From 489af5efca492140ea40bd83ea2f3b021f0725e9 Mon Sep 17 00:00:00 2001 From: Jan Setje-Eilers Date: Tue, 25 Feb 2025 09:57:59 -0800 Subject: README.tpm: reflect that vendor_db is in fact logged as "vendor_db" README.tpm incorrectly stated that vendor_db is logged as "db" when in fact it logs as "vendor_db". This caused confusion like https://github.com/keylime/keylime/issues/1725 Fixing the code risks breaking existing logs, so we're updating the doc instead. vendor_dbx is in fact logged as "dbx", so that remains unchanged. Thanks to Morten Linderud for raising this. Signed-off-by: Jan Setje-Eilers --- README.tpm | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.tpm b/README.tpm index 9e830b72..96ee6c9c 100644 --- a/README.tpm +++ b/README.tpm @@ -13,7 +13,7 @@ PCR7: - MokListX - the Mok denylist, logged as "MokListX" - vendor_dbx - shim's built-in vendor denylist, logged as "dbx" - DB - the system allowlist, logged as "db" - - vendor_db - shim's built-in vendor allowlist, logged as "db" + - vendor_db - shim's built-in vendor allowlist, logged as "vendor_db" - MokList the Mok allowlist, logged as "MokList" - vendor_cert - shim's built-in vendor allowlist, logged as "Shim" - shim_cert - shim's build-time generated allowlist, logged as "Shim" @@ -21,6 +21,12 @@ PCR7: "MokSBState". - SBAT will be extended into PCR7 if it is set, logged as "SBAT" +Note: In the past this document called out that vendor_db was logged as + "db", when in fact the code didn't do that. Since changing the code + risks breaking recorded logs, the documentation is update to reflect + reality. vendor_dbx is in fact logged as "dbx". + + PCR8: - If you're using the grub2 TPM patchset we cary in Fedora, the kernel command line and all grub commands (including all of grub.cfg that gets run) are -- cgit v1.2.3
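Review bot: the corrected vendor_db line is right per the commit message, but the list now mixes two conventions without saying so: vendor_db is logged under its own name, while the vendor_dbx entry two lines up is still logged as "dbx". A short parenthetical on the vendor_dbx line, e.g. `- vendor_dbx - shim's built-in vendor denylist, logged as "dbx" (not "vendor_dbx")`, would stop a reader from assuming symmetry and expecting a "vendor_dbx" event. Worth stating explicitly for anyone writing PCR7 event-log policy (the keylime issue linked in the message is exactly that case): an attestation rule that expects "db" for the vendor allowlist will fail to match or, worse, match the wrong entry, so verifiers should key on "vendor_db" for this measurement.

Review bot: typo in the new note, "the documentation is update to reflect reality" should read "is updated to reflect reality"; also consider dropping one of the two blank lines added before "PCR8:" so the spacing matches the rest of the file. Placement-wise the note sits after the SBAT bullet, separated from the list entry it explains; moving it directly under the vendor_db bullet, or folding it into that bullet as a trailing clause, keeps the caveat next to the line people actually read. Unrelated but visible in the trailing context: "patchset we cary in Fedora" should be "carry", a pre-existing typo that could be fixed in the same pass.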