mirror of https://git.proxmox.com/git/efi-boot-shim, synced 2025-11-04 05:59:19 +00:00

The following PCRs are extended by shim:

PCR4:
- the Authenticode hash of the binary being loaded will be extended into
  PCR4 before SB verification.
- the hash of any binary for which Verify is called through the shim_lock
  protocol

PCR7:
- Any certificate in one of our certificate databases that matches a binary
  we try to load will be extended into PCR7.  That includes:
  - DBX - the system denylist, logged as "dbx"
  - MokListX - the Mok denylist, logged as "MokListX"
  - vendor_dbx - shim's built-in vendor denylist, logged as "dbx"
  - DB - the system allowlist, logged as "db"
  - vendor_db - shim's built-in vendor allowlist, logged as "db"
  - MokList - the Mok allowlist, logged as "MokList"
  - vendor_cert - shim's built-in vendor allowlist, logged as "Shim"
  - shim_cert - shim's build-time generated allowlist, logged as "Shim"
- MokSBState will be extended into PCR7 if it is set, logged as
  "MokSBState".
- SBAT will be extended into PCR7 if it is set, logged as "SBAT"

PCR8:
- If you're using the grub2 TPM patchset we carry in Fedora, the kernel command
  line and all grub commands (including all of grub.cfg that gets run) are
  measured into PCR8.

PCR9:
- If you're using the grub2 TPM patchset we carry in Fedora, the kernel,
  initramfs, and any multiboot modules loaded are measured into PCR9.

PCR14:
- MokList, MokListX, and MokSBState will be extended into PCR14 if they are
  set.
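
An added example, not part of shim's documentation or code: replaying a
measurement log to see which PCRs an attestation or sealing policy must expect
to change when MokSBState is set, per the PCR7 and PCR14 entries above. The
event bytes, the PCR4 label and the event ordering are constructed
placeholders, and it assumes the SHA-256 bank with PCRs starting at all zeros.

```python
import hashlib


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend for the SHA-256 bank: new PCR = SHA-256(old PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(events):
    """Replay (pcr_index, description, data) events in log order."""
    pcrs = {}
    for index, _description, data in events:
        # A real event log records the digest itself; here it is derived
        # from constructed placeholder bytes (assumption for this example).
        digest = hashlib.sha256(data).digest()
        pcrs[index] = extend(pcrs.get(index, bytes(32)), digest)
    return pcrs


def diverging_pcrs(a, b):
    """Return the sorted PCR indexes whose final values differ."""
    return sorted(i for i in set(a) | set(b) if a.get(i) != b.get(i))


# Constructed baseline boot. Descriptions for PCR7/PCR14 are the log names
# listed above; "binary" is a hypothetical label for the PCR4 measurement.
BASELINE = [
    (4, "binary", b"constructed-authenticode-hash"),
    (7, "db", b"constructed-db-certificate"),
    (7, "SBAT", b"constructed-sbat-data"),
    (14, "MokList", b"constructed-mok-list"),
]

# The same boot with MokSBState set: it is extended into PCR7 and PCR14.
MOKSB_SET = BASELINE + [
    (7, "MokSBState", b"\x01"),
    (14, "MokSBState", b"\x01"),
]


def changed_by_moksbstate():
    """PCRs whose replayed value changes once MokSBState is measured."""
    return diverging_pcrs(replay(BASELINE), replay(MOKSB_SET))


if __name__ == "__main__":
    print("PCRs changed by MokSBState:", changed_by_moksbstate())
```

Because extend is order-dependent, a verifier has to replay the events in the
order the log records them, not grouped by description.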