Introduction
This procedure explains how to view, update, and reset the PCR (Platform Configuration Register) policy for an edge node using the ZCLI command-line interface. Operators use this procedure to customize which PCR indexes EVE-OS (Edge Virtualization Engine) uses when sealing the vault encryption key into the TPM, or to restore the default policy after making changes.
Prerequisites
- Edge node with a TPM 2.0 chip and SHA-256 PCR bank support.
- zcli installed and configured with access to Edge Infrastructure Services.
- Either the SysManager or SysAdmin role in your Edge Infrastructure Services enterprise.
- Remote attestation configured for the project.
View the Current PCR Policy
Run the following command to retrieve the active PCR policy for a specific edge node. Replace <name> with the edge node name, or use --uuid=<uuid> with the node's UUID.
zcli edge-node pcr-policy show (<name> | --uuid=<uuid>)
The output displays the active PCR indexes, the current policy ID, and the policy status. For example:
Current PCR Policy:
  PCR Indices: 0, 1, 2, 3, 4, 6, 7, 8, 9, 13, 14
  Policy ID: 5
  Status: Active (Default Policy)
Update the PCR Policy
Use this section to apply a custom PCR policy to an edge node. ZCLI enforces a multi-stage safety workflow before applying any change, including a security impact warning if the proposed policy removes PCR indexes from the default set.
zcli edge-node pcr-policy set (<name> | --uuid=<uuid>) --pcrs=<pcr-list>
Choose an input method
ZCLI supports the following input methods for specifying PCR indexes.
Comma-separated list. Specify indexes directly as a comma-separated list:
zcli edge-node pcr-policy set <name> --pcrs 0,2,3,4,6,7,8,9,13,14
Range notation. Use a hyphen to specify a range of consecutive indexes:
zcli edge-node pcr-policy set <name> --pcrs 0-4,7
Interactive mode. Launch a visual selection interface to toggle individual PCR indexes:
zcli edge-node pcr-policy set <name> --interactive
When --interactive is specified, ZCLI presents a visual selection interface:
Select PCR indices to include in attestation policy:

Platform Configuration Registers:
  [x] PCR 0 - Core Root of Trust Measurement (CRTM)
  [x] PCR 1 - Platform Configuration
  [x] PCR 2 - Option ROM Code
  [x] PCR 3 - Option ROM Configuration
  [x] PCR 4 - Boot Manager Code
  [ ] PCR 6 - State Transitions
  [x] PCR 7 - Secure Boot State
  [ ] PCR 8 - Boot Component Configuration
  [ ] PCR 9 - Reserved
  ...

Use arrow keys to navigate, SPACE to toggle, ENTER to confirm
Press 'd' to restore default policy (0-4, 6-9, 13, 14)
Press '?' for PCR descriptions
ZCLI Security Safeguards
Policy Change Workflow
When a user attempts to modify the PCR policy, ZCLI implements a multi-stage safety workflow:
Stage 1: Policy Comparison
ZCLI automatically compares the requested policy against the current default policy and identifies differences:
Policy Change Analysis:
  Current Policy:  0, 1, 2, 3, 4, 6, 7, 8, 9, 13, 14
  Proposed Policy: 0, 2, 6, 7, 8, 9, 13, 14

Changes:
  [-] PCR 1 - Platform Configuration (REMOVED)
  [-] PCR 3 - Option ROM Configuration (REMOVED)
  [-] PCR 4 - Boot Manager Code (REMOVED)
Stage 2: Security Impact Warning
If the proposed policy removes PCRs from the default set or deviates significantly, ZCLI displays a security warning based on TPM-PCR-Index-Security-Implications:
WARNING: Security Implications Detected

The proposed PCR policy differs from the recommended default configuration.
Removing PCR indices from the attestation policy may weaken platform integrity
verification and allow the system to boot in compromised states.

Specifically:
  • PCR 1 (Platform Configuration): Without this, platform firmware configuration changes may go undetected.
  • PCR 3 (Option ROM Configuration): Configuration tampering may go undetected.
  • PCR 4 (Boot Manager Code): Boot manager modifications, including bootkit malware, may not be detected.

For detailed security implications, see: <HELP-LINK>

Do you understand these security implications? (yes/no):
Stage 3: Validation and Application
Before applying the policy, ZCLI validates:
- The Root of Trust PCR index (PCR 0) is not removed
- Boot Manager Configuration is always excluded (PCR 5)
- All PCR indices are valid (0-15 for TPM 2.0)
- The node is accessible and can accept policy updates
- No duplicate indices exist in the list
Non-Intrusive Default Policy Changes
If the proposed policy is a superset of the default (only adding PCRs), the warning is simplified:
INFO: Policy Enhancement Detected

The proposed policy includes additional PCR indices beyond the default.
Additional PCRs: 11, 12

This change increases attestation strictness and may prevent booting if these
PCRs are not in expected states.

Proceed with policy update? (y/n):
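The --pcrs input formats, the Stage 1 policy comparison, the Stage 3 validation rules and the superset case above can be modelled together. The Python below is an added illustration written for this article, not ZCLI's own code; the default set, the 0-15 range and the PCR 0 / PCR 5 rules come from the text, while the function names are assumptions.

```python
import re

# Default policy from this article: PCR indexes 0-4, 6-9, 13, 14.
DEFAULT_PCRS = frozenset([0, 1, 2, 3, 4, 6, 7, 8, 9, 13, 14])
# Names as listed in the interactive selection screen above.
PCR_NAMES = {0: "Core Root of Trust Measurement (CRTM)", 1: "Platform Configuration",
             2: "Option ROM Code", 3: "Option ROM Configuration", 4: "Boot Manager Code",
             6: "State Transitions", 7: "Secure Boot State",
             8: "Boot Component Configuration", 9: "Reserved"}

def parse_pcr_list(spec):
    """Parse --pcrs input: comma-separated indexes with optional hyphen ranges ('0-4,7')."""
    pcrs = []
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item.strip())
        if not m:
            raise ValueError(f"invalid PCR item: {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if hi < lo:
            raise ValueError(f"descending range: {item!r}")
        pcrs.extend(range(lo, hi + 1))  # ranges are inclusive on both ends
    return pcrs

def validate_policy(pcrs):
    """Stage 3 checks; returns the list of violations (empty means the policy is valid)."""
    problems = []
    if len(set(pcrs)) != len(pcrs):
        problems.append("duplicate PCR indices")
    if any(p > 15 for p in pcrs):
        problems.append("PCR index outside 0-15")
    if 0 not in pcrs:
        problems.append("PCR 0 (Root of Trust) must be included")
    if 5 in pcrs:
        problems.append("PCR 5 (Boot Manager Configuration) is always excluded")
    return problems

def analyze_change(proposed, current=DEFAULT_PCRS):
    """Stage 1/2: diff against the current policy and pick the warning level."""
    proposed = set(proposed)
    removed = sorted(current - proposed)
    added = sorted(proposed - current)
    if removed:
        level = "WARNING"  # removed PCRs weaken integrity verification
    elif added:
        level = "INFO"     # superset: stricter attestation, may block boot
    else:
        level = "NONE"     # identical to the current policy
    changes = [f"[-] PCR {p} - {PCR_NAMES.get(p, 'PCR')} (REMOVED)" for p in removed]
    changes += [f"[+] PCR {p} (ADDED)" for p in added]
    return {"level": level, "removed": removed, "added": added, "changes": changes}
```

Running analyze_change(parse_pcr_list("0,2,6,7,8,9,13,14")) reproduces the three REMOVED lines shown in the Stage 1 output.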
Bypass for Advanced Users
For automation or advanced scenarios, the command supports a bypass flag with added friction:
zcli edge-node pcr-policy set "test-node" --pcrs 0,1,7 --force --confirm-risks
Both --force and --confirm-risks must be specified together, preventing accidental bypass.
Reset the PCR Policy to Default
Run the following command to restore the default PCR policy (indexes 0–4, 6–9, 13, 14) for an edge node:
zcli edge-node pcr-policy reset <name>
ZCLI confirms the reset and assigns a new policy ID:
✓ PCR policy restored to default (0-4, 6-9, 13, 14)
Policy ID: 7
Verify the Configuration
After viewing, updating, or resetting the PCR policy, run the show command to confirm the active policy reflects your intended configuration:
zcli edge-node pcr-policy show <name>
Confirm that the PCR Indices field lists the expected indexes and that the Policy ID has incremented from the previous value.
If the edge node vault becomes locked after a policy change, the edge node will initiate remote attestation automatically to retrieve the updated vault key and PCR index list from Edge Infrastructure Services. This is expected behavior when the new PCR indexes do not match the values used in the previous sealing operation.
Next Steps
This procedure is part of a series of articles; you will likely follow them in this order:
- Overview of the Trusted Platform Module in EVE-OS
- Factors Affecting PCR TPM Register
- Remote Attestation Overview
- Flexible Platform Configuration Registers (PCR) Policy Overview
- Manage a PCR Policy Using ZCLI - You are here!
- Manage PCR Templates
- Configure an attestation policy in your project.
- Use EVE-OS Local UI to analyze attestation issues.