| 28 Apr 2023 |
ElvishJerricco | Yeah, the reason to bind things against the section contents of a UKI would be as a poor man's secure boot | 13:22:58 |
ElvishJerricco | so if you have actual secure boot and bind to PCR 7, it's not important | 13:23:09 |
ElvishJerricco | and at that point pcrphase is only serving the purpose of phase control, so that the TPM only unlocks things during the appropriate boot phase | 13:23:36 |
ElvishJerricco | So I guess you still need something like systemd-measure, except if you don't care about measuring UKI sections you could leave those out and just measure the phase path | 13:27:07 |
ElvishJerricco | which I don't think is a mode that systemd-measure will do | 13:27:30 |
baloo | Authenticode PE hash thing is just a matter of filtering out the checksum and the signature section from the hash | 17:33:19 |
baloo | other than that, it's a plain hash of the file. | 17:33:34 |
baloo | ( https://github.com/m4b/goblin/pull/362/files ) | 17:34:54 |