TPM2.0 PCR 8 changing with CoreOS grub

[Shiv B]

Hi,

  I tried using grub from coreos (https://github.com/coreos/grub) since it has the changes to update the TPM2.0 pcrs. However, I see that after a couple of reboots the PCR 8 (ASCII PCR) is differing, which results in the failure to decrypt the LUKS partition.

  Any reason why the PCR8 is changing ? It is used to measure the kernel command line, but I am not making any changes to the command line. Is the PCR 8 varying because of the grubenv ?

Regards,

Shiv

[Benjamin Gilbert]

On Wed, Jan 23, 2019 at 12:58 PM Shiv B <shiv...@gmail.com> wrote:

  I tried using grub from coreos (https://github.com/coreos/grub) since it has the changes to update the TPM2.0 pcrs. However, I see that after a couple of reboots the PCR 8 (ASCII PCR) is differing, which results in the failure to decrypt the LUKS partition.

  Any reason why the PCR8 is changing ? It is used to measure the kernel command line, but I am not making any changes to the command line. Is the PCR 8 varying because of the grubenv ?

Hi Shiv,

Are you seeing this on CoreOS Container Linux, or on a different distro?  On Container Linux, the kernel command line will change after the first boot, and also after every OS update.

--Benjamin Gilbert