Diffstat (limited to 'README.tpm')
-rw-r--r--  README.tpm  33
1 files changed, 33 insertions, 0 deletions
diff --git a/README.tpm b/README.tpm
new file mode 100644
index 00000000..d9c7c534
--- /dev/null
+++ b/README.tpm
@@ -0,0 +1,33 @@
+The following PCRs are extended by shim:
+
+PCR4:
+- the Authenticode hash of the binary being loaded will be extended into
+ PCR4 before SB verification.
+- the hash of any binary for which Verify is called through the shim_lock
+ protocol
+
+PCR7:
+- Any certificate in one of our certificate databases that matches a binary
+ we try to load will be extended into PCR7. That includes:
+ - DBX - the system blacklist, logged as "dbx"
+ - MokListX - the Mok blacklist, logged as "MokListX"
+ - vendor_dbx - shim's built-in vendor blacklist, logged as "dbx"
+ - DB - the system whitelist, logged as "db"
+ - MokList the Mok whitelist, logged as "MokList"
+ - vendor_cert - shim's built-in vendor whitelist, logged as "Shim"
+ - shim_cert - shim's build-time generated whitelist, logged as "Shim"
+- MokSBState will be extended into PCR7 if it is set, logged as
+ "MokSBState".
+
+PCR8:
+- If you're using the grub2 TPM patchset we cary in Fedora, the kernel command
+ line and all grub commands (including all of grub.cfg that gets run) are
+ measured into PCR8.
+
+PCR9:
+- If you're using the grub2 TPM patchset we cary in Fedora, the kernel,
+ initramfs, and any multiboot modules loaded are measured into PCR9.
+
+PCR14:
+- MokList, MokListX, and MokSBState will be extended into PCR14 if they are
+ set.
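Review bot: the PCR7 list documents two pairs of sources that share one event-log description (vendor_dbx is logged as "dbx", the same string as DBX; shim_cert is logged as "Shim", the same string as vendor_cert), so a verifier reading the TPM event log cannot tell from the description alone whether a match came from the system database or from shim's built-in list. Please state that explicitly here, e.g. "note that vendor_dbx and DBX share the "dbx" description, and shim_cert and vendor_cert share the "Shim" description, so they are distinguished only by the digest", or explain how the two are meant to be told apart. Two smaller points in the same hunk: "cary" in the PCR8 and PCR9 entries should be "carry", and the MokList line is missing the " - " separator used by every other item in that sub-list ("- MokList - the Mok whitelist, logged as "MokList"").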