Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-09-02 Thread Aleksandar Kostadinov
/24351/files#r961978027 [2] https://fedoramagazine.org/use-systemd-cryptenroll-with-fido-u2f-or-tpm2-to-decrypt-your-disk/ On Sat, Sep 2, 2023 at 10:18 PM Aleksandar Kostadinov wrote: > > Hello, > > Trying to configure Signed PCR binding on Fedora 38 by following > article [

[systemd-devel] Fedora 38 and signed PCR binding

2023-09-02 Thread Aleksandar Kostadinov
Hello, Trying to configure Signed PCR binding on Fedora 38 by following article [1] and adapting commands for signing. What I did was basically this: > openssl genrsa -out /etc/systemd/tpm2-pcr-private-key.pem 2048 > openssl rsa -in /etc/systemd/tpm2-pcr-private-key.pem -pubout -out >

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-09-11 Thread Aleksandar Kostadinov
8. On Tue, Sep 5, 2023 at 1:20 PM Lennart Poettering wrote: > > On Sa, 02.09.23 22:22, Aleksandar Kostadinov (akost...@redhat.com) wrote: > > > Looking at the PR [1] it looks like I need to do a lot of things at > > each update manually. Is the thing in the comment the onl

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-09-11 Thread Aleksandar Kostadinov
On Mon, Sep 11, 2023 at 2:57 PM Lennart Poettering wrote: > > On Mo, 11.09.23 14:48, Aleksandar Kostadinov (akost...@redhat.com) wrote: > > > Hi again. I tried to boot from UKI to no avail. > > > > First created a "db" certificate > > > openssl req -n

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-09-15 Thread Aleksandar Kostadinov
Will appreciate any pointers about debugging and fixing this! On Tue, Sep 12, 2023 at 2:55 AM Aleksandar Kostadinov wrote: > > On Mon, Sep 11, 2023 at 2:57 PM Lennart Poettering > wrote: > > > > On Mo, 11.09.23 14:48, Aleksandar Kostadinov (akost...@redhat.com) wrote:

Re: [systemd-devel] How to make an encrypted disk mentioned in /etc/crypttab "optional"?

2023-10-11 Thread Aleksandar Kostadinov
Just FYI, in some situations it might be a security issue to allow booting without decrypting root volume (I know you're not doing it for root). Just want to point out that it shouldn't be a default feature to skip decrypting. An example scenario where we shouldn't allow that would be where root

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-10-09 Thread Aleksandar Kostadinov
he issue causing "Couldn't find signature for this PCR bank, PCR index and public key." ? On Sun, Oct 8, 2023 at 3:20 PM Aleksandar Kostadinov wrote: > > Also forgot to mention how I have setup the RSA keys: > > > openssl genrsa -out /etc/systemd/tpm2-pcr-private-key.

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-10-08 Thread Aleksandar Kostadinov
"" > /etc/dracut.conf.d/tpm2.conf The secure boot key I assume is alright because I have secure boot enabled and it boots the kernel. On Sun, Oct 8, 2023 at 3:08 PM Aleksandar Kostadinov wrote: > > I've progressed past this point by upgrading to Fedora 39 Beta which > apparen

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-10-08 Thread Aleksandar Kostadinov
, "pol": > "76e24d931952b45046e001cac3ed6a6f9b76162fb3eb2366f704a6c360e720b1", "sig": > "t17dochSzptJyvNkrldHKSKF1WnVW6EncKNtvNftp7+VHJEb3/GL58/M67eRI7lDSxcTzKXEFCqgDUOJIBBod9hhY9i0QPirr7GOWOcV+3FsjFtT+q+SJ0QNBdYXCYvy5GwsrBe1RXRlw4JxfyNLXlaD4xVVsbEFd079yVK9HVd7LxIs8hVwDRTBMPnWgiglzinkYr6GxN7q0ipQAtVANyWOIWVMWAuYQ7fvZXqO4XEq1

[systemd-devel] systemd-cryptenroll with TPM2

2023-08-21 Thread Aleksandar Kostadinov
Hello, This is more of a user question but I didn't find any other suitable forum to ask. I want to install a server that should have an encrypted root but be able to reboot unattended. systemd-cryptenroll with TPM2 looks like a viable option. I'm concerned about which PCRs to pin so that an

Re: [systemd-devel] systemd-cryptenroll with TPM2

2023-08-21 Thread Aleksandar Kostadinov
it manages to boot (without > causing the initramfs to fail earlier). Systemd already has some tools for > this; see "systemd-pcrphase". > > On Mon, Aug 21, 2023, 17:40 Aleksandar Kostadinov > wrote: > >> Hello, >> >> This is more of a user question but

Re: [systemd-devel] systemd-cryptenroll with TPM2

2023-08-23 Thread Aleksandar Kostadinov
On Wed, Aug 23, 2023 at 10:49 AM Andrei Borzenkov wrote: <...> > > > Sure, if you allow unencrypted systems to boot in your OS then all > > > bets are off. You shouldn't do that of course. > > > > > > (in my model of mind, where automatic GPT image dissection is used the > > > image dissection

Re: [systemd-devel] systemd-cryptenroll with TPM2

2023-08-22 Thread Aleksandar Kostadinov
On Tue, Aug 22, 2023 at 4:16 PM Lennart Poettering wrote: > > On Mo, 21.08.23 17:40, Aleksandar Kostadinov (akost...@redhat.com) wrote: > > > Hello, > > > > This is more of a user question but I didn't find any other suitable forum > > to ask. > > > >

Re: [systemd-devel] systemd-cryptenroll with TPM2

2023-08-22 Thread Aleksandar Kostadinov
On Tue, Aug 22, 2023 at 8:10 PM Lennart Poettering wrote: > On Di, 22.08.23 19:16, Aleksandar Kostadinov (akost...@redhat.com) wrote: <...> > > If attacker replaces volume with unencrypted one, and it boots without > > messing up the sealing PCRs, then probably attac

Re: [systemd-devel] Fedora 38 and signed PCR binding

2024-02-10 Thread Aleksandar Kostadinov
Thanks a lot for the answers. Because without them I have no clue how to progress. I'd highly appreciate your further guidance! On Fri, Nov 17, 2023 at 7:13 PM Dan Streetman wrote: > <...> > If you don't specify --tpm2-pcrs= at all, it will bind to PCR 7, even > if you bind to a signature as

Re: [systemd-devel] Fedora 38 and signed PCR binding

2024-02-10 Thread Aleksandar Kostadinov
operation. $ sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-pcrs="" --tpm2-device=auto --tpm2-public-key-pcrs=11 /dev/sda3  Please enter current passphrase for disk /dev/sda3: *** This PCR set is already enrolled, executing no operation. On Sat, Feb 10, 2024 at 10:23 PM Aleksand

Re: [systemd-devel] Fixup-support for kernel command line provided from UKI in systemd-stub

2023-11-28 Thread Aleksandar Kostadinov
How do you create the UKI? What I do is add `--cmdline=@/etc/kernel/cmdline` to the ukify command line. On Tue, Nov 28, 2023 at 11:30 AM VENKAT Nagaraj THOGARU (QUIC) wrote: > > Hi @systemd-devel@lists.freedesktop.org, > > > > We have a query on Fixup-support for kernel command line provided

Re: [systemd-devel] Fixup-support for kernel command line provided from UKI in systemd-stub

2023-12-04 Thread Aleksandar Kostadinov
On Mon, Dec 4, 2023 at 7:24 AM VENKAT Nagaraj THOGARU (QUIC) wrote: ... > We have an application in Linux which needs this information. While not a direct answer to your question, why not have the application read this data like `dmidecode` can do?

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-11-11 Thread Aleksandar Kostadinov
On Sun, Nov 12, 2023 at 12:09 AM Aleksandar Kostadinov wrote: > > On Thu, Oct 12, 2023 at 1:14 AM Dan Streetman wrote: > > On Sun, Oct 8, 2023 at 8:09 AM Aleksandar Kostadinov > > wrote: > > ... > > > Here's what I did: > > > > sudo systemd-cr

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-11-11 Thread Aleksandar Kostadinov
On Thu, Oct 12, 2023 at 1:14 AM Dan Streetman wrote: > On Sun, Oct 8, 2023 at 8:09 AM Aleksandar Kostadinov > wrote: > ... > > Here's what I did: > > > sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto > > > --tpm2-public-key-pcrs=11 /dev/sda3 >

[systemd-devel] enable systemd-resolved in early boot (dracut)

2024-03-19 Thread Aleksandar Kostadinov
Hello, I want to enable systemd-resolved in early boot so that `clevis` can resolve `tang` address by mdns. This will simplify local network configuration by not relying on static IP addresses. But it seems that is not enabled by default. Is there a way to tell dracut to also include and start

Re: [systemd-devel] enable systemd-resolved in early boot (dracut)

2024-03-30 Thread Aleksandar Kostadinov
Borzenkov wrote: > > On Thu, Mar 21, 2024 at 4:44 PM Cristian Rodríguez > wrote: > > > > On Tue, Mar 19, 2024 at 7:44 AM Aleksandar Kostadinov > > wrote: > > > > > > Hello, > > > > > > I want to enable systemd-resolved in early boot so t

Re: [systemd-devel] Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)

2024-04-12 Thread Aleksandar Kostadinov
Shouldn't the kernel automatically load the necessary modules when devices are detected... given proper udev rules and module availability in the initrd filesystem? I guess it depends on how you build your initrd system for including them. On Wed, Apr 10, 2024 at 10:24 AM Mikko Rapeli wrote: > >