projects / efi-boot-shim.git / blame
| Commit | Line | Data |
|---|---|---|
| ab881f03 MTL |
1 | The following PCRs are extended by shim: |
| 2 | ||
| 3 | PCR4: | |
| 4 | - the Authenticode hash of the binary being loaded will be extended into | |
| 5 | PCR4 before SB verification. | |
| f892ac66 MTL |
6 | - the hash of any binary for which Verify is called through the shim_lock |
| 7 | protocol | |
| ab881f03 MTL |
8 | |
| 9 | PCR7: | |
| 10 | - Any certificate in one of our certificate databases that matches a binary | |
| 11 | we try to load will be extended into PCR7. That includes: | |
| 031e5cce SM |
12 | - DBX - the system denylist, logged as "dbx" |
| 13 | - MokListX - the Mok denylist, logged as "MokListX" | |
| 14 | - vendor_dbx - shim's built-in vendor denylist, logged as "dbx" | |
| 15 | - DB - the system allowlist, logged as "db" | |
| 16 | - vendor_db - shim's built-in vendor allowlist, logged as "db" | |
| 17 | - MokList the Mok allowlist, logged as "MokList" | |
| 18 | - vendor_cert - shim's built-in vendor allowlist, logged as "Shim" | |
| 19 | - shim_cert - shim's build-time generated allowlist, logged as "Shim" | |
| ab881f03 MTL |
20 | - MokSBState will be extended into PCR7 if it is set, logged as |
| 21 | "MokSBState". | |
| 031e5cce | 22 | - SBAT will be extended into PCR7 if it is set, logged as "SBAT" |
| ab881f03 | 23 | |
| 7bf7a6d0 MTL |
24 | PCR8: |
| 25 | - If you're using the grub2 TPM patchset we cary in Fedora, the kernel command | |
| 26 | line and all grub commands (including all of grub.cfg that gets run) are | |
| 27 | measured into PCR8. | |
| 031e5cce | 28 | |
| 7bf7a6d0 | 29 | PCR9: |
| 031e5cce | 30 | - If you're using the grub2 TPM patchset we carry in Fedora, the kernel, |
| 7bf7a6d0 MTL |
31 | initramfs, and any multiboot modules loaded are measured into PCR9. |
| 32 | ||
| ab881f03 MTL |
33 | PCR14: |
| 34 | - MokList, MokListX, and MokSBState will be extended into PCR14 if they are | |
| 35 | set. |