On a Azure Confidential VM running Ubuntu 22.04, what code is measured into each PCR register on the vTPM?

FrancisLam-1752 0

I have launched and successfully received a valid guest attestation using the Microsoft Azure Attestation service (as documented here: https://learn.microsoft.com/en-us/azure/confidential-computing/guest-attestation-confidential-vms).

My question is what parts of the firmware, VM images, VM configuration are measured into which PCR registers on the vTPM. There does not seem to be any documentation on this even though it looks like on a VM using the Ubuntu 22.04 confidential image, PCRs 0-7, 10, 12 and 14 are used.

vipullag-MSFT 24,106 Reputation points Microsoft Employee

2023-05-16T01:40:23.95+00:00

Hello FrancisLam-1752
Welcome to Microsoft Q&A Platform, thanks for posting your query here.
I am checking on this and will update you back here.
Rakesh Ginjupalli 0 Reputation points Microsoft Employee

2023-06-01T03:06:33.0633333+00:00

Ubuntu confidential image uses PCR4 & 7. PCR4 contains the hashes for SHIM and UKI binaries. PCR7 will have the information about the secure boot state, secure boot variables & its certificates.
vipullag-MSFT 24,106 Reputation points Microsoft Employee

2023-06-06T06:08:30.2333333+00:00

Hello FrancisLam-1752

Any update on the issue?
Just checking in to see if you got a chance to see the details shared by Rakesh.