
Deployment Guide:

Lenovo Trusted Supply Chain


Lenovo Desktop Verification Utility and Public API

©Lenovo 2022, All Rights Reserved


Note: Before using this information and the product it supports, read the general information in
Appendix C: Notices on page 27.

First Edition (2022)


© Copyright Lenovo 2009, 2021.

LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant to a General
Services Administration “GSA” contract, use, reproduction, or disclosure is subject to restrictions set
forth in Contract No. GS-35F-05925.

Copyright 2022 ©, Lenovo. All Rights Reserved. 2


Contents
1 Overview
2 Lenovo Desktop Verification Utility
2.1 System Requirements
2.2 Supported Languages
2.3 Graphical User Interface of the application
    Verification process
2.4 Command-line Interface of the application
    Verification process
2.5 Troubleshooting
    Incorrect Output Path
    Incorrect Path to Certificate
    Invalid Certificate
    Incorrect Certificate Password
    Unsupported Algorithm
    Cannot Scan Parameters
    No Data on Server
    Connection errors
    Incorrect Response
    Verification Timeout
    File Generation Error
    Unavailable Folder
    Signing Issue
3 Public API
3.1 Endpoint without authentication
3.2 Endpoint with authentication
4 Appendix A: XML file with comparison results
5 Appendix B: Examples of Linux scripts
    Script example to get the Device_ID_Hash
    Script example to get device parameters values
6 Appendix C: Notices



1 OVERVIEW
Lenovo Trusted Supply Chain (LTSC) is the solution for Lenovo ThinkPad and ThinkStation
products. This solution provides Lenovo customers with a capability to ensure that components
of their products have not been modified since manufacturing. All the parameters collected
during the manufacturing process are stored securely in Microsoft® Azure SQL Database Ledger®,
so all the data is protected from any amendments.
The solution provides the following tools:
1. Lenovo Desktop Verification Utility
2. Public API
The LDVU application and API documentation are available on the following website:
https://tsc.lenovo.com
Note. In case you are opening the website from an iOS device, please use iOS 14 or later.



2 LENOVO DESKTOP VERIFICATION UTILITY
Lenovo Desktop Verification Utility (LDVU) is a desktop application for Lenovo devices
running Windows 10 or 11. The application scans the device parameters, compares the collected
values with the values stored in Microsoft® Azure SQL Database ledger, and provides the
results. The application can work in one of two modes:
1. Graphical User Interface
2. Command-line Interface

2.1 System Requirements


LDVU supports the following operating systems:

• Microsoft® Windows® 10 64 bit
• Microsoft® Windows® 11 64 bit

2.2 Supported Languages

LDVU supports the following languages:

• English-US

2.3 Graphical User Interface of the application


This chapter provides the description for the LDVU working in Graphical User Interface (GUI)
mode. The application does not require installation, so it can be launched as soon as you
download the ldvu.exe file from https://tsc.lenovo.com.
When you launch the LDVU application in GUI mode and initiate the verification process, the
LDVU application will scan the parameters of your device. Then, the values of the parameters
that were recorded at the end of the manufacturing process will be requested from the LTSC
server. After that LDVU will compare the parameters' values and will display the results in the
“Results” window.

Verification process
Launch ldvu.exe by double clicking the file.
The “Start” window will be opened.
End User License Agreement (EULA), Open Source Licenses (OSL) and Privacy Statement
information are available via the corresponding links.



Figure 2.3-1. “Start” window.

Initiate the verification process by clicking “Start” button.


Wait for the verification to complete. It will take less than 1 minute.

Figure 2.3-2. “Progress” window.



The “Results” window will be opened.

• If there are no changes (i.e. all the device parameters have the same values as they had
at the end of the manufacturing process) then the application will show the
corresponding message with the list of parameters.

Figure 2.3-3. “Results” window when there are no changes.

• If there is at least one change (i.e. at least one device parameter value is different from
the original value which was recorded at the end of the manufacturing process) then the
application will show the corresponding message and will highlight all the detected
changes. The list of detected changes will be at the top of the table, and then there will
be the list with all parameters with highlighted changes. It is possible to copy the original
or changed value to the clipboard by right-clicking on the desired option.

Note. PCR[4] values are excluded from the comparison result. You will see PCR[4]
values as information in the parameters list.



Figure 2.3-4. “Results” window when there are changes.

Figure 2.3-4.1. Example of “All data” with highlighted changes

• Microsoft® Azure SQL Database ledger tracks all the updates to the original values
stored on LTSC server. If there is more than one version of original values, then LTSC
will return the latest values and version number will be shown in header of the ‘Original
Data’ column.

Figure 2.3-5. “Original Data” column example when there are several versions of original values

You can export the comparison results to an XML file. Click “Export to File” button and select
the destination folder in the opened modal window. Confirm the action.
Note. XML file is described here: XML file with comparison results.



Figure 2.3-6. “Browse for Folder” modal window to select the destination folder

The “Signature” modal window will be opened.

Figure 2.3-7. “Signature” modal window

• You shall select “Do Not Sign” option if there is no need to sign the exported XML file.
• You shall select “Sign The File” option and proceed to the steps below, if the exported
XML file needs to be signed.
If you select “Sign The File”, then “Open file” modal window will be opened where you
shall select a certificate file.



Note. LDVU supports .pfx certificates using RSA and ECDSA algorithms.

Figure 2.3-8. “Open file” modal window

When the certificate is selected then the “Password” modal window will be opened
where you shall provide the password for the certificate.
Note. LDVU will use the certificate and password only once during the signing
process and will not store them anywhere.

Figure 2.3-9. “Password” modal window



The LDVU application will generate the XML file (with or without a signature, depending on the
choice made) and save the file to the selected output folder.
Close the application by clicking the ‘X’ button in the top left corner of the “Results” window.

2.4 Command-line Interface of the application


This chapter provides the description for the LDVU working in Command-line (CMD) mode.

When you launch the LDVU application in CMD mode, then LDVU application will scan the
parameters of the device, then request from LTSC server the parameters values which were
recorded at the end of the manufacturing process. After that LDVU will compare the parameters
values and will create an XML file with the comparison results. LDVU application will save the
file in the folder which is specified in “output” parameter during the launch of the application.

Verification process
Open Command Line window.
Navigate to the folder with the ldvu.exe application or provide the full path to the folder with the
application.
Launch ldvu.exe.

• Launch LDVU without certificate for signing the XML.


In the command line you can use this command:
start /wait ldvu.exe --output="C:\Users"

or
start /wait ldvu.exe --output="Result"

If the application is launched via a .bat file, then the following commands can be
included into the file. In this case LDVU will also return the relevant exit code:
@echo off
start /wait Ldvu.exe --output=.\
echo %errorlevel%

Note. You can change the path of the “output” parameter to save the XML file in
a different folder. In the example above its value is “.\”, so the XML file is
saved in the same folder where the ldvu.exe file is located. You can also enter an
absolute path. If the specified folder does not exist, it will be created.

• Launch LDVU with certificate for signing the XML.

If you need to sign the resulting XML file, add the following parameters:
--keyfile=foldername\file.pfx --passphrase="Pa$$Phr_ze"

where keyfile is the path to the certificate and passphrase is the certificate password.

Examples:
In the command line you can use this command:
start /wait ldvu.exe --output="C:\Users" --keyfile="foldername\file.pfx" --passphrase="Pa$$Phr_ze"

If the application is launched via a .bat file, then the following commands can be
included into the file. In this case LDVU will also return the relevant exit code:
start /wait ldvu.exe --output=".\" --keyfile="foldername\file.pfx" --passphrase="Pa$$Phr_ze"
echo %errorlevel%

Wait for the verification to complete. It will take less than 1 minute.

• If the ldvu.exe is launched with echo %errorlevel% command, then it will return the
relevant exit code – either an exit code for an error (see Troubleshooting) or result of
comparison:
  o Exit Code: 0 – no changes detected. It means that all the scanned device
    parameters have matching values with the device parameters stored on LTSC
    server.
  o Exit Code: 10 – changes detected. It means that at least one scanned device
    parameter is different from the device parameters stored on LTSC server.
The comparison results will be saved as an XML file in the folder which was defined during
launching of LDVU.
Note. XML file is described here: XML file with comparison results.

2.5 Troubleshooting

Incorrect Output Path


Exit code: 120
Incorrect output path provided.
You shall provide the correct path for the --output= parameter.
This error applies only to CMD mode.



Incorrect Path to Certificate
Exit code: 121
Incorrect path to certificate provided.
You shall provide the correct path for the --keyfile parameter.
This error applies only to CMD mode.

Invalid Certificate
Exit code: 122
Provided certificate is not a .pfx file or it has incorrect structure.
You shall select a valid .pfx file.

Incorrect Certificate Password


Exit code: 123
Incorrect password for the certificate provided.
You shall provide correct value for --passphrase parameter.

Unsupported Algorithm
Exit code: 124

Provided certificate does not contain supported algorithms: RSA or ECDSA.


You shall select a suitable .pfx certificate.

Cannot Scan Parameters


Exit code: 140
The error may happen when the LDVU application cannot scan the required parameters for
any reason. The most common reasons:
• TPM module is not available;
• TPM is available, but it is incomplete;
• TPM is virtual.



You can retry the scanning process. If the error still appears, it is recommended to contact
Lenovo Enterprise Client Management (https://forums.lenovo.com/t5/Enterprise-Client-Management/bd-p/sa01_eg).

No Data on Server
Exit code: 150
This message is shown when there is no information about the device on the LTSC server. Possible
reasons:
1. The device was manufactured before the LTSC solution release.
In this case it is recommended to check that the manufacturing date of the device is
later than the LTSC release mentioned at https://tsc.lenovo.com.
2. The device was purchased without LTSC solution services.
If LTSC services were requested for the device in the purchase order, then it is
recommended to contact a Lenovo Sales Representative or Lenovo Enterprise Client
Management (https://forums.lenovo.com/t5/Enterprise-Client-Management/bd-p/sa01_eg).
3. LTSC services are not applicable to the device, because it is not an AMD-based Lenovo
ThinkPad or ThinkStation. No further actions required.

Connection errors
This is a group of errors which can happen when there are some issues with connection.
Possible reasons:
1. No Internet Connection - Exit code: 130 - There is no connection to the Internet.
You shall check the connection and retry the verification process.
2. No Connection to Server - Exit code: 131 - There is no connection to the LTSC
server.
You can try again later or contact Lenovo Enterprise Client Management
(https://forums.lenovo.com/t5/Enterprise-Client-Management/bd-p/sa01_eg).

Incorrect Response
Exit code: 151
The error may happen if a response from LTSC server contains invalid signature or incorrect file
structure.
You can retry the verification process or contact Lenovo Enterprise Client Management
(https://forums.lenovo.com/t5/Enterprise-Client-Management/bd-p/sa01_eg).



Verification Timeout
Exit code: 170
The error may happen if the verification process takes longer than 1 minute for any reason.
You can retry the verification process or contact Lenovo Enterprise Client Management
(https://forums.lenovo.com/t5/Enterprise-Client-Management/bd-p/sa01_eg).

File Generation Error


Exit code: 160
The error may happen when the LDVU application cannot generate the XML file for any reason.
You can retry the export process or contact Lenovo Enterprise Client Management
(https://forums.lenovo.com/t5/Enterprise-Client-Management/bd-p/sa01_eg).

Unavailable Folder
Exit code: 161
The error can happen when the output folder does not allow the file to be saved.
You shall check if the folder allows saving files or select another folder, and then retry the export
process.

Signing Issue
Exit code: 162
The LDVU application cannot sign the generated XML file for any reason.
You can retry the signing process or contact Lenovo Enterprise Client Management
(https://forums.lenovo.com/t5/Enterprise-Client-Management/bd-p/sa01_eg).



3 PUBLIC API
Public API is a publicly available application programming interface of the LTSC solution (LTSC
Public API) together with documentation. LTSC Public API is applicable for the Lenovo
customers who use Linux or other operating systems, or when a 3rd party automation tool is
used for receiving the information about Lenovo devices.
Both endpoints return a signed XML file with the device parameters collected during the
manufacturing process.

• If there is no data about the device on LTSC server, then both endpoints will return a
relevant message.

3.1 Endpoint without authentication


This endpoint does not require additional authentication.

The endpoint accepts a SHA256 hash computed from the Machine Type Model Number
(MTMN), Serial Number (SN), and Public key of the Trusted Platform Module (TPM)
Endorsement Certificate of the Lenovo device.
Detailed description and code examples are available in GET /machine-data section on the
official LTSC page: https://tsc.lenovo.com

3.2 Endpoint with authentication


This endpoint requires additional authentication. In order to get the credentials for authentication
you need to contact Lenovo Sales Representative or Lenovo Enterprise Client Management
(https://forums.lenovo.com/t5/Enterprise-Client-Management/bd-p/sa01_eg) to request the
credentials.
The endpoint accepts request with Machine Type Model Number (MTMN) and Serial Number
(SN).
Detailed description and code examples are available in the GET /machine-data/query section on the
official LTSC page: https://tsc.lenovo.com



4 APPENDIX A: XML FILE WITH COMPARISON RESULTS
XML with the comparison results will have the following structure:
<TrustedSupplyChain>
  <ComparisonResult></ComparisonResult>
  <ScanPerformed></ScanPerformed>
  <LocalMachineData>
    <SmBios>
      <Bios>
        <Version>string</Version>
        <ReleaseDate>string</ReleaseDate>
      </Bios>
      <System>
        <Manufacturer>string</Manufacturer>
        <SerialNumber>string</SerialNumber>
        <Uuid>string</Uuid>
      </System>
      <Baseboard>
        <Manufacturer>string</Manufacturer>
        <SerialNumber>string</SerialNumber>
      </Baseboard>
      <Processor>
        <Version>string</Version>
        <SerialNumber>string</SerialNumber>
      </Processor>
      <Memory>
        <DeviceType>0</DeviceType>
        <Manufacturer>string</Manufacturer>
        <SerialNumber>string</SerialNumber>
      </Memory>
      <Battery>
        <Manufacturer>string</Manufacturer>
        <SerialNumber>string</SerialNumber>
        <DeviceName>string</DeviceName>
      </Battery>
    </SmBios>
    <Tpm>
      <Country>0</Country>
      <Organization>string</Organization>
      <SerialNumber>string</SerialNumber>
      <PublicKey>string</PublicKey>
      <Pcr>
        <Index>0</Index>
        <Value>string</Value>
      </Pcr>
    </Tpm>
    <Disk>
      <ModelName>string</ModelName>
      <SerialNumber>string</SerialNumber>
      <FirmwareVersion>string</FirmwareVersion>
    </Disk>
  </LocalMachineData>
  <ServerMachineData>
    <SQLLedgerDataVersion>0</SQLLedgerDataVersion>
    <SmBios>
      <Bios>
        <Version>string</Version>
        <ReleaseDate>string</ReleaseDate>
      </Bios>
      <System>
        <Manufacturer>string</Manufacturer>
        <SerialNumber>string</SerialNumber>
        <Uuid>string</Uuid>
      </System>
      <Baseboard>
        <Manufacturer>string</Manufacturer>
        <SerialNumber>string</SerialNumber>
      </Baseboard>
      <Processor>
        <Version>string</Version>
        <SerialNumber>string</SerialNumber>
      </Processor>
      <Memory>
        <DeviceType>0</DeviceType>
        <Manufacturer>string</Manufacturer>
        <SerialNumber>string</SerialNumber>
      </Memory>
      <Battery>
        <Manufacturer>string</Manufacturer>
        <SerialNumber>string</SerialNumber>
        <DeviceName>string</DeviceName>
      </Battery>
    </SmBios>
    <Tpm>
      <Country>0</Country>
      <Organization>string</Organization>
      <SerialNumber>string</SerialNumber>
      <PublicKey>string</PublicKey>
      <Pcr>
        <Index>0</Index>
        <Value>string</Value>
      </Pcr>
    </Tpm>
    <Disk>
      <ModelName>string</ModelName>
      <SerialNumber>string</SerialNumber>
      <FirmwareVersion>string</FirmwareVersion>
    </Disk>
  </ServerMachineData>
  <Signature xmlns="link">
    <SignedInfo>
      <SignatureMethod Algorithm="link" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="link" />
        </Transforms>
        <DigestMethod Algorithm="link" />
        <DigestValue>base64Binary</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>base64Binary</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>base64Binary</X509Certificate>
        <X509Certificate>base64Binary</X509Certificate>
        <X509Certificate>base64Binary</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</TrustedSupplyChain>

Element | Description
ComparisonResult | Shows the result after comparing scanned and server values. Possible values: 1. No Changes Detected - if there are no changes and all the scanned values match the server values. 2. Changes Detected - if there is at least one mismatching value.
ScanPerformed | The date and time (in UTC), when the LDVU scanned the device parameters.
LocalMachineData | Contains the scanned parameters of the device.
SmBios | Contains information about key BIOS parameters.
Bios | BIOS build information.
Version | BIOS version.
ReleaseDate | Timestamp for the BIOS version.
System | System information.
Manufacturer | System manufacturer name - i.e. manufacturer of the device.
SerialNumber | Serial number of the system unit (aka chassis).
Uuid | Universally unique identifier tied to the motherboard.
Baseboard | Baseboard information.
Manufacturer | Motherboard manufacturer name.
SerialNumber | Motherboard serial number.
Processor | Processor information. Note. There can be multiple processors.
Version | Description of the processor.
SerialNumber | Serial number of the processor.
Memory | Memory information. Note. There can be multiple memory devices.
DeviceType | Type of the memory device.
Manufacturer | Memory device manufacturer name.
SerialNumber | Serial number of the memory device.
Battery | Battery information. Note. There can be multiple batteries.
Manufacturer | Battery manufacturer name.
SerialNumber | Serial number of the battery.
DeviceName | Name of the battery device.
Tpm | Contains TPM (Trusted Platform Module) information.
Country | Usually TPM returns country code, not the full name.
Organization | Organization name.
SerialNumber | TPM serial number.
PublicKey | Public Key value.
Pcr | Contains list of PCRs (Platform Configuration Register).
Index | Index of a PCR.
Value | Value of a PCR.
Disk | Disk information. Note. There can be multiple disks.
ModelName | Drive model name.
SerialNumber | Drive serial number.
FirmwareVersion | Drive firmware version.
ServerMachineData | Contains the parameters values received from LTSC server for the device.
SQLLedgerDataVersion | The version of the machine data in Microsoft® Azure SQL database ledger.
SmBios | Contains the same list of elements as SmBios in LocalMachineData.
Tpm | Contains the same list of elements as Tpm in LocalMachineData.
Disk | Contains the same list of elements as Disk in LocalMachineData.
Signature | Contains the signature for the exported file.
SignedInfo | Contains the information that is actually signed.
SignatureMethod | Contains the algorithm that is used to convert the canonicalized SignedInfo into the SignatureValue.
Reference | Includes the digest method and resulting digest value calculated over the identified data object.
Transforms | Contains ordered list of processing steps that were applied to the resource's content before it was digested.
Transform | Includes the algorithm applied to the resource's content.
DigestMethod | Contains the algorithm applied to the data after Transforms is applied to yield the DigestValue.
DigestValue | Contains the encoded value of the digest.
SignatureValue | Contains RSA signature which is the base64 encoding of the octet string computed as per RFC 2437 [PKCS1, section 8.1.1]
KeyInfo | Indicates the key to be used to validate the signature.
X509Data | Contains the identifiers of keys or X509 certificates.
X509Certificate | Contains a base64-encoded [X509v3] certificate.
Table 4-1. The elements of exported XML file
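
An exported report can be re-checked independently of LDVU. The following is an added example, not Lenovo's code: it parses the XML structure above with the Python standard library, compares LocalMachineData with ServerMachineData component by component while skipping PCR[4], and checks that the outcome agrees with ComparisonResult. The multiset comparison, the function names and all sample values are assumptions of this example, and it does not validate the Signature element.

```python
import xml.etree.ElementTree as ET
from collections import Counter

SECTIONS = ("SmBios", "Tpm", "Disk")  # sections present in both data sets (Appendix A)
EXCLUDED_PCRS = {"4"}                 # the guide excludes PCR[4] from the comparison


def _collect(elem, path, bag):
    """Record one component: its path plus the (tag, text) pairs of its leaf children."""
    fields = tuple((c.tag, (c.text or "").strip()) for c in elem if len(c) == 0)
    skip = elem.tag == "Pcr" and dict(fields).get("Index") in EXCLUDED_PCRS
    if fields and not skip:
        bag[(path, fields)] += 1
    for child in elem:
        if len(child):                # nested component, e.g. SmBios/Memory or Tpm/Pcr
            _collect(child, f"{path}/{child.tag}", bag)


def _inventory(root, name):
    """Build a multiset of components, so repeated Memory/Disk/Processor entries work."""
    machine = root.find(name)
    if machine is None:
        raise ValueError(f"report has no <{name}> element")
    bag = Counter()
    for section in machine:
        if section.tag in SECTIONS:   # skips SQLLedgerDataVersion
            _collect(section, section.tag, bag)
    return bag


def diff_report(xml_text):
    """Return the declared verdict, the re-derived verdict and the differing components."""
    root = ET.fromstring(xml_text)
    local = _inventory(root, "LocalMachineData")
    server = _inventory(root, "ServerMachineData")
    missing = sorted((server - local).elements())     # recorded at manufacturing, absent now
    unexpected = sorted((local - server).elements())  # present now, never recorded
    derived = "Changes Detected" if missing or unexpected else "No Changes Detected"
    declared = (root.findtext("ComparisonResult") or "").strip()
    return {
        "declared": declared,
        "derived": derived,
        "consistent": declared == derived,
        "missing": missing,
        "unexpected": unexpected,
    }


def _sample_machine(mem_serial, pcr4):
    """Constructed machine data; every value here is made up for the example."""
    return f"""
      <SmBios>
        <Bios><Version>EXAMPLE-1.00</Version><ReleaseDate>01/01/2022</ReleaseDate></Bios>
        <Memory><DeviceType>26</DeviceType><Manufacturer>ExampleRAM</Manufacturer>
          <SerialNumber>{mem_serial}</SerialNumber></Memory>
        <Memory><DeviceType>26</DeviceType><Manufacturer>ExampleRAM</Manufacturer>
          <SerialNumber>M-002</SerialNumber></Memory>
      </SmBios>
      <Tpm>
        <SerialNumber>00AA</SerialNumber>
        <Pcr><Index>0</Index><Value>AAAA</Value></Pcr>
        <Pcr><Index>4</Index><Value>{pcr4}</Value></Pcr>
      </Tpm>
      <Disk><ModelName>ExampleSSD</ModelName><SerialNumber>D-001</SerialNumber>
        <FirmwareVersion>1.0</FirmwareVersion></Disk>"""


def sample_report(local_mem_serial, declared):
    """Constructed report: PCR[4] always differs, the first memory serial may differ."""
    return (
        f"<TrustedSupplyChain><ComparisonResult>{declared}</ComparisonResult>"
        f"<ScanPerformed>2022-01-01T00:00:00Z</ScanPerformed>"
        f"<LocalMachineData>{_sample_machine(local_mem_serial, 'BBBB')}</LocalMachineData>"
        f"<ServerMachineData><SQLLedgerDataVersion>1</SQLLedgerDataVersion>"
        f"{_sample_machine('M-001', 'CCCC')}</ServerMachineData></TrustedSupplyChain>"
    )


if __name__ == "__main__":
    result = diff_report(sample_report("M-999", "Changes Detected"))
    print(result["derived"], "| consistent with ComparisonResult:", result["consistent"])
    for path, fields in result["missing"]:
        print("missing   ", path, dict(fields))
    for path, fields in result["unexpected"]:
        print("unexpected", path, dict(fields))
```

A report whose declared ComparisonResult disagrees with the re-derived verdict ("consistent" is False) deserves a closer look before it is accepted as evidence.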



5 APPENDIX B: EXAMPLES OF LINUX SCRIPTS
Note. Before using the script examples below, please check that tpm2-tools are installed on
the device.
To install tpm2-tools use the following command:
sudo apt install tpm2-tools

You can use the script examples by saving their code in separate .sh files. The scripts are
meant to be used on 64-bit Linux (checked on Ubuntu 20.04) to get the Device_ID_Hash and
parameter values on your Lenovo ThinkPad or ThinkStation.

Script example to get the Device_ID_Hash


The script below will return a hash value which shall be used as device identifier in the Public
API endpoint without authentication.
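#!/bin/bash
# Machine Type Model Number and Serial Number from SMBIOS.
mtmn=$(sudo dmidecode --string system-product-name)
sn=$(sudo dmidecode --string system-serial-number)
# Read the TPM Endorsement Certificate (DER) from TPM NV storage.
sudo tpm2_nvread 0x00c00002 > public.der
# Extract the certificate's public key in PEM form.
openssl x509 -in public.der -inform der -noout -pubkey -out public.pem
# Strip the PEM footer and header lines, leaving only the base64 body.
head -n -1 public.pem > temp.pem
mv temp.pem public.pem
tail -n +2 public.pem > temp.pem
mv temp.pem public.pem
# Write the contents of the ASN.1 element at offset 24 to publicASN.txt.
openssl asn1parse -in public.pem -out publicASN.txt -inform PEM -strparse 24 -dump -noout
# Hex-encode those bytes.
public=$(cat publicASN.txt | hexdump -v -e '/1 "%02x"')
# Concatenate MTMN, SN and key, convert to upper case, then hash with SHA-256.
beforehash=$(echo $mtmn$sn$public | tr '[:lower:]' '[:upper:]')
hash=$(echo -n $beforehash | shasum -a 256)
# Drop the "-" file marker that shasum prints after the digest.
hash=${hash::-2}

rm public.der
rm public.pem
rm publicASN.txt

echo $hash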

Script example to get device parameters values


The script below will return a list with the current parameters values. You can use the list to
compare current values with the original values received in the LTSC server response from
Public API.
echo BIOS
biosversion=$(sudo dmidecode --string bios-version)
echo BIOS version: $biosversion



biosdate=$(sudo dmidecode --string bios-release-date)
echo BIOS release date: $biosdate

sysMan=$(sudo dmidecode --string system-manufacturer)


echo System Manufacturer: $sysMan

sysSn=$(sudo dmidecode --string system-serial-number)


echo System serial number: $sysSn

sysuuid=$(sudo dmidecode --string system-uuid)


echo System UUID: $sysuuid

mbMan=$(sudo dmidecode --string baseboard-manufacturer)


echo MB Manufacturer: $mbMan

mbSn=$(sudo dmidecode --string baseboard-serial-number)


echo MB Serial Number: $mbSn

pcVersion=$(sudo dmidecode --string processor-version)


echo Processor Version: $pcVersion

procs=$(sudo dmidecode --type 4 | grep Serial)


echo Processor $procs

memType=$(sudo dmidecode --type 17 | grep Type: | tr -d " \t\n\r")


memMan=$(sudo dmidecode --type 17 | grep Manufacturer: | tr -d " \t\n\r")
memSn=$(sudo dmidecode --type 17 | grep Serial | tr -d " \t\n\r")

declare -i counter=1

while [ -n "$memType" ]; do
type="${memType##*:}"
memType="${memType%T*}"
echo Memory device type $counter : $type
man="${memMan##*:}"
memMan="${memMan%M*}"
echo Memory Manufacturer $counter : $man
sn="${memSn##*:}"
memSn="${memSn%S*}"
echo Memory Serial Number $counter : $sn
counter=$counter+1
done

batMan=$(sudo dmidecode --type 22 | grep Manufacturer: )


echo Battery $batMan

batSn=$(sudo dmidecode --type 22 | grep Serial )


echo Battery $batSn

batName=$(sudo dmidecode --type 22 | grep Name: )


echo Battery Device $batName



echo TPM

sudo tpm2_nvread 0x00c00002 > public.der

issue=$(openssl x509 -in public.der --noout -inform der -issuer)

tempcountry="${issue##*C =}"
tempcountry="${tempcountry%,*}"
country="${tempcountry%,*}"
echo Country: $country

temporg="${issue##*O = }"
organization="${temporg%,*}"
echo Organization Name: $organization

tpmserial=$(openssl x509 -in public.der --noout -inform der -serial)


tpmserial="${tpmserial##*=}"
echo Serial Number: $tpmserial

openssl x509 -in public.der -inform der --noout -pubkey -out public.pem
head -n -1 public.pem > temp.pem
mv temp.pem public.pem
tail -n +2 public.pem > temp.pem
mv temp.pem public.pem
openssl asn1parse -in public.pem -out publicASN.txt -inform PEM -strparse 24 -dump -noout
public=$(cat publicASN.txt| hexdump -v -e '/1 "%02x"')
echo Public Key: $public

rm public.der
rm public.pem
rm publicASN.txt

pcr0=$(sudo tpm2_pcrread sha256 | tail -n +2 | head -n 1)


echo PCR $pcr0

pcr1=$(sudo tpm2_pcrread sha256 | tail -n +3 | head -n 1)


echo PCR $pcr1

pcr2=$(sudo tpm2_pcrread sha256 | tail -n +4 | head -n 1)


echo PCR $pcr2

pcr3=$(sudo tpm2_pcrread sha256 | tail -n +5 | head -n 1)


echo PCR $pcr3

pcr4=$(sudo tpm2_pcrread sha256 | tail -n +6 | head -n 1)


echo PCR $pcr4

pcr5=$(sudo tpm2_pcrread sha256 | tail -n +7 | head -n 1)


echo PCR $pcr5

pcr6=$(sudo tpm2_pcrread sha256 | tail -n +8 | head -n 1)


echo PCR $pcr6



pcr7=$(sudo tpm2_pcrread sha256 | tail -n +9 | head -n 1)
echo PCR $pcr7

pcr8=$(sudo tpm2_pcrread sha256 | tail -n +10 | head -n 1)


echo PCR $pcr8

echo DISK

driveName=$(sudo lshw -class storage | grep product: | tail -n +2)


echo Drive Model Name $driveName

driveSn=$(sudo lshw -class storage | grep serial:)


echo Drive $driveSn

driveVer=$(sudo lshw -class storage | grep version:| tail -n +2)


echo Drive firmware $driveVer

The table below describes the parameters returned by the script.

Element | Description
BIOS | Static header.
BIOS version | BIOS version.
BIOS release date | Timestamp for the BIOS version.
System Manufacturer | System manufacturer name - i.e. manufacturer of the device.
System serial number | Serial number of the system unit (aka chassis).
System UUID | Universally unique identifier tied to the motherboard.
MB Manufacturer | Motherboard manufacturer name.
MB Serial Number | Motherboard serial number.
Processor Version | Description of the processor.
Processor Serial Number | Serial number of the processor.
Memory Device Type | Type of the memory device.
Memory Manufacturer | Memory device manufacturer name.
Memory Serial Number | Serial number of the memory device.
Battery Manufacturer | Battery manufacturer name.
Battery SBDS Serial Number | Serial number of the battery.
Battery Device Name | Name of the battery device.
TPM | Static header.
Country | Usually TPM returns country code, not the full name.
Organization | Organization name.
Serial Number | TPM serial number.
Public Key | Public Key value.
PCR N | List of PCRs (Platform Configuration Register), where ‘N’ is the PCR number.
DISK | Static header.
Drive Model Name product | Drive model name.
Drive Serial | Drive serial number.
Drive firmware version | Drive firmware version.
Table 5-1. Parameters returned by the script

Figure 5.1-1. Example of the list with current parameters values



6 APPENDIX C: NOTICES
Lenovo may not offer the products, services, or features discussed in this document in all
countries. Consult your local Lenovo representative for information on the products and services
currently available in your area. Any reference to a Lenovo product, program, or service is not
intended to state or imply that only that Lenovo product, program, or service may be used. Any
functionally equivalent product, program, or service that does not infringe any Lenovo
intellectual property right may be used instead. However, it is the user's responsibility to
evaluate and verify the operation of any other product, program, or service.
Lenovo may have patents or pending patent applications covering subject matter described in
this document. The furnishing of this document does not give you any license to these patents.
You can send license inquiries, in writing, to:
Lenovo (United States), Inc.
8001 Development Dr – Building 8
Morrisville, NC 27560 U.S.A.
Attention: Lenovo Director of Licensing

LENOVO PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied
warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated in new editions
of the publication. Lenovo may make improvements and/or changes in the product(s) and/or the
program(s) described in this publication at any time without notice.
The products described in this document are not intended for use in implantation or other life
support applications where malfunction may result in injury or death to persons. The information
contained in this document does not affect or change Lenovo product specifications or
warranties. Nothing in this document shall operate as an express or implied license or indemnity
under the intellectual property rights of Lenovo or third parties. All information contained in this
document was obtained in specific environments and is presented as an illustration. The result
obtained in other operating environments may vary.
Lenovo may use or distribute any of the information you supply in any way it believes
appropriate without incurring any obligation to you.
Any references in this publication to non-Lenovo Web sites are provided for convenience only
and do not in any manner serve as an endorsement of those Web sites. The materials at those
Web sites are not part of the materials for this Lenovo product, and use of those Web sites is at
your own risk. Any performance data contained herein was determined in a controlled
environment. Therefore, the result in other operating environments may vary significantly. Some
measurements may have been made on development-level systems and there is no guarantee
that these measurements will be the same on generally available systems. Furthermore, some
measurements may have been estimated through extrapolation. Actual results may vary. Users
of this document should verify the applicable data for their specific environment.

Trademarks
The following terms are trademarks of Lenovo in the United States, other countries, or both:

• Lenovo
• The Lenovo logo
• ThinkPad
• ThinkCentre
• ThinkStation
• ThinkVantage

Intel is a trademark or registered trademark of Intel Corporation or its subsidiaries in the United
States and other countries.
Microsoft, Active Directory, Internet Explorer, and Windows are trademarks of the Microsoft
group of companies.
Other company, product, or service names may be trademarks or service marks of others.
