I do not see what should be provided in tpm2-public-key-pcrs. The same values I am currently giving to
--tpm2-pcrs? The signatures that I get from the .pcrsig for 11 + the
calculated signatures for the current values of the PCRs 7 and 14?
Thank you very much for your time,
--
Felix Rubio
gned policy that gets calculated
out of that register is fulfilled. Should that be the case, this
additional control will not harm, but I guess it is a bit redundant for my
use case?
Thank you very much for your time,
--
Felix Rubio
"Don't believe what you're told. Double check."
Hi everybody,
I am kind of lost, and after some hours giving a look at the issue...
maybe somebody can give me a hand? I am working on the PR
https://github.com/systemd/systemd/pull/28339, to provide a way to
specify literals for the PCRs. As part of this PR I am creating a
hashmap of hashmap
Nope: AMD Ryzen 7 6800H,
But thank you for the suggestion!
Felix
On 2023-07-07 09:07, Christian Hesse wrote:
Felix Rubio on Thu, 2023/07/06 18:07:
Using arch linux, I have had my kernel upgraded from 6.3.9 to 6.4.1.
After regenerating the UKI, that works, I get just a black screen when
systemd-cryptsetup should be either using the TPM to unlock the drive or
asking me for the rescue password.
Luckily I have an old UKI with 6.3.9 (also the cor
t with the actual values of PCRs 7, 14 and 11.
Do you guys think this approach is sound?
Thank you,
Felix
On 2023-07-05 14:26, Lennart Poettering wrote:
On Mi, 05.07.23 13:11, Felix Rubio ([email protected]) wrote:
For what is explained on the systemd-pcrphase.service(8) and comparing
it to what I
I understand that, but systemd-measure is only about PCR 11. Is there
any way to provide a list of PCRs, so that those can additionally be embedded
in the UKI?
Thank you,
Felix
On 2023-07-05 14:26, Lennart Poettering wrote:
On Mi, 05.07.23 13:11, Felix Rubio ([email protected]) wrote:
For what is
shim have not changed, or to have only PCR 11 so that I know that the
UKI has not changed although SB can potentially be even disabled
(please, correct me if wrong)?
Thank you!
Felix
On 2023-07-05 10:36, Lennart Poettering wrote:
On Mi, 05.07.23 08:30, Felix Rubio ([email protected]) wrote:
Hi everybody,
In my setup (sd-boot+UKI+LUKS) I am using PCRs 7+11+14 to unlock the
LUKS drive. Should I use only PCRs 7+14, everything works, but when I add
11 I need to provide the rescue password every single time I boot.
I have extracted the values of those PCRs using tpm2_pcrread in two
c
Hi everybody,
systemd-cryptenroll can seal/unseal the LUKS key in the TPM predicted to
the state of some registers, e.g.:
systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7+11+14
The problem is that this requires, when there are kernel / bootloader /
... updates, to r
Hi Lennart, Andrei, Adrian,
Understood, and thank you very much :-) then 7+11+14 it is.
Regards!
---
Felix Rubio
"Don't believe what you're told. Double check."
On 2023-06-19 17:21, Lennart Poettering wrote:
On So, 18.06.23 20:56, Felix Rubio ([email protected]) wrote:
use of outdated UKI is not possible.
Thank you!
Felix
On 2023-06-19 14:04, Andrei Borzenkov wrote:
On 19.06.2023 10:19, Felix Rubio wrote:
"Signed by whom?" - Signed by an actor trusted by Secure Boot, either at
the platform level, or by any of the Shim contributors (I have not
c
" - The one I generated and enrolled into MOK.
Regards!
Felix
On 2023-06-19 06:26, Andrei Borzenkov wrote:
On 18.06.2023 21:56, Felix Rubio wrote:
Hi everybody,
After some days offline, today I have gone through the emails exchanged
a couple of weeks ago and agreed: UKI is the way to go. Last time I
checked about it I read about possible problems related to when some
modules would be loaded and so, but I see that my knowledge was
outdat
partition, and to not get involved yet with UKI.
Now I am trying to work out a way to smooth the case when after a kernel
/ modules update the TPM state changes and will not unlock
automatically... but this for another day, I guess :-)
Thank you very much for your help!
--
Felix Rubio
"
-pcrs=0+1+7+9
Then, by using PCR9 the initrd would be checked before allowing the boot
sequence to continue. By doing this, then, I do not have to switch to
UKI until I have learned more about it.
Do you guys think this reasoning is flawed?
Thank you,
---
Felix Rubio
"Don't believe w
fi so that it gets picked up by shim
3. Generate the UKI to /boot/
I will give it a try... and see how it goes.
Regards!
--
Felix Rubio
"Don't believe what you're told. Double check."
On 2023-05-25 10:26, Lennart Poettering wrote:
On Mi, 24.05.23 19:01, Felix Rubio (fe...@kngnt
initramfs on a PE envelope, as you suggested,
will its signature then be validated automatically? When it gets loaded?
Because, if so... this would work well enough for this use case.
Thank you
---
Felix Rubio
"Don't believe what you're told. Double check."
On 2023-05-24 18:11,
What are your thoughts?
Regards,
--
Felix Rubio
"Don't believe what you're told. Double check."
On 2023-05-24 14:35, Lennart Poettering wrote:
On Mi, 24.05.23 12:22, Felix Rubio ([email protected]) wrote:
I agree that having a measured boot, that decrypts the system is
-boot, or is this something that is
considered to be just out of scope?
Thank you
---
Felix Rubio
"Don't believe what you're told. Double check."
On 2023-05-23 21:32, Andrei Borzenkov wrote:
On 23.05.2023 21:54, Felix Rubio wrote:
Hi everybody,
I am trying to understand the use of UKI...
but this comes with its own problems about out-of-tree kernel modules
and so.
So, the question is: why does the kernel image get verified but not the
initramfs? Is this mandated by some standard, or is it an engineering
decision?
Thank you very much!
--
Felix Rubio
"Don
Thank you Lennart. When I separated the /boot from /boot/efi I
formatted /boot partition with ext2. After reading your answer I
reformatted it to FAT and... all works.
Regards!
---
Felix Rubio
"Don't believe what you're told. Double check."
On 2023-05-23 10:51, Lenn
?
Regards,
--
Felix Rubio
"Don't believe what you're told. Double check."