Skip to content

Update TPM PCR registry to match systemd state of the art #188

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Nov 21, 2025
Merged

Update TPM PCR registry to match systemd state of the art #188

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
10f471c
tpm-pcr-registry: systemd has a proper event log these days, say so
poettering Nov 21, 2025
2c94bfc
tpm-pcr-registry: catch up with systemd's recent NvPCR masurements
poettering Nov 21, 2025
c7f834c
tpm-pcr-registry: mention systemd-boot measures loader.conf to PCR 5
poettering Nov 21, 2025
d015ebc
tpm-pcr-registry: mentioned various types of addons are measured into…
poettering Nov 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 34 additions & 6 deletions specs/linux_tpm_pcr_registry.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,15 @@ In both cases it is important that data measured into the PCRs is carefully chos
<td>n/a</td>
</tr>

<tr>
<td style="background-color:#fff3bf;"></td>
<td style="background-color:#e5c8e6;"><code style="background-color:#e5c8e6;">systemd-boot 🚀</code></td>
<td>UEFI Boot Component</td>
<td>Used <code>loader.conf</code></td>
<td>UEFI TPM event log</td>
<td>n/a</td>
</tr>

<tr>
<td style="background-color:#fff3bf;"><p style="text-align: right"><strong>7</strong></p></td>
<td style="background-color:#838284;"><code style="background-color:#838284;">Firmware 💻</code></td>
Expand Down Expand Up @@ -131,6 +140,24 @@ In both cases it is important that data measured into the PCRs is carefully chos
<td>n/a</td>
</tr>

<tr>
<td style="background-color:#fff3bf;"></td>
<td style="background-color:#e5c8e6;"><code style="background-color:#e5c8e6;">systemd-tpm2-setup.service 🚀</code></td>
<td>Userspace</td>
<td>State of each NvPCR after anchor measurement</td>
<td><code>/run/log/systemd/tpm2-measure.log</code></td>
<td>n/a</td>
</tr>

<tr>
<td style="background-color:#fff3bf;"></td>
<td style="background-color:#e5c8e6;"><code style="background-color:#e5c8e6;">systemd-pcrnvdone.service 🚀</code></td>
<td>Userspace</td>
<td>NvPCR anchor measurement separator</td>
<td><code>/run/log/systemd/tpm2-measure.log</code></td>
<td>n/a</td>
</tr>

<tr>
<td style="background-color:#fff3bf;"><p style="text-align: right"><strong>10</strong></p></td>
<td style="background-color:#a3c2d4;">IMA 📐</td>
Expand All @@ -154,15 +181,15 @@ In both cases it is important that data measured into the PCRs is carefully chos
<td style="background-color:#e5c8e6;"><code style="background-color:#e5c8e6;">systemd-pcrphase 🚀</code></td>
<td>Userspace</td>
<td>Boot phase strings, indicating various milestones of the boot process</td>
<td>Journal (for now)</td>
<td><code>/run/log/systemd/tpm2-measure.log</code></td>
<td>n/a</td>
</tr>

<tr>
<td style="background-color:#fff3bf;"><p style="text-align: right"><strong>12</strong></p></td>
<td style="background-color:#e5c8e6;"><code style="background-color:#e5c8e6;">systemd-stub 🚀</code></td>
<td>UEFI Stub</td>
<td>Kernel command line, system credentials and system configuration images</td>
<td>Kernel command line, system credentials, system configuration images, initrd addons, µcode addons, devicetree addons</td>
<td>UEFI TPM event log</td>
<td>in EFI variable <code>StubPcrKernelParameters</code></td>
</tr>
Expand All @@ -171,7 +198,8 @@ In both cases it is important that data measured into the PCRs is carefully chos
<td style="background-color:#fff3bf;"><p style="text-align: right"><strong>13</strong></p></td>
<td style="background-color:#e5c8e6;"><code style="background-color:#e5c8e6;">systemd-stub 🚀</code></td>
<td>UEFI Stub</td>
<td>All system extension images for the initrd</td><td>UEFI TPM event log</td>
<td>All system extension images for the initrd</td>
<td>UEFI TPM event log</td>
<td>in EFI variable <code>StubPcrInitRDSysExts</code></td>
</tr>

Expand All @@ -189,7 +217,7 @@ In both cases it is important that data measured into the PCRs is carefully chos
<td style="background-color:#e5c8e6;"><code style="background-color:#e5c8e6;">[email protected] 🚀</code></td>
<td>Userspace</td>
<td>Root file system volume encryption key</td>
<td>Journal (for now)</td>
<td><code>/run/log/systemd/tpm2-measure.log</code></td>
<td>n/a</td>
</tr>

Expand All @@ -198,7 +226,7 @@ In both cases it is important that data measured into the PCRs is carefully chos
<td style="background-color:#e5c8e6;"><code style="background-color:#e5c8e6;">systemd-pcrmachine.service 🚀</code></td>
<td>Userspace</td>
<td>Machine ID (<code>/etc/machine-id</code>)</td>
<td>Journal (for now)</td>
<td><code>/run/log/systemd/tpm2-measure.log</code></td>
<td>n/a</td>
</tr>

Expand All @@ -207,7 +235,7 @@ In both cases it is important that data measured into the PCRs is carefully chos
<td style="background-color:#e5c8e6;"><code style="background-color:#e5c8e6;">[email protected] 🚀</code></td>
<td>Userspace</td>
<td>File system mount point, UUID, label, partition UUID label of root file system and <code>/var/</code></td>
<td>Journal (for now)</td>
<td><code>/run/log/systemd/tpm2-measure.log</code></td>
<td>n/a</td>
</tr>
</table>
Expand Down