search

rhboot / shim

UEFI shim loader
Other
819 stars 289 forks source link

mok: remove MokListTrusted from PCR 7 #519

Closed baloo closed 1 year ago

baloo commented 1 year ago

MokListTrusted was added by mistake to PCR 7 in 4e513405. The value of MokListTrusted does not alter the behavior of secure boot so, as per https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36 (section 3.3.4 PCR usage) so it should not be factored in the value of PCR 7.

See: https://github.com/rhboot/shim/pull/423 https://github.com/rhboot/shim/commit/4e513405b4f1641710115780d19dcec130c5208f

Fixes https://github.com/rhboot/shim/issues/484 Fixes https://github.com/rhboot/shim/issues/492

baloo commented 1 year ago

Before:

``` - EventNum: 24 PCRIndex: 7 EventType: EV_EFI_VARIABLE_AUTHORITY DigestCount: 4 Digests: - AlgorithmId: sha1 Digest: "15875d39b8872f8aff3a92fc9f9e40ac75268e04" - AlgorithmId: sha256 Digest: "922e939a5565798a5ef12fe09d8b49bf951a8e7f89a0cca7a51636693d41a34d" - AlgorithmId: sha384 Digest: "f143e2948d63fcd3442e841bb36a7e180871f0a8946541961fe9d12e70d0727874600956264dba531e2edd8729c5eb38" - AlgorithmId: sha512 Digest: "b26c6842867487f14a6e326f96b6c19d1278d02d099862d70355cec886d97a2b7a7209569189fd0ce6d94c3302f18e8f5b157327288b5ef4f6447415d8af292b" EventSize: 68 Event: VariableName: 605dab50-e046-4300-abb6-3dd810dd8b23 UnicodeNameLength: 9 VariableDataLength: 18 UnicodeName: SbatLevel VariableData: "736261742c312c323032313033303231380a" - EventNum: 25 PCRIndex: 7 EventType: EV_EFI_VARIABLE_AUTHORITY DigestCount: 4 Digests: - AlgorithmId: sha1 Digest: "3efeb87af48ab5aee7fcbd3514bab719ed865c1c" - AlgorithmId: sha256 Digest: "5f62a2107fa11ce0485fd252d2e6c603cb8ed075861f9513bfed0a26bf6ed62b" - AlgorithmId: sha384 Digest: "841b29f5200c91e1a02e64a6636587bac5b85496a67e6d3c3cf52415a7ab726b4d2259134d84e9082191ac8ee15b7890" - AlgorithmId: sha512 Digest: "92b03acd457b86effba0b8f3886ab8fafbba745b1a4714d9c86c5b78204291fe0fb4e883db9b89d4dedfe6c12f2e72b8ec00d1dbf3a78302814e1ace570c2d22" EventSize: 61 Event: VariableName: 605dab50-e046-4300-abb6-3dd810dd8b23 UnicodeNameLength: 14 VariableDataLength: 1 UnicodeName: MokListTrusted VariableData: "01" - EventNum: 26 PCRIndex: 14 EventType: EV_IPL DigestCount: 4 Digests: - AlgorithmId: sha1 Digest: "bf8b4530d8d246dd74ac53a13471bba17941dff7" - AlgorithmId: sha256 Digest: "4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a" - AlgorithmId: sha384 Digest: "8d2ce87d86f55fcfab770a047b090da23270fa206832dfea7e0c946fff451f819add242374be551b0d6318ed6c7d41d8" - AlgorithmId: sha512 Digest: "7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339" EventSize: 15 Event: String: |- MokListTrusted ```

After:

``` - EventNum: 24 PCRIndex: 7 EventType: EV_EFI_VARIABLE_AUTHORITY DigestCount: 4 Digests: - AlgorithmId: sha1 Digest: "15875d39b8872f8aff3a92fc9f9e40ac75268e04" - AlgorithmId: sha256 Digest: "922e939a5565798a5ef12fe09d8b49bf951a8e7f89a0cca7a51636693d41a34d" - AlgorithmId: sha384 Digest: "f143e2948d63fcd3442e841bb36a7e180871f0a8946541961fe9d12e70d0727874600956264dba531e2edd8729c5eb38" - AlgorithmId: sha512 Digest: "b26c6842867487f14a6e326f96b6c19d1278d02d099862d70355cec886d97a2b7a7209569189fd0ce6d94c3302f18e8f5b157327288b5ef4f6447415d8af292b" EventSize: 68 Event: VariableName: 605dab50-e046-4300-abb6-3dd810dd8b23 UnicodeNameLength: 9 VariableDataLength: 18 UnicodeName: SbatLevel VariableData: "736261742c312c323032313033303231380a" - EventNum: 25 PCRIndex: 14 EventType: EV_IPL DigestCount: 4 Digests: - AlgorithmId: sha1 Digest: "bf8b4530d8d246dd74ac53a13471bba17941dff7" - AlgorithmId: sha256 Digest: "4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a" - AlgorithmId: sha384 Digest: "8d2ce87d86f55fcfab770a047b090da23270fa206832dfea7e0c946fff451f819add242374be551b0d6318ed6c7d41d8" - AlgorithmId: sha512 Digest: "7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339" EventSize: 15 Event: String: |- MokListTrusted ```
chrisccoulson commented 1 year ago

This looks ok to me as long as others are agreed that MokListTrusted shouldn't be measured to PCR7 (I don't think it should be for the reasons in https://github.com/rhboot/shim/issues/484)