Commit | Line | Data |
---|---|---|
631265b7 PJ |
1 | The following PCRs are extended by shim: |
2 | ||
3 | PCR4: | |
4 | - the Authenticode hash of the binary being loaded will be extended into | |
5 | PCR4 before SB verification. | |
829d3c82 TL |
6 | - the hash of any binary for which Verify is called through the shim_lock |
7 | protocol | |
631265b7 PJ |
8 | |
9 | PCR7: | |
10 | - Any certificate in one of our certificate databases that matches a binary | |
11 | we try to load will be extended into PCR7. That includes: | |
25c83246 CC |
12 | - DBX - the system denylist, logged as "dbx" |
13 | - MokListX - the Mok denylist, logged as "MokListX" | |
14 | - vendor_dbx - shim's built-in vendor denylist, logged as "dbx" | |
15 | - DB - the system allowlist, logged as "db" | |
16 | - vendor_db - shim's built-in vendor allowlist, logged as "db" | |
17 | - MokList - the Mok allowlist, logged as "MokList" | |
18 | - vendor_cert - shim's built-in vendor allowlist, logged as "Shim" | |
19 | - shim_cert - shim's build-time generated allowlist, logged as "Shim" | |
631265b7 PJ |
20 | - MokSBState will be extended into PCR7 if it is set, logged as |
21 | "MokSBState". | |
22 | ||
bd97e72f PJ |
23 | PCR8: |
24 | - If you're using the grub2 TPM patchset we carry in Fedora, the kernel command | |
25 | line and all grub commands (including all of grub.cfg that gets run) are | |
26 | measured into PCR8. | |
a6c726fc | 27 | |
bd97e72f | 28 | PCR9: |
633169fe | 29 | - If you're using the grub2 TPM patchset we carry in Fedora, the kernel, |
bd97e72f PJ |
30 | initramfs, and any multiboot modules loaded are measured into PCR9. |
31 | ||
631265b7 PJ |
32 | PCR14: |
33 | - MokList, MokListX, and MokSBState will be extended into PCR14 if they are | |
34 | set. |
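
A verifier can use the list above by replaying the measurement log and comparing the result with the quoted PCR values. The sketch below is an added example, not code from shim: it assumes the SHA-256 bank, a simplified `(pcr, description, digest)` event tuple instead of the binary TCG log format, and constructed digests and file names.

```python
import hashlib

# Descriptions the README says shim logs, per PCR. Firmware also logs its own
# events into PCR7, so a description outside this set is not an error by itself.
SHIM_LOGGED = {
    7: {"dbx", "MokListX", "db", "MokList", "Shim", "MokSBState"},
    14: {"MokList", "MokListX", "MokSBState"},
}

def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM extend operation for the SHA-256 bank: new = H(old || digest)."""
    return hashlib.sha256(pcr_value + digest).digest()

def replay(events):
    """Replay (pcr, description, digest) tuples into per-PCR values.

    Returns (values, shim_entries): final PCR values, and for PCR7/PCR14 the
    descriptions that match what the README attributes to shim, in log order.
    """
    values, shim_entries = {}, {7: [], 14: []}
    for pcr, desc, digest in events:
        values[pcr] = extend(values.get(pcr, bytes(32)), digest)
        if desc in SHIM_LOGGED.get(pcr, ()):
            shim_entries[pcr].append(desc)
    return values, shim_entries

def mismatched_pcrs(values, quoted):
    """PCR indexes whose replayed value differs from the quoted (attested) one."""
    return sorted(i for i, q in quoted.items() if values.get(i, bytes(32)) != q)

def d(label: str) -> bytes:
    """Constructed stand-in digest; a real log carries the measured data's hash."""
    return hashlib.sha256(label.encode()).digest()

# Constructed sample log (not taken from a real machine).
SAMPLE_LOG = [
    (4, "grubx64.efi", d("authenticode:grub")),
    (7, "db", d("cert:vendor_db")),
    (7, "MokSBState", d("var:MokSBState")),
    (14, "MokList", d("var:MokList")),
    (14, "MokSBState", d("var:MokSBState")),
]

if __name__ == "__main__":
    values, shim_entries = replay(SAMPLE_LOG)
    quoted = dict(values)  # stand-in for values taken from a TPM quote
    quoted[7] = extend(bytes(32), d("cert:vendor_db"))  # quote lacks MokSBState
    print("mismatched PCRs:", mismatched_pcrs(values, quoted))
    print("MokSBState measured:", "MokSBState" in shim_entries[7])
```

A mismatch on PCR7 or PCR14 means the log handed to the verifier is not the sequence the TPM actually recorded, so the descriptions in it cannot be trusted until the replay matches.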