Various systemd components issue TPM2 PCR measurements during the boot process,
both in UEFI mode and from userspace. The following lists all measurements
done, and describes (in case done before ExitBootServices()) how they appear
in the TPM2 Event Log, maintained by the PC firmware. Note that the userspace
measurements listed below are (by default) only done if a system is booted with
systemd-stub — or in other words: systemd’s userspace measurements are linked
to systemd’s UEFI-mode measurements, and if the latter are not done the former
aren’t made either.
systemd will measure to PCRs 5 (boot-loader-config), 11 (kernel-boot),
12 (kernel-config), 13 (sysexts), 15 (system-identity).
Currently, four components will issue TPM2 PCR measurements:
systemd-boot boot menu (UEFI)systemd-stub boot stub (UEFI)systemd-pcrextend measurement tool (userspace)systemd-cryptsetup disk encryption tool (userspace)A userspace measurement event log in a format close to TCG CEL-JSON is
maintained in /run/log/systemd/tpm2-measure.log.
We expect that we’ll add further PCR extensions in future (both in firmware and
user mode), which also will be documented here. When executed from firmware
mode future additions are expected to be recorded as EV_EVENT_TAG
measurements in the event log, in order to make them robustly
recognizable. Measurements currently recorded as EV_IPL will continue to be
recorded as EV_IPL, for compatibility reasons. However, EV_IPL will not be
used for new, additional measurements.
systemd-boot (UEFI)EV_EVENT_TAG, “loader.conf”The content of systemd-boot’s configuration file, loader/loader.conf, is
measured as a tagged event.
→ Event Tag 0xf5bc582a
→ Description in the event log record is the file name, loader.conf.
→ Measured hash covers the content of loader.conf as it is read from the ESP.
EV_IPL, “Kernel Command Line”If the kernel command line was specified explicitly (by the user or in a Boot
Loader Specification Type #1 file), the kernel command line passed to the
invoked kernel is measured before it is executed. (In case an UKI/Boot Loader
Specification Type #2 entry is booted, the built-in kernel command line is
implicitly measured as part of the PE sections, because it is embedded in the
.cmdline PE section, hence doesn’t need to be measured by systemd-boot; see
below for details on PE section measurements done by systemd-stub.)
→ Description in the event log record is the literal kernel command line in UTF-16.
→ Measured hash covers the literal kernel command line in UTF-16 (without any trailing NUL bytes).
systemd-stub (UEFI)EV_IPL, “PE Section Name”A measurement is made for each PE section of the UKI that is defined by the UKI specification, in the canonical order described in the specification.
Happens once for each UKI-defined PE section of the UKI, in the canonical UKI PE section order, as per the UKI specification. For each record a pair of records is written, first one that covers the PE section name (described here), and the second one that covers the PE section data (described below), so that both types of records appear interleaved in the event log.
→ Description in the event log record is the PE section name in UTF-16.
→ Measured hash covers the PE section name in ASCII (including a trailing NUL byte!).
EV_IPL, “PE Section Data”Happens once for each UKI-defined PE section of the UKI, in the canonical UKI PE section order, as per the UKI specification, see above.
→ Description in the event log record is the PE section name in UTF-16.
→ Measured hash covers the (binary) PE section contents.
EV_IPL, “Kernel Command Line”Might happen up to three times, for kernel command lines from:
→ Description in the event log record is the literal kernel command line in UTF-16.
→ Measured hash covers the literal kernel command line in UTF-16 (without any trailing NUL bytes).
EV_EVENT_TAG, “Devicetrees”Devicetree addons are measured individually as a tagged event.
→ Event Tag 0x6c46f751
→ Description the addon filename.
→ Measured hash covers the content of the Devicetree.
EV_IPL, “Per-UKI Credentials initrd”→ Description in the event log record is the constant string “Credentials initrd” in UTF-16.
→ Measured hash covers the per-UKI credentials cpio archive (which is generated
on-the-fly by systemd-stub).
EV_IPL, “Global Credentials initrd”→ Description in the event log record is the constant string “Global credentials initrd” in UTF-16.
→ Measured hash covers the global credentials cpio archive (which is generated
on-the-fly by systemd-stub).
EV_IPL, “sysext initrd”→ Description in the event log record is the constant string “System extension initrd” in UTF-16.
→ Measured hash covers the per-UKI sysext cpio archive (which is generated
on-the-fly by systemd-stub).
systemd-pcrextend (Userspace)The systemd-pcrphase.service, systemd-pcrphase-initrd.service,
systemd-pcrphase-sysinit.service services will measure the boot phase reached
during various times of the boot process. Specifically, the strings
“enter-initrd”, “leave-initrd”, “sysinit”, “ready”, “shutdown”, “final” are
measured, in this order. (These are regular units, and administrators may
choose to define additional/different phases.)
→ Measured hash covers the phase string (in UTF-8, without trailing NUL bytes).
The systemd-pcrmachine.service service will measure the machine ID (as read
from /etc/machine-id) during boot.
→ Measured hash covers the string “machine-id:” suffixed by the machine ID formatted in hexadecimal lowercase characters (in UTF-8, without trailing NUL bytes).
The systemd-pcrfs-root.service and systemd-pcrfs@.service services will
measure a string identifying a specific file system, typically covering the
root file system and /var/ (if it is its own file system).
→ Measured hash covers the string “file-system:” suffixed by a series of six colon-separated strings, identifying the file system type, UUID, label as well as the GPT partition entry UUID, entry type UUID and entry label (in UTF-8, without trailing NUL bytes).
systemd-cryptsetup (Userspace)The systemd-cryptsetup@.service service will measure a key derived from the
LUKS volume key of a specific encrypted volume, typically covering the backing
encryption device of the root file system and /var/ (if it is its own file
system).
→ Measured hash covers the (binary) result of the HMAC(V,S) calculation where V is the LUKS volume key, and S is the string “cryptsetup:” followed by the LUKS volume name and the UUID of the LUKS superblock.