Public bug reported: The TPM event log (at /sys/kernel/security/tpm0/binary_bios_measurements) does not contain the kernel validation key. For each binary loaded during boot (grub, linux), the shim measures a placeholder for the binary itself (EV_EFI_Boot_Services_Application event) and the key that was used to validate it (EV_EFI_Variable_Authority event) into the TPM and corresponding event log. On my machine, grub placeholder and the key used to validate grub are both measured. The kernel placeholder is also present, but the key used to validate the kernel is not measured.
On other distributions (not based on Ubuntu, so only semi-relevant here), this kernel signer event is measured.

System Information:

$ lsb_release -rd
Description:    Ubuntu 18.04.2 LTS
Release:        18.04

$ uname -a
Linux jorhand-ubuntu 4.18.0-25-generic #26~18.04.1-Ubuntu SMP Thu Jun 27 07:28:31 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ apt-cache policy shim
shim:
  Installed: 15+1533136590.3beb971-0ubuntu1
  Candidate: 15+1533136590.3beb971-0ubuntu1
  Version table:
 *** 15+1533136590.3beb971-0ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     13-0ubuntu2 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

I have attached the TPM event log from my machine.

** Affects: shim (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "TPM event log"
   https://bugs.launchpad.net/bugs/1838712/+attachment/5280432/+files/binary_bios_measurements

https://bugs.launchpad.net/bugs/1838712

Title:
  TPM event log does not contain kernel validation key
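The check the reporter did by hand (count the boot-stage placeholder events in PCR 4 against the signer events in PCR 7) can be automated by parsing the TCG 2.0 crypto-agile log format that binary_bios_measurements uses. The following is an added example written for this page, not code from the bug report, from shim, or from Launchpad. It parses the log, decodes the UEFI_VARIABLE_DATA name of each EV_EFI_Variable_Authority event, and reports how many loaded applications lack a matching signer entry. The sample log it builds is constructed: the variable names, certificate bytes and image names are stand-ins, and the EV_EFI_Boot_Services_Application payloads are plain strings rather than the real UEFI_IMAGE_LOAD_EVENT structure, which the check does not need to decode.

```python
import hashlib
import struct

# Event type values from the TCG PC Client Platform Firmware Profile.
EV_NO_ACTION = 0x00000003
EV_EFI_BOOT_SERVICES_APPLICATION = 0x80000003
EV_EFI_VARIABLE_AUTHORITY = 0x800000E0
TPM_ALG_SHA256 = 0x000B


def parse_event_log(blob):
    """Parse a TPM 2.0 (crypto-agile) binary_bios_measurements blob.

    The first entry is a legacy SHA-1 TCG_PCClientPCREvent carrying the
    'Spec ID Event03' header, which lists the digest algorithms (and their
    sizes) used by every following TCG_PCR_EVENT2 entry.
    """
    _pcr, _etype, _sha1, size = struct.unpack_from("<II20sI", blob, 0)
    off = 32
    hdr = blob[off:off + size]
    off += size
    if not hdr.startswith(b"Spec ID Event03\x00"):
        raise ValueError("not a TPM 2.0 crypto-agile event log")
    # signature[16], platformClass u32, minor u8, major u8, errata u8,
    # uintnSize u8, numberOfAlgorithms u32, then (algId u16, digestSize u16)...
    num_algs = struct.unpack_from("<I", hdr, 24)[0]
    alg_sizes = dict(struct.unpack_from("<HH", hdr, 28 + 4 * i) for i in range(num_algs))
    events = []
    while off < len(blob):
        pcr, etype, ndig = struct.unpack_from("<III", blob, off)
        off += 12
        digests = {}
        for _ in range(ndig):
            alg = struct.unpack_from("<H", blob, off)[0]
            off += 2
            digests[alg] = blob[off:off + alg_sizes[alg]]
            off += alg_sizes[alg]
        size = struct.unpack_from("<I", blob, off)[0]
        off += 4
        events.append({"pcr": pcr, "type": etype, "digests": digests, "data": blob[off:off + size]})
        off += size
    return events


def variable_name(data):
    """Decode the UnicodeName field of a UEFI_VARIABLE_DATA event payload."""
    # VariableName GUID[16], UnicodeNameLength u64, VariableDataLength u64, name (UCS-2), data
    name_len, _data_len = struct.unpack_from("<QQ", data, 16)
    return data[32:32 + 2 * name_len].decode("utf-16-le")


def check_signer_events(events):
    """Compare boot applications (PCR 4) with signer events (PCR 7).

    Per the bug report, each binary loaded in the boot chain should have one
    EV_EFI_Boot_Services_Application entry and one EV_EFI_Variable_Authority
    entry naming the variable whose certificate validated it.
    """
    apps = [e for e in events if e["pcr"] == 4 and e["type"] == EV_EFI_BOOT_SERVICES_APPLICATION]
    signers = [variable_name(e["data"]) for e in events
               if e["pcr"] == 7 and e["type"] == EV_EFI_VARIABLE_AUTHORITY]
    return {"applications": len(apps), "signers": signers, "missing": len(apps) - len(signers)}


def _event(pcr, etype, data):
    """Serialise one TCG_PCR_EVENT2 entry with a single SHA-256 digest (constructed)."""
    digest = hashlib.sha256(data).digest()
    return (struct.pack("<III", pcr, etype, 1) + struct.pack("<H", TPM_ALG_SHA256) + digest
            + struct.pack("<I", len(data)) + data)


def _authority(varname, cert_bytes):
    """Serialise a UEFI_VARIABLE_DATA payload; GUID zeroed and cert bytes are placeholders."""
    name = varname.encode("utf-16-le")
    return b"\x00" * 16 + struct.pack("<QQ", len(varname), len(cert_bytes)) + name + cert_bytes


def build_sample_log(include_kernel_signer):
    """Constructed log shaped like the report: shim, grub, linux, with or without the kernel signer."""
    spec = (b"Spec ID Event03\x00" + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 1)
            + struct.pack("<HH", TPM_ALG_SHA256, 32) + b"\x00")
    blob = struct.pack("<II20sI", 0, EV_NO_ACTION, b"\x00" * 20, len(spec)) + spec
    blob += _event(7, EV_EFI_VARIABLE_AUTHORITY, _authority("db", b"<ca-cert-for-shim>"))
    blob += _event(4, EV_EFI_BOOT_SERVICES_APPLICATION, b"shimx64.efi")
    blob += _event(7, EV_EFI_VARIABLE_AUTHORITY, _authority("Shim", b"<vendor-cert-for-grub>"))
    blob += _event(4, EV_EFI_BOOT_SERVICES_APPLICATION, b"grubx64.efi")
    if include_kernel_signer:
        blob += _event(7, EV_EFI_VARIABLE_AUTHORITY, _authority("Shim", b"<vendor-cert-for-kernel>"))
    blob += _event(4, EV_EFI_BOOT_SERVICES_APPLICATION, b"vmlinuz")
    return blob


def check_file(path="/sys/kernel/security/tpm0/binary_bios_measurements"):
    """Run the check against a real log (needs read access to securityfs)."""
    with open(path, "rb") as f:
        return check_signer_events(parse_event_log(f.read()))


if __name__ == "__main__":
    print("with kernel signer:   ", check_signer_events(parse_event_log(build_sample_log(True))))
    print("without kernel signer:", check_signer_events(parse_event_log(build_sample_log(False))))
```

Running it against the constructed log without the kernel signer reports three applications, two signer events ("db" and "Shim") and one missing entry, which is the situation the report describes; `check_file()` applies the same logic to a machine's own log. Which variable name a signer event carries (for example "db" for firmware-validated shim versus "Shim" or "MokListRT" for shim-validated stages) is worth recording in attestation policies, since a remote verifier that expects a signer event per boot stage will reject a log like the one attached here.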