-rw-r--r--README.tpm2
-rw-r--r--shim.c4
2 files changed, 6 insertions, 0 deletions
diff --git a/README.tpm b/README.tpm
index 261bcd05..b7314f12 100644
--- a/README.tpm
+++ b/README.tpm
@@ -3,6 +3,8 @@ The following PCRs are extended by shim:
PCR4:
- the Authenticode hash of the binary being loaded will be extended into
PCR4 before SB verification.
+- the hash of any binary for which Verify is called through the shim_lock
+ protocol
PCR7:
- Any certificate in one of our certificate databases that matches a binary
diff --git a/shim.c b/shim.c
index 2ab3dfe7..8fe70cb8 100644
--- a/shim.c
+++ b/shim.c
@@ -1820,7 +1820,11 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
if (status != EFI_SUCCESS)
goto done;
+ /* Measure the binary into the TPM */
+ tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)buffer, size, sha1hash, 4);
+
status = verify_buffer(buffer, size, &context, sha256hash, sha1hash);
+
done:
in_protocol = 0;
return status;
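Review bot: The return value of `tpm_log_pe()` on the added line is discarded, so a failed measurement still falls through to `verify_buffer()` and the binary can be verified and loaded while PCR4 and the event log do not reflect it, contrary to what README.tpm now advertises. If `tpm_log_pe()` reports success when no TPM is present (I cannot see its body here), the call should be `status = tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)buffer, size, sha1hash, 4);` followed by `if (EFI_ERROR(status)) goto done;`; if it instead fails on TPM-less firmware, gate that check behind a build option so verification is not broken there, and say so in a comment. It is also not visible from this hunk whether `sha1hash` is filled by `tpm_log_pe()` or is expected to hold the digest already; if the latter, it is consumed before `verify_buffer()` computes it, which is worth a comment at the call site. `shim_verify()` begins before and its closing brace falls after this hunk.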