Introduction
Platform Configuration Register 1 (PCR[1]) is a crucial component of the Trusted Platform Module (TPM) that records information about the system's boot configuration. For better understanding of the role of TPM in EVE, see Overview of the Trusted Platform Module in EVE-OS. PCR[1] refers to a specific index of the general PCR concept. PCR[1] is commonly used to measure settings like the configured boot order, certain SMBIOS tables, or other OEM configuration data. It can also be involved in recording changes to firmware settings that are not executable code.
General PCR Values
If the edge device has a Trusted Platform Module installed, GRUB will log each command executed and each file loaded into the TPM event log and extend the PCR values in the TPM accordingly. All events will be logged into the PCR described with a type of EV_IPL and an event description. For example, The following table provides detailed usage, classification, and security implications of various Trusted Platform Module (TPM) Platform Configuration Registers (PCRs) defined across different Trusted Computing Group (TCG specifications): TPM PCR Index Security Implications
A measured boot involves a "chain of trust," where each stage of the boot process measures the next before executing it. This chain starts with the system firmware and continues through the bootloader, the kernel, and even into the operating system itself.
The example PCRs 8, 9, 13, and 14 provide more detail about the ZEDEDA-specific software process than what is captured in the PCRs that precede them.
Example TPM Event
To illustrate the complexity of factors influencing PCR, consider the following example TPM event:
Boot Option: Boot0001: Embedded NVMe M.2 Drive 3: NVM Express Controller - S435NA0N415484-SAMSUNG MZ1LB960HAJQ-00007-0
This is an example of the descriptive information that is hashed and recorded in the TPM event log. This boot option, including the NVMe drive's serial number, showcases how specific boot configurations, as determined by the BIOS manufacturer, can impact PCR measurement. Other manufacturers or even different BIOS versions for the same device might use a different format, for example without a serial number.
This specific event describes the bootable device selected by the firmware. The firmware measures this information and extends a PCR (often PCR 0 or PCR 4) with the hash of this string. This is one of the first steps in the chain of trust. This specific event describes the bootable device selected by the firmware. The firmware measures this information and extends a PCR (often PCR 0 or PCR 4) with the hash of this string. This is one of the first steps in the chain of trust.
The TPM event log provides a narrative of the boot process. The "Boot Option" event tells you what device was booted from, while the subsequent events in PCRs 8 and 9 tell you what that device did to load the operating system. This complete picture is what allows ZEDEDA to have a high degree of confidence in the integrity of its edge devices.
Factors Influencing PCR[1]
Several factors can influence the PCR[1] index.
Boot Configuration Options
Note: The names and specific configurations of "Enable USB Boot" and "Fast Boot" options can vary depending on the BIOS manufacturer. You should consult your system's documentation or UEFI specification for precise details regarding the names and configurations of these options.
Enable USB Boot Option
- Dynamic Boot Configuration: Enabling USB boot introduces dynamic changes to PCR[1] as the TPM records information related to the boot process. The addition or removal of USB boot options directly influences the PCR[1] value.
- Extended Measurements: The TPM extends measurements during the boot process to incorporate USB boot-related details when this option is enabled. PCR[1] reflects these extended measurements, providing a comprehensive view of the boot configuration.
Fast Boot Option
- Streamlined Boot Process: "Fast Boot" is designed to expedite system boot times by bypassing certain non-essential initialization steps. PCR[1] may be altered as a result of the streamlined boot process, with potential differences in recorded values compared to a standard boot.
- Reduced Measurements: The streamlined nature of "Fast Boot" may lead to reduced measurements being extended into PCR[1], affecting the overall contents of PCR[1]. This alteration is a consequence of skipping certain checks during the boot process.
BIOS Configuration Variability
- Manufacturer-Specific Influence: Various BIOS settings beyond "Enable USB Boot" and "Fast Boot" can influence PCR[1]. For instance, settings related to boot order, secure boot, and other configurations may depend on the BIOS manufacturer's implementation, affecting the measurements stored in PCR[1].
UEFI Specification
The behavior of PCR[1] and the handling of Boot Configuration Options are guided by the Unified Extensible Firmware Interface (UEFI) specification. System administrators and users are encouraged to refer to the Unified Extensible Firmware Interface (UEFI) Specification Release 2.10 documentation for a comprehensive understanding of the standards and practices related to UEFI firmware. A separate specification describes in detail the usage of each PCR[1] register and is described in the TCG EFI Platform Specification For TPM Family 1.1 or 1.2
Conclusion
In conclusion, PCR[1] TPM register is influenced by a combination of factors, including Boot Configuration Options (such as "Enable USB Boot" and "Fast Boot") and the variability in BIOS Configuration Settings introduced by the BIOS manufacturer. These factors must be detected during HW evaluation and recommendation must be given to customers on how to configure BIOS properly to avoid PCR[1] mismatch in the field.
Next Steps
- Remote Attestation Overview
- TPM PCR Index Security Implications
- Factors Affecting PCR[1] TPM Register - You are here!
- Host Platform Configuration (PCR 1) Interpretation Guide
- Manage PCR Templates
- Configure an attestation policy in your project.
- Use EVE-OS Local UI to analyze attestation issues.