As is the case with Azure.
Azure accepts:
- a base64-encoded X.509 certificate as PK
- a list of base64-encoded X.509 certificates as KEK
- a list of base64-encoded X.509 certificates as db
- a list of base64-encoded SHA256 hashes as dbx
Azure then injects Microsoft's GUID as the SignatureOwner when it builds the variable stores that the virtual firmware holds. For that reason, the EFI variables measured into the TPM will contain that GUID.
The same could probably happen with other cloud vendors, such as AWS or GCP.
Depending on the cloud vendor each image is published to, the GUID that cloud injects must be taken into account when computing the PCR7 events.
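To make the effect concrete, here is an added example (not code from the original thread or from any cloud vendor) that serializes PK/KEK/db/dbx as EFI_SIGNATURE_LIST structures with a chosen SignatureOwner GUID, builds the UEFI_VARIABLE_DATA blob that EV_EFI_VARIABLE_DRIVER_CONFIG events hash, and replays the five variable measurements into a simulated PCR7. The GUID constants are the well-known UEFI and Microsoft values assumed by this example; the certificate and hash bytes are constructed placeholders. Only the variable-config events are replayed, so the result is a demonstration of how the owner GUID alters the expected value, not a full PCR7 prediction (a real log also carries separator and EV_EFI_VARIABLE_AUTHORITY events).

```python
from __future__ import annotations

import hashlib
import struct
import uuid

# Well-known UEFI / Microsoft GUIDs (assumed constants, not taken from the thread).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")            # PK, KEK, SecureBoot
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # db, dbx
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")           # Microsoft's SignatureOwner
NIL_OWNER_GUID = uuid.UUID(int=0)                                                   # what a local tool might use


def signature_list(sig_type: uuid.UUID, owner: uuid.UUID, entries: list[bytes]) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST (header, no SignatureHeader, then owner+data entries).

    All entries in one list share a SignatureSize, which holds for SHA256 hashes and for a
    single X.509 certificate per list (the usual way certificates are packed).
    """
    size = len(entries[0])
    if any(len(e) != size for e in entries):
        raise ValueError("entries of one EFI_SIGNATURE_LIST must have equal size")
    sig_size = 16 + size                                   # EFI_GUID SignatureOwner + SignatureData
    body = b"".join(owner.bytes_le + e for e in entries)   # EFI_GUID is little-endian mixed (bytes_le)
    header = sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return header + body


def x509_lists(owner: uuid.UUID, certs: list[bytes]) -> bytes:
    """Certificates differ in length, so each X.509 cert gets its own EFI_SIGNATURE_LIST."""
    return b"".join(signature_list(EFI_CERT_X509_GUID, owner, [c]) for c in certs)


def variable_event_digest(vendor: uuid.UUID, name: str, data: bytes) -> bytes:
    """SHA-256 over the UEFI_VARIABLE_DATA structure that EV_EFI_VARIABLE_DRIVER_CONFIG records:
    VariableName GUID, UnicodeNameLength (chars), VariableDataLength, UnicodeName (UTF-16LE), VariableData."""
    blob = vendor.bytes_le + struct.pack("<QQ", len(name), len(data)) + name.encode("utf-16-le") + data
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = SHA256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def predict_pcr7(pk: bytes, kek: list[bytes], db: list[bytes], dbx: list[bytes], owner: uuid.UUID) -> bytes:
    """Replay SecureBoot, PK, KEK, db and dbx measurements with the given SignatureOwner GUID."""
    events = [
        (EFI_GLOBAL_VARIABLE, "SecureBoot", b"\x01"),
        (EFI_GLOBAL_VARIABLE, "PK", x509_lists(owner, [pk])),
        (EFI_GLOBAL_VARIABLE, "KEK", x509_lists(owner, kek)),
        (EFI_IMAGE_SECURITY_DATABASE_GUID, "db", x509_lists(owner, db)),
        (EFI_IMAGE_SECURITY_DATABASE_GUID, "dbx", signature_list(EFI_CERT_SHA256_GUID, owner, dbx)),
    ]
    pcr = bytes(32)
    for vendor, name, data in events:
        pcr = extend(pcr, variable_event_digest(vendor, name, data))
    return pcr


# Constructed placeholder inputs; real inputs would be DER certificates and 32-byte hashes.
SAMPLE_PK = b"constructed-pk-der-bytes"
SAMPLE_KEK = [b"constructed-kek-cert-1", b"constructed-kek-certificate-2"]
SAMPLE_DB = [b"constructed-db-cert"]
SAMPLE_DBX = [hashlib.sha256(b"revoked-image-1").digest(), hashlib.sha256(b"revoked-image-2").digest()]


def owner_guid_changes_pcr7() -> bool:
    """Same key material, different SignatureOwner: the expected PCR7 value is not the same."""
    azure_style = predict_pcr7(SAMPLE_PK, SAMPLE_KEK, SAMPLE_DB, SAMPLE_DBX, MICROSOFT_OWNER_GUID)
    local_style = predict_pcr7(SAMPLE_PK, SAMPLE_KEK, SAMPLE_DB, SAMPLE_DBX, NIL_OWNER_GUID)
    return azure_style != local_style


if __name__ == "__main__":
    for label, owner in (("microsoft owner", MICROSOFT_OWNER_GUID), ("nil owner", NIL_OWNER_GUID)):
        print(label, predict_pcr7(SAMPLE_PK, SAMPLE_KEK, SAMPLE_DB, SAMPLE_DBX, owner).hex())
```

The practical consequence for an image pipeline is that a PCR7 policy computed from the raw certificates and hashes alone will not match what the cloud's firmware actually measures; the owner GUID the vendor injects has to be part of the input to the prediction.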