Control: tags -1 wontfix
Control: close -1

On Tue, 3 Sep 2024 10:23:41 +0000 "Settenvini, Matteo" <matteo.settenv...@bender.de> wrote:
> Package: shim-signed
> Version: 1.44~1+deb12u1+15.8-1~deb12u1
> Severity: important
>
> Dear Maintainer,
>
> after updating the shim-signed package to 1.44~1+deb12u1+15.8~deb12u1,
> unlocking the LUKS drive automatically via the TPM as enrolled through
> systemd-cryptenroll fails because the value of PCR 7 changes.
>
> This is problematic in our setup, because only the IT administrator
> has the LUKS passphrase which can be used as a fallback unlock method.
> Therefore, manual intervention for unlocking and re-enrolling the TPM
> is needed.
>
> At least a NEWS entry should be displayed before the update, and
> possibly a solution to automatically re-enroll after a successful unlock
> via passphrase added (via systemd unit file? maybe a systemd wishlist
> item? `keyctl update` to reseal?).
>
> In any case, a blind update causes a serious regression for us. We
> understand this is intended behavior, but we should at least have
> a way to know before applying the update.
>
> Thanks!
> Matteo Settenvini
Hi,

The supported disk encryption setup in Debian is created by debian-installer and managed by cryptsetup-initramfs et al. It looks like you have a custom setup, which means whatever tool/script/etc you used also needs to be able to deal with this and re-enroll whenever any PCR you bind your key to changes.

Debian is not equipped to do this automatically nor to use any other schemes, given the default setup uses GRUB and locally-generated initramfs-tools based initrds, which means there is no possibility of using predictable signed PCR policies, nor pcrlock for nvram-based policies. You might be able to experiment with these tools on your own, but it is not supported in any way, sorry.
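As an added example, not part of the bug report, the maintainer's reply, or anything Debian ships: the re-enrollment step the reply says a custom setup has to handle, as a small POSIX shell script an administrator runs after unlocking with the passphrase on the first boot of the updated shim. It records the SHA-256 digest of PCR 7 at enrollment time, compares it with the value the TPM holds now, and only if it differs wipes the stale TPM2 keyslot and binds a fresh one to the current PCR 7 with systemd-cryptenroll. The device path, the state file location, the use of the PASSWORD environment variable to feed systemd-cryptenroll the recovery passphrase non-interactively, and the presence of tpm2-tools for the fallback read are all assumptions made here for illustration. Note the ordering caveat the reply implies: without predictable PCR policies the new PCR 7 value is only knowable once the new shim has actually been booted, so this cannot run as a pre-update hook; it has to run after the reboot into the updated shim.

```shell
#!/bin/sh
# Added example: detect a PCR 7 change and re-enroll the LUKS TPM2 keyslot.
# Not from the bug report or from Debian. Paths and variable names below are
# hypothetical; adjust them for your own setup.
set -eu

LUKS_DEV="${LUKS_DEV:-/dev/nvme0n1p3}"                      # assumed LUKS device
STATE_FILE="${STATE_FILE:-/var/lib/tpm-reenroll/pcr7.sha256}" # assumed state file
PCR_INDEX=7

# Print the current SHA-256 digest of PCR 7 as lowercase hex, no 0x prefix.
# Prefers the kernel sysfs export (Linux 5.12+); falls back to tpm2_pcrread
# from tpm2-tools, whose output looks like "    7 : 0x8F...".
current_pcr() {
    f="/sys/class/tpm/tpm0/pcr-sha256/$PCR_INDEX"
    if [ -r "$f" ]; then
        tr 'A-Z' 'a-z' < "$f"
    else
        tpm2_pcrread "sha256:$PCR_INDEX" \
            | awk -v i="$PCR_INDEX" '$1 == i && $2 == ":" { sub(/^0x/, "", $3); print tolower($3) }'
    fi
}

# pcr_changed RECORDED CURRENT: exit 0 if the digests differ (case-insensitive),
# 1 if they are the same. Pure string comparison, so it is testable offline.
pcr_changed() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$a" != "$b" ]
}

# reenroll_needed STATE_FILE CURRENT: exit 0 if the TPM2 slot must be redone.
# A missing state file means we have never recorded a value, so re-enroll.
reenroll_needed() {
    [ -r "$1" ] || return 0
    pcr_changed "$(cat "$1")" "$2"
}

# Wipe the stale TPM2 keyslot and bind a new one to the PCR 7 value of the
# firmware/shim that is running right now. systemd-cryptenroll unlocks the
# volume with the passphrase from the PASSWORD environment variable if set
# (assumed here), otherwise it prompts on the terminal. --wipe-slot is applied
# after the new slot is added, so the two can be combined in one call.
reenroll() {
    systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto \
        --tpm2-pcrs="$PCR_INDEX" "$LUKS_DEV"
    mkdir -p "$(dirname "$STATE_FILE")"
    current_pcr > "$STATE_FILE"
}

main() {
    now=$(current_pcr)
    if reenroll_needed "$STATE_FILE" "$now"; then
        echo "PCR $PCR_INDEX changed (now $now); re-enrolling TPM2 slot on $LUKS_DEV" >&2
        reenroll
    else
        echo "PCR $PCR_INDEX unchanged; nothing to do" >&2
    fi
}

# Only touch the TPM and the LUKS header when run as the named script,
# not when the functions are sourced into another shell.
case "${0##*/}" in
    pcr7-reenroll.sh) main ;;
esac
```

Run it as root as `PASSWORD='...' ./pcr7-reenroll.sh` once the machine has been unlocked by hand on the new shim; the next automatic TPM unlock then works until the next PCR 7 change (another shim, Secure Boot database update or firmware change), at which point the same procedure repeats. Everything up to `reenroll` is a plain comparison, so it is safe to dry-run; only `reenroll` rewrites the LUKS header.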