[Bug 2047374] Re: TPM PCR0 reconstruction fails on Pluton fTPM

Mario Limonciello 2047374 at bugs.launchpad.net
Thu Dec 28 02:57:26 UTC 2023


The way this works is that the TPM event log is used to attempt to
reconstruct PCR0. If it doesn't match the value in the TPM PCR0 then
there is a bug or malware.

The same report was brought into fwupd upstream.
Various artifacts were captured and the conclusion is this is a BIOS bug.

It should be reported to the board vendor to be fixed.

https://github.com/fwupd/fwupd/issues/6574

** Bug watch added: github.com/fwupd/fwupd/issues #6574
   https://github.com/fwupd/fwupd/issues/6574

** Changed in: fwupd (Ubuntu)
       Status: New => Opinion

** Also affects: fwupd via
   https://github.com/fwupd/fwupd/issues/6574
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd in Ubuntu.
https://bugs.launchpad.net/bugs/2047374

Title:
  TPM PCR0 reconstruction fails on Pluton fTPM

Status in Fwupd:
  Unknown
Status in fwupd package in Ubuntu:
  Opinion

Bug description:
  My Gigabyte UEFI BIOS has an option to select which TPM chip to use.
  By default it uses AMD fTPM. After manually enabling Pluton fTPM via
  Gigabyte UEFI, TPM PCR0 reconstruction status changed to Invalid.

  Ubuntu Version: 23.10
  Kernel: Xanmod 6.6.8, Generic 6.5.0-14
  Version: org.freedesktop.fwupd 1.9.5

  Log

  ```
  Host Security ID: HSI:1 (v1.9.5)

  HSI-1
  ✔ Fused platform:                Locked
  ✔ Supported CPU:                 Valid
  ✔ TPM empty PCRs:                Valid
  ✔ TPM v2.0:                      Found
  ✔ UEFI bootservice variables:    Locked
  ✔ UEFI platform key:             Valid
  ✔ UEFI secure boot:              Enabled

  HSI-2
  ✔ IOMMU:                         Enabled
  ✔ Platform debugging:            Locked
  ✔ SPI write protection:          Enabled
  ✘ TPM PCR0 reconstruction:       Invalid

  HSI-3
  ✔ Pre-boot DMA protection:       Enabled
  ✘ SPI replay protection:         Not supported
  ✘ Suspend-to-idle:               Disabled
  ✘ Suspend-to-ram:                Enabled

  HSI-4
  ✘ Encrypted RAM:                 Not supported
  ✘ Processor rollback protection: Disabled

  Runtime Suffix -!
  ✔ Linux kernel:                  Untainted
  ✔ Linux kernel lockdown:         Enabled
  ✔ Linux swap:                    Encrypted
  ✔ fwupd plugins:                 Untainted

  The TPM PCR0 differs from reconstruction.
   » https://fwupd.github.io/hsi.html#pcr0-tpm-event-log-reconstruction

  Host Security Events
    2023-12-25 18:39:14:  ✘ TPM PCR0 reconstruction changed: Valid → Invalid
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/fwupd/+bug/2047374/+subscriptions
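The check Mario describes, replaying the TPM event log to rebuild PCR0 and comparing the result with the value the TPM reports, as an added example. This is not fwupd's code and not from the bug report: it parses a constructed crypto-agile (TCG2) event log built inline, simulates a firmware that extends the TPM, and shows both the "Valid" case and the "Invalid" case where a measurement reaches the TPM but is never written to the log, which is the kind of BIOS bug that makes the reconstruction fail. The event data strings, the firmware version and the locality value are assumptions chosen for the example; the record layout (Spec ID header in the legacy SHA-1 format, then TCG_PCR_EVENT2 records) and the StartupLocality handling follow the TCG PC Client Platform Firmware Profile.

```python
"""Replay a TCG2 TPM event log and compare the reconstructed PCR0 with the
value the TPM holds. Added example; the log is constructed inline and nothing
is read from hardware."""
import hashlib
import struct

TPM_ALG_SHA256 = 0x000B
EV_POST_CODE = 0x00000001
EV_NO_ACTION = 0x00000003
EV_SEPARATOR = 0x00000004
EV_S_CRTM_VERSION = 0x00000008


def measure(data):
    """Digest of an event's data, as the firmware would compute before extending."""
    return hashlib.sha256(data).digest()


def tpm_extend(pcr, digest):
    """TPM2_PCR_Extend on a SHA-256 bank: PCR = H(PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def parse_event_log(blob):
    """Parse a binary_bios_measurements-style log: one legacy-format Spec ID
    event (fixed 20-byte SHA-1 digest field) followed by TCG_PCR_EVENT2 records."""
    off = 0
    _pcr, etype = struct.unpack_from("<II", blob, off)
    off += 8 + 20
    (esize,) = struct.unpack_from("<I", blob, off)
    off += 4
    spec = blob[off:off + esize]
    off += esize
    if etype != EV_NO_ACTION or spec[:16] != b"Spec ID Event03\0":
        raise ValueError("not a crypto-agile event log")
    (nalg,) = struct.unpack_from("<I", spec, 24)   # numberOfAlgorithms
    sizes, p = {}, 28                               # digestSizes[] follows
    for _ in range(nalg):
        alg, size = struct.unpack_from("<HH", spec, p)
        sizes[alg] = size
        p += 4
    events = []
    while off < len(blob):
        pcr, etype, ndig = struct.unpack_from("<III", blob, off)
        off += 12
        digests = {}
        for _ in range(ndig):
            (alg,) = struct.unpack_from("<H", blob, off)
            off += 2
            digests[alg] = blob[off:off + sizes[alg]]
            off += sizes[alg]
        (esize,) = struct.unpack_from("<I", blob, off)
        off += 4
        events.append({"pcr": pcr, "type": etype, "digests": digests,
                       "data": blob[off:off + esize]})
        off += esize
    return events


def reconstruct_pcr(events, index=0, alg=TPM_ALG_SHA256):
    """Replay every logged event for one PCR from the reset value."""
    pcr = bytes(32)
    for ev in events:
        if ev["pcr"] != index:
            continue
        if ev["type"] == EV_NO_ACTION:
            # Never extended into the TPM, but a StartupLocality event tells us
            # PCR0 did not start from all zeros (last byte = starting locality).
            data = ev["data"]
            if index == 0 and data.startswith(b"StartupLocality\0") and len(data) >= 17:
                pcr = bytes(31) + bytes([data[16]])
            continue
        pcr = tpm_extend(pcr, ev["digests"][alg])
    return pcr


def build_log(measurements, locality=None):
    """Constructed firmware: every measurement is extended into the TPM, but
    only those flagged as logged are written to the event log. Returns the
    log blob and the PCR0 value the TPM would report."""
    spec = (b"Spec ID Event03\0" + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 1)
            + struct.pack("<HH", TPM_ALG_SHA256, 32) + b"\x00")
    blob = struct.pack("<II", 0, EV_NO_ACTION) + bytes(20) + struct.pack("<I", len(spec)) + spec
    tpm_pcr0 = bytes(32)
    if locality is not None:
        tpm_pcr0 = bytes(31) + bytes([locality])
        data = b"StartupLocality\0" + bytes([locality])
        blob += (struct.pack("<III", 0, EV_NO_ACTION, 1) + struct.pack("<H", TPM_ALG_SHA256)
                 + bytes(32) + struct.pack("<I", len(data)) + data)
    for etype, data, is_logged in measurements:
        digest = measure(data)
        tpm_pcr0 = tpm_extend(tpm_pcr0, digest)
        if is_logged:
            blob += (struct.pack("<III", 0, etype, 1) + struct.pack("<H", TPM_ALG_SHA256)
                     + digest + struct.pack("<I", len(data)) + data)
    return blob, tpm_pcr0


def pcr0_matches(blob, tpm_pcr0):
    """The HSI test: True is 'Valid', False is 'Invalid'."""
    return reconstruct_pcr(parse_event_log(blob), 0) == tpm_pcr0


# Constructed measurements (event type, data, written to the log?).
GOOD_FW = [(EV_S_CRTM_VERSION, b"F12 (constructed)", True),
           (EV_POST_CODE, b"PEI core (constructed)", True),
           (EV_SEPARATOR, b"\0\0\0\0", True)]
# Constructed BIOS bug: the second measurement reaches the TPM but not the log.
BUGGY_FW = [(EV_S_CRTM_VERSION, b"F12 (constructed)", True),
            (EV_POST_CODE, b"PEI core (constructed)", False),
            (EV_SEPARATOR, b"\0\0\0\0", True)]

if __name__ == "__main__":
    for name, fw in (("good", GOOD_FW), ("buggy", BUGGY_FW)):
        blob, pcr0 = build_log(fw, locality=3)
        print(name, "Valid" if pcr0_matches(blob, pcr0) else "Invalid")
```

On a real machine the same parser can be pointed at /sys/kernel/security/tpm0/binary_bios_measurements and the result compared with the SHA-256 bank of PCR0 from `tpm2_pcrread sha256:0`; `tpm2_eventlog` on the same file gives a human-readable dump to diff against. A mismatch with no kernel taint and no unexpected events is the signature of the case in this bug: a measurement the firmware extended but did not log, which only the board vendor can fix.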
