[Bug 1838712] Re: TPM event log does not contain kernel validation key
Chris Coulson
chris.coulson at canonical.com
Thu Dec 5 12:54:28 UTC 2019
Shim measuring duplicate EV_EFI_VARIABLE_AUTHORITY events (one for GRUB
and one for the kernel) when both executables are verified with the same
certificate is actually a bug - although there should be an
EV_EFI_BOOT_SERVICES_APPLICATION event for each executable, there should
only be a single EV_EFI_VARIABLE_AUTHORITY event for executables that
are verified with the same chain of trust. See
https://github.com/rhboot/shim/pull/187 for more context.
That's not the issue here, though, because the current version of shim in
the archive isn't completely correct (it doesn't include
https://github.com/rhboot/shim/pull/187) and does measure duplicate
EV_EFI_VARIABLE_AUTHORITY events even though GRUB and the kernel are signed by
the same authority. It's more likely that your log is truncated. What
are the current PCR values for this machine?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1838712
Title:
TPM event log does not contain kernel validation key
Status in shim package in Ubuntu:
New
Bug description:
The TPM event log (at
/sys/kernel/security/tpm0/binary_bios_measurements) does not contain
the kernel validation key. For each binary loaded during boot (grub,
linux), the shim measures a placeholder for the binary itself
(EV_EFI_Boot_Services_Application event) and the key that was used to
validate it (EV_EFI_Variable_Authority event) into the TPM and
corresponding event log. On my machine, the grub placeholder and the key
used to validate grub are both measured. The kernel placeholder is
also present, but the key used to validate the kernel is not measured.
On other distributions (not based on Ubuntu, so only semi-relevant
here), this kernel signer event is measured.
System Information:
$ lsb_release -rd
Description: Ubuntu 18.04.2 LTS
Release: 18.04
$ uname -a
Linux jorhand-ubuntu 4.18.0-25-generic #26~18.04.1-Ubuntu SMP Thu Jun 27 07:28:31 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ apt-cache policy shim
shim:
Installed: 15+1533136590.3beb971-0ubuntu1
Candidate: 15+1533136590.3beb971-0ubuntu1
Version table:
*** 15+1533136590.3beb971-0ubuntu1 500
500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
100 /var/lib/dpkg/status
13-0ubuntu2 500
500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
I have attached the TPM event log from my machine.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1838712/+subscriptions
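To make the two checks in this thread concrete (counting the signer events the reporter describes, and the comparison against current PCR values that Chris asks for), here is an added example that is not part of the bug report or of shim: a minimal Python parser for the crypto-agile format of /sys/kernel/security/tpm0/binary_bios_measurements that replays the PCRs and flags the ones a truncated log can no longer reproduce. The sample log and its event contents are constructed for the example; the event-type and algorithm constants come from the TCG PC Client specification.

```python
import hashlib
import struct
# Event types from the TCG PC Client Platform Firmware Profile
EV_NO_ACTION = 0x00000003
EV_EFI_BOOT_SERVICES_APPLICATION = 0x80000003
EV_EFI_VARIABLE_AUTHORITY = 0x800000E0
ALG = {0x0004: "sha1", 0x000B: "sha256"}  # TPM_ALG_ID -> hashlib name

def parse_log(data):
    """Parse a crypto-agile log (SHA-1-format Spec ID header, then TCG_PCR_EVENT2 entries) into (pcr, type, {alg: digest}, data) tuples."""
    _, _, size = struct.unpack_from("<II20xI", data, 0)  # header: pcr, type, 20-byte digest, size, body
    off, events = 32 + size, []
    while off < len(data):
        pcr, etype, count = struct.unpack_from("<III", data, off)
        off, digests = off + 12, {}
        for _ in range(count):  # TPML_DIGEST_VALUES: one digest per active PCR bank
            (alg,) = struct.unpack_from("<H", data, off)
            dlen = hashlib.new(ALG[alg]).digest_size
            digests[alg] = data[off + 2:off + 2 + dlen]
            off += 2 + dlen
        (size,) = struct.unpack_from("<I", data, off)
        events.append((pcr, etype, digests, data[off + 4:off + 4 + size]))
        off += 4 + size
    return events

def replay_pcrs(events, alg=0x000B):
    """Recompute each PCR from the log: PCR_new = H(PCR_old || digest), starting from all zeros."""
    pcrs = {}
    for pcr, _, digests, _ in events:
        if alg in digests:
            pcrs[pcr] = hashlib.new(ALG[alg], pcrs.get(pcr, bytes(len(digests[alg]))) + digests[alg]).digest()
    return pcrs

def truncated_pcrs(events, actual, alg=0x000B):  # PCRs the log cannot reproduce: what a cut-off log looks like
    replayed = replay_pcrs(events, alg)
    return {p for p, v in actual.items() if replayed.get(p) != v}

def authority_events(events):  # count the signer (EV_EFI_VARIABLE_AUTHORITY) entries this report is about
    return sum(1 for _, etype, _, _ in events if etype == EV_EFI_VARIABLE_AUTHORITY)

def _ev(pcr, etype, data, alg=0x000B):  # one TCG_PCR_EVENT2 carrying a single SHA-256 digest
    return struct.pack("<IIIH", pcr, etype, 1, alg) + hashlib.new(ALG[alg], data).digest() + struct.pack("<I", len(data)) + data

# Constructed sample log (not from a real machine): grub and kernel loads on PCR 4 and a single signer
# event on PCR 7. A real Spec ID header also lists the active algorithms; this parser skips its body.
SAMPLE_LOG = (struct.pack("<II20xI", 0, EV_NO_ACTION, 16) + b"Spec ID Event03\0"
              + _ev(7, EV_EFI_VARIABLE_AUTHORITY, b"db: signer certificate (placeholder)")
              + _ev(4, EV_EFI_BOOT_SERVICES_APPLICATION, b"grubx64.efi")
              + _ev(4, EV_EFI_BOOT_SERVICES_APPLICATION, b"vmlinuz"))
```

On a real machine, pass the file's bytes to parse_log and the current PCR values read from the TPM (for example with tpm2_pcrread) as `actual`; any PCR in the returned set is one the log as written does not account for.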