Incomplete MokListTrusted measurement in binary_bios_measurements #492
baloo added a commit to baloo/shim that referenced this issue Oct 21, 2022
MokListTrusted was added by mistake to PCR 7 in 4e51340. The value of MokListTrusted does not alter the behavior of secure boot so, as per https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36 (section 3.3.4 PCR usage), it should not be factored in the value of PCR 7.
See: rhboot#423 rhboot@4e51340
Fixes rhboot#484
Fixes rhboot#492
baloo added a commit to baloo/shim that referenced this issue Oct 21, 2022
MokListTrusted was added by mistake to PCR 7 in 4e51340. The value of MokListTrusted does not alter the behavior of secure boot so, as per https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36 (section 3.3.4 PCR usage), it should not be factored in the value of PCR 7.
See: rhboot#423 rhboot@4e51340
Fixes rhboot#484
Fixes rhboot#492
Signed-off-by: Arthur Gautier <arthur.gautier@arista.com>
brianredbeard pushed a commit to brianredbeard/redhat-efi-boot-shim that referenced this issue Feb 22, 2024
MokListTrusted was added by mistake to PCR 7 in 4e51340. The value of MokListTrusted does not alter the behavior of secure boot so, as per https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36 (section 3.3.4 PCR usage), it should not be factored in the value of PCR 7.
See: rhboot#423 rhboot@4e51340
Fixes rhboot#484
Fixes rhboot#492
Signed-off-by: Arthur Gautier <arthur.gautier@arista.com>
I'm trying to do boot measurements on RHEL8 machines. And I'm having issues with the following Event in the binary_bios_measurements:
PCRIndex: 7
EventType: EV_EFI_VARIABLE_AUTHORITY
DigestCount: 3
Digests:
Digest: "3efeb87af48ab5aee7fcbd3514bab719ed865c1c"
Digest: "5f62a2107fa11ce0485fd252d2e6c603cb8ed075861f9513bfed0a26bf6ed62b"
Digest: "841b29f5200c91e1a02e64a6636587bac5b85496a67e6d3c3cf52415a7ab726b4d2259134d84e9082191ac8ee15b7890"
EventSize: 61
Event:
VariableName: 605dab50-e046-4300-abb6-3dd810dd8b23
UnicodeNameLength: 14
VariableDataLength: 1
UnicodeName: MokListTrusted
VariableData: "01"
Please correct me if I'm wrong, but I think that, as in the TCG PC Client Platform Firmware Profile Specification, page 54, since the event type is an EV_EFI_VARIABLE_AUTHORITY, the UEFI_VARIABLE_DATA.VariableData should be the EFI_SIGNATURE_DATA value from the EFI_SIGNATURE_LIST that contained the authority that was used to validate the image. And in this boot measurement the VariableData is just "01".
Really appreciate your support on this!
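A structural check for the event quoted in this issue, added here as an example (it is not part of the original post and not shim's code): it parses the UEFI_VARIABLE_DATA body of an EV_EFI_VARIABLE_AUTHORITY event and flags entries whose VariableData is too short to hold an EFI_SIGNATURE_DATA (a 16-byte SignatureOwner GUID followed by signature bytes). The function names are hypothetical, and the second sample event (a "db" entry under EFI_IMAGE_SECURITY_DATABASE_GUID with a made-up owner GUID and placeholder bytes) is constructed for comparison.

```python
import struct
import uuid

GUID_LEN = 16                    # sizeof(EFI_GUID)
HEADER_LEN = GUID_LEN + 8 + 8    # VariableName + UnicodeNameLength + VariableDataLength

def build_variable_data(guid, name, data):
    """Serialize a UEFI_VARIABLE_DATA body (used only to construct sample input)."""
    return (uuid.UUID(guid).bytes_le + struct.pack("<QQ", len(name), len(data))
            + name.encode("utf-16-le") + data)

def parse_variable_data(event):
    """Parse a UEFI_VARIABLE_DATA body; reject lengths that disagree with EventSize."""
    if len(event) < HEADER_LEN:
        raise ValueError("event shorter than the UEFI_VARIABLE_DATA header")
    name_len, data_len = struct.unpack_from("<QQ", event, GUID_LEN)
    if HEADER_LEN + 2 * name_len + data_len != len(event):
        raise ValueError("length fields do not add up to the event size")
    name_end = HEADER_LEN + 2 * name_len   # UnicodeNameLength counts CHAR16 units
    return {"guid": str(uuid.UUID(bytes_le=event[:GUID_LEN])),
            "name": event[HEADER_LEN:name_end].decode("utf-16-le"),
            "data": event[name_end:]}

def check_authority_event(event):
    """Return (parsed, finding) for the body of an EV_EFI_VARIABLE_AUTHORITY event."""
    parsed = parse_variable_data(event)
    data = parsed["data"]
    # EFI_SIGNATURE_DATA = SignatureOwner GUID + at least one byte of SignatureData
    if len(data) <= GUID_LEN:
        return parsed, "VariableData too short to be EFI_SIGNATURE_DATA"
    owner = uuid.UUID(bytes_le=data[:GUID_LEN])
    return parsed, f"EFI_SIGNATURE_DATA candidate, SignatureOwner={owner}"

# The event from the issue, rebuilt from its decoded fields (61 bytes).
MOK_EVENT = build_variable_data("605dab50-e046-4300-abb6-3dd810dd8b23",
                                "MokListTrusted", b"\x01")
# Constructed comparison: a "db" authority entry with a made-up owner GUID and
# placeholder bytes standing in for a certificate.
DB_EVENT = build_variable_data(
    "d719b2cb-3d3a-4596-a3bc-dad00e67656f", "db",
    uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le + b"constructed-cert")

if __name__ == "__main__":
    for ev in (MOK_EVENT, DB_EVENT):
        parsed, finding = check_authority_event(ev)
        print(parsed["name"], len(ev), finding)
```

The rebuilt MokListTrusted body comes to 61 bytes (16 + 8 + 8 + 28 + 1), matching the EventSize in the log above.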