projects / efi-boot-shim.git / blame
| Commit | Line | Data |
|---|---|---|
| 631265b7 PJ |
1 | The following PCRs are extended by shim: |
| 2 | ||
| 3 | PCR4: | |
| 4 | - the Authenticode hash of the binary being loaded will be extended into | |
| 5 | PCR4 before SB verification. | |
| 829d3c82 TL |
6 | - the hash of any binary for which Verify is called through the shim_lock |
| 7 | protocol | |
| 631265b7 PJ |
8 | |
| 9 | PCR7: | |
| 10 | - Any certificate in one of our certificate databases that matches a binary | |
| 11 | we try to load will be extended into PCR7. That includes: | |
| 25c83246 CC |
12 | - DBX - the system denylist, logged as "dbx" |
| 13 | - MokListX - the Mok denylist, logged as "MokListX" | |
| 14 | - vendor_dbx - shim's built-in vendor denylist, logged as "dbx" | |
| 15 | - DB - the system allowlist, logged as "db" | |
| 16 | - vendor_db - shim's built-in vendor allowlist, logged as "db" | |
| 17 | - MokList the Mok allowlist, logged as "MokList" | |
| 18 | - vendor_cert - shim's built-in vendor allowlist, logged as "Shim" | |
| 19 | - shim_cert - shim's build-time generated allowlist, logged as "Shim" | |
| 631265b7 PJ |
20 | - MokSBState will be extended into PCR7 if it is set, logged as |
| 21 | "MokSBState". | |
| 22 | ||
| bd97e72f PJ |
23 | PCR8: |
| 24 | - If you're using the grub2 TPM patchset we cary in Fedora, the kernel command | |
| 25 | line and all grub commands (including all of grub.cfg that gets run) are | |
| 26 | measured into PCR8. | |
| a6c726fc | 27 | |
| bd97e72f | 28 | PCR9: |
| 633169fe | 29 | - If you're using the grub2 TPM patchset we carry in Fedora, the kernel, |
| bd97e72f PJ |
30 | initramfs, and any multiboot modules loaded are measured into PCR9. |
| 31 | ||
| 631265b7 PJ |
32 | PCR14: |
| 33 | - MokList, MokListX, and MokSBState will be extended into PCR14 if they are | |
| 34 | set. |