From 031e5cce385d3f96b1caa1d53495332a7eb03749 Mon Sep 17 00:00:00 2001 From: Steve McIntyre Date: Tue, 23 Mar 2021 23:49:46 +0000 Subject: New upstream version 15.3 --- README.tpm | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) (limited to 'README.tpm') diff --git a/README.tpm b/README.tpm index d9c7c534..9e830b72 100644 --- a/README.tpm +++ b/README.tpm @@ -9,23 +9,25 @@ PCR4: PCR7: - Any certificate in one of our certificate databases that matches a binary we try to load will be extended into PCR7. That includes: - - DBX - the system blacklist, logged as "dbx" - - MokListX - the Mok blacklist, logged as "MokListX" - - vendor_dbx - shim's built-in vendor blacklist, logged as "dbx" - - DB - the system whitelist, logged as "db" - - MokList the Mok whitelist, logged as "MokList" - - vendor_cert - shim's built-in vendor whitelist, logged as "Shim" - - shim_cert - shim's build-time generated whitelist, logged as "Shim" + - DBX - the system denylist, logged as "dbx" + - MokListX - the Mok denylist, logged as "MokListX" + - vendor_dbx - shim's built-in vendor denylist, logged as "dbx" + - DB - the system allowlist, logged as "db" + - vendor_db - shim's built-in vendor allowlist, logged as "db" + - MokList the Mok allowlist, logged as "MokList" + - vendor_cert - shim's built-in vendor allowlist, logged as "Shim" + - shim_cert - shim's build-time generated allowlist, logged as "Shim" - MokSBState will be extended into PCR7 if it is set, logged as "MokSBState". +- SBAT will be extended into PCR7 if it is set, logged as "SBAT" PCR8: - If you're using the grub2 TPM patchset we cary in Fedora, the kernel command line and all grub commands (including all of grub.cfg that gets run) are measured into PCR8. - + PCR9: -- If you're using the grub2 TPM patchset we cary in Fedora, the kernel, +- If you're using the grub2 TPM patchset we carry in Fedora, the kernel, initramfs, and any multiboot modules loaded are measured into PCR9. PCR14: -- cgit v1.2.3