# PE/PCR4 verification fails: firmware emits a SHA-1-only TCG event log while the SHA-256 PCR bank is active ## Summary On this machine, IncusOS fails very early under Secure Boot + TPM with a PCR4 mismatch. The root cause looks like the platform firmware records a **SHA-1-only** TCG event log, even though the TPM's **SHA-256 PCR bank is active and populated**. IncusOS's PE binary / PCR4 verification operates on SHA-256, so it has no SHA-256 event data to reconstruct the expected PCR4 from, and `computed != actual`. ## Environment - **IncusOS build:** `IncusOS_202607060039` (image generated with the web customizer, written to a USB stick, installed on physical hardware) - **Hardware:** `HP ProDesk 600 G2 SFF` - **BIOS:** `Var.02.36`(latest) - **TPM:** `Infineon SLB9670 TPM 2.0 ver. 7.63.3353.0` - **Secure Boot:** enrolled via the HP BIOS "Clear Secure Boot keys" option (Setup Mode). IncusOS enrolled its own keys; the binary passes the firmware Secure Boot gate and then fails at IncusOS's *own* PE/PCR4 verification. ## Error shown on screen ``` IncusOS failed to verify PE binaries: ERROR: computed PCR4 (12771355e46cd47c71ed1721fd5319b383cca3a1f9fce3aa1c8cd3bd37af20d7) doesn't match actual value (de62c5b65745b270487978ceae097095d915ba971c36202036d9ad4097859046) ``` Both digests are 32 bytes (SHA-256), consistent with verification running against the SHA-256 bank. ## Diagnosis (Ubuntu live session on the same hardware) **1. The firmware event log contains SHA-1 digests only.** Every event carries a single digest with `AlgorithmId: sha1`: ``` EventType: ... DigestCount: 1 Digests: - AlgorithmId: sha1 Digest: "..." ``` There is not a single SHA-256 digest anywhere in the log. (The Spec ID / header at the top of `eventlog.txt` shows the log's declared digest set — see attachment.) **2. The SHA-1 log is internally faithful** — replaying it reproduces the live SHA-1 PCRs exactly: | PCR | tpm2_eventlog replay (sha1) | tpm2_pcrread sha1 | |-----|---------------------------------------------|--------------------------------------------| | 4 | `06f109f35a2ef2494fd69c33e3a9a3749e7dca9e` | `06F109F35A2EF2494FD69C33E3A9A3749E7DCA9E` | | 7 | `afdf621a76da76a5915818bb1c3de5aa15fc7e01` | `AFDF621A76DA76A5915818BB1C3DE5AA15FC7E01` | Exact match — the log is not corrupt, it simply only covers the SHA-1 bank. **3. The TPM's SHA-256 bank is active and populated** (values from the Ubuntu boot, so they naturally differ from the IncusOS-boot PCR4 above — included only to show the bank is in use): ``` tpm2_pcrread sha256:4,7 4 : 0x6DC1146060584796A14D18B10DF39038E6125FCE324D01C47D9A0384C38C1304 7 : 0x7D72C56F5D3F02DA45414DAD72D35CFFDD8E4410C91FC5D1D63CC04ADDE72C12 ``` So: SHA-256 PCRs are being extended, but the firmware never writes SHA-256 digests into its event log. IncusOS therefore cannot rebuild the SHA-256 PCR4 from the log. ## Attachments - `eventlog.txt` — `tpm2_eventlog` output (note the header declaring SHA-1) ## Notes - Happy to capture the IncusOS-side log via `incus query /os/1.0/debug/secureboot/event-log` if useful, but the box can't boot IncusOS far enough with Secure Boot on. I can install the same build with Secure Boot off (TPM-only) to reach that endpoint if you want it, with the caveat that PCR7 / the measured chain differ with SB off. - Possibly related to #813 / #824 / #909 (per-firmware PE/PCR verification handling), but the specific symptom here is a **SHA-1-only event log combined with an active SHA-256 PCR bank**.