The TPM event log contains a history of all measurements made with the TPM.
Complete with some context information for each measurement it is intended to
help with recreating the current PCR contents. What was meant as a debugging
tool turns out to be of vital importance when trying to remotely attest real
life systems. This is mostly because of the overuse of certain PCR and the
general mess that is x86
Sadly, there are many event logs. UEFI keeps one for its measurements and those
done by EFI applications like GRUB and shim. If a system is booted in an MLE
using tboot the ACM firmware code also maintains an event log that can be
accessed via a pointer in an ACPI table. Now, systemd also has an event log
that is mixed into the general journal log. Finally Linux IMA maintains it's
own event log -- an append-only, in-kernel data structure.
On top of that every bootloader or userspace application that wants to measure
something into the TPM will also need to maintain an event log.
How about we fix that? The talk will sketch out a solution that maintains a
unified, global event log of the whole system on disk and exposes an interface for
other applications that wish to measure things into the TPM. We'll also fix a
race conditions in IMA as well as correctly handle S3 resume w.r.t measured boot
while we're at it.