The vendor cert is appended into `MokListRT`, thus when loading a vendor signed executable, the certificate check succeeds in `check_allowlist` in `shim.c`, measuring the matching certificate under the name `MokListRT` into PCR7. The success condition in the `#if defined(VENDOR_CERT_FILE)` section in `verify_one_signature` never executes for valid executables.
Under PCR7, I am only able to get a measurement named under `MokListRT` in the eventlog, never `Shim`.
Is it possible this is a regression introduced by commit 092c2b2? Previously MokList was referenced, not MokListRT, which generally wouldn't contain copies of the vendor_cert certificates.
In the real world, not every case turns out the way we expected. For example, when `check_allowlist()` returns `EFI_NOT_FOUND` or other errors just because the NVRAM DB or NVRAM MokListRT memory hardware is broken right when `get_variable()` is running, the lines of `#if defined(VENDOR_CERT_FILE)` will be executed.
shim/shim.c
Line 542 in 7ba7440
How is this code-path reachable?
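To check which authority name a given boot actually logged, the variable events extended into PCR7 can be decoded and tallied by name. The following is an added example, not code from shim or from this thread: it assumes the events have already been pulled out of the TPM event log as `(pcr_index, event_data)` pairs restricted to variable-type events, uses the TCG `UEFI_VARIABLE_DATA` layout, and the GUID and certificate bytes in the sample are constructed.

```python
import struct
import uuid
from collections import Counter

# UEFI_VARIABLE_DATA header: VariableName GUID, UnicodeNameLength
# (counted in CHAR16 units), VariableDataLength (bytes).
HEADER = struct.Struct("<16sQQ")

def parse_variable_event(blob):
    """Decode one UEFI_VARIABLE_DATA blob into (guid, name, data)."""
    if len(blob) < HEADER.size:
        raise ValueError("event shorter than UEFI_VARIABLE_DATA header")
    raw_guid, name_chars, data_len = HEADER.unpack_from(blob)
    name_end = HEADER.size + 2 * name_chars
    if name_end + data_len > len(blob):
        raise ValueError("length fields exceed event size")
    name = blob[HEADER.size:name_end].decode("utf-16-le")
    data = blob[name_end:name_end + data_len]
    # EFI GUIDs are stored mixed-endian, which is what bytes_le expects.
    return uuid.UUID(bytes_le=raw_guid), name, data

def pcr7_variable_names(events):
    """Count the variable names measured into PCR7."""
    counts = Counter()
    for pcr, blob in events:
        if pcr == 7:
            counts[parse_variable_event(blob)[1]] += 1
    return counts

def build_event(guid, name, data):
    """Helper for the constructed sample: encode a UEFI_VARIABLE_DATA blob."""
    encoded = name.encode("utf-16-le")
    return HEADER.pack(guid.bytes_le, len(encoded) // 2, len(data)) + encoded + data

# Constructed sample: placeholder GUID and fake certificate bytes.
SAMPLE_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_EVENTS = [
    (7, build_event(SAMPLE_GUID, "MokListRT", b"constructed-cert-A")),
    (7, build_event(SAMPLE_GUID, "MokListRT", b"constructed-cert-A")),
    (4, b"constructed non-PCR7 event, skipped"),
]

if __name__ == "__main__":
    names = pcr7_variable_names(SAMPLE_EVENTS)
    for name, count in names.items():
        print(f"PCR7 authority {name}: {count} event(s)")
    print("Shim authority logged:", "Shim" in names)
```

A log that shows only `MokListRT` and no `Shim` entry matches the behaviour reported above.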