🔏 Linux TPM PCR Registry 🗒️ #
TPM PCRs are a scarce resource, there are only 24 of them in typical standards compliant TPMs. According to the TCG PC Client Specific Platform Firmware Profile Specification | Trusted Computing Group PCRs 8…15 are for the OS to make use of. In this document we intend to document for Linux platforms which component is using which PCR in order to minimize conflicts.
Out of scope for this is how other OSes, in particular Windows’ use the PCRs. Also out of scope are PCRs owned by the firmware, i.e. 0…7.
This document is informational in nature: it just describes what is, it is not intended to formally declare “ownership” of a specific PCR, but simply is supposed to reflect which PCR assignments are common in the Linux ecosystems. That said, co-opting PCR usage will likely create problems down the line, in particular if measurement logs are maintained separately. (To be more explicit: on
systemd systems the warranty is voided if you write to the PCRs it also uses, as per the list below.)
PCR measurements most commonly serve two distinct purposes:
- To implement access policy on TPM sealed objects: policy can dictate that unsealing of such objects shall only be allowed if some PCRs are in a specific literal state, or in any state for which a signature by a specific key pair can be provided. For this it is essential that PCRs only contain measurements for a clearly defined set of objects, that typically is known in advance so that the PCR value can be pre-calculated (hence this is in a way a forward-looking use)
- To permit reasoning about the boot process and runtime so far, for example for the purpose of remote attestation. In this case it is not that important what objects are measured as long as a record is kept in a measurement log about what it was. The PCRs are in this case used to validate that log (hence this is in a way a backward-looking use)
In both cases it is important that data measured into the PCRs is carefully chosen. PCRs that shall be useful for policy binding should only cover data objects known in advance, and thus not contain runtime data that cannot be pre-calculated in advance. PCRs that shall be useful for backward-looking validation should only cover objects that are also written to the appropriate log for the PCR.
|Used by||From Location||Measured Objects||Log||Use Reported By|
|UEFI Boot Component||Commands and kernel command line||UEFI TPM event log||n/a|
|UEFI Boot Component||All files read (including kernel image)||UEFI TPM event log||n/a|
|Linux kernel 🌰||Kernel||All passed initrds (when the new ||UEFI TPM event log||n/a|
|IMA 📐||Kernel||Protection of the IMA measurement log||IMA event log||n/a|
|UEFI Stub||All components of unified kernel images (UKIs)||UEFI TPM event log||in EFI variable |
|Userspace||Boot phase strings, indicating various milestones of the boot process||Journal (for now)||n/a|
|UEFI Stub||Kernel command line, system credentials and system configuration images||UEFI TPM event log||in EFI variable |
|UEFI Stub||All system extension images for the initrd||UEFI TPM event log||in EFI variable |
|UEFI Boot Component||“MOK” certificates and hashes||UEFI TPM event log||n/a|
|Userspace||Root file system volume encryption key||Journal (for now)||n/a|
|Userspace||Machine ID (||Journal (for now)||n/a|
|Userspace||File system mount point, UUID, label, partition UUID label of root file system and ||Journal (for now)||n/a|
Note that PCR 11 and 15 as shown in the list above are used by multiple components of systemd. These are not conflicting uses, but the involved components are properly ordered to guarantee cooperative, strictly predictable behaviour.