Security tools
TPM 2.0
The /sys/class/tpm/tpm0/device/pcrs file no longer exists. It is necessary to install the tpm2-tools package and use the "Resource Manager" to read the PCRs:

sudo apt update
sudo apt install tpm2-tools
sudo resourcemgr &
sudo tpm2_listpcrs
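As an added example (not from this page or from tpm2-tools), the script below parses the PCR listing and then checks one PCR by replaying the TPM extend operation (new = H(old || digest)) over a list of event digests, which is how a PCR value is verified against a measurement log. It assumes the output layout of tpm2-tools 4.x and later, where tpm2_listpcrs became tpm2_pcrread and the standalone resourcemgr was replaced by the tpm2-abrmd daemon; the sample output embedded below is constructed and does not contain real measurements.

```python
import hashlib
import re
import shutil
import subprocess

# Constructed sample of tpm2_pcrread-style output (one block per bank,
# "index : 0xHEX" per PCR). Made-up values, not a real machine's PCRs.
SAMPLE_PCRREAD = """\
sha1:
  0 : 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275
  7 : 0x0000000000000000000000000000000000000000
sha256:
  0 : 0x0C8B5F4DCE1D0D5AA4E7A1C3E2A3B4C5D6E7F8091A2B3C4D5E6F708192A3B4C5
  7 : 0x0000000000000000000000000000000000000000000000000000000000000000
"""

BANK_RE = re.compile(r"^(\w+):\s*$")
PCR_RE = re.compile(r"^\s+(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")


def parse_pcrread(text):
    """Return {bank: {pcr_index: digest_bytes}} from tpm2_pcrread-style text."""
    banks = {}
    current = None
    for line in text.splitlines():
        m = BANK_RE.match(line)
        if m:
            current = m.group(1).lower()
            banks[current] = {}
            continue
        m = PCR_RE.match(line)
        if m and current is not None:
            banks[current][int(m.group(1))] = bytes.fromhex(m.group(2))
    return banks


def measure(data, algo):
    """Digest of one measured object (what the firmware hashes into a PCR)."""
    return hashlib.new(algo, data).digest()


def extend(pcr, digest, algo):
    """TPM2_PCR_Extend semantics: new PCR = H(old PCR || digest)."""
    return hashlib.new(algo, pcr + digest).digest()


def replay(event_digests, algo):
    """Fold event digests into a PCR that starts at its reset value (all zeros)."""
    size = hashlib.new(algo).digest_size
    pcr = bytes(size)
    for d in event_digests:
        if len(d) != size:
            raise ValueError("digest length does not match bank")
        pcr = extend(pcr, d, algo)
    return pcr


def verify_pcr(banks, algo, index, event_digests):
    """True if replaying the event digests reproduces the PCR the TPM reported."""
    return banks[algo][index] == replay(event_digests, algo)


def unextended(banks):
    """PCRs still at all zeros, i.e. nothing has been measured into them."""
    return [(bank, i) for bank, pcrs in banks.items()
            for i, v in sorted(pcrs.items()) if v == bytes(len(v))]


if __name__ == "__main__":
    # Use the live tool when present, otherwise fall back to the sample text.
    if shutil.which("tpm2_pcrread"):
        text = subprocess.run(["tpm2_pcrread"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_PCRREAD
    banks = parse_pcrread(text)
    for bank, pcrs in banks.items():
        for i, v in sorted(pcrs.items()):
            print(f"{bank} PCR{i:02d} {v.hex()}")
    print("never extended:", unextended(banks))
```

A PCR that is still all zeros after boot means the firmware measured nothing into it, while a mismatch from verify_pcr means either the event list is incomplete or something other than the logged events was extended. The order of events matters: extending the same two digests in the opposite order gives a different PCR.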
BootGuard MSR
The coreboot tree has intelmetool, which knows how to read the various MSRs to decode some of the BootGuard state:

sudo apt install git libpci-dev zlib1g-dev
git clone --depth=1 https://github.com/coreboot/coreboot
cd coreboot/util/intelmetool
make
sudo ./intelmetool -b
If it complains about iopl() failing you have to grant CAP_SYS_RAWIO. How do you do that? This runs, but iopl still complains:

sudo capset cap_sys_rawio+ep ./intelmetool
Easier solution: read the BootGuard MSR directly:

sudo apt install msr-tools
sudo modprobe msr
sudo rdmsr 0x13a

- 0x0 == no bootguard
- 0x10000000 == verified
- 0x20000000 == measured
- 0x30000000 == verified + measured
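An added example (not from this page, coreboot or msr-tools) that decodes the rdmsr result using the four values listed above, and goes one step further by reading MSR 0x13a itself through /dev/cpu/N/msr, the same character device rdmsr uses once the msr module is loaded. The bit meanings are taken from the list on this page; the decoder masks everything else off. One caveat on the iopl() problem above: root already holds CAP_SYS_RAWIO, so when iopl() still fails under sudo the usual cause is kernel lockdown (turned on by Secure Boot on many distributions), which refuses iopl/ioperm regardless of capabilities; reading the MSR does not need I/O port access.

```python
import os
import struct

MSR_BOOT_GUARD_SACM_INFO = 0x13A  # the MSR the page reads with rdmsr

# Bit values exactly as listed on this page for the rdmsr output.
BOOTGUARD_VERIFIED = 0x10000000
BOOTGUARD_MEASURED = 0x20000000


def decode_bootguard(value):
    """Map an MSR 0x13a value to the page's four states; other bits are ignored."""
    mode = value & (BOOTGUARD_VERIFIED | BOOTGUARD_MEASURED)
    return {
        0: "no bootguard",
        BOOTGUARD_VERIFIED: "verified",
        BOOTGUARD_MEASURED: "measured",
        BOOTGUARD_VERIFIED | BOOTGUARD_MEASURED: "verified + measured",
    }[mode]


def parse_rdmsr_output(text):
    """rdmsr prints the value as bare hex with no 0x prefix (e.g. '30000000')."""
    return int(text.strip(), 16)


def read_msr(msr, cpu=0):
    """Read one 64-bit MSR from the msr module's device node.

    Needs root and `modprobe msr`; the MSR number is the file offset and
    the kernel returns the register as 8 little-endian bytes.
    """
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        raw = os.pread(fd, 8, msr)
    finally:
        os.close(fd)
    return struct.unpack("<Q", raw)[0]


if __name__ == "__main__":
    try:
        value = read_msr(MSR_BOOT_GUARD_SACM_INFO)
    except OSError as exc:
        raise SystemExit(f"cannot read MSR: {exc} (run as root after modprobe msr)")
    print(f"MSR 0x{MSR_BOOT_GUARD_SACM_INFO:x} = 0x{value:x}: "
          f"{decode_bootguard(value)}")
```

Run it with sudo after `modprobe msr`; on a machine where the MSR reads as 0x0 the firmware is not protected by BootGuard at all, so the coreboot or UEFI image can be replaced without the CPU noticing.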
Building kernel
sudo apt install ncurses-dev libssl-dev
make bindeb-pkg -j8
Last update: November 8, 2020