
I have been experimenting with the TPM on a Dell R710 (BIOS version 6.3.0). My goal was to detect changes to BIOS settings through TPM PCRs. The research I have done leads me to believe that BIOS configuration changes should be reflected in PCR value 01. However, making alterations to the BIOS config such as changing the System Password, disabling NICs, or changing the boot order did not affect any PCR value.

Another observation I made was PCRs 01, 03, 06, and 07 are all identical. The only way I was able to change any PCR was by changing the TPM security “On with pre-boot measurements” to “On without pre-boot measurements”. After changing that setting PCR 01 didn't change but PCR 00, 02, and 04 were changed to be equal to PCR 01.

What I gather from this is that the value being hashed for PCR 01 is probably 0 and therefore my platform isn't really measuring any BIOS settings for PCR 01. Am I missing something, or does it appear that the R710 doesn't measure the BIOS configuration settings? Also, if I am correct, can anyone suggest a server platform that does measure the BIOS configuration correctly?

PCR   with pre-boot measurements / without pre-boot measurements

00    A1... / 5B...
01    5B... / 5B...
02    42... / 5B...
03    5B... / 5B...
04    DE... / 5A...
05    B7... / B7...
06    5B... / 5B...
07    5B... / 5B...

Update: Confirmed that the R710 does not do any measurements for PCR01. Too bad

guntbert
MattyG
  • Could you elaborate on how you retrieve the measurements? e.g. in Linux "cat /sys/devices/pnp0/00:09/pcrs" – northox Apr 03 '14 at 13:31
  • using #cat /sys/class/misc/tpm0/device/pcrs – MattyG Apr 03 '14 at 15:04
  • Weird. Is your BIOS up to date? Your assumptions seem correct, so unless there's a BIOS fix for this, I would suggest contacting Dell. – northox Apr 03 '14 at 17:07
  • v6.3.0 is only 1 minor rev out of date – MattyG Apr 03 '14 at 19:19
  • Confirmed that the R710 does not do any measurements for PCR01 – MattyG Apr 14 '14 at 21:04
  • You should probably close the question by answering yourself with the latest update: seems like even though a computer has a TPM, that doesn't mean it actually works... or something similar. – northox Apr 15 '14 at 12:43

0 Answers