/24351/files#r961978027
[2]
https://fedoramagazine.org/use-systemd-cryptenroll-with-fido-u2f-or-tpm2-to-decrypt-your-disk/
On Sat, Sep 2, 2023 at 10:18 PM Aleksandar Kostadinov
wrote:
>
> Hello,
>
> Trying to configure Signed PCR binding on Fedora 38 by following
> article [
Hello,
Trying to configure Signed PCR binding on Fedora 38 by following
article [1] and adapting commands for signing.
What I did was basically this:
> openssl genrsa -out /etc/systemd/tpm2-pcr-private-key.pem 2048
> openssl rsa -in /etc/systemd/tpm2-pcr-private-key.pem -pubout -out
>
8.
On Tue, Sep 5, 2023 at 1:20 PM Lennart Poettering
wrote:
>
> On Sa, 02.09.23 22:22, Aleksandar Kostadinov (akost...@redhat.com) wrote:
>
> > Looking at the PR [1] it looks like I need to do a lot of things at
> > each update manually. Is the thing in the comment the onl
On Mon, Sep 11, 2023 at 2:57 PM Lennart Poettering
wrote:
>
> On Mo, 11.09.23 14:48, Aleksandar Kostadinov (akost...@redhat.com) wrote:
>
> > Hi again. I tried to boot from UKI to no avail.
> >
> > First created a "db" certificate
> > > openssl req -n
Will appreciate any pointers about debugging and fixing this!
On Tue, Sep 12, 2023 at 2:55 AM Aleksandar Kostadinov
wrote:
>
> On Mon, Sep 11, 2023 at 2:57 PM Lennart Poettering
> wrote:
> >
> > On Mo, 11.09.23 14:48, Aleksandar Kostadinov (akost...@redhat.com) wrote:
Just FYI, in some situations it might be a security issue to allow
booting without decrypting the root volume (I know you're not doing it for
root). Just want to point out that it shouldn't be a default feature
to skip decrypting.
An example scenario where we shouldn't allow that would be where root
he issue causing "Couldn't find signature for
this PCR bank, PCR index and public key." ?
On Sun, Oct 8, 2023 at 3:20 PM Aleksandar Kostadinov
wrote:
>
> Also forgot to mention how I have setup the RSA keys:
>
> > openssl genrsa -out /etc/systemd/tpm2-pcr-private-key.
"" > /etc/dracut.conf.d/tpm2.conf
The secure boot key I assume is alright because I have secure boot
enabled and it boots the kernel.
On Sun, Oct 8, 2023 at 3:08 PM Aleksandar Kostadinov
wrote:
>
> I've progressed past this point by upgrading to Fedora 39 Beta which
> apparen
, "pol":
> "76e24d931952b45046e001cac3ed6a6f9b76162fb3eb2366f704a6c360e720b1", "sig":
> "t17dochSzptJyvNkrldHKSKF1WnVW6EncKNtvNftp7+VHJEb3/GL58/M67eRI7lDSxcTzKXEFCqgDUOJIBBod9hhY9i0QPirr7GOWOcV+3FsjFtT+q+SJ0QNBdYXCYvy5GwsrBe1RXRlw4JxfyNLXlaD4xVVsbEFd079yVK9HVd7LxIs8hVwDRTBMPnWgiglzinkYr6GxN7q0ipQAtVANyWOIWVMWAuYQ7fvZXqO4XEq1
Hello,
This is more of a user question but I didn't find any other suitable forum
to ask.
I want to install a server that should have an encrypted root but be able
to reboot unattended.
systemd-cryptenroll with TPM2 looks like a viable option. I'm concerned
about which PCRs to pin so that an
it manages to boot (without
> causing the initramfs to fail earlier). Systemd already has some tools for
> this; see "systemd-pcrphase".
>
> On Mon, Aug 21, 2023, 17:40 Aleksandar Kostadinov
> wrote:
>
>> Hello,
>>
>> This is more of a user question but
On Wed, Aug 23, 2023 at 10:49 AM Andrei Borzenkov wrote:
<...>
> > > Sure, if you allow unencrypted systems to boot in your OS then all
> > > bets are off. You shouldn't do that of course.
> > >
> > > (in my model of mind, where automatic GPT image dissection is used the
> > > image dissection
On Tue, Aug 22, 2023 at 4:16 PM Lennart Poettering
wrote:
>
> On Mo, 21.08.23 17:40, Aleksandar Kostadinov (akost...@redhat.com) wrote:
>
> > Hello,
> >
> > This is more of a user question but I didn't find any other suitable forum
> > to ask.
> >
> >
On Tue, Aug 22, 2023 at 8:10 PM Lennart Poettering
wrote:
> On Di, 22.08.23 19:16, Aleksandar Kostadinov (akost...@redhat.com) wrote:
<...>
> > If attacker replaces volume with unencrypted one, and it boots without
> > messing up the sealing PCRs, then probably attac
Thanks a lot for the answers. Because without them I have no clue how
to progress. I'd highly appreciate your further guidance!
On Fri, Nov 17, 2023 at 7:13 PM Dan Streetman wrote:
> <...>
> If you don't specify --tpm2-pcrs= at all, it will bind to PCR 7, even
> if you bind to a signature as
operation.
$ sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-pcrs=""
--tpm2-device=auto --tpm2-public-key-pcrs=11 /dev/sda3
Please enter current passphrase for disk /dev/sda3: ***
This PCR set is already enrolled, executing no operation.
On Sat, Feb 10, 2024 at 10:23 PM Aleksand
How do you create the UKI?
What I do is adding `--cmdline=@/etc/kernel/cmdline` to the ukify command line.
On Tue, Nov 28, 2023 at 11:30 AM VENKAT Nagaraj THOGARU (QUIC)
wrote:
>
> Hi @systemd-devel@lists.freedesktop.org,
>
>
>
> We have a query on Fixup-support for kernel command line provided
On Mon, Dec 4, 2023 at 7:24 AM VENKAT Nagaraj THOGARU (QUIC)
wrote:
...
> We have an application in Linux which need this information.
While not a direct answer to your question, why not have the
application read this data like `dmidecode` can do?
On Sun, Nov 12, 2023 at 12:09 AM Aleksandar Kostadinov
wrote:
>
> On Thu, Oct 12, 2023 at 1:14 AM Dan Streetman wrote:
> > On Sun, Oct 8, 2023 at 8:09 AM Aleksandar Kostadinov
> > wrote:
> > ...
> > > Here's what I did:
> > > > sudo systemd-cr
On Thu, Oct 12, 2023 at 1:14 AM Dan Streetman wrote:
> On Sun, Oct 8, 2023 at 8:09 AM Aleksandar Kostadinov
> wrote:
> ...
> > Here's what I did:
> > > sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto
> > > --tpm2-public-key-pcrs=11 /dev/sda3
>
Hello,
I want to enable systemd-resolved in early boot so that `clevis` can
resolve `tang` address by mdns. This will simplify local network
configuration by not relying on static IP addresses.
But it seems that is not enabled by default.
Is there a way to tell dracut to also include and start
Borzenkov wrote:
>
> On Thu, Mar 21, 2024 at 4:44 PM Cristian Rodríguez
> wrote:
> >
> > On Tue, Mar 19, 2024 at 7:44 AM Aleksandar Kostadinov
> > wrote:
> > >
> > > Hello,
> > >
> > > I want to enable systemd-resolved in early boot so t
Shouldn't the kernel automatically load the necessary modules when
devices are detected... given proper udev rules and module
availability in the initrd filesystem? I guess it depends on how you
build your initrd system for including them.
On Wed, Apr 10, 2024 at 10:24 AM Mikko Rapeli wrote:
>
>