Activity log for bug #2047374

Date | Who | What changed | Old value | New value | Message
2023-12-26 03:47:08 | Masum Reza | bug | | | added bug
2023-12-26 03:48:26 | Masum Reza | description | (old value below) | (new value below) |

Old value:

My Gigabyte UEFI BIOS has an option to select which TPM chip to use. By default it uses AMD fTPM. After manually enabling Pluton fTPM via Gigabyte UEFI, TPM PCR0 reconstruction status changed to Invalid.

Ubuntu Version: 23.10
Kernel: Xanmod 6.6.8, Generic 6.5.0-14
Version: org.freedesktop.fwupd 1.9.5

Log

```
Host Security ID: HSI:1 (v1.9.5)

HSI-1
✔ Fused platform:                Locked
✔ Supported CPU:                 Valid
✔ TPM empty PCRs:                Valid
✔ TPM v2.0:                      Found
✔ UEFI bootservice variables:    Locked
✔ UEFI platform key:             Valid
✔ UEFI secure boot:              Enabled

HSI-2
✔ IOMMU:                         Enabled
✔ Platform debugging:            Locked
✔ SPI write protection:          Enabled
✘ TPM PCR0 reconstruction:       Invalid

HSI-3
✔ Pre-boot DMA protection:       Enabled
✘ SPI replay protection:         Not supported
✘ Suspend-to-idle:               Disabled
✘ Suspend-to-ram:                Enabled

HSI-4
✘ Encrypted RAM:                 Not supported
✘ Processor rollback protection: Disabled

Runtime Suffix -!
✔ Linux kernel:                  Untainted
✔ Linux kernel lockdown:         Enabled
✔ Linux swap:                    Encrypted
✔ fwupd plugins:                 Untainted

The TPM PCR0 differs from reconstruction.
 » https://fwupd.github.io/hsi.html#pcr0-tpm-event-log-reconstruction

Host Security Events
2023-12-25 18:39:14: ✘ TPM PCR0 reconstruction changed: Valid → Invalid
2023-12-25 18:23:08: ✔ TPM PCR0 reconstruction is now valid
2023-12-25 18:18:44: ✘ TPM PCR0 reconstruction changed: Valid → Invalid
2023-12-25 06:32:06: ✔ TPM PCR0 reconstruction is now valid
2023-12-25 00:13:51: ✔ SPI write protection changed: Disabled → Enabled
2023-12-25 00:13:51: ✘ TPM PCR0 reconstruction changed: Valid → Invalid
2023-12-04 16:38:40: ✘ SPI write protection changed: Enabled → Disabled
2023-11-17 16:35:32: ✔ Kernel is no longer tainted
2023-11-16 18:54:27: ✔ IOMMU device protection enabled
2023-11-16 18:54:27: ✔ Pre-boot DMA protection changed: Invalid → Enabled
2023-11-11 14:07:25: ✘ IOMMU device protection disabled
2023-11-11 14:07:25: ✘ Pre-boot DMA protection changed: Enabled → Invalid
```

New value:

My Gigabyte UEFI BIOS has an option to select which TPM chip to use. By default it uses AMD fTPM. After manually enabling Pluton fTPM via Gigabyte UEFI, TPM PCR0 reconstruction status changed to Invalid.

Ubuntu Version: 23.10
Kernel: Xanmod 6.6.8, Generic 6.5.0-14
Version: org.freedesktop.fwupd 1.9.5

Log

```
Host Security ID: HSI:1 (v1.9.5)

HSI-1
✔ Fused platform:                Locked
✔ Supported CPU:                 Valid
✔ TPM empty PCRs:                Valid
✔ TPM v2.0:                      Found
✔ UEFI bootservice variables:    Locked
✔ UEFI platform key:             Valid
✔ UEFI secure boot:              Enabled

HSI-2
✔ IOMMU:                         Enabled
✔ Platform debugging:            Locked
✔ SPI write protection:          Enabled
✘ TPM PCR0 reconstruction:       Invalid

HSI-3
✔ Pre-boot DMA protection:       Enabled
✘ SPI replay protection:         Not supported
✘ Suspend-to-idle:               Disabled
✘ Suspend-to-ram:                Enabled

HSI-4
✘ Encrypted RAM:                 Not supported
✘ Processor rollback protection: Disabled

Runtime Suffix -!
✔ Linux kernel:                  Untainted
✔ Linux kernel lockdown:         Enabled
✔ Linux swap:                    Encrypted
✔ fwupd plugins:                 Untainted

The TPM PCR0 differs from reconstruction.
 » https://fwupd.github.io/hsi.html#pcr0-tpm-event-log-reconstruction

Host Security Events
2023-12-25 18:39:14: ✘ TPM PCR0 reconstruction changed: Valid → Invalid
```

2023-12-28 02:42:56 | Seth Arnold | information type | Private Security | Public Security |
2023-12-28 02:42:56 | Seth Arnold | bug | | | added subscriber Ubuntu Bugs
2023-12-28 02:57:26 | Mario Limonciello | bug watch | | | added https://github.com/fwupd/fwupd/issues/6574
2023-12-28 02:57:45 | Mario Limonciello | fwupd (Ubuntu): status | New | Opinion |
2023-12-28 02:58:15 | Mario Limonciello | bug task | | | added fwupd