rhboot / shim

UEFI shim loader

Should MokListTrusted be measured to PCR7? #484

Closed chrisccoulson closed 1 year ago

chrisccoulson commented 2 years ago

Shim 15.6 changes the value of PCR7 because of the addition of MokListTrusted in https://github.com/rhboot/shim/pull/423, which gets measured to PCR7:

$ sudo ./tcglog-dump -v --pcrs 7,14
PCR  DIGEST                                    TYPE                           DETAILS
7    d4fdd1f14d4041494deb8fc990c45343d2277d08  EV_EFI_VARIABLE_DRIVER_CONFIG  SecureBoot: 1
7    d9a7a63f7e87e7fb20a477b5b5e9407c9d57497f  EV_EFI_VARIABLE_DRIVER_CONFIG  PK: entries(x509)=1
7    2ebbf8ca84499166ca8f12aa7f259381c316b9b6  EV_EFI_VARIABLE_DRIVER_CONFIG  KEK: entries(x509)=2
7    e05b5af1ec98a42bf6e43c9ab29279a6a0415bef  EV_EFI_VARIABLE_DRIVER_CONFIG  db: entries(x509)=3
7    6fb84686442a1854a047ce1451978ad041119aff  EV_EFI_VARIABLE_DRIVER_CONFIG  dbx: entries(sha256)=78
7    9069ca78e7450a285173431b3e52c5c25299e473  EV_SEPARATOR                   
7    80c10f87c17b60c3dcfb9fae39556b46bdcc77d2  EV_EFI_VARIABLE_AUTHORITY      subject: "CN=UEFI key for <redacted>", owner: 00000000-0000-0000-0000-000000000000, source: db
14   92748cc7c270de6c169469f1de795e8378bf05cd  EV_IPL                         MokList
14   525ff70d4cfa4b2c76a2e23fc4490797932bd3f2  EV_IPL                         MokListX
7    15875d39b8872f8aff3a92fc9f9e40ac75268e04  EV_EFI_VARIABLE_AUTHORITY      SbatLevel: sbat,1,2021030218 ...
7    3efeb87af48ab5aee7fcbd3514bab719ed865c1c  EV_EFI_VARIABLE_AUTHORITY      Invalid authority event for MokListTrusted - not a hash or X509 certificate: x509: malformed certificate
14   bf8b4530d8d246dd74ac53a13471bba17941dff7  EV_IPL                         MokListTrusted
7    80c10f87c17b60c3dcfb9fae39556b46bdcc77d2  EV_EFI_VARIABLE_AUTHORITY      subject: "CN=UEFI key for  <redacted>", owner: 00000000-0000-0000-0000-000000000000, source: db
7    e50033c9db382a1fa2788f7ebe521fdcc87cc34a  EV_EFI_VARIABLE_AUTHORITY      subject: "CN=Canonical Ltd. Master Certificate Authority,O=Canonical Ltd.,L=Douglas,ST=Isle of Man,C=GB", source: Shim

PCR7 is used to record secure boot policy information, which is a combination of secure boot configuration and how each application is verified. Shim does currently use it for measuring some additional non-standard variables (MokSBState and SbatLevel), but that's OK because those directly affect secure boot policy.

MokListTrusted affects how the kernel uses entries in MokList after ExitBootServices, and so it feels a bit weird here because it's not directly related to secure boot policy. The existing MokList and MokListX variables are only measured to PCR14.

frozencemetery commented 2 years ago

Per https://bugzilla.redhat.com/show_bug.cgi?id=2098338, clevis automatic unlock seems to be broken by this.
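Why a single extra event changes the final PCR7 value, as an added example (not part of the issue or of shim): it replays the SHA-1 digests from the log in the first comment, once as recorded and once skipping the MokListTrusted EV_EFI_VARIABLE_AUTHORITY event. It assumes the dump shows every event extended into PCR 7; the names `replay` and `is_mok_list_trusted` are illustrative.

```python
import hashlib

# PCR index, SHA-1 digest and event type copied from the tcglog-dump output
# in the issue; the DETAILS column is shortened to a single word.
LOG = """\
7 d4fdd1f14d4041494deb8fc990c45343d2277d08 EV_EFI_VARIABLE_DRIVER_CONFIG SecureBoot
7 d9a7a63f7e87e7fb20a477b5b5e9407c9d57497f EV_EFI_VARIABLE_DRIVER_CONFIG PK
7 2ebbf8ca84499166ca8f12aa7f259381c316b9b6 EV_EFI_VARIABLE_DRIVER_CONFIG KEK
7 e05b5af1ec98a42bf6e43c9ab29279a6a0415bef EV_EFI_VARIABLE_DRIVER_CONFIG db
7 6fb84686442a1854a047ce1451978ad041119aff EV_EFI_VARIABLE_DRIVER_CONFIG dbx
7 9069ca78e7450a285173431b3e52c5c25299e473 EV_SEPARATOR separator
7 80c10f87c17b60c3dcfb9fae39556b46bdcc77d2 EV_EFI_VARIABLE_AUTHORITY authority(db)
14 92748cc7c270de6c169469f1de795e8378bf05cd EV_IPL MokList
14 525ff70d4cfa4b2c76a2e23fc4490797932bd3f2 EV_IPL MokListX
7 15875d39b8872f8aff3a92fc9f9e40ac75268e04 EV_EFI_VARIABLE_AUTHORITY SbatLevel
7 3efeb87af48ab5aee7fcbd3514bab719ed865c1c EV_EFI_VARIABLE_AUTHORITY MokListTrusted
14 bf8b4530d8d246dd74ac53a13471bba17941dff7 EV_IPL MokListTrusted
7 80c10f87c17b60c3dcfb9fae39556b46bdcc77d2 EV_EFI_VARIABLE_AUTHORITY authority(db)
7 e50033c9db382a1fa2788f7ebe521fdcc87cc34a EV_EFI_VARIABLE_AUTHORITY authority(Shim)
"""

def parse(text):
    """Return (pcr, digest_bytes, event_type, detail) tuples."""
    events = []
    for line in text.splitlines():
        pcr, digest, etype, detail = line.split(None, 3)
        events.append((int(pcr), bytes.fromhex(digest), etype, detail))
    return events

def replay(events, pcr, skip=lambda ev: False):
    """Replay one PCR of the SHA-1 bank: value = SHA1(value || digest)."""
    value = bytes(20)  # PCR 7 is all zeros after TPM reset
    for ev in events:
        if ev[0] == pcr and not skip(ev):
            value = hashlib.sha1(value + ev[1]).digest()
    return value

def is_mok_list_trusted(ev):
    """Match only the PCR7 authority event, not the EV_IPL one in PCR14."""
    return ev[2] == "EV_EFI_VARIABLE_AUTHORITY" and ev[3] == "MokListTrusted"

EVENTS = parse(LOG)
PCR7_WITH = replay(EVENTS, 7)                               # log as recorded
PCR7_WITHOUT = replay(EVENTS, 7, skip=is_mok_list_trusted)  # event left out

if __name__ == "__main__":
    print("PCR7 with MokListTrusted event:   ", PCR7_WITH.hex())
    print("PCR7 without MokListTrusted event:", PCR7_WITHOUT.hex())
```

Because each extend hashes the previous value, the two replays agree up to the SbatLevel event and diverge from the MokListTrusted event onward, so a policy bound to the earlier PCR7 value no longer matches.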