forked from rhboot/shim
README.tpm
The following PCRs are extended by shim:
PCR4:
- the Authenticode hash of the binary being loaded will be extended into
PCR4 before SB verification.
- the hash of any binary for which Verify is called through the shim_lock
protocol
PCR7:
- Any certificate in one of our certificate databases that matches a binary
we try to load will be extended into PCR7. That includes:
  - DBX - the system denylist, logged as "dbx"
  - MokListX - the Mok denylist, logged as "MokListX"
  - vendor_dbx - shim's built-in vendor denylist, logged as "dbx"
  - DB - the system allowlist, logged as "db"
  - vendor_db - shim's built-in vendor allowlist, logged as "db"
  - MokList - the Mok allowlist, logged as "MokList"
  - vendor_cert - shim's built-in vendor allowlist, logged as "Shim"
  - shim_cert - shim's build-time generated allowlist, logged as "Shim"
- MokSBState will be extended into PCR7 if it is set, logged as
"MokSBState".
- SBAT will be extended into PCR7 if it is set, logged as "SBAT"
PCR8:
- If you're using the grub2 TPM patchset we carry in Fedora, the kernel command
line and all grub commands (including all of grub.cfg that gets run) are
measured into PCR8.
PCR9:
- If you're using the grub2 TPM patchset we carry in Fedora, the kernel,
initramfs, and any multiboot modules loaded are measured into PCR9.
PCR14:
- MokList, MokListX, and MokSBState will be extended into PCR14 if they are
set.
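
Added example (not part of shim or of this README): replaying a measurement
log shows why the entries above matter to anything sealed or attested against
PCR7 or PCR14. The event digests and the "grubx64.efi" description are
constructed sample values; the only TPM behaviour assumed is the extend rule
new = SHA256(old || digest) starting from an all-zero PCR.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 bank

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new = SHA256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(events):
    """Replay (pcr_index, description, digest) events; return {index: value}."""
    pcrs = {}
    for index, _desc, digest in events:
        if len(digest) != PCR_SIZE:
            raise ValueError(f"bad digest length for PCR{index}")
        # A PCR not yet touched starts as all zeroes.
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs

def diff_pcrs(expected, actual):
    """Sorted PCR indexes whose replayed values differ between two logs."""
    return sorted(i for i in expected.keys() | actual.keys()
                  if expected.get(i) != actual.get(i))

def measure(data: bytes) -> bytes:
    # Constructed stand-in for a logged digest; real ones come from the event log.
    return hashlib.sha256(data).digest()

# Constructed baseline boot, using the log descriptions listed in this README.
BASELINE = [
    (4, "grubx64.efi", measure(b"constructed-authenticode-hash")),
    (7, "db", measure(b"constructed-db-cert")),
    (7, "SBAT", measure(b"constructed-sbat")),
    (14, "MokList", measure(b"constructed-moklist")),
]
# Same boot with MokSBState set: per the README it lands in PCR7 and PCR14.
WITH_MOKSBSTATE = BASELINE + [
    (7, "MokSBState", measure(b"\x01")),
    (14, "MokSBState", measure(b"\x01")),
]

def changed_by_moksbstate():
    """PCRs a verifier would see change once MokSBState is set."""
    return diff_pcrs(replay(BASELINE), replay(WITH_MOKSBSTATE))

if __name__ == "__main__":
    print("PCRs changed by setting MokSBState:", changed_by_moksbstate())
```

Because extend is order-sensitive, a verifier has to replay the log in its
recorded order; comparing only the set of logged descriptions is not enough.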