Linux TPM PCR Registry

πŸ” Linux TPM PCR Registry πŸ—’οΈ #

TPM PCRs are a scarce resource, there are only 24 of them in typical standards compliant TPMs. According to the TCG PC Client Specific Platform Firmware Profile Specification | Trusted Computing Group PCRs 8…15 are for the OS to make use of. In this document we intend to document for Linux platforms which component is using which PCR in order to minimize conflicts.

Out of scope for this is how other OSes, in particular Windows’ use the PCRs. Also out of scope are PCRs owned by the firmware, i.e. 0…7.

This document is informational in nature: it just describes what is, it is not intended to formally declare β€œownership” of a specific PCR, but simply is supposed to reflect which PCR assignments are common in the Linux ecosystems. That said, co-opting PCR usage will likely create problems down the line, in particular if measurement logs are maintained separately. (To be more explicit: on systemd systems the warranty is voided if you write to the PCRs it also uses, as per the list below.)

PCR measurements most commonly serve two distinct purposes:

  • To implement access policy on TPM sealed objects: policy can dictate that unsealing of such objects shall only be allowed if some PCRs are in a specific literal state, or in any state for which a signature by a specific key pair can be provided. For this it is essential that PCRs only contain measurements for a clearly defined set of objects, that typically is known in advance so that the PCR value can be pre-calculated (hence this is in a way a forward-looking use)
  • To permit reasoning about the boot process and runtime so far, for example for the purpose of remote attestation. In this case it is not that important what objects are measured as long as a record is kept in a measurement log about what it was. The PCRs are in this case used to validate that log (hence this is in a way a backward-looking use)

In both cases it is important that data measured into the PCRs is carefully chosen. PCRs that shall be useful for policy binding should only cover data objects known in advance, and thus not contain runtime data that cannot be pre-calculated in advance. PCRs that shall be useful for backward-looking validation should only cover objects that are also written to the appropriate log for the PCR.

PCR#

Used byFrom LocationMeasured ObjectsLogUse Reported By

8

grub 🍲UEFI Boot ComponentCommands and kernel command lineUEFI TPM event logn/a

9

grub 🍲UEFI Boot ComponentAll files read (including kernel image)UEFI TPM event logn/a

(cont.)

Linux kernel 🌰KernelAll passed initrds (when the new LOAD_FILE2 initrd protocol is used)UEFI TPM event logn/a

10

IMA πŸ“KernelProtection of the IMA measurement logIMA event logn/a

11

systemd-stub πŸš€UEFI StubAll components of unified kernel images (UKIs)UEFI TPM event login EFI variable StubPcrKernelImage

(cont.)

systemd-pcrphase πŸš€UserspaceBoot phase strings, indicating various milestones of the boot processJournal (for now)n/a

12

systemd-stub πŸš€UEFI StubKernel command line, system credentials and system configuration imagesUEFI TPM event login EFI variable StubPcrKernelParameters

13

systemd-stub πŸš€UEFI StubAll system extension images for the initrdUEFI TPM event login EFI variable StubPcrInitRDSysExts

14

shim πŸ”‘UEFI Boot Componentβ€œMOK” certificates and hashesUEFI TPM event logn/a

15

systemd-cryptsetup@.service πŸš€UserspaceRoot file system volume encryption keyJournal (for now)n/a

(cont.)

systemd-pcrmachine.service πŸš€UserspaceMachine ID (/etc/machine-id)Journal (for now)n/a

(cont.)

systemd-pcrfs@.service πŸš€UserspaceFile system mount point, UUID, label, partition UUID label of root file system and /var/Journal (for now)n/a

Note that PCR 11 and 15 as shown in the list above are used by multiple components of systemd. These are not conflicting uses, but the involved components are properly ordered to guarantee cooperative, strictly predictable behaviour.

Sources #