... but then I do not see what should be provided in
tpm2-public-key-pcrs. The same values I am currently giving to
--tpm2-pcrs? The signatures that I get from the .pcrsig for 11 + the
calculated signatures for the current values of the PCRs 7 and 14?
Thank you very much for your time,
--
Felix Rubio
signed policy that gets calculated
out of that register is fulfilled. Should that be the case, this
additional control will not harm, but I guess it is a bit redundant for my
use case?
Thank you very much for your time,
--
Felix Rubio
"Don't believe what you're told. Double check."
Hi everybody,
I am kind of lost, and after some hours giving a look at the issue...
maybe somebody can give me a hand? I am working on the PR
https://github.com/systemd/systemd/pull/28339, to provide a way to
specify literals for the PCRs. As part of this PR I am creating a
hashmap of
Nope: AMD Ryzen 7 6800H,
But thank you for the suggestion!
Felix
On 2023-07-07 09:07, Christian Hesse wrote:
Felix Rubio on Thu, 2023/07/06 18:07:
Using arch linux, I have had my kernel upgraded from 6.3.9 to 6.4.1.
After regenerating the UKI, that works, I get just a black screen when
Using arch linux, I have had my kernel upgraded from 6.3.9 to 6.4.1.
After regenerating the UKI, that works, I get just a black screen when
systemd-cryptsetup should be either using the TPM to unlock the drive or
to ask me the rescue password.
Luckily I have an old UKI with 6.3.9 (also the
extending it with the actual values of PCRs 7, 14 and 11.
Do you guys think this approach is sound?
Thank you,
Felix
On 2023-07-05 14:26, Lennart Poettering wrote:
On Wed, 05.07.23 13:11, Felix Rubio (fe...@kngnt.org) wrote:
For what is explained on the systemd-pcrphase.service(8) and
comparing it to
I understand that, but systemd-measure is only about PCR 11. Is there
any way to provide a list of PCRs, so that they can additionally be embedded
in the UKI?
Thank you,
Felix
On 2023-07-05 14:26, Lennart Poettering wrote:
On Wed, 05.07.23 13:11, Felix Rubio (fe...@kngnt.org) wrote:
For what
shim have not changed, or to have only PCR 11 so that I know that the
UKI has not changed although SB can potentially be even disabled
(please, correct me if wrong)?
Thank you!
Felix
On 2023-07-05 10:36, Lennart Poettering wrote:
On Wed, 05.07.23 08:30, Felix Rubio (fe...@kngnt.org) wrote:
Hi everybody,
In my setup (sd-boot+UKI+LUKS) I am using PCRs 7+11+14 to unlock the
LUKS drive. If I use only PCRs 7+14, everything works, but when I add
11 I need to provide the rescue password every single time I boot.
I have extracted the values of those PCRs using tpm2_pcrread in two
Hi everybody,
systemd-cryptenroll can seal/unseal the LUKS key in the TPM predicted to
the state of some registers, e.g.:
systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7+11+14
The problem is that this requires, when there are kernel / bootloader /
... updates, to
Hi Lennart, Andrei, Adrian
Understood, and thank you very much :-) then 7+11+14 it is.
Regards!
---
Felix Rubio
"Don't believe what you're told. Double check."
On 2023-06-19 17:21, Lennart Poettering wrote:
On Sun, 18.06.23 20:56, Felix Rubio (fe...@kngnt.org) wrote:
Hi everybo
that the
use of outdated UKI is not possible.
Thank you!
Felix
On 2023-06-19 14:04, Andrei Borzenkov wrote:
On 19.06.2023 10:19, Felix Rubio wrote:
"Signed by whom?" - Signed by an actor trusted by Secure Boot, either at
the platform level, or by any of the Shim contributors (I have not
c
;?" - The one I generated and enrolled into MOK.
Regards!
Felix
On 2023-06-19 06:26, Andrei Borzenkov wrote:
On 18.06.2023 21:56, Felix Rubio wrote:
Hi everybody,
After some days offline, today I have gone through the emails
exchanged
a couple of weeks ago and agreed: UKI is the way to go.
Hi everybody,
After some days offline, today I have gone through the emails exchanged
a couple of weeks ago and agreed: UKI is the way to go. Last time I
checked about it I read about possible problems related to when some
modules would be loaded and so, but I see that my knowledge was
partition, and to not get involved yet with UKI.
Now I am trying to work out a way to smooth the case when, after a kernel
/ modules update, the TPM state changes and will not unlock
automatically... but this is for another day, I guess :-)
Thank you very much for your help!
--
Felix Rubio
"
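The situation described in this message (the LUKS key is sealed to PCRs 7+11+14, a kernel update rebuilds the UKI, and the TPM no longer unseals) can be reproduced offline by replaying the PCR extend operation. The following is an added example, not code from the thread or from systemd: it implements the SHA-256 bank extend (new = SHA-256(old || digest)), predicts PCR 11 from a list of per-section digests plus the boot-phase string extended by systemd-pcrphase, and reports which PCRs of a sealed policy no longer match. The section order, the assumption that each section and each phase string is measured as a plain SHA-256 of its bytes, and the PCR 7 / PCR 14 values are stand-ins I constructed; sd-stub's real event format is not reproduced.

```python
import hashlib

SHA256_LEN = 32
PCR_INIT = bytes(SHA256_LEN)  # PCRs 0-16 of the SHA-256 bank start as all-zero bytes at boot


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend on a SHA-256 bank: PCR_new = SHA-256(PCR_old || digest)."""
    if len(pcr) != SHA256_LEN or len(digest) != SHA256_LEN:
        raise ValueError("SHA-256 bank values must be 32 bytes")
    return hashlib.sha256(pcr + digest).digest()


def replay(digests: list[bytes], start: bytes = PCR_INIT) -> bytes:
    """Replay an ordered list of measurement digests into a fresh PCR."""
    value = start
    for d in digests:
        value = pcr_extend(value, d)
    return value


# Hypothetical stand-in for the stub's PCR 11 measurements: one SHA-256 per UKI PE
# section, in this fixed order. sd-stub's real event format is not reproduced here.
UKI_SECTION_ORDER = (".linux", ".osrel", ".cmdline", ".initrd")


def uki_digests(sections: dict[str, bytes]) -> list[bytes]:
    missing = [name for name in UKI_SECTION_ORDER if name not in sections]
    if missing:
        raise ValueError(f"UKI is missing sections: {missing}")
    return [hashlib.sha256(sections[name]).digest() for name in UKI_SECTION_ORDER]


def phase_digests(phases: list[str]) -> list[bytes]:
    """Assumed encoding of boot phase strings: the SHA-256 of the ASCII string."""
    return [hashlib.sha256(p.encode("ascii")).digest() for p in phases]


def predict_pcr11(sections: dict[str, bytes], phases: list[str]) -> bytes:
    """Expected PCR 11 once the UKI sections and the given phases have been extended."""
    return replay(uki_digests(sections) + phase_digests(phases))


def mismatched_pcrs(sealed: dict[int, bytes], current: dict[int, bytes]) -> list[int]:
    """PCR indexes whose current value differs from the value the key was sealed to.
    A PCR policy only lets the TPM unseal when this list is empty."""
    return sorted(i for i, v in sealed.items() if current.get(i) != v)


# Constructed section contents; stand-ins for real kernel/initrd bytes.
OLD_UKI = {".linux": b"vmlinuz-6.3.9", ".osrel": b"ID=arch",
           ".cmdline": b"root=/dev/mapper/root rw", ".initrd": b"initramfs-6.3.9"}
NEW_UKI = dict(OLD_UKI, **{".linux": b"vmlinuz-6.4.1", ".initrd": b"initramfs-6.4.1"})
INITRD_PHASES = ["enter-initrd"]  # phase reached when systemd-cryptsetup runs in the initrd
# Constructed stand-ins for PCR 7 (Secure Boot state) and PCR 14 (MOK), which a kernel
# update does not touch.
PCR7 = hashlib.sha256(b"secure-boot-db-dbx-and-shim-state").digest()
PCR14 = hashlib.sha256(b"mok-list").digest()


def unlock_after_update() -> list[int]:
    """Seal to 7+11+14 on the old UKI, then boot the new one: only PCR 11 moves."""
    sealed = {7: PCR7, 11: predict_pcr11(OLD_UKI, INITRD_PHASES), 14: PCR14}
    current = {7: PCR7, 11: predict_pcr11(NEW_UKI, INITRD_PHASES), 14: PCR14}
    return mismatched_pcrs(sealed, current)


if __name__ == "__main__":
    print("PCRs that block the unseal after the update:", unlock_after_update())
```

Running it reports `[11]`: PCRs 7 and 14 still match, so a 7+14 policy unseals, while any policy that also names PCR 11 fails on the first boot of the new UKI. That is the reason to bind PCR 11 through a signing key (systemd-measure's .pcrsig, or a list of literal values) rather than to the single value present at enrollment time: the predicted value can be computed before the reboot with exactly this replay, because every input to it is known when the UKI is built.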
-pcrs=0+1+7+9
Then, by using PCR9 the initrd would be checked before allowing the boot
sequence to continue. By doing this, then, I do not have to switch to
UKI until I have learned more about it.
Do you guys think this reasoning is flawed?
Thank you,
---
Felix Rubio
"Don't believe what y
that it gets picked up by shim
3. Generate the UKI to /boot/
I will give it a try... and see how it goes.
Regards!
--
Felix Rubio
"Don't believe what you're told. Double check."
On 2023-05-25 10:26, Lennart Poettering wrote:
On Wed, 24.05.23 19:01, Felix Rubio (fe...@kngnt.org) wrote:
initramfs in a PE envelope, as you suggested,
would its signature then be validated automatically? When it gets loaded?
Because, if so... this would work enough for this use case.
Thank you
---
Felix Rubio
"Don't believe what you're told. Double check."
On 2023-05-24 18:11, Lenn
are your
thoughts?
Regards,
--
Felix Rubio
"Don't believe what you're told. Double check."
On 2023-05-24 14:35, Lennart Poettering wrote:
On Wed, 24.05.23 12:22, Felix Rubio (fe...@kngnt.org) wrote:
I agree that having a measured boot, that decrypts the system is a
bette
-boot, or this is something that is
considered to be just out of scope?
Thank you
---
Felix Rubio
"Don't believe what you're told. Double check."
On 2023-05-23 21:32, Andrei Borzenkov wrote:
On 23.05.2023 21:54, Felix Rubio wrote:
Hi everybody,
I am trying to understand something,
of UKI...
but this comes with its own problems about out-of-tree kernel modules
and so.
So, the question is: why does the kernel image get verified but not the
initramfs? Is this mandated by some standard, or is it an engineering
decision?
Thank you very much!
--
Felix Rubio
"Don't believe
Thank you Lennart. When I separated the /boot from /boot/efi I
formatted /boot partition with ext2. After reading your answer I
reformatted it to FAT and... all works.
Regards!
---
Felix Rubio
"Don't believe what you're told. Double check."
On 2023-05-23 10:51, Lennart Poette
?
Regards,
--
Felix Rubio
"Don't believe what you're told. Double check."