I am using Azure confidential VM with TDX.
The VM image is the Ubuntu 24.04 LTS from canonical.
I ssh into the VM, install the Intel Trusted Authority client, and try to get a verified attestation token.
However, it fails with a mismatch between the vTPM measurement value and the UEFI event log.
Reproduction steps:
- Create a TDX confidential VM with Ubuntu 24.04. The following template file contains my configuration for this step.
azure vm template.zip
- Install Intel Trusted Authority client. The following command from Intel guide is used:
curl https://raw.githubusercontent.com/intel/trustauthority-client-for-go/main/release/install-tdx-cli.sh | sudo bash -
- Create a config.json file (Intel Trusted Authority API key required, see this guide).
{
  "cloud_provider": "azure",
  "trustauthority_url": "https://portal.trustauthority.intel.com",
  "trustauthority_api_url": "https://api.trustauthority.intel.com",
  "trustauthority_api_key": "API_KEY",
  "tpm": {
    "ak_handle": "81000003"
  }
}
- Get an attestation token.
sudo trustauthority-cli token --tdx --tpm --evl -c config.json
Expected outcome:
Successfully get a token.
Actual outcome:
Failure due to a mismatch between the vTPM PCR value and the UEFI event log
azureuser@tdx:~$ sudo trustauthority-cli token --tdx --tpm --evl -c config.json > token.txt
The ak_certificate was not defined in configuration and will not be included in TPM evidence.
2025/10/14 22:20:10 [DEBUG] GET https://api.trustauthority.intel.com/appraisal/v2/nonce
2025/10/14 22:20:11 [DEBUG] POST https://api.trustauthority.intel.com/appraisal/v2/attest/azure
Error: Request to "https://api.trustauthority.intel.com/appraisal/v2/attest/azure" failed: StatusCode = 400, Response = {"error":"the measurement 0x62393964386534376534343531396534653335613363306638636565316231633265663162636635636230333364623839626262643531353761323061373839 at Index[11]::Hash(SHA-256) did not match the cumulative digest of the event logs : failed to replay the TCG event log: 400 Bad Request: tpm quote verification failed"}
, Trace-Id = SdToZG7roAMEkmQ=, Request-Id = f5c67d76-c64e-497b-901d-eb193429925e
Additional information:
To gain more information, I installed tpm2-tools with sudo apt-get update and sudo apt-get install tpm2-tools.
Then, instead of requesting a token, I only collect the evidence, without attestation, with the following command line.
sudo trustauthority-cli evidence --tdx --tpm --evl -c config.json > evidence-with-event-logs.json
The result (with a bit of JSON formatting) is in the attached JSON file.
evidence-with-event-log.json
I extracted the base64 UEFI event log, put it in a file, and decoded it to binary with base64 --decode uefi_event_log.txt > uefi_event_log.bin
Then I ran tpm2_eventlog uefi_event_log.bin > uefi_event_log_parsed.txt 2>&1
The result is in this attached file.
uefi_event_log_parsed.txt
There are several "WARN"s in this result.
All of them are related to the events extending PCR[11] of the vTPM. The event type is EV_IPL, which seems to be a legacy event type according to search results.
This is the same vTPM PCR that the Intel Trusted Authority client reported the error for.
I originally posted this issue to the Azure paravisor (OpenHCL/VMM) GitHub. They identified the following fact:
This is the behavior specific to Ubuntu 24.04 [1] where the verifier is expected to replay PCR 11 based on event logs from /sys/kernel/security/tpm0/binary_bios_measurements and /run/log/systemd/tpm2-measure.log. You might want to report this issue to Intel.
[1] https://support-portal.canonical.com/tickets/00409402
See this issue comment