[Bug 1838712] [NEW] TPM event log does not contain kernel validation key

Jordan Hand 1838712 at bugs.launchpad.net
Thu Aug 1 23:55:55 UTC 2019


Public bug reported:

The TPM event log (at
/sys/kernel/security/tpm0/binary_bios_measurements) does not contain the
kernel validation key. For each binary loaded during boot (grub, linux),
the shim measures a placeholder for the binary itself
(EV_EFI_Boot_Services_Application event) and the key that was used to
validate it (EV_EFI_Variable_Authority event) into the TPM and the
corresponding event log. On my machine, the grub placeholder and the key
used to validate grub are both measured. The kernel placeholder is also
present, but the key used to validate the kernel is not measured.

On other distributions (not based on Ubuntu, so only semi-relevant
here), this kernel signer event is measured.

System Information:

$ lsb_release -rd
Description:    Ubuntu 18.04.2 LTS
Release:        18.04

$ uname -a
Linux jorhand-ubuntu 4.18.0-25-generic #26~18.04.1-Ubuntu SMP Thu Jun 27 07:28:31 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ apt-cache policy shim
shim:
  Installed: 15+1533136590.3beb971-0ubuntu1
  Candidate: 15+1533136590.3beb971-0ubuntu1
  Version table:
 *** 15+1533136590.3beb971-0ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     13-0ubuntu2 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

I have attached the TPM event log from my machine.

** Affects: shim (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "TPM event log"
   https://bugs.launchpad.net/bugs/1838712/+attachment/5280432/+files/binary_bios_measurements
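To reproduce the observation above on another machine, here is an added example (not part of the bug report, and not shim's or Ubuntu's code) that parses a crypto-agile binary_bios_measurements log and counts the EV_EFI_BOOT_SERVICES_APPLICATION events in PCR4 against the EV_EFI_VARIABLE_AUTHORITY events in PCR7 after each PCR's separator, printing the variable names the authority events carry. The sample log bytes are constructed inline to mirror the shape the reporter describes (a db authority for shim, a vendor "Shim" authority for grub, and none for the kernel); the digests, owner GUIDs and image-load payloads in it are placeholders, not real hashes or UEFI_IMAGE_LOAD_EVENT structures, and the expectation that the two counts match is taken from the report rather than verified against the TCG specification. Run it with the real log as the first argument to check a live system.

```python
"""Added example: parse a TCG crypto-agile binary_bios_measurements log and
count PCR4 boot-application events against PCR7 variable-authority events."""
import hashlib
import struct
import sys

EV_NO_ACTION = 0x00000003
EV_SEPARATOR = 0x00000004
EV_EFI_BOOT_SERVICES_APPLICATION = 0x80000003
EV_EFI_VARIABLE_AUTHORITY = 0x800000E0
TPM_ALG_SHA1, TPM_ALG_SHA256 = 0x0004, 0x000B


def parse_log(data):
    """Return a list of (pcr, event_type, {alg: digest}, event_data).

    The first record is a legacy TCG_PCClientPCREvent (one SHA-1 digest).
    If it is the EV_NO_ACTION "Spec ID Event03" header, every following
    record is a TCG_PCR_EVENT2 carrying one digest per announced algorithm;
    otherwise the whole log stays in the legacy SHA-1 layout.
    """
    pcr, etype = struct.unpack_from("<II", data, 0)
    (size,) = struct.unpack_from("<I", data, 28)
    hdr = data[32:32 + size]
    events = [(pcr, etype, {TPM_ALG_SHA1: data[8:28]}, hdr)]
    alg_sizes = None
    if etype == EV_NO_ACTION and hdr[:16] == b"Spec ID Event03\0":
        (nalgs,) = struct.unpack_from("<I", hdr, 24)   # numberOfAlgorithms
        alg_sizes = dict(struct.unpack_from("<HH", hdr, 28 + 4 * i)
                         for i in range(nalgs))        # algId -> digest size
    off = 32 + size
    while off < len(data):
        if alg_sizes is None:
            pcr, etype = struct.unpack_from("<II", data, off)
            digests = {TPM_ALG_SHA1: data[off + 8:off + 28]}
            (size,) = struct.unpack_from("<I", data, off + 28)
            off += 32
        else:
            pcr, etype, count = struct.unpack_from("<III", data, off)
            off += 12
            digests = {}
            for _ in range(count):
                (alg,) = struct.unpack_from("<H", data, off)
                digests[alg] = data[off + 2:off + 2 + alg_sizes[alg]]
                off += 2 + alg_sizes[alg]
            (size,) = struct.unpack_from("<I", data, off)
            off += 4
        events.append((pcr, etype, digests, data[off:off + size]))
        off += size
    return events


def variable_name(event_data):
    """Name from a UEFI_VARIABLE_DATA payload (GUID, two u64 lengths in
    chars/bytes, UTF-16LE name, data), as used by EV_EFI_VARIABLE_AUTHORITY."""
    (name_len,) = struct.unpack_from("<Q", event_data, 16)
    return event_data[32:32 + 2 * name_len].decode("utf-16-le")


def check_authorities(events):
    """Count OS-loader-phase boot applications in PCR4 and list the variable
    names of authority events in PCR7; the phase starts at each PCR's own
    EV_SEPARATOR, so pre-boot events are ignored."""
    past_sep = {4: False, 7: False}
    boot_apps, authorities = 0, []
    for pcr, etype, _digests, edata in events:
        if etype == EV_SEPARATOR and pcr in past_sep:
            past_sep[pcr] = True
        elif pcr == 4 and etype == EV_EFI_BOOT_SERVICES_APPLICATION and past_sep[4]:
            boot_apps += 1
        elif pcr == 7 and etype == EV_EFI_VARIABLE_AUTHORITY and past_sep[7]:
            authorities.append(variable_name(edata))
    return boot_apps, authorities


def missing_authority_count(data):
    """Boot applications measured without a matching authority event."""
    boot_apps, authorities = check_authorities(parse_log(data))
    return boot_apps - len(authorities)


# --- constructed sample log mirroring the reported shape (not a real log) ---
def _event2(pcr, etype, event_data, seed):
    """TCG_PCR_EVENT2 with SHA-1 and SHA-256 placeholder digests of `seed`."""
    return (struct.pack("<III", pcr, etype, 2)
            + struct.pack("<H", TPM_ALG_SHA1) + hashlib.sha1(seed).digest()
            + struct.pack("<H", TPM_ALG_SHA256) + hashlib.sha256(seed).digest()
            + struct.pack("<I", len(event_data)) + event_data)


def _uefi_variable(name, var_data):
    """UEFI_VARIABLE_DATA with an all-zero owner GUID (placeholder)."""
    return (b"\0" * 16 + struct.pack("<QQ", len(name), len(var_data))
            + name.encode("utf-16-le") + var_data)


def _spec_id_header():
    body = (b"Spec ID Event03\0" + struct.pack("<IBBBB", 0, 0, 2, 0, 2)
            + struct.pack("<IHHHH", 2, TPM_ALG_SHA1, 20, TPM_ALG_SHA256, 32) + b"\0")
    return struct.pack("<II", 0, EV_NO_ACTION) + b"\0" * 20 + struct.pack("<I", len(body)) + body


SAMPLE_LOG = (
    _spec_id_header()
    + _event2(4, EV_SEPARATOR, b"\0\0\0\0", b"sep4")
    + _event2(7, EV_SEPARATOR, b"\0\0\0\0", b"sep7")
    + _event2(7, EV_EFI_VARIABLE_AUTHORITY, _uefi_variable("db", b"db-cert"), b"db")
    + _event2(4, EV_EFI_BOOT_SERVICES_APPLICATION, b"shimx64.efi", b"shim")
    + _event2(7, EV_EFI_VARIABLE_AUTHORITY, _uefi_variable("Shim", b"vendor-cert"), b"vendor")
    + _event2(4, EV_EFI_BOOT_SERVICES_APPLICATION, b"grubx64.efi", b"grub")
    + _event2(4, EV_EFI_BOOT_SERVICES_APPLICATION, b"vmlinuz", b"kernel")  # no authority
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LOG
    apps, auths = check_authorities(parse_log(data))
    print("PCR4 boot applications:", apps, "| PCR7 authorities:", auths)
    print("unmatched:", apps - len(auths))
```

On the constructed log the script reports three PCR4 boot applications against two PCR7 authorities (db and Shim), i.e. one unmatched, which is the pattern described in the report. Against a real log, a deficit of one with the kernel as the last PCR4 event is the symptom to look for; a deficit of zero means every loaded binary had its signer measured.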

https://bugs.launchpad.net/bugs/1838712