On Tue, Jun 6, 2023 at 8:20 AM Mantas Mikulėnas wrote:
>
> On Mon, Jun 5, 2023 at 11:38 PM Adrian Vovk wrote:
>>
>>
>> 2. The alternative approach involves pre-calculating PCR[7] on the
>> client if we're updating DBX or Shim. Here's how I envision this
>> going:
>> - We read the TPM log (which
On Mon, Jun 5, 2023 at 11:38 PM Adrian Vovk wrote:
>
> 2. The alternative approach involves pre-calculating PCR[7] on the
> client if we're updating DBX or Shim. Here's how I envision this
> going:
> - We read the TPM log (which we can trust because we're currently
> booted to system verified
Hello all,
I'm working on a general-purpose distro modeled after the proposal
made in "Fitting Everything Together". I'm planning to, by default,
seal the data partition's encryption with the following PCRs:
- PCR[7]: If secure boot gets turned off, or keys get replaced -> fail
decryption
-
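The PCR[7] pre-calculation discussed in this thread, sketched as an added example that is not part of any message above and not code from the thread's participants: it replays the PCR[7] entries of an event log and substitutes the dbx measurement to predict the post-update value. It assumes the SHA-256 bank, a log already parsed into `(pcr, label, digest)` tuples (a hypothetical shape), and that the dbx event digest is taken over the TCG `UEFI_VARIABLE_DATA` structure; the log contents are constructed sample data.

```python
import hashlib
import struct
import uuid

# GUID of the UEFI image security database (db/dbx variables).
IMAGE_SECURITY_DB = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

def variable_digest(guid, name, data):
    """SHA-256 over UEFI_VARIABLE_DATA: GUID, name length, data length, UTF-16 name, data."""
    blob = guid.bytes_le + struct.pack("<QQ", len(name), len(data))
    blob += name.encode("utf-16-le") + data
    return hashlib.sha256(blob).digest()

def replay(events, pcr_index=7):
    """Fold event digests into a PCR: new = SHA256(old || digest), starting from zeros."""
    pcr = bytes(32)
    for index, _label, digest in events:
        if index == pcr_index:
            pcr = hashlib.sha256(pcr + digest).digest()
    return pcr

def predict_after_dbx_update(events, new_dbx):
    """Return PCR[7] as it would be on the next boot with new_dbx installed."""
    new_digest = variable_digest(IMAGE_SECURITY_DB, "dbx", new_dbx)
    swapped = [(i, label, new_digest if (i == 7 and label == "dbx") else d)
               for i, label, d in events]
    return replay(swapped)

# Constructed sample log (not real firmware data): (pcr index, label, digest).
OLD_DBX = b"constructed-old-dbx"
NEW_DBX = b"constructed-new-dbx"
SAMPLE_LOG = [
    (7, "SecureBoot", hashlib.sha256(b"constructed-SecureBoot").digest()),
    (7, "db", hashlib.sha256(b"constructed-db").digest()),
    (7, "dbx", variable_digest(IMAGE_SECURITY_DB, "dbx", OLD_DBX)),
    (4, "bootloader", hashlib.sha256(b"constructed-pcr4-event").digest()),
    (7, "separator", hashlib.sha256(bytes(4)).digest()),
    (7, "shim-authority", hashlib.sha256(b"constructed-authority").digest()),
]

if __name__ == "__main__":
    print("current  PCR[7]:", replay(SAMPLE_LOG).hex())
    print("expected PCR[7]:", predict_after_dbx_update(SAMPLE_LOG, NEW_DBX).hex())
```

Before sealing against a predicted value, check that `replay()` over the unmodified log equals the PCR[7] value the TPM currently reports; a mismatch means the log cannot be used as the basis for the prediction.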