RHEL-88404

Include leaf RH certs in vendor_db too


    • Type: Story
    • Resolution: Unresolved
    • shim
    • rhel-bootloader
    • ssg_core_services

RHEL CVM on Azure relies on the PCR7 measurement for the Confidential OS disk encryption (full disk encryption) feature. In particular, the TPM policy needs to ensure that a genuine Red Hat UKI is running. In RHEL, the UKI on x86 is signed with the "Red Hat Secure Boot Signing 504" leaf cert while the standard kernel uses "Red Hat Secure Boot Signing 501"; both leaf certs are signed by "Red Hat Secure Boot CA 5". In a standard SecureBoot environment where the SecureBoot 'db' only contains Microsoft certificates, both the standard kernel and the UKI will measure the same "Red Hat Secure Boot CA 5" into PCR7, as that's the anchor certificate in shim's 'vendor_db'. This makes it impossible to distinguish between the UKI and the standard kernel.

The RHEL CVM Marketplace image on Azure solves this problem by injecting the leaf "Red Hat Secure Boot Signing 504" into the SecureBoot db. As the signature check against the SecureBoot 'db' comes before the 'vendor_db' check in shim, we get "Red Hat Secure Boot Signing 504" measured into PCR7 and thus the TPM policy can work correctly. This method doesn't work well with custom images which customers can bring to Azure, as by default their instances will get a standard SecureBoot 'db' with Microsoft certs only.

The suggestion here is to include the 'leaf' RH certs (on x86: "Red Hat Secure Boot Signing 501", "Red Hat Secure Boot Signing 504", ...) before the corresponding CA ("Red Hat Secure Boot CA 5") in shim's vendor_db. This won't change anything for the existing RHEL CVM image on Azure, as the certificate check against the SecureBoot 'db' comes first, but it will allow customers to bring their own images and get a distinct PCR7 measurement without needing a custom SecureBoot db.

Note that including all leaf certificates will change PCR7 measurements for everyone, so if we want to be conservative in RHEL, we may want to include only the UKIs' "Red Hat Secure Boot Signing 504".
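Added example (not from the ticket or from shim's code): a small Python model of the db-before-vendor_db lookup order and the PCR7 extend the description relies on, run over the three db/vendor_db combinations discussed. It assumes simplified stand-ins: certificate names are used in place of DER, the Microsoft db entry is a constructed label, and the PCR7 extend hashes the cert label rather than shim's full EV_EFI_VARIABLE_AUTHORITY event.

```python
"""Simplified model of which certificate shim measures into PCR7 and
how that changes the resulting PCR7 value.  Certificates are stand-in
labels rather than DER, and the PCR extend hashes the label instead of
the full EV_EFI_VARIABLE_AUTHORITY event structure shim logs."""
import hashlib

# Certificate names from the ticket; MS_UEFI_CA is a constructed stand-in
# for whatever Microsoft certificate populates a stock SecureBoot db.
CA5 = "Red Hat Secure Boot CA 5"
SIGNING_501 = "Red Hat Secure Boot Signing 501"   # standard kernel
SIGNING_504 = "Red Hat Secure Boot Signing 504"   # UKI
MS_UEFI_CA = "Microsoft UEFI CA (stand-in)"
ISSUER = {SIGNING_501: CA5, SIGNING_504: CA5}       # leaf -> issuing CA

def matching_cert(signer, certs):
    """First entry in `certs` that authenticates an image signed by
    `signer`: either the leaf itself or the CA that issued it."""
    for cert in certs:
        if cert == signer or cert == ISSUER.get(signer):
            return cert
    return None

def measured_cert(signer, db, vendor_db):
    """shim checks the UEFI 'db' first and only then its built-in
    vendor_db; the entry that matched is the one measured into PCR7."""
    return matching_cert(signer, db) or matching_cert(signer, vendor_db)

def pcr7_after(cert, prior=bytes(32)):
    """TPM PCR extend: new = SHA-256(old || SHA-256(event))."""
    if cert is None:
        raise ValueError("not trusted by db or vendor_db; shim refuses to boot")
    event = hashlib.sha256(cert.encode()).digest()
    return hashlib.sha256(prior + event).hexdigest()

def pcr7_for_each_image(db, vendor_db):
    """PCR7 value after a standard kernel vs. a UKI is verified by shim."""
    return {"kernel": pcr7_after(measured_cert(SIGNING_501, db, vendor_db)),
            "uki": pcr7_after(measured_cert(SIGNING_504, db, vendor_db))}

STOCK_DB = [MS_UEFI_CA]                   # what a bring-your-own image gets
AZURE_CVM_DB = [MS_UEFI_CA, SIGNING_504]  # marketplace image injects the leaf
CURRENT_VENDOR_DB = [CA5]
PROPOSED_VENDOR_DB = [SIGNING_501, SIGNING_504, CA5]  # leaves before the CA
CONSERVATIVE_VENDOR_DB = [SIGNING_504, CA5]           # UKI leaf only

if __name__ == "__main__":
    for label, db, vdb in [("stock db + current vendor_db", STOCK_DB, CURRENT_VENDOR_DB),
                           ("stock db + proposed vendor_db", STOCK_DB, PROPOSED_VENDOR_DB),
                           ("Azure CVM db + proposed vendor_db", AZURE_CVM_DB, PROPOSED_VENDOR_DB)]:
        print(label, pcr7_for_each_image(db, vdb))
```

With the stock db the kernel and UKI values coincide under the current vendor_db and diverge under the proposed one, while the UKI value for the Azure CVM db is identical in both cases because the db match wins; the conservative variant leaves the standard kernel's PCR7 unchanged.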

bootloader-eng-team
Vitaly Kuznetsov (vkuznets@redhat.com)
Release Test Team