.8 of the TCG PC Client Platform Firmware Profile Specification:

"If the platform provides a firmware debugger mode which may be used prior to the
UEFI environment or if the platform provides a debugger for the UEFI environment,
then the platform SHALL extend an EV_EFI_ACTION event into PCR[7] before
allowing use of the debugger. The event string SHALL be “UEFI Debug Mode”. The
Platform Firmware MUST log this measurement in the event log using the string
“UEFI Debug Mode” for the Event Data."

So presence of the event indicates that the platform firmware provides a firmware debugger.

From the TCG log supplied in comment #43:

$ ./tcglog-dump --alg sha256 --verbose --pcrs 7 ~/Downloads/binary_bios_measurements
 7 a62bd67b2cc295976651b354468c0047f8d1547d25056ded5952aaf5991762a3 EV_EFI_ACTION [ UEFI Debug Mode ]
 7 ccfc4bb32888a345bc8aeadaba552b627d99348c767681ab3141f5b01e40a40e EV_EFI_VARIABLE_DRIVER_CONFIG [ UEFI_VARIABLE_DATA{ VariableName: 8be4df61-93ca-11d2-aa0d-00e098032b8c, UnicodeName: "SecureBoot" } ]
 7 bdac662ac2f50e28cc04a493f47e24f46d18d9dfc6aed0ac41f267380b533194 EV_EFI_VARIABLE_DRIVER_CONFIG [ UEFI_VARIABLE_DATA{ VariableName: 8be4df61-93ca-11d2-aa0d-00e098032b8c, UnicodeName: "PK" } ]
 7 08bef4adae58358b14c751cdddd8123da1f64f5ea85407622f6be90d4621d958 EV_EFI_VARIABLE_DRIVER_CONFIG [ UEFI_VARIABLE_DATA{ VariableName: 8be4df61-93ca-11d2-aa0d-00e098032b8c, UnicodeName: "KEK" } ]
 7 9538dfd2bfb2105587901e9b5f867fc6652fb3972d3c6ce05f4b7dad11f7912b EV_EFI_VARIABLE_DRIVER_CONFIG [ UEFI_VARIABLE_DATA{ VariableName: d719b2cb-3d3a-4596-a3bc-dad00e67656f, UnicodeName: "db" } ]
 7 5c959286c9a5906201fc201930034b6438a5282bfd6542f38dde3384e0b448e0 EV_EFI_VARIABLE_DRIVER_CONFIG [ UEFI_VARIABLE_DATA{ VariableName: d719b2cb-3d3a-4596-a3bc-dad00e67656f, UnicodeName: "dbx" } ]
 7 df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 EV_SEPARATOR
 7 4d4a8e2c74133bbdc01a16eaf2dbb5d575afeb36f5d8dfcf609ae043909e2ee9 EV_EFI_VARIABLE_AUTHORITY [ UEFI_VARIABLE_DATA{ VariableName: d719b2cb-3d3a-4596-a3bc-dad00e67656f, UnicodeName: "db" } ]
 7 922e939a5565798a5ef12fe09d8b49bf951a8e7f89a0cca7a51636693d41a34d EV_EFI_VARIABLE_AUTHORITY [ UEFI_VARIABLE_DATA{ VariableName: 605dab50-e046-4300-abb6-3dd810dd8b23, UnicodeName: "SbatLevel" } ]
 7 5e19450c7a75acd95f6af49d0e32b74142972d9dd4c1b8068450653683a13016 EV_EFI_VARIABLE_AUTHORITY [ UEFI_VARIABLE_DATA{ VariableName: 605dab50-e046-4300-abb6-3dd810dd8b23, UnicodeName: "Shim" } ]

So presence of the event indicates that the platform firmware provides a firmware debugger.