checkSecureBootPolicyMeasurementsAndObtainAuthorities checks that the secure boot config measurements (EV_EFI_VARIABLE_DRIVER_CONFIG events) are well formed and that their digests are correct. What it doesn't do is verify that the event data matches the actual variable contents, and it should do.
This will need an opt-out flag for the post-install case, where the checks are executed after a signature database update has been applied and the variable contents are therefore inconsistent with the log.
Unit testing for this is a bit challenging right now because the code in internal/efitest to generate mock TCG logs does not currently allow the secure boot configuration contents to be customized.
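As an illustration of the missing check, and of the opt-out described above, here is an added Go example that is not secboot's own code. It parses the UEFI_VARIABLE_DATA event data of an EV_EFI_VARIABLE_DRIVER_CONFIG event, compares the logged VariableData with the current contents of the same variable, and skips that comparison when a post-install caller sets the hypothetical `SkipVariableContents` option. Reading the live variables is replaced by a constructed in-memory `variableStore`; `parseUEFIVariableData`, `checkEventMatchesVariable`, `CheckOptions` and the sample db contents are all assumptions made for this example, and the existing well-formedness and digest checks are not reproduced.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"unicode/utf16"
)

// uefiVariableData is the UEFI_VARIABLE_DATA event data of an EV_EFI_VARIABLE_DRIVER_CONFIG
// event: GUID, UnicodeNameLength (uint64, chars), VariableDataLength (uint64, bytes), UTF-16LE name, contents.
type uefiVariableData struct {
	GUID [16]byte
	Name string
	Data []byte
}

// parseUEFIVariableData decodes event data, rejecting truncated or over-long encodings.
func parseUEFIVariableData(b []byte) (*uefiVariableData, error) {
	if len(b) < 32 {
		return nil, errors.New("event data shorter than the UEFI_VARIABLE_DATA header")
	}
	var v uefiVariableData
	copy(v.GUID[:], b[:16])
	nameLen := binary.LittleEndian.Uint64(b[16:24])
	dataLen := binary.LittleEndian.Uint64(b[24:32])
	rest := b[32:]
	if nameLen > uint64(len(rest))/2 { // compare before multiplying so a huge length cannot wrap
		return nil, errors.New("UnicodeNameLength exceeds event data")
	}
	nameBytes := nameLen * 2
	if dataLen != uint64(len(rest))-nameBytes {
		return nil, errors.New("VariableDataLength does not match event data size")
	}
	u16 := make([]uint16, nameLen)
	for i := range u16 {
		u16[i] = binary.LittleEndian.Uint16(rest[2*i:])
	}
	v.Name = string(utf16.Decode(u16))
	v.Data = append([]byte(nil), rest[nameBytes:]...)
	return &v, nil
}

// encodeUEFIVariableData builds event data in the same layout (used only to construct the sample).
func encodeUEFIVariableData(guid [16]byte, name string, data []byte) []byte {
	u16 := utf16.Encode([]rune(name))
	var hdr [16]byte
	binary.LittleEndian.PutUint64(hdr[:8], uint64(len(u16)))
	binary.LittleEndian.PutUint64(hdr[8:], uint64(len(data)))
	out := append(append([]byte(nil), guid[:]...), hdr[:]...)
	for _, c := range u16 {
		out = append(out, byte(c), byte(c>>8))
	}
	return append(out, data...)
}

// varKey addresses a variable by GUID and name as the EFI variable services do; variableStore is a
// constructed stand-in for reading the live variables (e.g. efivarfs), where an absent variable reads as empty.
type varKey struct{ GUID [16]byte; Name string }
type variableStore map[varKey][]byte

// CheckOptions carries the proposed opt-out (hypothetical name): after a signature database update the
// variables are expected to differ from the log, so the post-install caller sets SkipVariableContents.
type CheckOptions struct{ SkipVariableContents bool }
var errVariableMismatch = errors.New("event data does not match current variable contents")

// checkEventMatchesVariable is the missing check: the logged contents must equal what the variable
// holds now. The existing well-formedness and digest checks are assumed to run alongside it.
func checkEventMatchesVariable(eventData []byte, store variableStore, opts CheckOptions) error {
	v, err := parseUEFIVariableData(eventData)
	if err != nil {
		return fmt.Errorf("malformed EV_EFI_VARIABLE_DRIVER_CONFIG event: %w", err)
	}
	if opts.SkipVariableContents {
		return nil
	}
	if !bytes.Equal(store[varKey{v.GUID, v.Name}], v.Data) {
		return fmt.Errorf("%w: %s", errVariableMismatch, v.Name)
	}
	return nil
}

// imageSecurityDatabaseGUID is EFI_IMAGE_SECURITY_DATABASE_GUID (d719b2cb-3d3a-4596-a3bc-dad00e67656f).
var imageSecurityDatabaseGUID = [16]byte{0xcb, 0xb2, 0x19, 0xd7, 0x3a, 0x3d, 0x96, 0x45, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f}

// demo runs three cases: contents match, contents changed by an update, the same with the opt-out set.
func demo() (match, mismatch, skipped error) {
	key := varKey{imageSecurityDatabaseGUID, "db"}
	logged := []byte("constructed db contents measured at boot") // stands in for an EFI_SIGNATURE_LIST blob
	event := encodeUEFIVariableData(key.GUID, key.Name, logged)
	store := variableStore{key: append([]byte(nil), logged...)}
	match = checkEventMatchesVariable(event, store, CheckOptions{})
	store[key] = []byte("constructed db contents after a signature database update")
	mismatch = checkEventMatchesVariable(event, store, CheckOptions{})
	skipped = checkEventMatchesVariable(event, store, CheckOptions{SkipVariableContents: true})
	return
}

func main() {
	fmt.Println(demo()) // at boot: <nil>; after update: mismatch error; post-install opt-out: <nil>
}
```

The length checks in `parseUEFIVariableData` matter as much as the comparison itself: a bound is checked before the multiplication so an oversized UnicodeNameLength cannot wrap, and the declared VariableDataLength must account for exactly the remaining bytes, so a truncated or padded event fails parsing instead of being compared as if it were well formed. Absent variables read as empty contents in the stand-in store, so an event logged with zero-length VariableData matches an unset variable.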