mirror of
https://git.proxmox.com/git/efi-boot-shim
synced 2025-06-13 23:16:51 +00:00

Currently the only measurement the shim logs in the TPM is that of the EFI application it directly loads. However, there are no measurements being taken of applications that are being verified through the shim_lock protocol. In this patch we extend PCR4 for any binary for which Verify is being called through the shim_lock protocol.

Signed-off-by: Tamas K Lengyel <lengyelt@ainfosec.com>
25 lines, 960 B, Plaintext
The following PCRs are extended by shim:

PCR4:
- the Authenticode hash of the binary being loaded will be extended into PCR4 before SB verification.
- the hash of any binary for which Verify is called through the shim_lock protocol

PCR7:
- Any certificate in one of our certificate databases that matches a binary we try to load will be extended into PCR7. That includes:
  - DBX - the system blacklist, logged as "dbx"
  - MokListX - the Mok blacklist, logged as "MokListX"
  - vendor_dbx - shim's built-in vendor blacklist, logged as "dbx"
  - DB - the system whitelist, logged as "db"
  - MokList - the Mok whitelist, logged as "MokList"
  - vendor_cert - shim's built-in vendor whitelist, logged as "Shim"
  - shim_cert - shim's build-time generated whitelist, logged as "Shim"
- MokSBState will be extended into PCR7 if it is set, logged as "MokSBState".

PCR14:
- MokList, MokListX, and MokSBState will be extended into PCR14 if they are set.
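The measurement list above, replayed into PCR values the way a TPM extend does, as an added example that is not shim's code: the binary hashes, certificate bytes and the order of events within one PCR are constructed or assumed, and a SHA-256 of the file bytes stands in for the real Authenticode hash. It shows the practical consequence of this commit for anyone sealing secrets to PCR4: a kernel verified through shim_lock now changes PCR4, while PCR7 and PCR14 are unaffected.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR extend: PCR_new = SHA-256(PCR_old || digest)."""
    return sha256(pcr + digest)


def shim_events(loaded, shim_lock_verified, matched_certs, mok_sb_state, mok_vars):
    """Build (pcr, event_name, digest) triples following the README.tpm rules.

    loaded / shim_lock_verified: lists of (name, binary_hash).
    matched_certs: list of (name_logged_as, cert_bytes) that matched a binary.
    mok_sb_state: bytes or None.  mok_vars: {"MokList": bytes, "MokListX": bytes}.
    The relative order of MokList/MokListX/MokSBState events is an assumption
    of this model, not something the README specifies."""
    events = []
    for name, digest in loaded:
        events.append((4, name, digest))            # PCR4, before SB verification
    for name, digest in shim_lock_verified:
        events.append((4, name, digest))            # PCR4, added by this commit
    for logged_as, cert in matched_certs:
        events.append((7, logged_as, sha256(cert)))  # PCR7: db/dbx/MokList/Shim...
    if mok_sb_state is not None:
        events.append((7, "MokSBState", sha256(mok_sb_state)))
        events.append((14, "MokSBState", sha256(mok_sb_state)))
    for var in ("MokList", "MokListX"):
        if mok_vars.get(var):
            events.append((14, var, sha256(mok_vars[var])))
    return events


def replay(events):
    """Replay events into PCR4/7/14 starting from the all-zero reset value."""
    pcrs = {4: bytes(32), 7: bytes(32), 14: bytes(32)}
    for pcr, _name, digest in events:
        pcrs[pcr] = extend(pcrs[pcr], digest)
    return pcrs


# Constructed sample inputs (not real measurements).
GRUB = sha256(b"grub.efi bytes")     # stand-in for the Authenticode hash
KERNEL = sha256(b"vmlinuz bytes")
CERT = b"constructed DER certificate bytes"


def pcr_values_before_and_after_patch():
    """Old shim: only the directly loaded grub is in PCR4.
    This commit: the kernel grub verifies via shim_lock is measured too."""
    before = replay(shim_events([("grub.efi", GRUB)], [], [("db", CERT)], None, {}))
    after = replay(shim_events([("grub.efi", GRUB)], [("vmlinuz", KERNEL)],
                               [("db", CERT)], None, {}))
    return before, after
```

A TPM-sealed key bound to PCR4 on a system booting through this chain therefore has to be re-sealed once the updated shim is installed.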