Comment 4 for bug 2068627

Hi Hector,

LF Edge Measured Boot and Remote Attestation document is a good picture of what we are trying to do:
https://wiki.lfedge.org/spaces/flyingpdf/pdfpageexport.action?pageId=27722830

While our specific setup uses some non standard stuff like iso boot, please find a simple setup to reproduce this.

1. Enable Secure Boot in Bios if using a PC with TPM or use a Virtual machine with vtpm and Secure boot:
<tpm model="tpm-crb">
  <backend type="emulator" version="2.0"/>
  <alias name="tpm0"/>
</tpm>
  <os firmware="efi">
    <type arch="x86_64" machine="pc-q35-8.2">hvm</type>
    <firmware>
      <feature enabled="yes" name="enrolled-keys"/>
      <feature enabled="yes" name="secure-boot"/>
    </firmware>
    <loader readonly="yes" secure="yes" type="pflash">/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader>
    <nvram template="/usr/share/OVMF/OVMF_VARS_4M.ms.fd">/var/lib/libvirt/qemu/nvram/ubuntu24.04_VARS.fd</nvram>
    <boot dev="hd"/>
  </os>

2. Install ubuntu 22.04. The default 5.15 kernel does not perform kernel module integrity measurements as seen from /sys/kernel/security/ima/ascii_runtime_measurements. Install hwe kernel package ( linux-image-generic-hwe-22.04 ) to upgrade to 6.15 where the kernel module integrity is checked as well. I see some minor build flags changed between the two for CONFIG_IMA and CONFIG_INTEGRITY. But, at this step, PCR10 changes on every reboot.