Still waiting to hear back from the supplier for the initial hardware. However, Intel sent me a NUC (NUC8CCHKR) for evaluation, and the FDE appears to be broken on that device too.

$ sudo ./tcglog-check
Computed TPM_ALG_SHA1 for PE image /boot/vmlinuz-5.13.0-27-generic - file:53872abdfb202b87a11413519f5eb5e2900d3378, authenticode:c862a2d1716f186468e54fed425316f8250a7f16
Computed TPM_ALG_SHA256 for PE image /boot/vmlinuz-5.13.0-27-generic - file:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, authenticode:a7d5f761243ea773732e0239fdfae4729c9c5f17b76dc2c330469b84f3f7e909
Computed TPM_ALG_SHA1 for PE image /boot/vmlinuz-5.13.0-28-generic - file:225fed1aac9a89688173bb21b3393c6fdc1dc430, authenticode:801484ec3dfdb30a1295c257ed4af6a6691d52f0
Computed TPM_ALG_SHA256 for PE image /boot/vmlinuz-5.13.0-28-generic - file:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, authenticode:070690ae2dca73a79a778ef4add00ecf153a6a66ddd20f634dc7e64dea793fe7
Computed TPM_ALG_SHA1 for PE image /boot/grub/x86_64-efi/grub.efi - file:6278ce0b9cf820dc10e96a87c6b25152050d55fc, authenticode:7361fcefef711b0815b4d9028d98c085945a636f
Computed TPM_ALG_SHA256 for PE image /boot/grub/x86_64-efi/grub.efi - file:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, authenticode:2a198128d5454aaabf55ac163af6a317657d7d973c2ee93e83e006629004647d
Computed TPM_ALG_SHA1 for PE image /boot/grub/x86_64-efi/core.efi - file:902ba3dd6a2488aac4ed02d477b22c442f6efd5d, authenticode:8fb3e780e85228a09bdcecc3606ed32c1caa2a6b
Computed TPM_ALG_SHA256 for PE image /boot/grub/x86_64-efi/core.efi - file:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, authenticode:f83e067df62a714c42c85068a4f1ee8478dec7eaa0fbb4f9d64d97e315d843d9
*** FAIL ***: The following events contain event data that was not in the expected format and could not be decoded correctly:
- Event 3 in PCR 4 (type: EV_EFI_BOOT_SERVICES_APPLICATION): unexpected EOF
This might be a bug in the firmware or bootloader code responsible for performing these measurements.
*** FAIL ***: The following events have digests that aren't consistent with the data recorded with them in the log:
- Event 1 in PCR 1 (type: EV_EFI_VARIABLE_BOOT, alg: TPM_ALG_SHA1) - expected (from data): d9ccf90ea9113dcf35370ce080ecd0f66a540f06, got: 6679efba8336b19e98fc6195a8fd18bc505a22d7
- Event 1 in PCR 1 (type: EV_EFI_VARIABLE_BOOT, alg: TPM_ALG_SHA256) - expected (from data): 91313f69d0d9647d5da8f7b3fed1d0e5a56f3ca868973de094aca1e171e7d323, got: 3693def930a10e0944ac211fb38db82ad88589e24068a9bccf1c466ca134de9f
- Event 2 in PCR 1 (type: EV_EFI_VARIABLE_BOOT, alg: TPM_ALG_SHA1) - expected (from data): 790e2271e196cdd81005611aad9276d5e3d9bb61, got: c4c34451e886471d98f8acddf0677e145fbc457c
- Event 2 in PCR 1 (type: EV_EFI_VARIABLE_BOOT, alg: TPM_ALG_SHA256) - expected (from data): 6874a299ea1196d5f92c167f9f326a285c6de79f28e0383e5909946e1e35dcb7, got: 2e35174c23e89968791e7e2b05606fd13feeb2b1d9ce2fed678cacbb7e9a9b86
- Event 3 in PCR 1 (type: EV_EFI_VARIABLE_BOOT, alg: TPM_ALG_SHA256) - expected (from data): 62c82d5d136e0405177e45ddcce5cb62fc3b17b92f926a77524fa45da9dad9d0, got: 0c26c602c355be37e256eeb7b350454c7eb78df20c9745bc5a1ca9a16b708f39
- Event 3 in PCR 1 (type: EV_EFI_VARIABLE_BOOT, alg: TPM_ALG_SHA1) - expected (from data): e6316d6e4ef1829fda1d0d05097fa924d64672ca, got: 151806dba3a07cc66e44e6e25acc39a9541afda1
This is unexpected for these event types, and might indicate a bug in the firmware of bootloader code responsible for performing these measurements. Knowledge of the format of the data being measured is required in order to pre-compute digests for these events or by a remote verifier for attestation purposes.
Note that some firmware implementations measure a tagged hash of the event data for EV_EFI_VARIABLE_BOOT events, but earlier versions of the TCG PC Client Platform Firmware Profile Specification are a bit ambiguous about whether this is correct or whether only a tagged hash of the variable data should be measured. EDK2 only measures a tagged hash of the variable data, and the 1.05 revision of the TCG PC Client Platform Firmware Profile Specification is more explicit - it says that only a tagged hash of the variable data must be measured. It also deprecates EV_EFI_VARIABLE_BOOT in favour of EV_EFI_VARIABLE_BOOT2 which specifies that a tagged hash of the event data must be measured.
*** FAIL ***: The following EV_EFI_BOOT_SERVICES_APPLICATION events contain digests that might be invalid:
- Event 1 in PCR 4 has a digest for alg TPM_ALG_SHA1 that doesn't correspond to any PE image (got: 79428d81e4486935c908fa0865ee81ec70b2a51f)
- Event 1 in PCR 4 has a digest for alg TPM_ALG_SHA256 that doesn't correspond to any PE image (got: dbffd70a2c43fd2c1931f18b8f8c08c5181db15f996f747dfed34def52fad036)
- Event 2 in PCR 4 has a digest for alg TPM_ALG_SHA1 that doesn't correspond to any PE image (got: 2c47f7026f4b7579d372165b65bf943fd710abbd)
- Event 2 in PCR 4 has a digest for alg TPM_ALG_SHA256 that doesn't correspond to any PE image (got: 5d977a57daa3d2adcccd838fc8fe6594dcd6ae59e60a75757e6833c799189841)
- Event 3 in PCR 4 (/boot/vmlinuz-5.13.0-28-generic) has a digest for alg TPM_ALG_SHA1 that matches the file digest rather than the PE image digest (got: 225fed1aac9a89688173bb21b3393c6fdc1dc430, expected: 801484ec3dfdb30a1295c257ed4af6a6691d52f0)
- Event 3 in PCR 4 (/boot/vmlinuz-5.13.0-28-generic) has a digest for alg TPM_ALG_SHA256 that matches the file digest rather than the PE image digest (got: 9350ccccfd2ff43b8e271baf0d9a10ce9feea6f9bddd433503e19239a3663823, expected: 070690ae2dca73a79a778ef4add00ecf153a6a66ddd20f634dc7e64dea793fe7)
Event digests that don't correspond to any PE image might be caused by a bug in the firmware or bootloader code responsible for performing the measurements, or might be because the image was loaded from a location that is not currently mounted at an expected path (/boot,/cdrom/EFI,/cdrom/casper), in which case it is not possible to determine if the digests are correct.
The presence of file digests rather than PE image digests might be because the measuring bootloader is using the 1.2 version of the TCG EFI Protocol Specification rather than the 2.0 version (which could be because it is not provided by the firmware). It could also be because the measuring bootloader does not pass the appropriate flag to the firmware to indicate that a PE image is being measured.
One or more failures were detected!
----------
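The PCR 1 failures above come down to which bytes the firmware hashed for each EV_EFI_VARIABLE_BOOT event: only the variable data (what EDK2 does and what revision 1.05 of the firmware profile requires), or the whole UEFI_VARIABLE_DATA event structure (the EV_EFI_VARIABLE_BOOT2 rule, which some firmware applies to the older event type). The script below is an added example, not code from the bug report or from tcglog-check: it parses a UEFI_VARIABLE_DATA blob as laid out in the TCG PC Client Platform Firmware Profile (GUID, two UINT64 lengths, UTF-16LE name, variable data), then tells a verifier which of the two measurement rules reproduces a logged digest, flags a digest of zero bytes, and raises on a truncated blob (the "unexpected EOF" case seen in PCR 4). The BootOrder and Boot0000 values and the use of the EFI global variable GUID are constructed sample input, not values from the log above.

```python
"""Classify EV_EFI_VARIABLE_BOOT digests against both measurement rules.

UEFI_VARIABLE_DATA layout (TCG PC Client Platform Firmware Profile):
    EFI_GUID VariableName;        16 bytes, GUID fields little-endian
    UINT64   UnicodeNameLength;   UTF-16 code units, no terminator
    UINT64   VariableDataLength;  bytes of VariableData
    CHAR16   UnicodeName[];       UTF-16LE
    UINT8    VariableData[];
"""
import hashlib
import struct
import uuid

HEADER = struct.Struct("<16sQQ")

# Log algorithm tags as printed by tcglog-check, mapped to hashlib names.
ALG_NAMES = {"TPM_ALG_SHA1": "sha1", "TPM_ALG_SHA256": "sha256"}

# Assumed for the sample events: the EFI global variable vendor GUID.
EFI_GLOBAL_VARIABLE_GUID = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")


def encode_uefi_variable_data(vendor_guid: uuid.UUID, name: str, data: bytes) -> bytes:
    """Serialise a UEFI_VARIABLE_DATA structure as it appears in the event log."""
    name_utf16 = name.encode("utf-16-le")
    return HEADER.pack(vendor_guid.bytes_le, len(name_utf16) // 2, len(data)) + name_utf16 + data


def parse_uefi_variable_data(event_data: bytes):
    """Return (vendor GUID, name, variable data); ValueError on a truncated blob."""
    if len(event_data) < HEADER.size:
        raise ValueError("unexpected EOF: UEFI_VARIABLE_DATA header truncated")
    guid_le, name_units, data_len = HEADER.unpack_from(event_data)
    name_end = HEADER.size + 2 * name_units
    end = name_end + data_len
    if len(event_data) < end:
        raise ValueError("unexpected EOF: UEFI_VARIABLE_DATA body truncated")
    name = event_data[HEADER.size:name_end].decode("utf-16-le")
    return uuid.UUID(bytes_le=guid_le), name, event_data[name_end:end]


def digest_of(data: bytes, alg: str) -> str:
    """Hex digest of data with a hashlib algorithm name or a TPM_ALG_* tag."""
    return hashlib.new(ALG_NAMES.get(alg, alg), data).hexdigest()


def classify_variable_boot_digest(event_data: bytes, digest_hex: str, alg: str) -> str:
    """Say which measurement rule reproduces the logged digest.

    'variable_data' - hash of VariableData only (EDK2; profile spec 1.05 rule)
    'event_data'    - hash of the whole UEFI_VARIABLE_DATA (EV_EFI_VARIABLE_BOOT2 rule)
    'empty_input'   - digest of zero bytes: nothing was actually hashed
    'mismatch'      - neither rule explains the digest
    """
    digest_hex = digest_hex.lower()
    if digest_hex == digest_of(b"", alg):
        return "empty_input"
    _, _, var_data = parse_uefi_variable_data(event_data)
    if digest_hex == digest_of(var_data, alg):
        return "variable_data"
    if digest_hex == digest_of(event_data, alg):
        return "event_data"
    return "mismatch"


def demo():
    """Constructed sample: a BootOrder event measured under each rule."""
    event = encode_uefi_variable_data(EFI_GLOBAL_VARIABLE_GUID, "BootOrder", b"\x00\x00\x01\x00")
    results = {}
    for rule, measured in (("spec", b"\x00\x00\x01\x00"), ("firmware", event)):
        for alg in ALG_NAMES:
            logged = digest_of(measured, alg)
            results[(rule, alg)] = classify_variable_boot_digest(event, logged, alg)
            print(f"{rule:8} {alg:14} {logged[:16]}... -> {results[(rule, alg)]}")
    return results


if __name__ == "__main__":
    demo()
```

A verifier that pre-computes PCR 1 for a policy can run the classification over every EV_EFI_VARIABLE_BOOT event once and then apply the same rule the firmware used, instead of rejecting the log outright. The empty-input check is there because every file: SHA256 value printed above is e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, which is the SHA-256 of zero bytes, so that sentinel is worth catching in any log-checking script.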