git.proxmox.com Git - efi-boot-shim.git/blob - README.tpm
Add support for vendor_db built-in shim authorized list.
The following PCRs are extended by shim:

PCR4:
- the Authenticode hash of the binary being loaded will be extended into
  PCR4 before SB verification.
- the hash of any binary for which Verify is called through the shim_lock
  protocol

PCR7:
- Any certificate in one of our certificate databases that matches a binary
  we try to load will be extended into PCR7. That includes:
  - DBX - the system blacklist, logged as "dbx"
  - MokListX - the Mok blacklist, logged as "MokListX"
  - vendor_dbx - shim's built-in vendor blacklist, logged as "dbx"
  - DB - the system whitelist, logged as "db"
  - vendor_db - shim's built-in vendor whitelist, logged as "db"
  - MokList - the Mok whitelist, logged as "MokList"
  - vendor_cert - shim's built-in vendor whitelist, logged as "Shim"
  - shim_cert - shim's build-time generated whitelist, logged as "Shim"
- MokSBState will be extended into PCR7 if it is set, logged as
  "MokSBState".

PCR8:
- If you're using the grub2 TPM patchset we carry in Fedora, the kernel command
  line and all grub commands (including all of grub.cfg that gets run) are
  measured into PCR8.

PCR9:
- If you're using the grub2 TPM patchset we carry in Fedora, the kernel,
  initramfs, and any multiboot modules loaded are measured into PCR9.

PCR14:
- MokList, MokListX, and MokSBState will be extended into PCR14 if they are
  set.
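The PCR assignments above are what a verifier has to reproduce when it checks a boot against an attestation quote or a sealed-key policy. The following Python is an added example, not shim code and not part of this README: it models the TPM 2.0 extend operation (new PCR = SHA-256(old PCR || digest)) and replays a constructed sequence of the events this file describes, so that the effect of ordering and of the "only if set" rules for MokSBState, MokList and MokListX can be seen directly. The event layout (what exactly is hashed for each entry, the description strings, the single-cert PCR7 path) is a simplification assumed for illustration; real shim logs EV_EFI_VARIABLE_AUTHORITY records whose digests cover more than the raw certificate.

```python
"""Simulated replay of the shim measurements listed in README.tpm.

Added illustration only (not code from shim). Assumptions: a SHA-256 PCR bank,
PCRs start at all-zero bytes, and each entry's digest is simply SHA-256 of the
constructed data we feed in.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

PCR_SIZE = 32                      # SHA-256 bank, 32-byte PCR values
TRACKED_PCRS = (4, 7, 8, 9, 14)    # the PCRs this README talks about


def measure(data: bytes) -> bytes:
    """Digest of an object before it is extended (constructed simplification)."""
    return hashlib.sha256(data).digest()


def pcr_extend(old: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for one SHA-256 bank: H(old || digest)."""
    if len(old) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR and digest must be 32-byte SHA-256 values")
    return hashlib.sha256(old + digest).digest()


@dataclass(frozen=True)
class Event:
    pcr: int           # PCR index the entry is extended into
    description: str   # description string as README.tpm says it is logged
    digest: bytes      # value handed to the extend operation


def shim_events(authenticode_hash: bytes,
                matched_db: str,
                matched_cert: bytes,
                mok_list: Optional[bytes] = None,
                mok_list_x: Optional[bytes] = None,
                mok_sb_state: Optional[bytes] = None) -> List[Event]:
    """Event sequence for one binary load, following the rules in README.tpm.

    matched_db is the log name of the database whose cert matched ("db",
    "dbx", "MokList", "MokListX", "Shim"). Variables passed as None are
    treated as unset and produce no PCR7/PCR14 entry (hypothetical model).
    """
    events = [Event(4, "binary", authenticode_hash)]          # PCR4, pre-SB-verify
    events.append(Event(7, matched_db, measure(matched_cert)))  # matching certificate
    if mok_sb_state is not None:                               # only if set
        events.append(Event(7, "MokSBState", measure(mok_sb_state)))
    for name, value in (("MokList", mok_list),
                        ("MokListX", mok_list_x),
                        ("MokSBState", mok_sb_state)):
        if value is not None:                                  # only if set
            events.append(Event(14, name, measure(value)))
    return events


def replay(events: List[Event]) -> Dict[int, bytes]:
    """Fold an event list into final PCR values, the way a verifier would."""
    pcrs = {n: bytes(PCR_SIZE) for n in TRACKED_PCRS}
    for ev in events:
        pcrs[ev.pcr] = pcr_extend(pcrs[ev.pcr], ev.digest)
    return pcrs


if __name__ == "__main__":
    # Constructed sample inputs; none of these are real certificates or hashes.
    auth_hash = measure(b"constructed PE image bytes")  # stands in for the Authenticode hash
    cert = b"constructed DER certificate"
    for label, evs in (("SB enforced, no Mok vars", shim_events(auth_hash, "db", cert)),
                       ("MokSBState set", shim_events(auth_hash, "db", cert, mok_sb_state=b"\x01"))):
        final = replay(evs)
        print(label)
        for ev in evs:
            print(f"  PCR{ev.pcr:<2} {ev.description:<10} {ev.digest.hex()[:16]}...")
        for n in TRACKED_PCRS:
            print(f"  PCR{n:<2} = {final[n].hex()}")
```

Running it shows PCR8 and PCR9 untouched (shim never extends them; that is grub's job) and a different PCR7 and PCR14 as soon as MokSBState is set, which is why a sealing policy bound to PCR7 breaks when Secure Boot validation is toggled through MokManager.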