okirch / pcr-oracle Goto Github PK

View Code? Open in Web Editor NEW

6.0 6.0 7.0 293 KB

Predict TPM PCR values for future boot

License: GNU General Public License v2.0

Makefile 0.42% C 97.24% Shell 2.33%

pcr-oracle's People

Contributors

Stargazers

Watchers

Forkers

vogtinator aplanas lcp bmwiedemann wenhuachang fazerxlo

pcr-oracle's Issues

PCR0 mismatch on Dell Precision 5570

(This is mainly for the record since fwupdtpmevlog also got the same result.)

When running ./pcr-oracle --from eventlog all --verify current on my laptop (Dell Precision 5570), I got the following result:

sha256:0 bbbc23465991571a907e53aee35da58d4fe12b4d6e177bdc765c7f1f4b6dfb34 MISMATCH; actual=525082467a96970c9dd6373f33bca0e7a8aa78bdddda8c3bb1089d10e47fb739
sha256:1 883f741d12ecacc4195a6cb61d886966c05e4416517055017e98d616765d60a1 MISMATCH; actual=94dde583ee8b5a95d63bacc5a4e68e3bab6f805890b46c1488a84a4242ff237b
sha256:2 ee7295e4527c7216e3f73d905bfcf6c2568cb992780e4a99b8ec79bc686153e9 OK
sha256:3 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969 OK
sha256:4 da382da7b667bb0f57b7c96e8cdbcad6e1d1b613a640f2b380428c4f80bfc2e7 OK
sha256:5 130eb4a6b5c981987bdcbf465dbf8306126acb388ae54d741eb578b6325e241b OK
sha256:6 41d536047ad9b1dee727fe0dc489f9d12341fa3b90aa17d8bde660933800825c OK
sha256:7 e2375965dc638b53a40ba87ad19121e7f7579ab8c8b908f978e920cacbc5e49c MISMATCH; actual=c5e47b6168dbc0b3226ef701858545e213688b977cd69bab02361d985720bd2a
sha256:8 0000000000000000000000000000000000000000000000000000000000000000 OK
sha256:9 0000000000000000000000000000000000000000000000000000000000000000 OK
sha256:11 0000000000000000000000000000000000000000000000000000000000000000 OK
sha256:12 0000000000000000000000000000000000000000000000000000000000000000 OK
sha256:13 0000000000000000000000000000000000000000000000000000000000000000 OK
sha256:14 f695c46d865d91250e113909a6d405f1022ec884949006fc758393f15a7b471a OK
sha256:15 0000000000000000000000000000000000000000000000000000000000000000 OK
sha256:16 0000000000000000000000000000000000000000000000000000000000000000 OK
sha256:23 0000000000000000000000000000000000000000000000000000000000000000 OK

PCR7 mismatch is expected and PCR1 mismatch is due to the change of Setup-ec87d643-eba4-4bb5-a1e5-3f3e36b20da9. However, both pcr-oracle and fwupdtpmevlog got the same PCR0 value (bbbc234659...) based on the event log but it's different from the output oftpm2_pcrread (525082467a9...).

The current firmware version is 1.4.0, and fwupdmgr shows that 1.7.0 is available. Maybe updating the firmware could fix the issue.

Error: Unable to parse EVENT_EVENT_TAG event from TPM log

on real hardware:

# pcr-oracle --from eventlog --verify current predict 0,2,4,7,9 -d
::: Initializing predictor for sha256:0,2,4,7,9 from eventlog
::: Detected TPMv2 event log
::: Successfully read 36 events from TPM event log
::: Created new predictor
::: runtime_read_efi_application(/dev/sda2, /EFI/systemd/shim.efi)
::: Reading EFI application (/dev/sda2)/EFI/systemd/shim.efi
::: runtime_read_efi_application(/dev/sda2, /EFI/systemd/grub.efi)
::: Reading EFI application (/dev/sda2)/EFI/systemd/grub.efi
Error: Unable to parse EVENT_EVENT_TAG event from TPM log
::: 039fb: event type=EVENT_EVENT_TAG pcr=5 digests=2 data=32 bytes
:::   sha1       01d4e1ca16f118f6fcd954e175c0116c4a4f746b
:::   sha256     bdbea6dbc6791de89a483abc3a61af8e910249e7565682ff2011c910a490520a
:::   Data:
:::         0000  2a 58 bc f5 18 00 00 00 6c 00 6f 00 61 00 64 00 65 00 72 00 2e 00 63 00 6f 00 6e 00 66 00 00 00 *X......l.o.a.d.e.r...c.o.n.f...
Fatal: Aborting.

tpm2_eventlog works fine though. The event in question looks like this:

- EventNum: 32
  PCRIndex: 5
  EventType: EV_EVENT_TAG
  DigestCount: 2
  Digests:
  - AlgorithmId: sha1
    Digest: "01d4e1ca16f118f6fcd954e175c0116c4a4f746b"
  - AlgorithmId: sha256
    Digest: "bdbea6dbc6791de89a483abc3a61af8e910249e7565682ff2011c910a490520a"
  EventSize: 32
  Event: "2a58bcf5180000006c006f0061006400650072002e0063006f006e0066000000"

help text should go to stdout

pcr-oracle prints it's help output to stderr which is inconvenient if one wants to read it in a pager or grep for something. It's much better and more common to write to stdout.

sd-boot: handle switch from UKI to split kernel/initrd

At the moment, PCR prediction in pcr-oracle relies on the sequence of events in the UEFI eventlog to always be the same. pcr-oracle will just re-compute a new hash for each event, taking into account the system's current state.

On machines that use systemd-boot, it's possible that users might switch from booting a split kernel/initrd/options to a unified kernel image (UKI). These two scenarios generate a different sequence of events, meaning pcr-oracle will not be able to predict a correct set of PCR values.

The simple approach would be to document that and tell the user that switching between a split kernel and a UKI means they have to reboot, supply the recovery pass phrase to unlock their root partition, and then re-run pcr-oracle (or whatever shell script would be used to wrap the whole thing).

A more complex approach would be a major revision to the mode of operation of pcr-oracle, and I'm not looking forward to that :-)

free(): invalid next size (fast) in certain registers

Hi,

thank you for this tool. I recently came get the following problem, after it had been working for a while. As recommended I am making a:

pcr-oracle --from eventlog all --verify current

but this just leads to the problem:

Excluding PCR 10 from prediction (used by IMA)
free(): invalid next size (fast)
Abgebrochen (Speicherabzug geschrieben)

so trying to dig deeper I am going over those registers one by one:

pcr-oracle --from eventlog --before --stop-event grub-file=grub.cfg predict 0
sha256:0 d7f1b635cbf5ee8453ed92a1a41537a87a44018a6ca5cb562cec14f7ae081fbd

pcr-oracle --from eventlog --before --stop-event grub-file=grub.cfg predict 1
Error: Unable to extend PCR sha256:0: register was not initialized
free(): invalid pointer
Abgebrochen (Speicherabzug geschrieben)

pcr-oracle --from eventlog --before --stop-event grub-file=grub.cfg predict 2
Error: Unable to extend PCR sha256:0: register was not initialized
sha256:2 77e4f658f7b74581976910eb63f6ad085c13ddcd1031a546a3ac322306ad6def

which then continues like this. Said:

pcr-oracle --from eventlog all --verify current -d \
	--create-testcase /tmp/pcr-oracle.test

print a lot of stuff but also ends up in a:

8...xp..L.......E.e...~i.u.
:::         0640  92 9b f5 a6 bc 59 83 58                                                                         .....Y.X
:::   Firmware hashed entire event data
::: __pecoff_process_certificate_table: returning 2 cert blobs
::: Trying to extract signer's certificate from Authenticode cert
free(): invalid next size (fast)
Abgebrochen (Speicherabzug geschrieben)

No idea where the problem is. But at least the error for the free() seems not what should happen.

GPT rehashing does not work with NVMe

runtime_disk_for_partition does not work for device names such as /dev/nvme0p1, it tries to open /dev/nvme0p instead of /dev/nvme0:

:::   Trying to re-hash GPT for /dev/nvme0n1p
Error: Unable to open disk device /dev/nvme0n1p: No such file or directory
Fatal: Cannot re-hash PCR for event type EFI_GPT_EVENT

IIRC disk names like /dev/sdp are also possible, so just removing p as well is not correct either. Maybe there's a way to use sysfs for this?

PCR1 mismatch on Dell Precision 5570

There is another PCR mismatch in the laptop, and here is the event that causes it:

::: 06100: event type=EFI_VARIABLE_DRIVER_CONFIG pcr=1 digests=1 data=71 bytes
:::   --> EFI variable Setup-ec87d643-eba4-4bb5-a1e5-3f3e36b20da9: 29 bytes of data
:::   sha256     75fcc65085d44213ad1d54ede22099fb7e185888bf5e84cf14eafff069a4cde8
:::   Data:
:::         0000  43 d6 87 ec a4 eb b5 4b a1 e5 3f 3e 36 b2 0d a9 05 00 00 00 00 00 00 00 1d 00 00 00 00 00 00 00 C......K..?>6...................
:::         0020  53 00 65 00 74 00 75 00 70 00 00 00 01 01 02 01 00 01 01 00 01 01 00 00 00 01 01 01 01 01 00 00 S.e.t.u.p.......................
:::         0040  01 01 01 01 01 01 02                                                                            .......
:::   Firmware hashed entire event data
::: Read 3282 bytes from /sys/firmware/efi/efivars/Setup-ec87d643-eba4-4bb5-a1e5-3f3e36b20da9
:::   Remarshaled event for EFI variable Setup-ec87d643-eba4-4bb5-a1e5-3f3e36b20da9:
:::         0000  43 d6 87 ec a4 eb b5 4b a1 e5 3f 3e 36 b2 0d a9 05 00 00 00 00 00 00 00 ce 0c 00 00 00 00 00 00 C......K..?>6...................
:::         0020  53 00 65 00 74 00 75 00 70 00 40 01 00 01 01 00 00 00 00 00 02 01 20 00 00 01 06 01 00 01 01 00 S.e.t.u.p.@.....................
:::         0040  00 00 00 00 00 00 01 01 01 03 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 00 01 00 00 ................................
:::         0060  00 00 00 00 94 11 00 00 03 01 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ................................
:::         0080  00 00 00 00 00 00 00 00 01 20 40 00 00 00 00 00 03 4d 00 29 00 00 00 00 00 01 03 05 0b 0b 0b 0b [email protected].)............
:::         00a0  0b 03 08 08 08 08 08 00 00 0c 00 00 00 01 01 01 01 01 01 00 00 00 00 00 00 01 20 40 00 00 00 01 ...........................@....
...
:::         0ca0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................................
:::         0cc0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................................
:::         0ce0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                         ........................
::: Digest for EFI_VARIABLE_DRIVER_CONFIG changed
:::   Old digest: sha256: 75fcc65085d44213ad1d54ede22099fb7e185888bf5e84cf14eafff069a4cde8
:::   New digest: sha256: eb780e72a6f93f39e457225f9abc17a5582f300a72314b9751e33acee11c0acf

Setup-ec87d643-eba4-4bb5-a1e5-3f3e36b20da9 is not in the "Globally Defined Variables" in UEFI SPEC, and the implementation varies among different platforms. For example, in the Minnowboard firmware, it's "NV+BS":
https://github.com/tianocore/edk2-platforms/blob/master/Platform/Intel/Vlv2TbltDevicePkg/PlatformSetupDefaults.dsc#L10
But in WhitleyOpenBoard, it's "NV+BS+RT":
https://github.com/tianocore/edk2-platforms/blob/master/Platform/Intel/WhitleyOpenBoardPkg/StructurePcd.dsc#L24
In general, it's a variable to reflect the system setings.

It seems to me that the firmware of the laptop doesn't count on "Setup" to record the system settings but adds the information gradually during the boot process. Thus, the content of "Setup" contains lots of additional information in Runtime.

I wonder if we should calculate PCR 1 and 3 only based on the data recorded in the TPM event log.

Function names starting with __ are undefined behaviour

According to https://en.cppreference.com/w/c/language/identifier:

The following identifiers are reserved and may not be declared in a program (doing so invokes undefined behavior):
...

All identifiers that begin with an underscore followed by a capital letter or by another underscore (these reserved identifiers allow the library to use numerous behind-the-scenes non-external macros and functions).

So function names like __system_read_efi_variable are not allowed.

Tries to read nonexisting (?) EFI variable Shim-605dab50-e046-4300-abb6-3dd810dd8b23

::: 0659a: event type=EFI_VARIABLE_AUTHORITY pcr=7 digests=1 data=1184 bytes
:::   --> EFI variable Shim-605dab50-e046-4300-abb6-3dd810dd8b23: 1144 bytes of data
:::   sha256     855e3fe36acc277b003154a875a1d822e28b92e8163c8227dbb406822cb95ddc
:::   Data:
:::         0000  50 ab 5d 60 46 e0 00 43 ab b6 3d d8 10 dd 8b 23 04 00 00 00 00 00 00 00 78 04 00 00 00 00 00 00 P.]`F..C..=....#........x.......
:::         0020  53 00 68 00 69 00 6d 00 30 82 04 74 30 82 03 5c a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 S.h.i.m.0..t0..\........0...*.H.
:::         0040  f7 0d 01 01 0b 05 00 30 81 81 31 20 30 1e 06 03 55 04 03 0c 17 6f 70 65 6e 53 55 53 45 20 53 65 .......0..1.0...U....openSUSE.Se
:::         0060  63 75 72 65 20 42 6f 6f 74 20 43 41 31 0b 30 09 06 03 55 04 06 13 02 44 45 31 12 30 10 06 03 55 cure.Boot.CA1.0...U....DE1.0...U
:::         0080  04 07 0c 09 4e 75 72 65 6d 62 65 72 67 31 19 30 17 06 03 55 04 0a 0c 10 6f 70 65 6e 53 55 53 45 ....Nuremberg1.0...U....openSUSE
:::         00a0  20 50 72 6f 6a 65 63 74 31 21 30 1f 06 09 2a 86 48 86 f7 0d 01 09 01 16 12 62 75 69 6c 64 40 6f .Project1!0...*.H........build@o
:::         00c0  70 65 6e 73 75 73 65 2e 6f 72 67 30 1e 17 0d 31 33 30 38 32 36 31 36 31 32 30 37 5a 17 0d 33 35 pensuse.org0...130826161207Z..35
:::         00e0  30 37 32 32 31 36 31 32 30 37 5a 30 81 81 31 20 30 1e 06 03 55 04 03 0c 17 6f 70 65 6e 53 55 53 0722161207Z0..1.0...U....openSUS
:::         0100  45 20 53 65 63 75 72 65 20 42 6f 6f 74 20 43 41 31 0b 30 09 06 03 55 04 06 13 02 44 45 31 12 30 E.Secure.Boot.CA1.0...U....DE1.0
:::         0120  10 06 03 55 04 07 0c 09 4e 75 72 65 6d 62 65 72 67 31 19 30 17 06 03 55 04 0a 0c 10 6f 70 65 6e ...U....Nuremberg1.0...U....open
:::         0140  53 55 53 45 20 50 72 6f 6a 65 63 74 31 21 30 1f 06 09 2a 86 48 86 f7 0d 01 09 01 16 12 62 75 69 SUSE.Project1!0...*.H........bui
:::         0160  6c 64 40 6f 70 65 6e 73 75 73 65 2e 6f 72 67 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 [email protected].."0...*.H......
:::         0180  05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 de df 61 92 7a a4 fe 83 d1 7d 3b 68 0e b1 a7 f0 .......0..........a.z....};h....
:::         01a0  4e 92 93 fc 47 3e 70 2d 4e 88 dc 9a 9e fa 33 b4 a6 db 0e 23 c1 0d a8 c1 d5 65 04 84 04 ff 3a 48 N...G>p-N.....3....#.....e....:H
:::         01c0  18 4f 39 32 e4 ca 4e f9 04 9e 9f 0f cd 20 5d 61 ab a7 00 d8 a5 ff 2b 7f be e8 47 c3 2f 5b 02 c8 .O92..N.......]a......+...G./[..
:::         01e0  bb de 8e 1a e9 46 d3 86 ef ff 88 99 90 eb 10 89 b8 8b 3f 3e a8 07 c6 55 7a 6e d3 5f fc 83 3c 3d .....F............?>...Uzn._..<=
:::         0200  16 ed 26 c5 13 73 92 b1 70 1e 22 95 c8 00 6c 25 76 46 f1 a2 d9 d0 b0 98 68 0f a7 2d b1 0d 67 89 ..&..s..p."...l%vF......h..-..g.
:::         0220  ca 94 4a ea 12 c5 91 55 76 7f 6c 7a 2e f9 18 89 9f f8 f4 24 43 d5 35 6a cb 00 0e 2e ed 4b e2 5d ..J....Uv.lz.......$C.5j.....K.]
:::         0240  09 d8 1b 97 70 99 9e 5a 6f a6 81 a8 9d a9 58 76 7d 69 71 82 d3 ba 3a 96 43 9b f0 da 15 c6 4e e9 ....p..Zo.....Xv}iq...:.C.....N.
:::         0260  c8 15 b9 e9 cb c7 e4 71 ce ea 10 1b 6b c4 2a 70 01 a9 52 b4 17 de 00 52 cf 7d e4 fd 0f 4d 03 18 .......q....k.*p..R....R.}...M..
:::         0280  b2 90 28 d4 6f c4 ae 56 bc 36 60 49 46 8b 6b 0b 02 03 01 00 01 a3 81 f4 30 81 f1 30 0f 06 03 55 ..(.o..V.6`IF.k.........0..0...U
:::         02a0  1d 13 01 01 ff 04 05 30 03 01 01 ff 30 1d 06 03 55 1d 0e 04 16 04 14 68 42 60 0d e2 2c 4c 47 7e .......0....0...U......hB`..,LG~
:::         02c0  95 be 23 df ea 95 13 e5 97 17 62 30 81 ae 06 03 55 1d 23 04 81 a6 30 81 a3 80 14 68 42 60 0d e2 ..#.......b0....U.#...0....hB`..
:::         02e0  2c 4c 47 7e 95 be 23 df ea 95 13 e5 97 17 62 a1 81 87 a4 81 84 30 81 81 31 20 30 1e 06 03 55 04 ,LG~..#.......b......0..1.0...U.
:::         0300  03 0c 17 6f 70 65 6e 53 55 53 45 20 53 65 63 75 72 65 20 42 6f 6f 74 20 43 41 31 0b 30 09 06 03 ...openSUSE.Secure.Boot.CA1.0...
:::         0320  55 04 06 13 02 44 45 31 12 30 10 06 03 55 04 07 0c 09 4e 75 72 65 6d 62 65 72 67 31 19 30 17 06 U....DE1.0...U....Nuremberg1.0..
:::         0340  03 55 04 0a 0c 10 6f 70 65 6e 53 55 53 45 20 50 72 6f 6a 65 63 74 31 21 30 1f 06 09 2a 86 48 86 .U....openSUSE.Project1!0...*.H.
:::         0360  f7 0d 01 09 01 16 12 62 75 69 6c 64 40 6f 70 65 6e 73 75 73 65 2e 6f 72 67 82 01 01 30 0e 06 03 [email protected]...
:::         0380  55 1d 0f 01 01 ff 04 04 03 02 01 86 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 U...........0...*.H.............
:::         03a0  8a a3 89 c2 8e d9 f9 82 0b f3 33 ce e9 19 17 17 a3 65 80 cd 33 ae 06 51 56 29 b6 38 87 7b f4 9d ..........3......e..3..QV).8.{..
:::         03c0  fc 28 8e aa e0 53 12 0e 3a 60 c7 06 d8 3a 61 76 3b 77 08 f4 94 a4 8c 7c 47 3a 99 d8 84 9b 17 cc .(...S..:`...:av;w.....|G:......
:::         03e0  20 62 2e e2 76 e4 c6 36 0d 26 e9 2e 53 35 0a fb 3a 35 93 45 c3 93 82 c1 0b f3 08 e9 57 1f 59 37 .b..v..6.&..S5..:5.E........W.Y7
:::         0400  a9 d0 6c 69 fb 68 ea 7f 3b af d3 f7 59 27 8e d4 c7 96 73 f4 0c 0a f7 3e e4 af 6c 8c c7 7a 6f 09 ..li.h..;...Y'....s....>..l..zo.
:::         0420  79 f4 41 1f e3 6f 11 fb 3e 6c b1 a0 7b e4 92 b7 ca f9 32 f5 de c3 b0 73 7d e3 b3 82 5d cd ec 61 y.A..o..>l..{.....2....s}...]..a
:::         0440  dc fe 0c 3e c6 b5 e7 6c 2d 5d 92 73 ff ed aa 6a a9 9b 66 9e 5e 3a 6d 70 b0 31 c0 ce df 2f 21 10 ...>...l-].s...j..f.^:mp.1.../!.
:::         0460  68 0c 87 f3 77 a0 33 31 0a 0f 15 f6 ee 32 88 c5 9a 53 71 cd 0d 1a a1 28 89 d0 bf f6 56 ac 4b 3b h...w.31.....2...Sq....(....V.K;
:::         0480  36 06 2b 01 c5 eb e5 dc 72 83 3d 94 ac 28 83 13 fb c1 5d 27 9c 13 f6 32 5f f6 1f 4a b7 3e 53 8a 6.+.....r.=..(....]'...2_..J.>S.
:::   Firmware hashed entire event data
::: Reading /sys/firmware/efi/efivars/Shim-605dab50-e046-4300-abb6-3dd810dd8b23
::: Reading /sys/firmware/efi/vars/Shim-605dab50-e046-4300-abb6-3dd810dd8b23/data
Fatal: Unable to open file /sys/firmware/efi/vars/Shim-605dab50-e046-4300-abb6-3dd810dd8b23/data: No such file or directory

The event data of EV_EFI_VARIABLE_AUTHORITY may not cover the whole EFI variable

Per TCG Trusted Boot Chain in EDK II:

When UEFI secure boot is enabled, the DxeImageVerificationLib verifies the PE image signature based upon the EFI_SIGNATURE_DATA in the EFI_SIGNATURE_LIST of an image signature database. If an EFI_SIGNATURE_DATA is used to verify the image, then this EFI_SIGNATURE_DATA will be measured with EV_EFI_VARIABLE_AUTHORITY in DxeImageVerificationLib Measurement.c MeasureVariable().

So the EV_EFI_VARIABLE_AUTHORITY events for db or MokList only cover EFI_SIGNATURE_DATA, i.e. the x509 certificate used to verify the EFI image, not the whole variable. In such case, we have to check if the event data is really in the EFI variable and rehash the event data.

add verbose option

The (undocumented) -d option leads to massive amount of output. It's really hard to spot what pcr-oracle is really doing. For my purposes I'd love to simply see the predictions that were used as basis for generating the signed policy. For my purposes pcr-oracle is called like this:
pcr-oracle --private-key /etc/systemd/tpm2-pcr-private-key.pem --from eventlog --output /etc/systemd/tpm2-pcr-signature.json --policy-format systemd sign "$pcrs"

When unlocking doesn't work I can call systemd-cryptsetup with debug log level which would output something like this:

Read PCR selection: [sha256(0+2+4+7)]
PCR value: 0:sha256=2865a435e0833d2fd31a83c570038df20d31be1090270facfee83e70c3772ca2
PCR value: 2:sha256=90c6861f7d79b77c8cab72fa6f7d96ebcfadc51f8413507ca4f6cc4f0d849e81
PCR value: 4:sha256=7e3c6a404af041697cb15340b13d215a8111a1d6bd5ff0a753b40f4aad063aee
PCR value: 7:sha256=281f383382d05ae8987e4ff4ebeedd31f8c4624763e39ba42c2c7dba1d7e02d1

Would be great if pcr-oracle could have a similar easy to grasp output, eg with a --verbose switch, for the predictions. That way it would be possible to see which pcr has a mismatch with the prediction.

MokList VARIABLE_AUTHORITY events for kernel are not handled properly

On recent openSUSE systems, something generates a VARIABLE_AUTHORITY event for MokList when verifying the kernel's Authenticode signature. Most likely grub - waiting for @lcp to confirm.

Unfortunately, pcr-oracle does not know where the kernel resides, so it's not possible to recreate this event properly. For this to work, we would need the preceding BSA event to provide some hints in the Device Path (currently, it shows a zero length path). Plus, we would need the certificate the kernel was signed with - somewhere on disk, preferably in the same directory the kernel is in.

This is a continuation of issue #9