grub: Measured Boot
19.5 Measuring boot components
==============================
If the tpm module is loaded and the platform has a Trusted Platform
Module installed, GRUB will log each command executed and each file
loaded into the TPM event log and extend the PCR values in the TPM
correspondingly. Each event is logged into the PCR listed below with a
type of EV_IPL and the event description given below.

Event type             PCR   Description
---------------------------------------------------------------------------
Command                8     All executed commands (including those
                             from configuration files) will be logged
                             and measured as entered with a prefix of
                             "grub_cmd: "
Kernel command line    8     Any command line passed to a kernel will
                             be logged and measured as entered with a
                             prefix of "kernel_cmdline: "
Module command line    8     Any command line passed to a kernel
                             module will be logged and measured as
                             entered with a prefix of
                             "module_cmdline: "
Files                  9     Any file read by GRUB will be logged and
                             measured with a descriptive text
                             corresponding to the filename.

GRUB will not measure its own ‘core.img’ - it is expected that
firmware will carry this out. GRUB will also not perform any
measurements until the tpm module is loaded. As such it is recommended
that the tpm module be built into ‘core.img’ in order to avoid a
potential gap in measurement between ‘core.img’ being loaded and the tpm
module being loaded.

Measured boot is currently only supported on EFI and IBM IEEE1275
PowerPC platforms.
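
The following added example (not part of the GRUB manual or of GRUB's
code) replays an event log into PCR 8 and PCR 9 with the TPM extend
operation for a SHA-256 bank and checks PCR 8 events against the type
and prefixes in the table above. The tuple layout, the sample paths and
the way the sample digests are produced are constructed assumptions; a
real event log supplies its own digests.

```python
import hashlib

# PCR indices, event type and prefixes are taken from the table above.
PCR8_PREFIXES = ("grub_cmd: ", "kernel_cmdline: ", "module_cmdline: ")

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend for a SHA-256 bank: new = SHA-256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(events):
    """Replay events into PCR 8 and 9; return (pcrs, findings)."""
    pcrs = {8: bytes(32), 9: bytes(32)}  # assumed to start as all zeroes
    findings = []
    for pcr, etype, digest, desc in events:
        if pcr not in pcrs:
            continue  # only the two PCRs named in the table are replayed
        pcrs[pcr] = extend(pcrs[pcr], digest)
        # Anything in PCR 8 that is not a prefixed EV_IPL event is reported.
        if pcr == 8 and (etype != "EV_IPL"
                         or not desc.startswith(PCR8_PREFIXES)):
            findings.append("unexpected PCR 8 event: " + repr(desc))
    return pcrs, findings

def kernel_cmdlines(events):
    """Return the kernel command lines recorded in PCR 8 events."""
    prefix = "kernel_cmdline: "
    return [d[len(prefix):] for pcr, t, _, d in events
            if pcr == 8 and t == "EV_IPL" and d.startswith(prefix)]

def sample_event(pcr, desc):
    # Constructed sample event. Hashing the description text is an
    # assumption made only to obtain a digest for the demonstration.
    return (pcr, "EV_IPL", hashlib.sha256(desc.encode()).digest(), desc)

# Constructed sample log (hypothetical paths and commands).
SAMPLE_LOG = [
    sample_event(9, "(hd0,gpt2)/grub/grub.cfg"),
    sample_event(8, "grub_cmd: linux /vmlinuz root=/dev/sda2 ro"),
    sample_event(8, "kernel_cmdline: /vmlinuz root=/dev/sda2 ro"),
    sample_event(9, "/vmlinuz"),
]

if __name__ == "__main__":
    pcrs, findings = replay(SAMPLE_LOG)
    for index, value in sorted(pcrs.items()):
        print(f"PCR {index}: {value.hex()}")
    print(kernel_cmdlines(SAMPLE_LOG), findings)
```

The replayed values are what a verifier would compare against the PCR
values reported by the TPM; a mismatch means the log does not account
for everything that was extended.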