Measured boot not working

I’m using the AMD 7840U version of the Framework 13 with bios 3.05, and I’m having problems reading the TPM Event Log (/sys/firmware/acpi/tables/TPM2 or /sys/kernel/security/tpm0/binary_bios_measurements). This has been reported before, but I could not find any resolution of the issue. I’ve tried with Qubes 4.2 (kernel 6.6.54-1) and with arch Linux live USB. Both give an ACPI table where the addresses are null pointers.

Can anyone with an AMD laptop running Linux see (and read) the binary_bios_measurements file? I’ve spent way too long on this issue, and I need a sanity check from someone.

Yes, it seems I can read the file, on my Framework 13 with Ryzen 7840U. I just updated to firmware 3.06 and I’m running Arch linux.

$ sudo hexdump -C /sys/kernel/security/tpm0/binary_bios_measurements | head
00000000  00 00 00 00 03 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 21 00 00 00  |............!...|
00000020  53 70 65 63 20 49 44 20  45 76 65 6e 74 30 33 00  |Spec ID Event03.|
00000030  00 00 00 00 00 02 00 02  01 00 00 00 0b 00 20 00  |.............. .|
00000040  00 00 00 00 00 02 82 00  00 01 00 00 00 0b 00 44  |...............D|
00000050  3a d7 88 1c eb f2 62 b2  90 d1 5e 4d ef 89 f7 c6  |:.....b...^M....|
00000060  97 28 c1 04 f2 c2 9b c1  03 37 c2 3c ee 00 11 10  |.(.......7.<....|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000080  00 00 00 00 00 00 00 01  82 00 00 01 00 00 00 0b  |................|
00000090  00 e2 b1 41 ce 2f 7c 42  5e fb b6 1c d4 5d 18 6e  |...A./|B^....].n|

$ sudo dmesg | grep -i tpm
[    0.000000] efi: ACPI=0x5affe000 ACPI 2.0=0x5affe014 TPMFinalLog=0x5af3f000 SMBIOS=0x58e77000 SMBIOS 3.0=0x58e74000 MEMATTR=0x52f66018 ESRT=0x54978e18 INITRD=0x4bd78b18 RNG=0x5af95018 TPMEventLog=0x5af8c018 
[    0.003405] ACPI: TPM2 0x000000005AFE9000 000050 (v05 INSYDE EDK2     20505348 ACPI 00040000)
[    0.003442] ACPI: Reserving TPM2 table memory at [mem 0x5afe9000-0x5afe904f]
...

Thank you very much for responding, I’ll try the new firmware and see if that helps

I’m running Arch Kernel 6.12.1, firmware 3.05 and it looks like this:

$ sudo hexdump -C /sys/kernel/security/tpm0/binary_bios_measurements | head
00000000  00 00 00 00 03 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 21 00 00 00  |............!...|
00000020  53 70 65 63 20 49 44 20  45 76 65 6e 74 30 33 00  |Spec ID Event03.|
00000030  00 00 00 00 00 02 00 02  01 00 00 00 0b 00 20 00  |.............. .|
00000040  00 00 00 00 00 02 82 00  00 01 00 00 00 0b 00 c6  |................|
00000050  b4 0f 2f 90 23 96 3e b2  72 d6 25 78 3e e9 33 d4  |../.#.>.r.%x>.3.|
00000060  b4 a6 7a 4a 9a 88 c0 2a  11 ff 23 fb b1 58 42 10  |..zJ...*..#..XB.|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000080  00 00 00 00 00 00 00 01  82 00 00 01 00 00 00 0b  |................|
00000090  00 e2 b1 41 ce 2f 7c 42  5e fb b6 1c d4 5d 18 6e  |...A./|B^....].n|

$ sudo dmesg | grep -i tpm
[    0.000000] efi: ACPI=0x5affe000 ACPI 2.0=0x5affe014 TPMFinalLog=0x5af3f000 SMBIOS=0x58e77000 SMBIOS 3.0=0x58e74000 MEMATTR=0x52e51018 ESRT=0x5491cc18 RNG=0x5af96f18 INITRD=0x4bd7eb18 TPMEventLog=0x5af91018 
[    0.004595] ACPI: TPM2 0x000000005AFE9000 000050 (v05 INSYDE EDK2     20505348 ACPI 00040000)
[    0.004634] ACPI: Reserving TPM2 table memory at [mem 0x5afe9000-0x5afe904f]
...

Yeah, I just updated to 3.06 and still not working. Thank you very much for taking the time.

I just tested with a Ubuntu live instance, and I got it working, but I got a very thin output, and it looks very similar to both of yours:

Someone says:ubuntu@ubuntu:~/Desktop$ sudo xxd /sys/kernel/security/tpm0/binary_bios_measurements
00000000: 0000 0000 0300 0000 0000 0000 0000 0000  ................
00000010: 0000 0000 0000 0000 0000 0000 2900 0000  ............)...
00000020: 5370 6563 2049 4420 4576 656e 7430 3300  Spec ID Event03.
00000030: 0000 0000 0002 0002 0300 0000 0400 1400  ................
00000040: 0b00 2000 0c00 3000 00                   .. ...0.. 

When actually parsing this data, I get a single log entry (which I would assume that you do as well) as such:

Someone says:ubuntu@ubuntu:~/Desktop$ sudo tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements
---
version: 1
events:
- EventNum: 0
  PCRIndex: 0
  EventType: EV_NO_ACTION
  Digest: "0000000000000000000000000000000000000000"
  EventSize: 41
  SpecID:
  - Signature: Spec ID Event03
    platformClass: 0
    specVersionMinor: 0
    specVersionMajor: 2
    specErrata: 0
    uintnSize: 2
    numberOfAlgorithms: 3
    Algorithms:
    - Algorithm[0]:
      algorithmId: sha1
      digestSize: 20
    - Algorithm[1]:
      algorithmId: sha256
      digestSize: 32
    - Algorithm[2]:
      algorithmId: sha384
      digestSize: 48
    vendorInfoSize: 0
pcrs: 

This is starting to look like a firmware issue. Am I correct in assuming that you see a similar (very short) output from sudo tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements?

Just for comparison.
Framework 16 AMD BIOS BETA 3.0.5 is filled in, on my FW16.
I don’t have secure boot enabled, but it is still filled in.

sudo xxd /sys/kernel/security/tpm0/binary_bios_measurements

Kernel 6.12.0 gives output that has lots of lines from:
00000000:
to
0000d750:

With regards to the contents, it looks a lot like content grub might have put in there. So not necessarily populated by the BIOS.
I have Ubuntu 24.04. Mainline kernel 6.12.0 (compiled my me)

with ubuntu kernel: 6.8.0-49-generic
gives output that has lots of lines from:
00000000:
to
0000fd70:

That’s very interesting, thank you. Do you have the file /sys/firmware/acpi/tables/TPM2? If so, are the last 16 bytes of that file all zeroes?

On my FW16 AMD:

/sys/firmware/acpi/tables$ sudo xxd TPM2 
00000000: 5450 4d32 5000 0000 0565 494e 5359 4445  TPM2P....eINSYDE
00000010: 4544 4b32 2020 2020 4853 5020 4143 5049  EDK2    HSP ACPI
00000020: 0000 0400 0000 0000 4000 50c0 0000 0000  ........@.P.....
00000030: 0d00 0000 0080 50c0 0000 0000 2880 50c0  ......P.....(.P.
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................

Wow… you completely broke my theory of what’s going on… thank you.

My understanding was that if the ACPI table TPM2 exists, then it loads the table based on the two pointers at the end of that file, even if they are null pointers. If the table does not exist, it instead reads the event log from EFI instead. I though my issue was that my last two pointers were all zeroes, but my ACPI/TPM2 table is identical to yours… Could you please let me know which distro and kernel version you are running? Never mind, I just noticed that you included that information above.

Just a guess, but I get different output in kernel 6.12.0 from dmesg | grep -i tpm.
Maybe the systemd bits is doing some magic to make it work?

sudo dmesg | grep -i tpm
[    0.000000] efi: ACPI=0x5affe000 ACPI 2.0=0x5affe014 TPMFinalLog=0x5af3f000 SMBIOS=0x58e77000 SMBIOS 3.0=0x58e74000 MEMATTR=0x530e1018 ESRT=0x54912898 MOKvar=0x5907c000 INITRD=0x4bd7e598 RNG=0x5af96018 TPMEventLog=0x47c94018 
[    0.003771] ACPI: TPM2 0x000000005AFE9000 000050 (v05 INSYDE EDK2     20505348 ACPI 00040000)
[    0.003811] ACPI: Reserving TPM2 table memory at [mem 0x5afe9000-0x5afe904f]
[   13.615510] systemd[1]: systemd 255.4-1ubuntu8.4 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
[   14.806609] systemd[1]: systemd-pcrextend.socket - TPM2 PCR Extension (Varlink) was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
[   14.819206] systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
[   14.819882] systemd[1]: systemd-tpm2-setup-early.service - TPM2 SRK Setup (Early) was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
[   14.829503] systemd[1]: systemd-tpm2-setup.service - TPM2 SRK Setup was skipped because of an unmet condition check (ConditionSecurity=measured-uki).

There is one huge difference…

Nov 23 16:39:35 dom0 kernel: efi: ACPI=0x5affe000 ACPI 2.0=0x5affe014 TPMFinalLog=0x5af3f000 SMBIOS=0x58e77000 SMBIOS 3.0=0x58e74000 (MEMATTR=0x52f4d018 unusable) ESRT=0x5af95018 
Nov 23 16:39:35 dom0 kernel: ACPI: TPM2 0x000000005AFE9000 000050 (v05 INSYDE EDK2     20505348 ACPI 00040000)
Nov 23 16:39:35 dom0 kernel: ACPI: Reserving TPM2 table memory at [mem 0x5afe9000-0x5afe904f]
Nov 23 16:39:35 dom0 systemd[1]: systemd 251.19-1.fc37 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Nov 23 16:39:35 dom0 systemd-sysusers[282]: Creating user 'tss' (Account used for TPM access) with UID 59 and GID 59.
Nov 23 16:40:00 dom0 systemd[1]: systemd 251.19-1.fc37 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)

On my efi: line I list the address for TPMFinalLog, but I miss a lot of addresses you have, probably most importantly TPMEventLog. Now I have to figure out where this data comes from. I got TPMEventLog when I ran Ubuntu Live, but by table was a single post there.

Just to verify that your event log isn’t only grub, could you check if your sudo tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements includes events on PCR4? It is set before grub is even loaded.

It seems that at least part of the data is read from (the same place as) /sys/firmware/efi/systab, but TPMFinalLog is not included there.

tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements

There is no mention of PCR4, but PCR is mentioned a lot.
e.g.

---
version: 1
events:
- EventNum: 0
  PCRIndex: 0
  EventType: EV_NO_ACTION
  Digest: "0000000000000000000000000000000000000000"
  EventSize: 33
  SpecID:
  - Signature: Spec ID Event03
    platformClass: 0
    specVersionMinor: 0
    specVersionMajor: 2
    specErrata: 0
    uintnSize: 2
    numberOfAlgorithms: 1
    Algorithms:
    - Algorithm[0]:
      algorithmId: sha256
      digestSize: 32
    vendorInfoSize: 0
- EventNum: 1
  PCRIndex: 0
  EventType: Unknown event type
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: "443ad7881cebf262b290d15e4def89f7c69728c104f2c29bc10337c23cee0011"
  EventSize: 16
  Event: "00000000000000000000000000000000"
- EventNum: 2
  PCRIndex: 0
  EventType: Unknown event type
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: "e2b141ce2f7c425efbb61cd45d186e05d261b044703a7e66213c635f087e602f"
  EventSize: 16
  Event: "6dd652f2566d65f17b5816a1e851d0bb"
- EventNum: 3
  PCRIndex: 0
  EventType: Unknown event type
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: "fd16e949deb7ebfa7bea4834e7faf1e2ae7ce76446e8e9c878a740aedaf957b5"
  EventSize: 16
  Event: "51d0e888ff080cc0db2dde719fc6e443"
- EventNum: 4
  PCRIndex: 0
  EventType: Unknown event type
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: "10dbe557dc79ccada62dfe983b34853bbd8e01736ded704fd77101639666ca18"
  EventSize: 16
  Event: "18182b08ae58999b7b5a80a1f6ea43d7"
... [SNIP]

That appears before the grub stuff.

/sys/firmware/efi# cat systab
ACPI20=0x5affe014
ACPI=0x5affe000
SMBIOS3=0x58e74000
SMBIOS=0x58e77000

I think you are on to something with the difference in “efi:” line.
The “(MEMATTR=0x52f4d018 unusable)” seems to be the problem with your laptop.
The “unusable” bit is the difference between yours and mine.

Well, that’s on PCRIndex: 0, which should also be written by the firmware, so pretty sure you have the real deal.

Right, thanks for pointing that out. I noticed that earlier, but not in regards to the TPM stuff, so I think I got blind to it. I’ll take a look at that.

edit: Absolutely, help is very appreciated, I feel like I’m in deep water. Apparently I’m too new user to post more… hopefully you see this, I’m on 13 hour timeout.
xen dmesg
dom0 dmesg

edit 2: Thank you very much for all the effort! What you’re seeing doesn’t require Secure Boot, it’s part of a (in my opinion) more secure alternative to Secure Boot called Measured Boot. It can be used to tell the TPM to only provide a secret in the case where a precondition is met. For example, register 4 is a hash of the firmware and all loaded efi files, so you can tell the TPM to provide a secret only if the hash matches a preset hash, meaning that you know that no other software (such as rootkits) are running. That way, you can even dual boot without risking infection from the other partition OS (provided you can trust your firmware and TPM), since the rootkit would have to infect the encrypted disk. This does require that you include everything in the hash, though, including grub and initramfs, but if you can get it running on a unified kernel image then you’re all set.

Can you attach, or pastebin.com the full output from “dmesg”, from cold power on onwards?

Looking at your dmesg output and comparing it to mine.
I cannot find anything obviously wrong.
I don’t know if this helps you, but this is the section of kernel code that marks it as unusable:

drivers/firmware/efi/efi.c:637
static __init int match_config_table(const efi_guid_t *guid,
                                     unsigned long table,
                                     const efi_config_table_type_t *table_types)
{
        int i;

        for (i = 0; efi_guidcmp(table_types[i].guid, NULL_GUID); i++) {
                if (efi_guidcmp(*guid, table_types[i].guid))
                        continue;

                if (!efi_config_table_is_usable(guid, table)) {
                        if (table_types[i].name[0])
                                pr_cont("(%s=0x%lx unusable) ",
                                        table_types[i].name, table);
                        return 1;
                }

                *(table_types[i].ptr) = table;
                if (table_types[i].name[0])
                        pr_cont("%s=0x%lx ", table_types[i].name, table);
                return 1;
        }

        return 0;
}

An interesting part of that is this:

static inline
bool efi_config_table_is_usable(const efi_guid_t *guid, unsigned long table)
{
        if (!IS_ENABLED(CONFIG_XEN_EFI))
                return true;
        return xen_efi_config_table_is_usable(guid, table);
}

The different path through the code is used if you are using a CONFIG_XEN_EFI kernel.

Summary:
Non XEN kernels are OK.
XEN kernels have the problem.

In my tpm event log I have the initial “EV_NO_ACTION” “Spec ID Event03”, then 47 events of “Unknown event type” with EventSize 16, and then some interesting ones:

- EventNum: 48
  PCRIndex: 0
  EventType: EV_S_CRTM_VERSION
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: "4b7c7f14ebc106a84bf5695b9c1eadb0929a4efb206f037b3c53fb81cd581f6a"
  EventSize: 24
  Event: "4a0046005000330030002e00300033002e00300036000000"
- EventNum: 49
  PCRIndex: 0
  EventType: EV_EFI_PLATFORM_FIRMWARE_BLOB
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: "2a5b2d8ad2f60b6aa52fa4713dae7fb3834d59327bbaada47c46addbafb29610"
  EventSize: 16
  Event:
    BlobBase: 0x9b00000
    BlobLength: 0x300000

and then about 25 more interesting events, with “Exit Boot Services” at the end. And btw I don’t have secure-boot enabled

My shot-in-the-dark guess would be, some combination of options in the bios/firmware, has tickled some bugs in there. Maybe try resetting bios/UEFI settings to defaults, and check in the secure-boot options too …