proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-06-14 14:23:32 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
19a7e1bcd5
efi-boot-shim/README.tpm
Peter Jones 631265b7e9 Add README.tpm to explain which PCRs we extend things to. 
Signed-off-by: Peter Jones <pjones@redhat.com>
2017-08-03 11:24:56 -04:00

23 lines
875 B
Plaintext
Raw Blame History

The following PCRs are extended by shim:
PCR4:
- the Authenticode hash of the binary being loaded will be extended into
PCR4 before SB verification.
PCR7:
- Any certificate in one of our certificate databases that matches a binary
we try to load will be extended into PCR7. That includes:
- DBX - the system blacklist, logged as "dbx"
- MokListX - the Mok blacklist, logged as "MokListX"
- vendor_dbx - shim's built-in vendor blacklist, logged as "dbx"
- DB - the system whitelist, logged as "db"
- MokList the Mok whitelist, logged as "MokList"
- vendor_cert - shim's built-in vendor whitelist, logged as "Shim"
- shim_cert - shim's build-time generated whitelist, logged as "Shim"
- MokSBState will be extended into PCR7 if it is set, logged as
"MokSBState".
PCR14:
- MokList, MokListX, and MokSBState will be extended into PCR14 if they are
set.
Reference in New Issue View Git Blame Copy Permalink