I have been experimenting with the TPM on a Dell R710 (BIOS version 6.3.0). My goal was to detect changes to BIOS settings through TPM PCRs. The research I have done leads me to believe that BIOS configuration changes should be reflected in PCR value 01. However making alterations to the BIOS config such as changing the System Password, disable NICs, or changing the boot order did not affect any PCR value.
Another observation I made was PCRs 01, 03, 06, and 07 are all identical. The only way I was able to change any PCR was by changing the TPM security “On with pre-boot measurements” to “On without pre-boot measurements”. After changing that setting PCR 01 didn't change but PCR 00, 02, and 04 were changed to be equal to PCR 01.
What I gather from this is that the value being hashed for PCR 01 is probably 0 and therefor my platform isn't really measuring any BIOS settings for PCR 01. Am I missing something or does it appear that the R710 doesn't measure the BIOS configuration settings? Also if I am correct can anyone suggest a server platform that does measure the BIOS configuration correctly?
PCR with Pre-Boot Measurements/without Pre-Boot Measurements
00 A1.../5B...
01 5B.../5B...
02 42.../5B...
03 5B.../5B...
04 DE.../5A...
05 B7.../B7...
06 5B.../5B...
07 5B.../5B...
Update: Confirmed that the R710 does not do any measurements for PCR01. Too bad