Closed baloo closed 1 year ago
MokListTrusted was added by mistake to PCR 7 in 4e513405. The value of MokListTrusted does not alter the behavior of secure boot so, as per https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36 (section 3.3.4 PCR usage) so it should not be factored in the value of PCR 7.
See: https://github.com/rhboot/shim/pull/423 https://github.com/rhboot/shim/commit/4e513405b4f1641710115780d19dcec130c5208f
Fixes https://github.com/rhboot/shim/issues/484 Fixes https://github.com/rhboot/shim/issues/492
Before:
After:
This looks ok to me as long as others are agreed that MokListTrusted shouldn't be measured to PCR7 (I don't think it should be for the reasons in https://github.com/rhboot/shim/issues/484)
MokListTrusted was added by mistake to PCR 7 in 4e513405. The value of MokListTrusted does not alter the behavior of secure boot so, as per https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36 (section 3.3.4 PCR usage) so it should not be factored in the value of PCR 7.
See: https://github.com/rhboot/shim/pull/423 https://github.com/rhboot/shim/commit/4e513405b4f1641710115780d19dcec130c5208f
Fixes https://github.com/rhboot/shim/issues/484 Fixes https://github.com/rhboot/shim/issues/492