<feed xmlns='http://www.w3.org/2005/Atom'>
<title>efi-boot-shim.git/README.tpm, branch rolling</title>
<subtitle> (mirror of https://github.com/vyos/efi-boot-shim.git)
</subtitle>
<id>https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/'/>
<updated>2025-03-18T13:56:58+00:00</updated>
<entry>
<title>README.tpm: Update MokList entry to MokListRT</title>
<updated>2025-03-18T13:56:58+00:00</updated>
<author>
<name>Thien Trung Vuong</name>
<email>tvuong@microsoft.com</email>
</author>
<published>2025-03-08T00:49:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=28d8871bdd17f3c52be9b370ec45238ef6816130'/>
<id>urn:sha1:28d8871bdd17f3c52be9b370ec45238ef6816130</id>
<content type='text'>
Commit 092c2b2bbed950727e41cf450b61c794881c33e7 switched to using
MokListRT instead of MokList during PCR7 measurement. Updating the
README to reflect the correct behaviour.

Signed-off-by: Thien Trung Vuong &lt;tvuong@microsoft.com&gt;
</content>
</entry>
<entry>
<title>README.tpm: reflect that vendor_db is in fact logged as "vendor_db"</title>
<updated>2025-02-26T00:43:12+00:00</updated>
<author>
<name>Jan Setje-Eilers</name>
<email>jan.setjeeilers@oracle.com</email>
</author>
<published>2025-02-25T17:57:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=489af5efca492140ea40bd83ea2f3b021f0725e9'/>
<id>urn:sha1:489af5efca492140ea40bd83ea2f3b021f0725e9</id>
<content type='text'>
README.tpm incorrectly stated that  vendor_db is logged as "db"
when in fact it logs as "vendor_db". This caused confusion like

https://github.com/keylime/keylime/issues/1725

Fixing the code risks breaking existing logs, so we're updating
the doc instead. vendor_dbx is in fact logged as "dbx", so that
remains unchanged.

Thanks to Morten Linderud &lt;morten@linderud.pw&gt; for raising this.

Signed-off-by: Jan Setje-Eilers &lt;Jan.SetjeEilers@oracle.com&gt;
</content>
</entry>
<entry>
<title>SBAT: mirror SBAT to SbatRT and extend to PCR7 + log</title>
<updated>2021-02-22T16:22:36+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2021-02-18T21:52:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=de9165756c5dc0ef90508e44a151619f7a3cb27f'/>
<id>urn:sha1:de9165756c5dc0ef90508e44a151619f7a3cb27f</id>
<content type='text'>
This adds SBAT to our table of variables to mirror with our MoK state.
Currently it mirrors "SBAT" to a variable named "SbatRT", both using the
SHIM GUID.

Currently we enforce the current policy WRT these variables:

- we always delete SbatRT if it's present, for a couple of reasons:
 - If we got here either something created it before us during boot,
   which isn't a thing we believe anything should be doing, or it's an
   NV variable, which it shouldn't be.
 - we want to raise the error if it's NV+Authenticated
- we always delete SBAT (and do not mirror it) if it either
  - doesn't have BS|NV set or
  - does have RT set
    - we're requiring !RT because we can't actually tell if it's an
      authenticated variable or not, and we want to get the error if RT
      is set and it is authenticated, because that means we've lost the
      race between us and an attacker to create it.
- we always measure SBAT into PCR7 and add a log extension with the
  measured hash

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Rename check_{white,black}list to check_{allow,deny}list</title>
<updated>2021-02-16T08:12:48+00:00</updated>
<author>
<name>Chris Coulson</name>
<email>chris.coulson@canonical.com</email>
</author>
<published>2020-07-03T00:47:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=25c83246373b95dffdd152c784934e47b8323edd'/>
<id>urn:sha1:25c83246373b95dffdd152c784934e47b8323edd</id>
<content type='text'>
v2 - updated for conflicts and to include documentation (pjones)
</content>
</entry>
<entry>
<title>Fix a bunch of trivial trailing whitespace issues.</title>
<updated>2021-02-16T08:12:48+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2021-02-14T16:21:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=a6c726fc81e53fff07942d0d50a7d274bedb4cb6'/>
<id>urn:sha1:a6c726fc81e53fff07942d0d50a7d274bedb4cb6</id>
<content type='text'>
Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Add support for vendor_db built-in shim authorized list.</title>
<updated>2020-07-24T02:22:04+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2020-07-23T16:36:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=dd3a5d71252a1f94e37f1a4c8841d253630b305a'/>
<id>urn:sha1:dd3a5d71252a1f94e37f1a4c8841d253630b305a</id>
<content type='text'>
Potential new signing strategies ( for example signing grub, fwupdate
and vmlinuz with separate certificates ) require shim to support a
vendor provided bundle of trusted certificates and hashes, which allows
shim to trust EFI binaries matching either certificate by signature or
hash in the vendor_db.  Functionality is similar to vendor_dbx.

This also improves the mirroring quite a bit.
Upstream: pr#206
</content>
</entry>
<entry>
<title>Update README.tpm</title>
<updated>2020-07-24T00:53:24+00:00</updated>
<author>
<name>noahbliss</name>
<email>noah@superuser.sh</email>
</author>
<published>2020-03-05T00:46:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=633169fe3291c832236ca1074fc679852f9caee1'/>
<id>urn:sha1:633169fe3291c832236ca1074fc679852f9caee1</id>
<content type='text'>
typo
Upstream-commit-id: bc24c9eb1d4
</content>
</entry>
<entry>
<title>Add GRUB's PCR Usage to README.tpm</title>
<updated>2020-07-24T00:51:49+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2018-08-01T14:58:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=bd97e72f0490b2be766949f448bf6ea3ec2bba1a'/>
<id>urn:sha1:bd97e72f0490b2be766949f448bf6ea3ec2bba1a</id>
<content type='text'>
This didn't seem to get documented anywhere, and this is as good a place as any.
Upstream-commit-id: 4fab7281a8c
</content>
</entry>
<entry>
<title>Log measurements in PCR4 for applications being verified through shim_lock</title>
<updated>2018-03-06T19:37:07+00:00</updated>
<author>
<name>Tamas K Lengyel</name>
<email>lengyelt@ainfosec.com</email>
</author>
<published>2017-10-26T17:00:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=829d3c82652ff51cad8878c69956b78b5aabb86a'/>
<id>urn:sha1:829d3c82652ff51cad8878c69956b78b5aabb86a</id>
<content type='text'>
Currently the only measurement the shim logs in the TPM is that of the EFI
application it directly loads. However, there are no measurements being taken
of application that are being verified through the shim_lock protocol. In this
patch we extend PCR4 for any binary for which Verify is being called through
the shim_lock protocol.

Signed-off-by: Tamas K Lengyel &lt;lengyelt@ainfosec.com&gt;
</content>
</entry>
<entry>
<title>Add README.tpm to explain which PCRs we extend things to.</title>
<updated>2017-08-03T15:24:56+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2017-08-01T16:54:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=631265b7e9c447412d423ffed1b39dfd706054cd'/>
<id>urn:sha1:631265b7e9c447412d423ffed1b39dfd706054cd</id>
<content type='text'>
Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
</feed>
