> I don't confirm this. I have Linux version 5.12.0-rc5+ installed and I
> see the attached in my binary_bios_measurements (I've run it through
> tpm2-eventlog so you can see the actual events).

Ok that is interesting. Here are the steps to reproduce my findings.

Necessary tools: Build chain for edk2, swtpm 0.5.2 and qemu 5.2.0

1. Build OVMF from edk2-stable202102 with

    -a X64 -a IA32 \
    -b RELEASE \
    -D NETWORK_IP6_ENABLE \
    -D TPM_ENABLE \
    -D FD_SIZE_4MB \
    -D TLS_ENABLE \
    -D HTTP_BOOT_ENABLE \
    -D SECURE_BOOT_ENABLE \
    -D SMM_REQUIRE \
    -D EXCLUDE_SHELL_FROM_FD

2. Copy OVMF_CODE.fd and OVMF_VARS.fd into an empty directory

3. Download Ubuntu 21.04 desktop iso (which has a 5.11 Linux kernel) and
   copy it into that directory (I can provide a custom Debian build with a
   patched and unpatched vanilla kernel if needed)

4. Create dir for swtpm:

    mkdir mytpm1

5. Start swtpm with

    swtpm socket \
      --tpm2 \
      --tpmstate dir=mytpm1 \
      --ctrl type=unixio,path=mytpm1/swtpm-sock \
      --log level=4 &

6. Start qemu with

    qemu-system-x86_64 \
      -enable-kvm \
      -machine q35,smm=on \
      -global driver=cfi.pflash01,property=secure,value=on \
      -drive if=pflash,format=raw,unit=0,file=OVMF_CODE.fd,readonly=on \
      -drive if=pflash,format=raw,unit=1,readonly=off,file=OVMF_VARS.fd \
      -chardev socket,id=chrtpm,path=mytpm1/swtpm-sock \
      -tpmdev emulator,id=tpm0,chardev=chrtpm \
      -device tpm-crb,tpmdev=tpm0 \
      -boot d \
      -cdrom "ubuntu-21.04-desktop-amd64.iso" \
      -m 3G \
      -vga virtio

7. Start Ubuntu normally and choose "Try Ubuntu"

8. Open a Terminal and check that
   "/sys/kernel/security/tpm0/binary_bios_measurements" is empty

> On my OVMF boot I'm using the direct
> kernel command line and I have secure boot enabled but not activated,
> which is why you only see PCRs 0-7 in the log.

The Kernel here is loaded by Grub which itself is loaded by Shim. But that
should not make a difference regarding the event log via ACPI right?

I've attached the event log from an Ubuntu 20.04 machine with a 5.12
patched kernel and my kernel build config.

Best regards
Thore Sommer
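
For the check in step 8 and the "PCRs 0-7" observation, the following is an added example (not part of the original message, the kernel, or tpm2-tools): a minimal parser for the TPM 2.0 crypto-agile event log layout that distinguishes an empty log from a populated one and counts events per PCR. The function names and the sample log are constructed for illustration.

```python
import struct
import sys
from collections import Counter

SPEC_ID_SIG = b"Spec ID Event03\x00"   # marks a TPM 2.0 crypto-agile log
SHA256 = 0x000B                        # TPM_ALG_SHA256

def summarize_event_log(blob):
    """Count events per PCR in a raw binary_bios_measurements blob."""
    if not blob:  # the symptom from step 8: the securityfs file reads as empty
        return {"format": "empty", "events_per_pcr": {}}
    try:
        # Record 0 is a SHA-1 style TCG_PCR_EVENT carrying the Spec ID header.
        _pcr, _type, _sha1, size = struct.unpack_from("<II20sI", blob, 0)
        spec = blob[32:32 + size]
        if not spec.startswith(SPEC_ID_SIG):
            raise ValueError("no Spec ID Event03 header")
        (num_algs,) = struct.unpack_from("<I", spec, 24)
        # Header lists (algorithm id, digest size) pairs used by later records.
        digest_size = dict(struct.unpack_from("<HH", spec, 28 + 4 * i)
                           for i in range(num_algs))
        counts, off = Counter(), 32 + size   # header event itself is not counted
        while off < len(blob):
            pcr, _type, ndigests = struct.unpack_from("<III", blob, off)
            off += 12
            for _ in range(ndigests):
                (alg,) = struct.unpack_from("<H", blob, off)
                off += 2 + digest_size[alg]
            (size,) = struct.unpack_from("<I", blob, off)
            off += 4 + size
            if off > len(blob):
                raise ValueError("event data runs past end of log")
            counts[pcr] += 1
    except (struct.error, KeyError) as exc:
        raise ValueError(f"truncated or malformed log: {exc!r}") from exc
    return {"format": "crypto-agile", "events_per_pcr": dict(sorted(counts.items()))}

def build_sample_log():
    """Constructed sample: Spec ID header plus SHA-256 events in PCR 0, 7, 7."""
    spec = SPEC_ID_SIG + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 1)
    spec += struct.pack("<HH", SHA256, 32) + b"\x00"      # no vendor info
    log = struct.pack("<II20sI", 0, 3, bytes(20), len(spec)) + spec
    for pcr, etype, data in [(0, 8, b"fw"), (7, 0x80000001, b"SecureBoot"), (7, 4, bytes(4))]:
        log += struct.pack("<IIIH32sI", pcr, etype, 1, SHA256, bytes(32), len(data)) + data
    return log

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_log()
    print(summarize_event_log(blob))
```

Pass the path of a copied binary_bios_measurements file as the first argument; without an argument the script runs on the constructed sample.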