diff options
| -rw-r--r-- | README | 4 | ||||
| -rw-r--r-- | README.tpm | 22 |
2 files changed, 26 insertions, 0 deletions
@@ -12,5 +12,9 @@ in the shim.h header file and provides a single entry point. On 64-bit systems this entry point expects to be called with SysV ABI rather than MSABI, and so calls to it should not be wrapped. +On systems with a TPM chip enabled and supported by the system firmware, +shim will extend various PCRs with the digests of the targets it is +loading. A full list is in the file README.tpm . + To use shim, simply place a DER-encoded public certificate in a file such as pub.cer and build with "make VENDOR_CERT_FILE=pub.cer". diff --git a/README.tpm b/README.tpm new file mode 100644 index 00000000..261bcd05 --- /dev/null +++ b/README.tpm @@ -0,0 +1,22 @@ +The following PCRs are extended by shim: + +PCR4: +- the Authenticode hash of the binary being loaded will be extended into + PCR4 before SB verification. + +PCR7: +- Any certificate in one of our certificate databases that matches a binary + we try to load will be extended into PCR7. That includes: + - DBX - the system blacklist, logged as "dbx" + - MokListX - the Mok blacklist, logged as "MokListX" + - vendor_dbx - shim's built-in vendor blacklist, logged as "dbx" + - DB - the system whitelist, logged as "db" + - MokList the Mok whitelist, logged as "MokList" + - vendor_cert - shim's built-in vendor whitelist, logged as "Shim" + - shim_cert - shim's build-time generated whitelist, logged as "Shim" +- MokSBState will be extended into PCR7 if it is set, logged as + "MokSBState". + +PCR14: +- MokList, MokListX, and MokSBState will be extended into PCR14 if they are + set. |