diff options
| author | Steve Langasek <steve.langasek@canonical.com> | 2019-02-09 21:28:06 -0800 |
|---|---|---|
| committer | Steve Langasek <steve.langasek@canonical.com> | 2019-02-09 21:32:44 -0800 |
| commit | ab4c731c1dd379acd3e95971af57401fb0a650a1 (patch) | |
| tree | 6a26fb8d0746cbbaa6c2d4b242c73442bcc1df06 /README.tpm | |
| parent | 0d63079c7da8e86104ce4bbdae2f6cb8d2ea40c6 (diff) | |
| parent | 9c12130f9cd2ae11a9336813dd1f1669c0b64ad0 (diff) | |
| download | efi-boot-shim-debian/15+1533136590.3beb971-1.tar.gz efi-boot-shim-debian/15+1533136590.3beb971-1.zip | |
* New upstream release.debian/15+1533136590.3beb971-1
- debian/patches/second-stage-path: dropped; the default loader path now
includes an arch suffix.
- debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
* Drop remaining patches that were not being applied.
* Sync packaging from Ubuntu:
- debian/copyright: Update upstream source location.
- debian/control: add a Build-Depends on libelf-dev.
- Enable arm64 build.
- debian/patches/fixup_git.patch: don't run git in clean; we're not
really in a git tree.
- debian/rules, debian/shim.install: use the upstream install target as
intended, and move files to the target directory using dh_install.
- define RELEASE and COMMIT_ID for the snapshot.
- Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
- Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
options: set MAKELEVEL.
- Define an EFI_ARCH variable, and use that for paths to shim. This
makes it possible to build a shim for other architectures than amd64.
- Set EFIDIR=$distro for dh_auto_install; that will let files be installed
in the "right" final directories, and makes boot.csv for us.
- Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
at compile-time for MokManager and fallback.
- Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
and MokManager.
Diffstat (limited to 'README.tpm')
| -rw-r--r-- | README.tpm | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/README.tpm b/README.tpm new file mode 100644 index 00000000..d9c7c534 --- /dev/null +++ b/README.tpm @@ -0,0 +1,33 @@ +The following PCRs are extended by shim: + +PCR4: +- the Authenticode hash of the binary being loaded will be extended into + PCR4 before SB verification. +- the hash of any binary for which Verify is called through the shim_lock + protocol + +PCR7: +- Any certificate in one of our certificate databases that matches a binary + we try to load will be extended into PCR7. That includes: + - DBX - the system blacklist, logged as "dbx" + - MokListX - the Mok blacklist, logged as "MokListX" + - vendor_dbx - shim's built-in vendor blacklist, logged as "dbx" + - DB - the system whitelist, logged as "db" + - MokList the Mok whitelist, logged as "MokList" + - vendor_cert - shim's built-in vendor whitelist, logged as "Shim" + - shim_cert - shim's build-time generated whitelist, logged as "Shim" +- MokSBState will be extended into PCR7 if it is set, logged as + "MokSBState". + +PCR8: +- If you're using the grub2 TPM patchset we cary in Fedora, the kernel command + line and all grub commands (including all of grub.cfg that gets run) are + measured into PCR8. + +PCR9: +- If you're using the grub2 TPM patchset we cary in Fedora, the kernel, + initramfs, and any multiboot modules loaded are measured into PCR9. + +PCR14: +- MokList, MokListX, and MokSBState will be extended into PCR14 if they are + set. |