

19.5 Measuring boot components

If the tpm module is loaded and the platform has a Trusted Platform Module installed, GRUB will log each command executed and each file loaded into the TPM event log and extend the PCR values in the TPM correspondingly. Every event is logged into the PCR given in the table below with an event type of EV_IPL and the event description given there.

Event type           PCR  Description
Command              8    All executed commands (including those from configuration files) will be logged and measured as entered with a prefix of "grub_cmd: "
Kernel command line  8    Any command line passed to a kernel will be logged and measured as entered with a prefix of "kernel_cmdline: "
Module command line  8    Any command line passed to a kernel module will be logged and measured as entered with a prefix of "module_cmdline: "
Files                9    Any file read by GRUB will be logged and measured with a descriptive text corresponding to the filename.
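The table above describes what a verifier should expect to find in the TPM event log after GRUB has run. The following added example (not part of the GRUB manual or GRUB's own code) replays a constructed SHA-256 event log the way a verifier would, extending PCR 8 and PCR 9 from their initial zero values with each recorded digest, and checks that every event is EV_IPL and that each description prefix landed in the PCR the table prescribes. The event descriptions, file names and measured bytes are constructed sample data; in a real log the verifier uses the digest recorded by the firmware for each event rather than re-hashing anything itself.

```python
"""Replay and sanity-check GRUB measurements in PCR 8 and PCR 9 (added example)."""
import hashlib
from dataclasses import dataclass

EV_IPL = 0x0000000D   # TCG PC Client event type GRUB uses for all its events
PCR_SIZE = 32         # SHA-256 PCR bank


@dataclass(frozen=True)
class Event:
    pcr: int
    event_type: int
    description: str
    digest: bytes     # digest recorded in the event log for this event


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """PCR extend semantics for a SHA-256 bank: new = H(old || digest)."""
    return hashlib.sha256(pcr_value + digest).digest()


def replay(events):
    """Replay the log from all-zero PCRs; returns {pcr_index: final_value_hex}."""
    pcrs = {8: bytes(PCR_SIZE), 9: bytes(PCR_SIZE)}
    for ev in events:
        pcrs.setdefault(ev.pcr, bytes(PCR_SIZE))
        pcrs[ev.pcr] = extend(pcrs[ev.pcr], ev.digest)
    return {idx: val.hex() for idx, val in pcrs.items()}


# Description prefixes from the manual's table and the PCR each must use.
# Anything without one of these prefixes is a file measurement (PCR 9).
PREFIX_TO_PCR = {"grub_cmd: ": 8, "kernel_cmdline: ": 8, "module_cmdline: ": 8}


def check_events(events):
    """Return a list of violations of the manual's table; empty means consistent."""
    problems = []
    for ev in events:
        if ev.event_type != EV_IPL:
            problems.append(f"{ev.description!r}: event type {ev.event_type:#x} is not EV_IPL")
        prefix = next((p for p in PREFIX_TO_PCR if ev.description.startswith(p)), None)
        expected = PREFIX_TO_PCR[prefix] if prefix else 9
        if ev.pcr != expected:
            problems.append(f"{ev.description!r}: found in PCR {ev.pcr}, expected PCR {expected}")
    return problems


def make_event(pcr, description, data):
    """Build a constructed log entry; the digest is simply SHA-256 of the sample bytes."""
    return Event(pcr, EV_IPL, description, hashlib.sha256(data).digest())


def sample_log():
    """Constructed sample log in the order GRUB would produce it (sample data only)."""
    return [
        make_event(8, "grub_cmd: set root=hd0,gpt2", b"set root=hd0,gpt2"),
        make_event(9, "/boot/vmlinuz", b"<constructed kernel image bytes>"),
        make_event(8, "kernel_cmdline: root=/dev/sda2 ro quiet", b"root=/dev/sda2 ro quiet"),
        make_event(9, "/boot/initrd.img", b"<constructed initrd bytes>"),
    ]


if __name__ == "__main__":
    log = sample_log()
    for idx, value in sorted(replay(log).items()):
        print(f"PCR{idx}: {value}")
    print("violations:", check_events(log) or "none")
```

Because each extend hashes the previous PCR value together with the new digest, the replayed value depends on the order of events as well as their contents: reordering two commands in PCR 8 changes the final value, which is what makes a sealed secret or attestation quote sensitive to the exact boot sequence rather than just the set of files and commands used.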

GRUB will not measure its own core.img - it is expected that firmware will carry this out. GRUB will also not perform any measurements until the tpm module is loaded. As such, it is recommended that the tpm module be built into core.img in order to avoid a potential gap in measurement between core.img being loaded and the tpm module being loaded.

Measured boot is currently only supported on EFI and IBM IEEE1275 PowerPC platforms.