πŸ” UAPI.7 Linux TPM PCR Registry πŸ—’οΈ#

VersionChanges
1.0Initial Release

TPM PCRs are a scarce resource, there are only 24 of them in typical standards compliant TPMs. According to the TCG PC Client Specific Platform Firmware Profile Specification | Trusted Computing Group the OS can make use of PCRs 8…15. This document lists which component is using which PCR on a Linux platform in order to minimize conflicts.

PCRs owned by the firmware, i.e. PCRs 0–7 are described here just for convenience. The authoriative description is in the TCG document.

How other operating systems β€” in particular Windows β€” use PCRs, is out of scope of this document.

This document is informational in nature: it just describes what is, it is not intended to formally declare β€œownership” of a specific PCR, but simply is supposed to reflect which PCR assignments are common in the Linux ecosystems. That said, co-opting PCR usage will likely create problems down the line, in particular if measurement logs are maintained separately. (To be more explicit: on systemd systems the warranty is voided if you write to the PCRs it also uses, as per the list below.)

PCR measurements most commonly serve two distinct purposes:

  • To implement access policy on TPM sealed objects: policy can dictate that unsealing of such objects shall only be allowed if some PCRs are in a specific literal state, or in any state for which a signature by a specific key pair can be provided. For this it is essential that PCRs only contain measurements for a clearly defined set of objects, that typically is known in advance so that the PCR value can be pre-calculated (hence this is in a way a forward-looking use)
  • To permit reasoning about the boot process and runtime so far, for example for the purpose of remote attestation. In this case it is not that important what objects are measured as long as a record is kept in a measurement log about what it was. The PCRs are in this case used to validate that log (hence this is in a way a backward-looking use)

In both cases it is important that data measured into the PCRs is carefully chosen. PCRs that shall be useful for policy binding should only cover data objects known in advance, and thus not contain runtime data that cannot be pre-calculated in advance. PCRs that shall be useful for backward-looking validation should only cover objects that are also written to the appropriate log for the PCR.

PCR#

Used byFrom LocationMeasured ObjectsLogUse Reported By

0

Firmware πŸ’»UEFI Boot ComponentCore system firmware executable codeUEFI TPM event logn/a
systemd-pcrosseparator.service πŸš€Userspaceos-separator barrier when the TPM device becomes available to userspace/run/log/systemd/tpm2-measure.logn/a

1

Firmware πŸ’»UEFI Boot ComponentCore system firmware data/host platform configuration; typically contains serial and model numbersUEFI TPM event logn/a
systemd-stub πŸš€UEFI StubMeasurement of SMBIOS Type 1, 2, 11 as set when the UEFI stub takes overUEFI TPM event logn/a
systemd-pcrosseparator.service πŸš€Userspaceos-separator barrier when the TPM device becomes available to userspace/run/log/systemd/tpm2-measure.logn/a

2

Firmware πŸ’»UEFI Boot ComponentExtended or pluggable executable code; includes option ROMs on pluggable hardwareUEFI TPM event logn/a
systemd-pcrosseparator.service πŸš€Userspaceos-separator barrier when the TPM device becomes available to userspace/run/log/systemd/tpm2-measure.logn/a

3

Firmware πŸ’»UEFI Boot ComponentExtended or pluggable firmware data; includes information about pluggable hardwareUEFI TPM event logn/a
systemd-pcrosseparator.service πŸš€Userspaceos-separator barrier when the TPM device becomes available to userspace/run/log/systemd/tpm2-measure.logn/a

4

Firmware πŸ’»UEFI Boot ComponentBoot loader and additional drivers; binaries and extensions loaded by the boot loaderUEFI TPM event logn/a
systemd-pcrosseparator.service πŸš€Userspaceos-separator barrier when the TPM device becomes available to userspace/run/log/systemd/tpm2-measure.logn/a

5

Firmware πŸ’»UEFI Boot ComponentGPT/Partition tableUEFI TPM event logn/a
systemd-boot πŸš€UEFI Boot ComponentUsed loader.confUEFI TPM event logn/a
systemd-pcrosseparator.service πŸš€Userspaceos-separator barrier when the TPM device becomes available to userspace/run/log/systemd/tpm2-measure.logn/a

6

systemd-pcrosseparator.service πŸš€Userspaceos-separator barrier when the TPM device becomes available to userspace/run/log/systemd/tpm2-measure.logn/a

7

Firmware πŸ’»UEFI Boot ComponentSecureBoot stateUEFI TPM event logn/a
systemd-pcrosseparator.service πŸš€Userspaceos-separator barrier when the TPM device becomes available to userspace/run/log/systemd/tpm2-measure.logn/a

8

grub 🍲UEFI Boot ComponentCommands and kernel command lineUEFI TPM event logn/a

9

grub 🍲UEFI Boot ComponentAll files read (including kernel image)UEFI TPM event logn/a
Linux kernel 🌰KernelAll passed initrds (when the new LOAD_FILE2 initrd protocol is used)UEFI TPM event logn/a
systemd-tpm2-setup.service πŸš€UserspaceState of each NvPCR after anchor measurement/run/log/systemd/tpm2-measure.logn/a
systemd-pcrnvdone.service πŸš€UserspaceNvPCR anchor measurement separator/run/log/systemd/tpm2-measure.logn/a
systemd-pcrosseparator.service πŸš€Userspaceos-separator barrier when the TPM device becomes available to userspace/run/log/systemd/tpm2-measure.logn/a

10

IMA πŸ“KernelProtection of the IMA measurement logIMA event logn/a

11

systemd-stub πŸš€UEFI StubAll components of unified kernel images (UKIs)UEFI TPM event login EFI variable StubPcrKernelImage
systemd-pcrphase πŸš€UserspaceBoot phase strings, indicating various milestones of the boot process/run/log/systemd/tpm2-measure.logn/a

12

systemd-stub πŸš€UEFI StubKernel command line, system credentials, system configuration images, initrd addons, Β΅code addons, devicetree addonsUEFI TPM event login EFI variable StubPcrKernelParameters
systemd-pcrosseparator.service πŸš€Userspaceos-separator barrier when the TPM device becomes available to userspace/run/log/systemd/tpm2-measure.logn/a

13

systemd-stub πŸš€UEFI StubAll system extension images for the initrdUEFI TPM event login EFI variable StubPcrInitRDSysExts
systemd-pcrosseparator.service πŸš€Userspaceos-separator barrier when the TPM device becomes available to userspace/run/log/systemd/tpm2-measure.logn/a

14

shim πŸ”‘UEFI Boot Componentβ€œMOK” certificates and hashesUEFI TPM event logn/a
systemd-pcrosseparator.service πŸš€Userspaceos-separator barrier when the TPM device becomes available to userspace/run/log/systemd/tpm2-measure.logn/a

15

systemd-cryptsetup@.service πŸš€UserspaceRoot file system volume encryption key/run/log/systemd/tpm2-measure.logn/a
systemd-pcrmachine.service πŸš€UserspaceMachine ID (/etc/machine-id)/run/log/systemd/tpm2-measure.logn/a
systemd-pcrfs@.service πŸš€UserspaceFile system mount point, UUID, label, partition UUID label of root file system and /var//run/log/systemd/tpm2-measure.logn/a

PCR 0 changes on firmware updates; PCR 1 changes on basic hardware/CPU/RAM replacements.

systemd-stub measures SMBIOS Type 1, 2, 11 objects when it is executed. These objects are used to parameterize the OS, and hence important to measure. Some firmwares do not measure SMBIOS structures on their own, hence this is supposed to fill the gap on such systems. Note that the Type 1 field for the wakeup source is masked to zero before the measurement is made, in order to provide stable measurements independently of system wakeup sources.

PCR 4 changes on boot loader updates. The shim project will measure the PE binary it chain loads into this PCR. If the Linux kernel is invoked as UEFI PE binary, it is measured here, too. systemd-stub measures system extension images read from the ESP here too (see systemd-sysext and Extension Images).

PCR 5 changes when partitions are added, modified, or removed.

PCR 7 changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) are updated. The shim project will measure most of its (non-MOK) certificates and SBAT data into this PCR.

systemd-pcrosseparator.service extends PCRs 0–7, 9, 12–14 with the literal word os-separator as a barrier measurement when userspace first sees the TPM device, so that firmware and OS measurements are clearly isolated from each other and distinguishable. This provides protection for systems where the firmware does not generate the UEFI-mandated measurement on its own, or doesn’t natively support TPMs at all (for example because the TPM is emulated in software).

PCR 11 and 15 as shown in the list above are used by multiple components of systemd. These are not conflicting uses; the involved components are properly ordered to cooperatively guarantee predictable behaviour.

systemd-stub measures the ELF kernel image, embedded initrd and other payload of the PE image into PCR 11. Unlike PCR 4 (where the same data should be measured too), those values should be easy to pre-calculate, as they only reflect the static parts of the PE binary. systemd-pcrphase.service measures boot phase strings into this PCR at various milestones of the boot process. Use PCR 11 to bind TPM policies to a specific kernel image, possibly with an embedded initrd, and to a specific boot phase.

systemd-boot measures the kernel command line into PCR 12. systemd-stub measures any manually specified kernel command line (i.e. a kernel command line that overrides the one embedded in the UKI) and loaded credentials into this PCR. This means that if systemd-boot and systemd-stub are used together, the command line might be measured twice.

systemd-stub measures any Extension Images it passes to the booted kernel into PCR 13.

systemd-cryptsetup optionally measures the volume key of activated LUKS volumes into this PCR. systemd-pcrmachine.service measures the machine-id into this PCR. systemd-pcrfs@.service measures mount points, file system UUIDs, labels, partion UUIDs of the root and /var/ filesystems into this PCR.

Sources#