Incomplete MokListTrusted measurement in binary_bios_measurements #492

Closed
GastonMeghi opened this issue Jul 25, 2022 · 0 comments · Fixed by #519

@GastonMeghi

I'm trying to do boot measurements on RHEL8 machines. And I'm having issues with the following Event in the binary_bios_measurements:

  - EventNum: 27
    PCRIndex: 7
    EventType: EV_EFI_VARIABLE_AUTHORITY
    DigestCount: 3
    Digests:
    - AlgorithmId: sha1
      Digest: "3efeb87af48ab5aee7fcbd3514bab719ed865c1c"
    - AlgorithmId: sha256
      Digest: "5f62a2107fa11ce0485fd252d2e6c603cb8ed075861f9513bfed0a26bf6ed62b"
    - AlgorithmId: sha384
      Digest: "841b29f5200c91e1a02e64a6636587bac5b85496a67e6d3c3cf52415a7ab726b4d2259134d84e9082191ac8ee15b7890"
    EventSize: 61
    Event:
      VariableName: 605dab50-e046-4300-abb6-3dd810dd8b23
      UnicodeNameLength: 14
      VariableDataLength: 1
      UnicodeName: MokListTrusted
      VariableData: "01"

Please correct me if I'm wrong, but I think that, as in the TCG PC Client Platform Firmware Profile Specification page 54, since the event type is an EV_EFI_VARIABLE_AUTHORITY, the UEFI_VARIABLE_DATA.VariableData should be the EFI_SIGNATURE_DATA value from the EFI_SIGNATURE_LIST that contained the authority that was used to validate the image. And in this boot measurement the VariableData is just "01".

Really appreciate your support on this!
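
The mismatch reported above can be checked mechanically. The following Python is an added example, not part of the original issue or of shim's code: it decodes the Event field as UEFI_VARIABLE_DATA and flags an EV_EFI_VARIABLE_AUTHORITY entry whose VariableData is too short to be an EFI_SIGNATURE_DATA. The function names are hypothetical, and the event bytes are reconstructed from the fields quoted in the issue.

```python
import struct
import uuid

# UEFI_VARIABLE_DATA layout (TCG PC Client PFP spec): 16-byte GUID,
# UINT64 UnicodeNameLength (UTF-16 code units), UINT64 VariableDataLength
# (bytes), then UnicodeName and VariableData.
HEADER = struct.Struct("<16sQQ")
SIGNATURE_OWNER_SIZE = 16  # EFI_SIGNATURE_DATA begins with a SignatureOwner GUID


def parse_uefi_variable_data(event: bytes) -> dict:
    """Decode the Event field of an EV_EFI_VARIABLE_* log entry."""
    if len(event) < HEADER.size:
        raise ValueError("event shorter than the UEFI_VARIABLE_DATA header")
    guid, name_len, data_len = HEADER.unpack_from(event)
    name_end = HEADER.size + 2 * name_len
    if name_end + data_len != len(event):
        raise ValueError("length fields disagree with EventSize")
    return {
        "VariableName": str(uuid.UUID(bytes_le=guid)),
        "UnicodeName": event[HEADER.size:name_end].decode("utf-16-le"),
        "VariableData": event[name_end:],
    }


def authority_findings(event_type: str, event: bytes) -> list:
    """Flag EV_EFI_VARIABLE_AUTHORITY events that cannot hold EFI_SIGNATURE_DATA."""
    if event_type != "EV_EFI_VARIABLE_AUTHORITY":
        return []
    var = parse_uefi_variable_data(event)
    size = len(var["VariableData"])
    if size <= SIGNATURE_OWNER_SIZE:
        return [f"{var['UnicodeName']}: VariableData is {size} byte(s), "
                "too short for EFI_SIGNATURE_DATA"]
    return []


def build_event(guid: str, name: str, data: bytes) -> bytes:
    """Constructed test input: re-encode fields as UEFI_VARIABLE_DATA."""
    return (HEADER.pack(uuid.UUID(guid).bytes_le, len(name), len(data))
            + name.encode("utf-16-le") + data)


# Event 27 rebuilt from the fields quoted in the issue (constructed bytes).
EVENT_27 = build_event("605dab50-e046-4300-abb6-3dd810dd8b23",
                       "MokListTrusted", b"\x01")

if __name__ == "__main__":
    print(len(EVENT_27), authority_findings("EV_EFI_VARIABLE_AUTHORITY", EVENT_27))
```

The rebuilt event is 61 bytes long, matching the EventSize in the log: a 32-byte header, 28 bytes of UTF-16 name and 1 byte of data.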

baloo added a commit to baloo/shim that referenced this issue Oct 21, 2022
MokListTrusted was added by mistake to PCR 7 in 4e51340. The value of
MokListTrusted does not alter the behavior of secure boot so, as per
https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36
(section 3.3.4 PCR usage), it should not be factored in the value of
PCR 7.

See:
  rhboot#423
  rhboot@4e51340

Fixes rhboot#484
Fixes rhboot#492

Signed-off-by: Arthur Gautier <arthur.gautier@arista.com>
brianredbeard pushed a commit to brianredbeard/redhat-efi-boot-shim that referenced this issue Feb 22, 2024