1 The following PCRs are extended by shim:
4 - the Authenticode hash of the binary being loaded will be extended into
5 PCR4 before SB verification.
6 - the hash of any binary for which Verify is called through the shim_lock
10 - Any certificate in one of our certificate databases that matches a binary
11 we try to load will be extended into PCR7. That includes:
12 - DBX - the system blacklist, logged as "dbx"
13 - MokListX - the Mok blacklist, logged as "MokListX"
14 - vendor_dbx - shim's built-in vendor blacklist, logged as "dbx"
15 - DB - the system whitelist, logged as "db"
16 - vendor_db - shim's built-in vendor whitelist, logged as "db"
17 - MokList the Mok whitelist, logged as "MokList"
18 - vendor_cert - shim's built-in vendor whitelist, logged as "Shim"
19 - shim_cert - shim's build-time generated whitelist, logged as "Shim"
20 - MokSBState will be extended into PCR7 if it is set, logged as
24 - If you're using the grub2 TPM patchset we cary in Fedora, the kernel command
25 line and all grub commands (including all of grub.cfg that gets run) are
29 - If you're using the grub2 TPM patchset we carry in Fedora, the kernel,
30 initramfs, and any multiboot modules loaded are measured into PCR9.
33 - MokList, MokListX, and MokSBState will be extended into PCR14 if they are