tpm2_eventlog: parse vendor_db as EFI_SIGNATURE_DATA #3507

Merged
JuergenReppSIT merged 1 commit into tpm2-software:master from sergio-correia:vendor_db
Sep 8, 2025

@sergio-correia
Contributor

Since 9a47a1e, EV_EFI_VARIABLE_AUTHORITY variables should be parsed explicitly, so here we add support for parsing vendor_db -- which contains the shim's built-in vendor allowlist [1] -- as EFI_SIGNATURE_DATA, in a similar way that we do with db and Shim.

[1] https://github.com/rhboot/shim/blob/afc4955/README.tpm#L16

Since 9a47a1e, EV_EFI_VARIABLE_AUTHORITY variables should be parsed
explicitly, so here we add support for parsing vendor_db -- which contains
the shim's built-in vendor allowlist [1] -- as EFI_SIGNATURE_DATA, in a
similar way that we do with db and Shim.

Signed-off-by: Sergio Correia <scorreia@redhat.com>

[1] https://github.com/rhboot/shim/blob/afc4955/README.tpm#L16

@kkaarreell

tpm2_eventlog --eventlog-version=2 /sys/kernel/security/tpm0/binary_bios_measurements

before:

- EventNum: 36
  PCRIndex: 7
  EventType: EV_EFI_VARIABLE_AUTHORITY
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: "82242ec06624567b0704ae246b638fc01e1956f7b81b512d4e243136992f34ea"
  EventSize: 986
  Event:
    VariableName: d719b2cb-3d3a-4596-a3bc-dad00e67656f
    UnicodeNameLength: 9
    VariableDataLength: 936
    UnicodeName: vendor_db
    VariableData: "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"

after:

- EventNum: 36
  PCRIndex: 7
  EventType: EV_EFI_VARIABLE_AUTHORITY
  DigestCount: 1
  Digests:
  - AlgorithmId: sha256
    Digest: "82242ec06624567b0704ae246b638fc01e1956f7b81b512d4e243136992f34ea"
  EventSize: 986
  Event:
    VariableName: d719b2cb-3d3a-4596-a3bc-dad00e67656f
    UnicodeNameLength: 9
    VariableDataLength: 936
    UnicodeName: vendor_db
    VariableData:
    - SignatureOwner: 0223eddb-9079-4388-af77-2d65b1c35d3b
      SignatureData: 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

@JuergenReppSIT JuergenReppSIT merged commit c2d1ee7 into tpm2-software:master Sep 8, 2025
23 checks passed
@sergio-correia sergio-correia deleted the vendor_db branch September 8, 2025 12:09
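
The layout behind the before/after output above, as an added example that is not code from this pull request or from tpm2-tools: a bounds-checked C parser that splits a UEFI_VARIABLE_DATA event body and reads VariableData as a single EFI_SIGNATURE_DATA (a 16-byte SignatureOwner GUID followed by SignatureData). The function names and the sample buffer are assumptions made for illustration; the sample reuses the sizes and SignatureOwner GUID from the log, with zero filler in place of the real variable GUID, name and signature bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint64_t le64(const uint8_t *p) { /* little-endian UINT64 */
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* EFI GUID text form: first three fields little-endian, the rest in order. */
static void guid_str(const uint8_t *g, char out[37]) {
    snprintf(out, 37, "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-"
             "%02x%02x%02x%02x%02x%02x", g[3], g[2], g[1], g[0], g[5], g[4],
             g[7], g[6], g[8], g[9], g[10], g[11], g[12], g[13], g[14], g[15]);
}

/* Illustrative: UEFI_VARIABLE_DATA = GUID, name length, data length, UTF-16
 * name, data; data read as one EFI_SIGNATURE_DATA. -1 if a length misfits. */
int parse_authority(const uint8_t *ev, uint64_t event_size,
                    char owner[37], uint64_t *sig_off, uint64_t *sig_len) {
    const uint64_t hdr = 16 + 8 + 8;
    if (event_size < hdr) return -1;
    uint64_t name_chars = le64(ev + 16), data_len = le64(ev + 24);
    uint64_t room = event_size - hdr;
    if (name_chars > room / 2) return -1; /* divide, so no overflow */
    room -= name_chars * 2;
    if (data_len > room || data_len < 16) return -1;
    guid_str(ev + hdr + name_chars * 2, owner);
    *sig_off = hdr + name_chars * 2 + 16;
    *sig_len = data_len - 16;
    return 0;
}

/* Constructed sample sized like the event above (986/9/936); zero filler. */
uint64_t build_sample(uint8_t *buf) {
    memset(buf, 0, 986);
    buf[16] = 9;                    /* UnicodeNameLength */
    buf[24] = 0xa8; buf[25] = 0x03; /* VariableDataLength = 936 */
    memcpy(buf + 50, "\xdb\xed\x23\x02\x79\x90\x88\x43" /* SignatureOwner */
                     "\xaf\x77\x2d\x65\xb1\xc3\x5d\x3b", 16);
    return 986;
}

int main(void) {
    uint8_t ev[986]; char owner[37]; uint64_t off, len;
    if (parse_authority(ev, build_sample(ev), owner, &off, &len) == 0)
        printf("%s: %llu signature bytes\n", owner, (unsigned long long)len);
    return 0;
}
```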