Hi Lennart, Andrei, Adrian
Understood, and thank you very much :-) Then 7+11+14 it is.
Regards!
---
Felix Rubio
"Don't believe what you're told. Double check."
On 2023-06-19 17:21, Lennart Poettering wrote:
On So, 18.06.23 20:56, Felix Rubio ([email protected]) wrote:
> Hi everybody,
>
> After some days offline, today I have gone through the emails exchanged a
> couple of weeks ago and agreed: UKI is the way to go. Last time I checked
> about it I read about possible problems related to when some modul
(whoops, accidentally sent this only to Felix. Resending to the mailing list
too)
I wouldn't bind anything to PCR4, because it'll wipe out your decryption
key on any update of any component in the boot chain. In other words: PCR4
is not rollback prevention, it's also roll forward prevention as well
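Lennart's point that PCR4 changes on any update of the boot chain, while PCR7 reflects the Secure Boot policy and the signing certificate rather than the image contents, as an added simulation (example code written here, not from the thread or from systemd; the image bytes and the simplified measurement model for PCR4 and PCR7 are constructed assumptions):

```python
import hashlib

# Constructed stand-ins for the EFI binaries and Secure Boot state in the
# shim -> systemd-boot -> UKI chain discussed above (not real images).
SHIM = b"shim (constructed sample)"
SD_BOOT = b"systemd-boot (constructed sample)"
UKI_OLD = b"UKI kernel build 1 (constructed sample)"
UKI_NEW = b"UKI kernel build 2 (constructed sample)"  # a routine kernel update
OWNER_CERT = b"owner certificate enrolled in db (constructed sample)"
SB_POLICY = [b"SecureBoot=1", b"PK", b"KEK", b"db", b"dbx"]

def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM2 extend: PCR' = SHA-256(PCR || SHA-256(data)); a PCR is only ever extended, never set."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def pcr4(boot_chain: list[bytes]) -> bytes:
    """PCR4 (simplified): firmware measures the contents of every EFI application it runs."""
    pcr = bytes(32)
    for image in boot_chain:
        pcr = pcr_extend(pcr, image)
    return pcr

def pcr7(policy: list[bytes], authorities: list[bytes]) -> bytes:
    """PCR7 (simplified): the Secure Boot variables plus the db certificate that
    authorised each image; the image contents themselves are not measured here."""
    pcr = bytes(32)
    for item in policy + authorities:
        pcr = pcr_extend(pcr, item)
    return pcr

def unlocks(sealed_to: dict, current: dict) -> bool:
    """A key sealed to a PCR policy is released only if every bound PCR matches."""
    return all(current[i] == v for i, v in sealed_to.items())

def demo() -> tuple[bool, bool]:
    chain_old = [SHIM, SD_BOOT, UKI_OLD]
    chain_new = [SHIM, SD_BOOT, UKI_NEW]  # same signer, newer kernel
    auth = [OWNER_CERT] * 3               # each image verified against the same db cert
    before = {4: pcr4(chain_old), 7: pcr7(SB_POLICY, auth)}
    after = {4: pcr4(chain_new), 7: pcr7(SB_POLICY, auth)}
    # A policy bound to PCR7 alone survives the update; one that includes PCR4 does not,
    # so the LUKS key sealed to PCR4 would need re-enrolling after every boot-chain change.
    return unlocks({7: before[7]}, after), unlocks({4: before[4], 7: before[7]}, after)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

Which PCRs a LUKS key is actually sealed to is selected at enrolment time with systemd-cryptenroll's --tpm2-pcrs= option (e.g. 7+11+14 as agreed above).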
On 19.06.2023 17:12, Felix Rubio wrote:
> Hi Andrei,
> In that case, could happen that a malicious actor that has had in the
> past access to the systemd-boot, shim, and the UKI, comes back with
> those 3 on a USB stick and boots the machine? Then it would indeed make
> sense to bind the LUKS key to PCR 4, this making it 4+7+14, so that the
The malicious actor does not need USB. If malicious actor
On 19.06.2023 10:19, Felix Rubio wrote:
> "Signed by whom?" - Signed by an actor trusted by Secure Boot, either at
> the platform level, or by any of the Shim contributors (I have not
> checked yet if it comes with a list of certificates, or only contains
> the one I enrolled)
> "What is \"your certificate\"?" - The one I generated and enroll