Other Trusted Boot chains
Besides EDK II, other firmware and firmware-related boot loaders also implement a trusted boot chain.
coreboot
coreboot includes the measured boot flow. It is a simplified version. Table 3 shows the usage in coreboot.
Table 3 Coreboot TPM PCR Usage
PCR Index | PCR Usage |
---|---|
0 | Google vboot GBB flags |
1 | Google vboot GBB HWID |
2 | Core Root of Trust for Measurement (CRTM) |
3 | Runtime data like hwinfo.hex or MRC cache. |
4 | N/A |
5 | N/A |
6 | N/A |
7 | N/A |
(Source: coreboot measured boot)
BOOT_MODE_PCR(0) -- It records the digest based on the current developer and recovery mode flags in the Google Binary Blob (GBB).
HWID_DIGEST_PCR(1) -- It records the digest of the hardware ID (HWID) from the GBB.
In verstage, vboot_logic.c verstage_main() calls extend_pcrs() to extend two PCRs. tpm_common.c vboot_extend_pcr() calls 2api.c vb2api_get_pcr_digest() to get the corresponding flags and HWID digest from the GBB and extends them to the TPM.
Later, coreboot crtm.h defines two PCRs:
TPM_CRTM_PCR(2) -- It is for Core Root of Trust for Measurement (CRTM) modules, including all stages, data and blobs. These include COREBOOT CBFS (bootblock, fallback/verstage), FW_MAIN CBFS (fallback/romstage, fspm, fallback/postcar, fallback/ramstage, cpu_microcode_blob, fsps, vbt, fallback/dsdt.aml, fallback/payload), RO_VPD, GBB, SI_DESC, SI_GBE.
TPM_RUNTIME_DATA_PCR(3) -- It is for runtime-changeable data, such as CMOS, SI_ME, RW_NVRAM.
crtm.c tspi_measure_cbfs_hook() is the hook function that measures the different components in the coreboot file system (CBFS) data. The CBFS_TYPE definitions can be found in cbfs_serialized.h. For example:
CBFS_TYPE_MRC -- PCR2
CBFS_TYPE_STAGE -- PCR2
CBFS_TYPE_SELF -- PCR2
CBFS_TYPE_FIT -- PCR2
CBFS_TYPE_MRC_CACHE -- PCR3
Other -- runtime data go to PCR3, non-runtime data go to PCR2.
After that, log.c tcpa_log_add_table_entry() appends the log to a tcpa table.
Grub2
Grub2 extends the trusted boot chain from platform firmware into the OS. Table 4 shows the PCR usage in Grub.
Table 4 GRUB TPM PCR Usage
PCR Index | PCR Usage |
---|---|
8 | Grub command line: All executed commands (including those from configuration files) will be logged and measured as entered with a prefix of "grub cmd: " |
8 | Kernel command line: Any command line passed to a kernel will be logged and measured as entered with a prefix of "kernel cmdline: " |
8 | Module command line: Any command line passed to a kernel module will be logged and measured as entered with a prefix of "module cmdline: " |
9 | Files: Any file read by GRUB will be logged and measured with a descriptive text corresponding to the filename. |
(Source: Grub2 Measured Boot)
Grub2 tpm.h defines two PCR indexes:
GRUB_STRING_PCR(8) -- It is for the command line string.
GRUB_BINARY_PCR(9) -- It is for a file binary.
tpm.c registers grub_tpm_verify_string() and grub_tpm_verify_write() to a grub_file_verifier structure. They will be called by grub_verify_string() and grub_verifiers_open() in verifiers.c.
When Grub2 executes a command line such as GRUB_VERIFY_MODULE_CMDLINE, GRUB_VERIFY_KERNEL_CMDLINE, GRUB_VERIFY_COMMAND or grub_create_loader_cmdline() in cmdline.c, grub_verify_string() is used. Finally, grub_tpm_verify_string() measures the string to PCR8.
grub_verifiers_open() is registered as one of the grub_file_filters in file.h. Whenever Grub2 uses file.c grub_file_open(), this filter is invoked. Finally, grub_tpm_verify_write() measures the file binary to PCR9.
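A verifier consumes these measurements by replaying the event log and comparing the result with the PCR values the TPM reports. The sketch below is an added example, not code from GRUB or from this page: it replays PCR8 and PCR9 for the SHA-256 bank and names the first event that departs from a known-good log. The log entries, their stand-in digests and the helper names (`ev`, `sample_log`, `first_divergence`) are constructed for illustration; the prefix strings are written as in Table 4.

```python
import hashlib

PCR_SIZE = 32                             # SHA-256 bank; PCR 8 and 9 reset to all zeros
GRUB_STRING_PCR, GRUB_BINARY_PCR = 8, 9   # indexes from Table 4 / Grub2 tpm.h

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new PCR = H(old PCR || event digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(events):
    """Fold (pcr_index, digest, description) entries into final PCR values."""
    pcrs = {}
    for index, digest, _description in events:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs

def first_divergence(golden, observed, index):
    """Describe the first event on PCR `index` that departs from the golden log."""
    want = [e for e in golden if e[0] == index]
    got = [e for e in observed if e[0] == index]
    for pos, event in enumerate(got):
        if pos >= len(want) or event[1] != want[pos][1]:
            return event[2]
    if len(got) < len(want):
        return "missing: " + want[len(got)][2]
    return None

def ev(index, description, data: bytes):
    # Hypothetical helper: the digest is a stand-in SHA-256 over constructed
    # bytes, not a statement about which bytes GRUB hashes.
    return (index, hashlib.sha256(data).digest(), description)

def sample_log(kernel_args: str):
    """Constructed event log for one boot with the given kernel arguments."""
    return [
        ev(GRUB_STRING_PCR, "grub cmd: linux " + kernel_args, ("linux " + kernel_args).encode()),
        ev(GRUB_STRING_PCR, "kernel cmdline: " + kernel_args, kernel_args.encode()),
        ev(GRUB_BINARY_PCR, "/vmlinuz", b"constructed kernel image"),
        ev(GRUB_BINARY_PCR, "/initrd.img", b"constructed initrd"),
    ]

GOLDEN = sample_log("/vmlinuz root=/dev/sda2 ro")                  # known-good boot
OBSERVED = sample_log("/vmlinuz root=/dev/sda2 ro extra_param=1")  # changed command line

if __name__ == "__main__":
    good, seen = replay(GOLDEN), replay(OBSERVED)
    for index in (GRUB_STRING_PCR, GRUB_BINARY_PCR):
        status = "match" if good[index] == seen[index] else "MISMATCH"
        print(f"PCR{index}: {status}", first_divergence(GOLDEN, OBSERVED, index) or "")
```

Because the extend operation is order-sensitive and cumulative, a single changed command line alters the final PCR8 value while PCR9 is unaffected; the same replay applies to any PCR in the tables on this page.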
Linux Secure Boot Shim
Shim is used to extend the UEFI secure boot concept to Linux. Table 5 shows the PCR usage in Shim.
Table 5 Shim TPM PCR Usage
PCR Index | PCR Usage |
---|---|
4 | UEFI application, such as second_stage, FALLBACK, MOK_MANAGER. |
7 | UEFI variable, such as "MokSBState". Verification policy authority, such as "Shim", "db", "MokList". |
14 | UEFI variable, such as "MokList", "MokListX", "MokSBState". |
shim.c start_image() executes a UEFI application image, such as second_stage, FALLBACK, MOK_MANAGER. It calls tpm_log_pe() to measure the image to PCR4.
Shim defines a set of UEFI variables to store its own data. mok.c import_mok_state() checks the mok_state_variables, such as "MokList", "MokListX", "MokSBState", "MokDBState". Of these, the "MokSBState" variable is measured to PCR7 via tpm_measure_variable(). The "MokList", "MokListX", "MokSBState" variables are measured to PCR14 via tpm_log_event().
To follow the UEFI secure boot protocol, shim.c verify_one_signature() will record "Shim" as the authority via tpm_measure_variable() if AuthenticodeVerify() succeeds. Also, check_db_cert()/check_db_hash() will record "db" or "MokList" as the authority if verification succeeds.
Windows BitLocker
Microsoft Windows BitLocker uses the below-listed PCRs. The legacy-boot version of Windows used PCR[8, 9, 10, 11], while UEFI-based Windows uses PCR[11, 12, 13, 14] for the BitLocker policies. Table 6 shows the PCR usage in Windows BitLocker.
Table 6 Windows BitLocker PCR Usage
PCR Index | PCR Usage (Legacy) | PCR Usage (UEFI) |
---|---|---|
8 | NTFS Boot Sector | Reserved |
9 | NTFS Boot Block | Reserved |
10 | Boot Manager | Reserved |
11 | BitLocker access control | BitLocker access control |
12 | Reserved | Data events and highly volatile events |
13 | Reserved | Boot Module Details |
14 | Reserved | Boot Authorities |
(Source: Windows BitLocker)