tpm: support PCR summary reference values

smo4201 · smo4201 · commit 95114869d89f · 2026-01-29T19:02:14.000+01:00
Signed-off-by: Simon Ott &lt;simon.ott@aisec.fraunhofer.de&gt;
diff --git a/bin/generate-os-manifest-tpm b/bin/generate-os-manifest-tpm
@@ -44,8 +44,14 @@ kernel=$(uname -r)
 os=$(lsb_release -sd 2>/dev/null)
 set -e
 
-# Parse the values of the OS PCRs from the kernel's binary bios measurements as reference values
-referenceValues=$("${mrtool[@]}" parse tpm --mrs 8,9,12,13,14,15)
+# Retrieve reference values from event logs if present, otherwise retrieve final PCR values from TPM
+if [[ -f "/sys/kernel/security/tpm0/binary_bios_measurements" ]]; then
+  echo "TPM event log present: parsing eventlog"
+  referenceValues=$("${mrtool[@]}" parse tpm --mrs 8,9,12,13,14,15)
+else
+  echo "TPM event log not present: reading final PCR values"
+  referenceValues=$("${mrtool[@]}" read tpm --mrs 8,9,12,13,14,15)
+fi
 
 # Load OS manifest
 json=$(cat "${input}/manifest.json")
diff --git a/bin/generate-rtm-manifest-tpm b/bin/generate-rtm-manifest-tpm
@@ -39,8 +39,14 @@ mkdir -p "${out}"
 
 echo "Using ${data} as directory for local data"
 
-# Parse the values of the RTM PCRs from the kernel's binary bios measurements as reference values
-referenceValues=$("${mrtool[@]}" parse tpm --mrs 0,1,2,3,4,5,6,7)
+# Retrieve reference values from event logs if present, otherwise retrieve final PCR values from TPM
+if [[ -f "/sys/kernel/security/tpm0/binary_bios_measurements" ]]; then
+  echo "TPM event log present: parsing eventlog"
+  referenceValues=$("${mrtool[@]}" parse tpm --mrs 0,1,2,3,4,5,6,7)
+else
+  echo "TPM event log not present: reading final PCR values"
+  referenceValues=$("${mrtool[@]}" read tpm --mrs 0,1,2,3,4,5,6,7)
+fi
 
 # Load manifest template
 json=$(cat "${input}/manifest.json")
diff --git a/drivers/tpmdriver/tpmdriver.go b/drivers/tpmdriver/tpmdriver.go
@@ -555,7 +555,7 @@ func GetEventLogs(serializer ar.Serializer,
 		}
 
 		// Collect detailed measurements from event logs if specified
-		if biosLog {
+		if biosLog && len(biosMeasurements) > 0 {
 			for _, digest := range biosMeasurements {
 				if num == digest.Index {
 					event := ar.MeasureEvent{
diff --git a/example-setup/configs/installed/est-server-conf.json b/example-setup/configs/installed/est-server-conf.json
@@ -17,7 +17,7 @@
     "tpmEkCertDb": "data/tpm-ek-certs.db",
     "logLevel": "trace",
     "authMethods": [
-        "attestation"
+        "none"
     ],
     "tokenPath": "data/token_store",
     "publishAddr": "http://localhost:8080/results",
diff --git a/verifier/tpm.go b/verifier/tpm.go
@@ -149,11 +149,12 @@ func verifyPcrs(s ar.Serializer, measurement ar.Measurement,
 		}
 
 		if measuredPcr.Type == ar.ARTIFACT_TYPE_PCR_EVENTLOG {
-			// measurement contains a detailed measurement list (e.g. retrieved from bios
+			// Measurement contains a detailed measurement list (e.g. retrieved from bios
 			// measurement logs or ima runtime measurement logs)
+			log.Tracef("PCR%v measurement contains event log", measuredPcr.Index)
 			measuredSummary := make([]byte, 32)
 			for _, event := range measuredPcr.Events {
-				//first event could be a TPM_PCR_INIT_VALUE ()
+				// First event could be a TPM_PCR_INIT_VALUE
 				if event.EventName == "TPM_PCR_INIT_VALUE" {
 					calculatedPcrs[pcr] = event.Sha256
 					measuredSummary = event.Sha256
@@ -194,6 +195,9 @@ func verifyPcrs(s ar.Serializer, measurement ar.Measurement,
 					nameInfo += ": " + event.EventName
 				}
 
+				log.Tracef("Found refval for PCR%v measurement %v: %v",
+					pcr, nameInfo, hex.EncodeToString(event.Sha256))
+
 				measResult := ar.DigestResult{
 					Type:        "Verified",
 					Index:       pcr,
@@ -205,18 +209,15 @@ func verifyPcrs(s ar.Serializer, measurement ar.Measurement,
 					CtrDetails:  event.CtrData,
 				}
 				detailedResults = append(detailedResults, measResult)
-
-				log.Tracef("Found refval for PCR%v measurement %v: %v",
-					pcr, nameInfo, hex.EncodeToString(event.Sha256))
 			}
 			pcrResult.Digest = hex.EncodeToString(calculatedPcrs[pcr])
 			if !bytes.Equal(measuredSummary, calculatedPcrs[pcr]) {
 				pcrResult.Measured = hex.EncodeToString(measuredSummary)
 			}
 
 		} else if measuredPcr.Type == ar.ARTIFACT_TYPE_PCR_SUMMARY {
-			// measurement contains just the summary PCR value
-			// We therefore unconditionally extend every reference value for this PCR
+			// Measurement contains just the summary PCR value
+			log.Tracef("PCR%v measurement contains PCR summary", measuredPcr.Index)
 			if len(measuredPcr.Events) != 1 {
 				log.Debugf("Expected exactly one event for artifact type %q, got %v",
 					ar.ARTIFACT_TYPE_PCR_SUMMARY, len(measuredPcr.Events))
@@ -229,17 +230,38 @@ func verifyPcrs(s ar.Serializer, measurement ar.Measurement,
 						calculatedPcrs[pcr] = ref.Sha256 //the Sha256 should contain the init value
 						continue                         //break the loop iteration and continue with the next event
 					}
-					calculatedPcrs[pcr] = internal.ExtendSha256(calculatedPcrs[pcr], ref.Sha256)
+
+					if ref.SubType == ar.ARTIFACT_TYPE_PCR_SUMMARY {
+						log.Tracef("PCR%v refval is PCR summary", measuredPcr.Index)
+
+						// Check if calculatedPcrs is uninitialized, as only one reference
+						// value summary is allowed
+						if !bytes.Equal(calculatedPcrs[pcr], make([]byte, len(calculatedPcrs[pcr]))) {
+							log.Debugf("Fail: PCR%v multiple reference values type %q",
+								pcr, ar.ARTIFACT_TYPE_PCR_SUMMARY)
+							success = false
+						}
+
+						// Also the reference value is a PCR summary, set the calculated value
+						calculatedPcrs[pcr] = ref.Sha256
+					} else {
+						// As we only have the measured final value, but reference values for
+						// each artifact, unconditionally extend the reference value
+						calculatedPcrs[pcr] = internal.ExtendSha256(calculatedPcrs[pcr], ref.Sha256)
+
+						log.Tracef("Extended refval for PCR%v %v: %v",
+							pcr, ref.SubType, hex.EncodeToString(ref.Sha256))
+					}
 
 					// As we only have the PCR summary, we will later set all reference values
 					// to true/false depending on whether the calculation matches the PCR summary
-					measResult := ar.DigestResult{
+					r := ar.DigestResult{
 						Index:       pcr,
 						Digest:      hex.EncodeToString(ref.Sha256),
 						SubType:     ref.SubType,
 						Description: ref.Description,
 					}
-					detailedResults = append(detailedResults, measResult)
+					detailedResults = append(detailedResults, r)
 				}
 
 			}
@@ -248,6 +270,7 @@ func verifyPcrs(s ar.Serializer, measurement ar.Measurement,
 			if equal {
 				pcrResult.Digest = hex.EncodeToString(calculatedPcrs[pcr])
 				pcrResult.Success = true
+				log.Tracef("PCR%v match: %x", pcr, calculatedPcrs[pcr])
 			} else {
 				log.Debugf("PCR%v mismatch: measured: %v, calculated: %v", pcr,
 					hex.EncodeToString(measuredPcr.Events[0].Sha256),
diff --git a/verifier/tpm_test.go b/verifier/tpm_test.go

Original file line number	Diff line number	Diff line change
`@@ -555,7 +555,7 @@ func GetEventLogs(serializer ar.Serializer,`
`555`	`555`	`}`
`556`	`556`
`557`	`557`	`// Collect detailed measurements from event logs if specified`
`558`		`- if biosLog {`
	`558`	`+ if biosLog && len(biosMeasurements) > 0 {`
`559`	`559`	`for _, digest := range biosMeasurements {`
`560`	`560`	`if num == digest.Index {`
`561`	`561`	`event := ar.MeasureEvent{`