What prevents unauthorized changes to the NV index used by systemd-pcrlock? Is the secret key itself stored in the NV index, with the policy deciding who can read the key? Or does the policy on the NV index require that the policy established by systemd-pcrlock is itself satisfied before the NV index can be changed? In the latter case, does this mean that the index can be "leaked" in certain error conditions? -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab
signature.asc
Description: PGP signature
