On Mon, 2020-11-02 at 12:26 -0800, Matthew Garrett wrote:
> On Mon, Nov 2, 2020 at 12:24 PM Ard Biesheuvel <ardb@xxxxxxxxxx>
> wrote:
> > Does Shim use PCR 7 for the MOK key database? Are there any
> > specific requirements from MS on which PCRs Shim must touch?
>
> Yes, shim extends PCR 7 in the same way the firmware does. There's no
> requirement from MS on this, it just seemed like the right solution.

That's not fully correct: it extends PCR 7 for the
EV_EFI_VARIABLE_AUTHORITY event, but it measures the actual contents of
the variables to PCR 14 using an EV_IPL event. I'm actually trying to
persuade Peter that we should replace this latter with an
EV_EFI_VARIABLE_DRIVER_CONFIG event through PCR 7 instead.

James
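
Added example, not part of the thread and not shim's code: a simplified SHA-256 PCR replay showing which PCR changes when the MOK contents change, under the behaviour described in the message and under the proposed one. The byte strings and the helper names (`shim_events`, `changed_pcrs`) are constructed for illustration. Real events hash a UEFI_VARIABLE_DATA structure, and firmware measurements into PCR 7 are left out.

```python
import hashlib

# Event type values from the TCG PC Client platform firmware profile.
EV_IPL = 0x0000000D
EV_EFI_VARIABLE_DRIVER_CONFIG = 0x80000001
EV_EFI_VARIABLE_AUTHORITY = 0x800000E0


def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM extend for the SHA-256 bank: new = H(old || H(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def replay(events):
    """Replay (pcr_index, event_type, measured_bytes) tuples from zeroed PCRs."""
    pcrs = {}
    for index, _event_type, data in events:
        pcrs[index] = extend(pcrs.get(index, bytes(32)), data)
    return pcrs


def shim_events(mok_list: bytes, authority: bytes, proposed: bool = False):
    """Assumed model of the two shim measurements named in the message."""
    if proposed:
        # Proposal: variable contents go to PCR 7 as a driver-config event.
        contents = (7, EV_EFI_VARIABLE_DRIVER_CONFIG, mok_list)
    else:
        # Described behaviour: variable contents go to PCR 14 as EV_IPL.
        contents = (14, EV_IPL, mok_list)
    return [contents, (7, EV_EFI_VARIABLE_AUTHORITY, authority)]


def changed_pcrs(before_events, after_events):
    """Return the sorted PCR indices whose replayed value differs."""
    a, b = replay(before_events), replay(after_events)
    return sorted(i for i in a.keys() | b.keys() if a.get(i) != b.get(i))


if __name__ == "__main__":
    old_mok = b"constructed-mok-list-v1"          # constructed sample
    new_mok = old_mok + b"+constructed-extra-key"  # constructed sample
    cert = b"constructed-authority-cert"           # constructed sample
    for proposed in (False, True):
        diff = changed_pcrs(shim_events(old_mok, cert, proposed),
                            shim_events(new_mok, cert, proposed))
        print("proposed" if proposed else "described", "-> PCRs changed:", diff)
```

In this model, a verifier that checks only PCR 7 does not see a change to the MOK contents under the described behaviour, and does see it under the proposed one.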