file path of each hash in measurements with TPM

Question

I enable the TPM in a ubuntu which is installed in vmware workstation. and then i install tpm2-tools with the following command:

sudo apt-get install tpm2-tools

then i parse the TPM event log which is in /sys/kernel/security/tpm0/binary_bios_measurement with the following commadn:

tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurement

you can download the output in the following link: https://s16.picofile.com/file/8427251934/output.txt.html and also you can download the TPM eventlog in the following link: https://s16.picofile.com/file/8427252018/binary_bios_measurements.html

i want to know each of the events that TPM computes hash for it belongs to which file or program and also see the path of that file or program. what should i do? is there this information in TPM event log but tpm2-tools which i installed don't parse it? or this information doesn't exist in the TPM event log at all? how can obtain this information?

Answer 1

The Event: field holds the encoding of each event. The details of the encoding depend on the specific event type, so no general answer can be given.

Your initial example showed two events:

  - EventNum: 35
    PCRIndex: 9
    EventType: EV_IPL
    DigestCount: 4
    Digests:
      - AlgorithmId: sha1
        Digest: "66b726c6d64bc109d3948a9528f502ea94938ef4"
      - AlgorithmId: sha256
        Digest: "46f888c52f36baf9b62d60bc8d06426a314aad5a0ff86a4362a91c2512a1df9c"
      - AlgorithmId: sha384
        Digest: "800824fd124df10eeafd6bba36c596c33afbb527e3006b58c19fadced47b03c8ae92f89ef3caef2346b3bd545cfdd8de"
      - AlgorithmId: sha512
        Digest: "4fdd3b4cb38c5c69865033bca010d6b914ddfb74dcc5886b258fe4fa8759a1160ec4b924a1c7a7128b0f6899e6f3b0e33373a1ee7532e533e9b6b1629e52533f"
    EventSize: 45
    Event: "286864302c67707432292f626f6f742f677275622f7838365f36342d6566692f7465726d696e616c2e6c737400"
  - EventNum: 36
    PCRIndex: 8
    EventType: EV_IPL
    DigestCount: 4
    Digests:
      - AlgorithmId: sha1
        Digest: "93e6364afcf0ebde4538949f95b6ab6cc1401f5a"
      - AlgorithmId: sha256
        Digest: "0f693a3995fdec16ad5a0d5f0b1301d3c889d81a8fa071f2fc55dd671c96b977"
      - AlgorithmId: sha384
        Digest: "d982b730da7904c32a897ec4b6b65eccc26cb600408b08ea11fbaa61f39a9ebdcca03b704779f8778f335808636e82fc"
      - AlgorithmId: sha512
        Digest: "cfb1bc50ad58448d462f2f3f84751c07ca973ee57e78acef38a5ea3eaccba51108e589936b9f04174a01ddf7a3a5e1b10b5c584cdac75130aa64d3e81818584f"
    EventSize: 51
    Event: "677275625f636d643a20636f6e66696766696c6520286864302c67707432292f626f6f742f677275622f677275622e63666700"

The events of type EV_IPL are generated by the GRUB boot loader (reference).

You can hex-decode the event string using e.g. xxd (reference):

$ echo 286864302c67707432292f626f6f742f677275622f7838365f36342d6566692f7465726d696e616c2e6c737400 | xxd -revert -plain
(hd0,gpt2)/boot/grub/x86_64-efi/terminal.lst
$ echo 677275625f636d643a20636f6e66696766696c6520286864302c67707432292f626f6f742f677275622f677275622e63666700 | xxd -revert -plain
grub_cmd: configfile (hd0,gpt2)/boot/grub/grub.cfg