TPM Event Logs - nsacyber/HIRS GitHub Wiki

Background

The TPM Event Log is defined in the TCG PC Client Platform Firmware Profile, referred to as the "PFP". The Event Log contains all the hashes that are extended into the TPM PCRs during the boot cycle, so one can recreate the resulting PCR values by extending the values within this file; therefore a separate TPM PCR list may not be needed. This file is needed to show what each PCR covers and to provide details should TPM Quote verification fail.

For Linux the Event Log file has the following path: /sys/kernel/security/tpm0/binary_bios_measurements. It is a binary file in which each event is a C-style structure with the following format:

typedef struct tdTCG_PCR_EVENT2 {
    UINT32                  pcrIndex;
    UINT32                  eventType;
    TPML_DIGEST_VALUES      digests;
    UINT32                  eventSize;
    BYTE                    event[eventSize];
} TCG_PCR_EVENT2;

Where:

  • pcrIndex: the PCR register number, typically shown in documentation as PCR[0], where 0 would be the pcrIndex
  • eventType: an enumerated type found in Table 9 of the PFP. The PFP uses upper-case labels to reference the events (e.g. event type 0x00000007 is labelled EV_S_CRTM_CONTENTS).
  • digests: the hash value(s) recorded for the event (SHA1 or SHA256 depending upon the log type). This may be a hash of firmware, a file, or the event itself. What the digest covers is dictated by Table 9 of the PFP.
  • eventSize: size (in bytes) of the event data.
  • event: event data as described by Table 9 of the PFP.
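Parsing a log in the format just described and replaying its digests into PCR values, as an added example (not code from the HIRS project or the PFP): it skips the leading SHA1-format TCG_PCR_EVENT that carries the EfiSpecIdEvent, decodes each TCG_PCR_EVENT2 record and recreates the PCR bank by extending the digests. The sample log is constructed inline; the header body and the fixed TPM_ALG_ID size table are simplifying assumptions (a real EfiSpecIdEvent lists the digest sizes itself).

```python
import hashlib
import struct

# TPM_ALG_ID -> (hashlib name, digest size) for algorithms a crypto-agile log may carry.
ALG_SIZES = {0x0004: ("sha1", 20), 0x000B: ("sha256", 32),
             0x000C: ("sha384", 48), 0x000D: ("sha512", 64)}

def skip_spec_id_event(data):
    """Return the offset just past the leading SHA1-format TCG_PCR_EVENT that carries the
    EfiSpecIdEvent: pcrIndex(4) eventType(4) digest[20] eventSize(4) event[eventSize]."""
    (size,) = struct.unpack_from("<I", data, 28)
    return 32 + size

def parse_event2_log(data):
    """Return (pcrIndex, eventType, {alg: digest}, event) for every TCG_PCR_EVENT2 record."""
    off, events = skip_spec_id_event(data), []
    while off < len(data):
        pcr, etype, count = struct.unpack_from("<III", data, off)  # count = digests.count
        off += 12
        digests = {}
        for _ in range(count):  # TPML_DIGEST_VALUES: count x (TPM_ALG_ID, digest bytes)
            (alg,) = struct.unpack_from("<H", data, off)
            name, size = ALG_SIZES[alg]
            digests[name] = data[off + 2:off + 2 + size]
            off += 2 + size
        (size,) = struct.unpack_from("<I", data, off)
        events.append((pcr, etype, digests, data[off + 4:off + 4 + size]))
        off += 4 + size
    return events

def replay_pcrs(events, alg="sha256"):
    """Recreate the PCR bank: each record extends its PCR as PCR[i] = H(PCR[i] || digest)."""
    pcrs, zero = {}, b"\x00" * hashlib.new(alg).digest_size
    for pcr, _etype, digests, _event in events:
        if alg in digests:
            pcrs[pcr] = hashlib.new(alg, pcrs.get(pcr, zero) + digests[alg]).digest()
    return pcrs
# --- Constructed sample log (not captured from a real machine). ---
def build_event2(pcr, etype, event):
    """Encode one crypto-agile record carrying SHA1 and SHA256 digests of the event data."""
    rec = struct.pack("<III", pcr, etype, 2)
    rec += struct.pack("<H", 0x0004) + hashlib.sha1(event).digest()
    rec += struct.pack("<H", 0x000B) + hashlib.sha256(event).digest()
    return rec + struct.pack("<I", len(event)) + event

# Header: EV_NO_ACTION (0x3) in PCR[0] with a placeholder body standing in for EfiSpecIdEvent.
SPEC_ID_HEADER = struct.pack("<II", 0, 0x00000003) + b"\x00" * 20 + struct.pack("<I", 4) + b"SPEC"
# Two PCR[0] records: EV_S_CRTM_CONTENTS (0x7, from the PFP) and EV_S_CRTM_VERSION (0x8).
SAMPLE_LOG = SPEC_ID_HEADER + build_event2(0, 0x00000007, b"crtm") + build_event2(0, 0x00000008, b"v1.0")
```

Feeding the bytes of binary_bios_measurements to parse_event2_log and comparing the replay_pcrs result with the PCRs reported in a TPM Quote is the check the Background section describes.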

What's the purpose of the TPM Event Log and what role does it play in device attestation and provisioning?

  1. For provisioning, the TCG Event Log is one of the Support RIM file options for PC Client systems. This means that the Base RIM (SWID tag) file will carry a hash of it in its payload for verification purposes.
    1. The digest values found within the log can be used to calculate the expected values in the TPM Quote.
    2. The events in the RIM can be compared against the log provided by the client to detail which event caused the miscompare.

Why don't I see the Event Log on my device?

The Event Log is written to ACPI memory by the firmware as specified by the TCG ACPI Specification, section 7.3. The operating system may copy and/or alter the event log if it decides to write it to the file system. The event logs, in theory, have the same information in the same format. Preliminary tests seem to support the idea that the log format does not differ between Windows and Linux.

The log contents depend upon:

  • The TPM type: TPM 1.2 has a small log with limited (not very useful) information. TPM 2.0 logs may contain more information.
  • The presence of an EfiSpecIdEvent event. This event specifies whether the log has the SHA1 format or the Crypto Agile format (as defined by the PFP).
  • The firmware version: newer versions of firmware usually have more events.
  • The OS and OS version: newer versions of an OS will contain PCR values above 7. Some older versions may not even capture the Event Log.

Linux

Linux has support for reading the log and writing it to the securityfs filesystem for TPM 1.2. You will need a Linux kernel of 4.18 or higher to see the log for TPM 2.0; the newer the kernel the better. CentOS 7, with its 3.10 kernel, will never see the log without a kernel upgrade. If it does exist, the file path for the event log is:

/sys/kernel/security/tpm0/binary_bios_measurements

This is a binary log, so you will need a tool to see the contents (see tcg_eventlog_tool below).

Microsoft

Windows 10 MAY (depending upon the specific version and group policy) store the binary form of the event log in C:\Windows\Logs\MeasuredBoot\ with a numeric name and a .log extension. Microsoft also provides the Tbsi_Get_TCG_Log function to retrieve the log from the ACPI table. The log files can be found in the following paths depending upon how Windows Policy is configured.

TCGLogTools

Microsoft maintains TCGLogTools on GitHub. It is a PowerShell script which can be used to produce JSON- or XML-formatted logs from the binary log held in ACPI memory.

tcg_eventlog_tool

To inspect the contents of a binary event log, a Linux command-line tool named "elt" (event log tool) has been created to parse it and print human-readable output. For details refer to the tcg_eventlog_tool README.md.