What gets measured by the UEFI into the TPM's PCRs?

According to this list of TPM PCR registries, the firmware appears to be responsible for measuring and loading the first eight PCRs. Specifically for PCR 3, which is

Extended or pluggable firmware data; includes information about pluggable hardware

what exactly gets measured by the Framework UEFI? For “pluggable hardware,” I believe there is a UEFI setting for toggling measurement of connected USB4 devices, but are prior generations measured?

I’m curious for two reasons:

  1. I have a monitor with a USB-C connection, which provides power over USB-PD and video over, presumably, DP Alt Mode, with a USB hub. When I rebooted recently, for some reason, my TPM didn’t work to automatically decrypt my drive while connected to an external monitor, so I tried reenrolling the TPM, which worked. If the PCR values were not different, it wouldn’t have proceeded (and just told me there’s nothing to do).
  2. If a theoretical keylogger were attached between my keyboard and the USB port, would that then get measured by the UEFI and change the PCR values?

If changing monitors prevents automatic decryption, and if it can’t detect a keylogger, there doesn’t seem to be much reason for me to keep using this PCR register, so I was hoping to learn more about it.

Until you can get an answer for this I wanted to mention you could look at the TPM event log to see all events. Compare the two event logs for the different results and you’ll see what changes.

There is a tool in the fwupd source tree for doing interpretation of it. I recall it’s noinst though so you’ll need to clone and build the tree in the venv.

I’ll take a look at that, thanks! Systemd also has a utility for inspecting PCR events, which I kind of forgot about when posting, but I don’t really see anything in the event log related to PCR 3, other than a separator event, so it’s possible it’s not actually measuring anything in my current setup. Worth seeing if it can detect changes, though, before I try to see if fwupd is needed to do this.

Thanks!

Well, systemd didn’t show any changes based on whether the monitor was or wasn’t connected, and it booted without needing the passphrase in both cases, so clearly it’s not measuring that.
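The event-log comparison suggested in the replies, as an added example that is not part of the original thread and is not fwupd or systemd code: a minimal parser for the TCG crypto-agile event log (the binary format Linux exposes at /sys/kernel/security/tpm0/binary_bios_measurements) that replays the SHA-256 bank and reports which PCRs differ between two boots. The sample logs, their event contents and the `build_log` helper are constructed for illustration, and the replay assumes every PCR starts at all zeros.

```python
import hashlib, struct
SHA256, EV_NO_ACTION, EV_SEPARATOR = 0x000B, 0x3, 0x4

def parse_log(blob):
    """Return [(pcr, event_type, sha256_digest)] from a TCG2 crypto-agile log."""
    # Record 0 uses the legacy SHA-1 layout; its data (Spec ID event) lists digest sizes.
    _, _, _, size = struct.unpack_from("<II20sI", blob, 0)
    spec = blob[32:32 + size]
    if not spec.startswith(b"Spec ID Event03\0"):
        raise ValueError("not a crypto-agile event log")
    (n_algs,) = struct.unpack_from("<I", spec, 24)
    sizes = dict(struct.unpack_from("<HH", spec, 28 + 4 * i) for i in range(n_algs))
    off, events = 32 + size, []
    while off + 12 <= len(blob):
        pcr, etype, count = struct.unpack_from("<III", blob, off)
        off, digest = off + 12, None
        for _ in range(count):
            (alg,) = struct.unpack_from("<H", blob, off)
            if alg == SHA256:
                digest = blob[off + 2:off + 2 + sizes[alg]]
            off += 2 + sizes[alg]
        (dlen,) = struct.unpack_from("<I", blob, off)
        off += 4 + dlen  # skip the event data; only the digests are extended
        events.append((pcr, etype, digest))
    return events

def replay(events):
    """Recompute SHA-256 PCRs: new = SHA256(old || digest), starting from zeros."""
    pcrs = {}
    for pcr, etype, digest in events:
        if etype != EV_NO_ACTION and digest is not None:  # EV_NO_ACTION is not extended
            pcrs[pcr] = hashlib.sha256(pcrs.get(pcr, bytes(32)) + digest).digest()
    return pcrs

def changed_pcrs(log_a, log_b):
    a, b = replay(parse_log(log_a)), replay(parse_log(log_b))
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))

def build_log(events):
    """Constructed sample input: encode [(pcr, type, data)] as a SHA-256-only log."""
    spec = b"Spec ID Event03\0" + struct.pack("<IBBBBIHHB", 0, 0, 2, 0, 2, 1, SHA256, 32, 0)
    out = struct.pack("<II20sI", 0, EV_NO_ACTION, bytes(20), len(spec)) + spec
    for pcr, etype, data in events:
        out += struct.pack("<IIIH", pcr, etype, 1, SHA256) + hashlib.sha256(data).digest()
        out += struct.pack("<I", len(data)) + data
    return out

BASE = [(0, 0x8, b"constructed-fw-version"), (3, EV_SEPARATOR, bytes(4))]
BOOT_A = build_log(BASE)  # constructed: PCR 3 holds only a separator event
BOOT_B = build_log(BASE + [(3, 0x80000001, b"constructed-device-config")])
```

A PCR that only ever receives the separator event, as described for PCR 3 in this thread, replays to the same value on every boot, so `changed_pcrs` lists it only when an additional event is extended into it.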