Hi Rajiv,

One thing just occurred to me:

My machine was PXE-booted and diskless.  Is this supported in the trusted boot measurement list?

Regards,

David



On Mon, Aug 8, 2011 at 7:45 PM, Rajiv Andrade <srajiv@linux.vnet.ibm.com> wrote:
Maybe I can help with the first section:

On 08-08-2011 13:01, Mimi Zohar wrote:
> On Fri, 2011-08-05 at 12:13 -0700, David Li wrote:
>> Hi Mimi,
>>
>> A few more questions. Maybe this is because I am not familiar with the
>> TPM specs.
>>
>>  1. For boot measurements, I don't quite understand the contents in
>> tpm0/ascii_bios_measurements:
>> ------------------------
>> -bash-4.1# cat ascii_bios_measurements
>>  0 298df125b260ef64201bdf0815c003873eedd50e 08 [S-CRTM Version]
>>  0 601c176e940570ac499814b48464e40e3ace1e24 80000008 []
>>  0 530983fd9caddb20e6f0da59e05f1c66b4d170c8 80000008 []
>>  2 753287ecae33ed00090081a45280a2b81777b7a5 80000004 []
>>  2 94c047a4256e04cccc99e43fdc6bb4c1cdef1ec3 80000004 []
>>  2 b3b175a24d63c62c2c64bfd66a4a0de41bef105b 80000004 []
>>  2 6b5a2268e60f5bdaa80f164f9e5d8bf88cb130c2 80000005 []
>>  2 6b5a2268e60f5bdaa80f164f9e5d8bf88cb130c2 80000005 []
>>  2 6b5a2268e60f5bdaa80f164f9e5d8bf88cb130c2 80000005 []
>>  2 6b5a2268e60f5bdaa80f164f9e5d8bf88cb130c2 80000005 []
>> <snip>
>>
>> The 1st col is the PCR#.
> yes
>
>> Is the 2nd col the hash value corresponding to some BIOS executable or
>> file?  Why do some of them have the same hash value for the same PCR?
> Yes, this is the hash.  I'll defer to others on the mailing list about
> the BIOS measurement specifics.
It doesn't happen here, maybe the bios is registering such events duplicated by mistake? Can you send us the binary blob of such event log (binary_bios_measurements)?
>> What's the 3rd col?
The event type, according to tpm_bios.c:

enum tcpa_event_types {
   PREBOOT = 0,
   POST_CODE,
   UNUSED,
   NO_ACTION,
   SEPARATOR,
   ACTION,
   EVENT_TAG,
   SCRTM_CONTENTS,
   SCRTM_VERSION,
   CPU_MICROCODE,
   PLATFORM_CONFIG_FLAGS,
   TABLE_OF_DEVICES,
   COMPACT_HASH,
   IPL,
   IPL_PARTITION_DATA,
   NONHOST_CODE,
   NONHOST_CONFIG,
   NONHOST_INFO,
};

It's odd though that there's a high bit being set for some of them; the same doesn't happen here. After looking at the binary log we can say who's the culprit, tpm_bios or the bios itself setting the event log incorrectly, and then come up with a workaround.

Rajiv
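As an added example (not code from this thread or from the kernel), here is a small parser for the ascii_bios_measurements columns discussed above: it names the 3rd column with the tcpa_event_types enum Rajiv quoted, only flags values with the high bit set since that question is still open, and replays the TPM 1.2 extend operation (PCR_new = SHA-1(PCR_old || digest)) so the log can be compared with the PCR values the TPM reports. The sample log is constructed from a trimmed copy of the listing quoted above, and the EFI_RANGE label and function names are my own.

```python
import hashlib
import re

# Event type names, in order, from the tcpa_event_types enum in tpm_bios.c.
TCPA_EVENT_TYPES = [
    "PREBOOT", "POST_CODE", "UNUSED", "NO_ACTION", "SEPARATOR", "ACTION",
    "EVENT_TAG", "SCRTM_CONTENTS", "SCRTM_VERSION", "CPU_MICROCODE",
    "PLATFORM_CONFIG_FLAGS", "TABLE_OF_DEVICES", "COMPACT_HASH", "IPL",
    "IPL_PARTITION_DATA", "NONHOST_CODE", "NONHOST_CONFIG", "NONHOST_INFO",
]
HIGH_BIT = 0x80000000  # values with this bit set fall outside the enum above

# Constructed sample: four lines trimmed from the listing quoted in the thread.
SAMPLE_LOG = """\
 0 298df125b260ef64201bdf0815c003873eedd50e 08 [S-CRTM Version]
 0 601c176e940570ac499814b48464e40e3ace1e24 80000008 []
 2 6b5a2268e60f5bdaa80f164f9e5d8bf88cb130c2 80000005 []
 2 6b5a2268e60f5bdaa80f164f9e5d8bf88cb130c2 80000005 []
"""
# Columns: PCR index, SHA-1 digest (40 hex chars), hex event type, [label].
LINE_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{40})\s+([0-9a-f]+)\s+\[(.*)\]\s*$")

def event_name(event_type):
    """Map the 3rd column to an enum name; flag high-bit values instead of guessing."""
    if event_type & HIGH_BIT:
        return "EFI_RANGE(0x%x)" % (event_type & ~HIGH_BIT)
    if event_type < len(TCPA_EVENT_TYPES):
        return TCPA_EVENT_TYPES[event_type]
    return "UNKNOWN(0x%x)" % event_type

def parse_log(text):
    """Return a list of (pcr, digest_hex, event_type, event_name, label) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        pcr, digest, etype, label = m.groups()
        etype = int(etype, 16)
        events.append((int(pcr), digest, etype, event_name(etype), label))
    return events

def replay_pcrs(events):
    """Replay PCR_new = SHA1(PCR_old || digest) per PCR, starting from all-zero PCRs.
    Every extend changes the value, so two identical digests still yield a new state."""
    pcrs = {}
    for pcr, digest, *_ in events:
        old = pcrs.get(pcr, bytes(20))
        pcrs[pcr] = hashlib.sha1(old + bytes.fromhex(digest)).digest()
    return {k: v.hex() for k, v in pcrs.items()}
```

Feed it the real file (e.g. `parse_log(open("/sys/class/misc/tpm0/device/ascii_bios_measurements").read())`) and compare `replay_pcrs` output with the PCR values in the `pcrs` sysfs file; a mismatch means the log does not account for everything that was extended.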