Re: [systemd-devel] Fedora 38 and signed PCR binding

2024-02-10 Thread Aleksandar Kostadinov
And one strange thing --tpm2-public-key-pcrs=11 doesn't seem to change how TPM is enrolled: $ sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs="" /dev/sda3 🔐 Please enter current passphrase for disk /dev/sda3: *** This PCR set is already enrolled, executing no operation. $

Re: [systemd-devel] Fedora 38 and signed PCR binding

2024-02-10 Thread Aleksandar Kostadinov
Thanks a lot for the answers. Because without them I have no clue how to progress. I'd highly appreciate your further guidance! On Fri, Nov 17, 2023 at 7:13 PM Dan Streetman wrote: > <...> > If you don't specify --tpm2-pcrs= at all, it will bind to PCR 7, even > if you bind to a signature as well
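The point quoted above (no --tpm2-pcrs= means the slot is still bound to PCR 7, and a signed PCR 11 policy is added on top rather than instead) is easiest to confirm by reading the systemd-tpm2 token that systemd-cryptenroll writes into the LUKS2 header. The script below is an added example, not code from this thread or from systemd: it parses the JSON that `cryptsetup luksDump --dump-json-metadata /dev/sda3` prints, reports whether each TPM2 slot is bound to hashed PCRs, to a signing public key, or to both (both constraints have to hold at unlock time), and flags the PCR 7 case. The token field names follow systemd's documented systemd-tpm2 token format; the header metadata embedded in the file is constructed sample data, not a dump of a real disk.

```python
"""Inspect systemd-tpm2 LUKS2 tokens: what is the TPM2 key slot actually bound to?

Added example (not from the systemd project). Usage:
    cryptsetup luksDump --dump-json-metadata /dev/sda3 | python3 tpm2_binding.py
Without stdin data it runs against the constructed SAMPLE_METADATA below.
"""
import json
import sys
from dataclasses import dataclass

# Constructed sample: the shape of a header after
#   systemd-cryptenroll --tpm2-device=auto --tpm2-public-key-pcrs=11 /dev/sda3
# run WITHOUT --tpm2-pcrs=, so the default PCR 7 binding sits next to the pubkey.
SAMPLE_METADATA = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {
        "0": {
            "type": "systemd-tpm2",
            "keyslots": ["1"],
            "tpm2-pcrs": [7],
            "tpm2-pcr-bank": "sha256",
            "tpm2-pubkey": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0=",  # placeholder, constructed
            "tpm2-pubkey-pcrs": [11],
            "tpm2-pin": False,
        }
    },
})


@dataclass
class Tpm2Binding:
    keyslots: tuple
    pcrs: tuple         # PCRs hashed directly into the sealing policy (PolicyPCR)
    pubkey_pcrs: tuple  # PCRs whose values are supplied via a signed policy (PolicyAuthorize)
    has_pubkey: bool
    pin: bool

    def mode(self) -> str:
        if self.has_pubkey and self.pcrs:
            return "signed+pcr"   # both constraints must be satisfied to unseal
        if self.has_pubkey:
            return "signed"
        if self.pcrs:
            return "pcr"
        return "none"


def parse_tpm2_tokens(metadata_json: str) -> list:
    """Return one Tpm2Binding per systemd-tpm2 token in the luksDump JSON."""
    data = json.loads(metadata_json)
    bindings = []
    for tok in data.get("tokens", {}).values():
        if tok.get("type") != "systemd-tpm2":
            continue
        bindings.append(Tpm2Binding(
            keyslots=tuple(tok.get("keyslots", [])),
            pcrs=tuple(sorted(int(p) for p in tok.get("tpm2-pcrs", []))),
            pubkey_pcrs=tuple(sorted(int(p) for p in tok.get("tpm2-pubkey-pcrs", []))),
            has_pubkey=bool(tok.get("tpm2-pubkey")),
            pin=bool(tok.get("tpm2-pin", False)),
        ))
    return bindings


def assess(b: Tpm2Binding) -> list:
    """Human-readable warnings about how brittle or how weak the binding is."""
    warnings = []
    if b.mode() == "signed+pcr":
        warnings.append(
            f"PCRs {list(b.pcrs)} are hashed into the policy in addition to the signed "
            f"PCRs {list(b.pubkey_pcrs)}; a valid signature alone will not unlock once "
            "those PCRs change (re-enroll with --tpm2-pcrs= set to an empty value to drop them)")
    if 7 in b.pcrs:
        warnings.append(
            "bound to PCR 7: Secure Boot state (PK/KEK/db/dbx, the db cert used to verify "
            "the boot chain) changes it, so enrolling a new db certificate breaks auto-unlock")
    if b.mode() == "none":
        warnings.append("no PCR or signature constraint on the sealed key"
                        + ("; only the PIN gates release" if b.pin else ""))
    if b.has_pubkey and not b.pubkey_pcrs:
        warnings.append("public key present but no tpm2-pubkey-pcrs recorded")
    return warnings


def report(metadata_json: str) -> str:
    lines = []
    for b in parse_tpm2_tokens(metadata_json):
        lines.append(f"keyslots {list(b.keyslots)}: mode={b.mode()} pcrs={list(b.pcrs)} "
                     f"pubkey_pcrs={list(b.pubkey_pcrs)} pin={b.pin}")
        lines.extend("  WARNING: " + w for w in assess(b))
    return "\n".join(lines) or "no systemd-tpm2 tokens found"


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    print(report(raw or SAMPLE_METADATA))
```

A slot that should unlock purely on the signed PCR 11 policy shows `mode=signed` with `pcrs=[]`; anything else means a firmware, Secure Boot or UKI change outside the signed set can still leave the machine at the passphrase prompt with no error on the console.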

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-11-17 Thread Dan Streetman
On Sat, Nov 11, 2023 at 5:10 PM Aleksandar Kostadinov wrote: > > On Thu, Oct 12, 2023 at 1:14 AM Dan Streetman wrote: > > On Sun, Oct 8, 2023 at 8:09 AM Aleksandar Kostadinov > > wrote: > > ... > > > Here's what I did: > > > > sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto > > >

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-11-11 Thread Aleksandar Kostadinov
On Sun, Nov 12, 2023 at 12:09 AM Aleksandar Kostadinov wrote: > > On Thu, Oct 12, 2023 at 1:14 AM Dan Streetman wrote: > > On Sun, Oct 8, 2023 at 8:09 AM Aleksandar Kostadinov > > wrote: > > ... > > > Here's what I did: > > > > sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto > > >

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-11-11 Thread Aleksandar Kostadinov
On Thu, Oct 12, 2023 at 1:14 AM Dan Streetman wrote: > On Sun, Oct 8, 2023 at 8:09 AM Aleksandar Kostadinov > wrote: > ... > > Here's what I did: > > > sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto > > > --tpm2-public-key-pcrs=11 /dev/sda3 > > This probably isn't what you want, b

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-10-11 Thread Dan Streetman
On Sun, Oct 8, 2023 at 8:09 AM Aleksandar Kostadinov wrote: > > I've progressed past this point by upgrading to Fedora 39 Beta which > apparently has a newer ukify version. The issue now though is that > automatic unlock does not work. I need to enter password manually and > I see no errors in con

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-10-09 Thread Aleksandar Kostadinov
Console didn't show anything but I found these lines in system log. > Oct 08 18:34:51 systemd-sysusers[228]: Creating group 'tss' with GID 59. > Oct 08 18:34:51 systemd-sysusers[228]: Creating user 'tss' (Account used for > TPM access) with UID 59 and GID 59. > Oct 08 18:34:51 systemd-tmpfiles[23

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-10-08 Thread Aleksandar Kostadinov
Also forgot to mention how I have set up the RSA keys: > openssl genrsa -out /etc/systemd/tpm2-pcr-private-key.pem 2048 > openssl rsa -in /etc/systemd/tpm2-pcr-private-key.pem -pubout -out > /etc/systemd/tpm2-pcr-public-key.pem and > echo "add_dracutmodules+=\" tpm2-tss \"" > /etc/dracut.conf.d/

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-10-08 Thread Aleksandar Kostadinov
I've progressed past this point by upgrading to Fedora 39 Beta which apparently has a newer ukify version. The issue now though is that automatic unlock does not work. I need to enter password manually and I see no errors in console output. Here's what I did: > sudo systemd-cryptenroll --wipe-slot

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-09-15 Thread Aleksandar Kostadinov
Will appreciate any pointers about debugging and fixing this! On Tue, Sep 12, 2023 at 2:55 AM Aleksandar Kostadinov wrote: > > On Mon, Sep 11, 2023 at 2:57 PM Lennart Poettering > wrote: > > > > On Mo, 11.09.23 14:48, Aleksandar Kostadinov (akost...@redhat.com) wrote: > > > > > Hi again. I tried

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-09-11 Thread Aleksandar Kostadinov
On Mon, Sep 11, 2023 at 2:57 PM Lennart Poettering wrote: > > On Mo, 11.09.23 14:48, Aleksandar Kostadinov (akost...@redhat.com) wrote: > > > Hi again. I tried to boot from UKI to no avail. > > > > First created a "db" certificate > > > openssl req -newkey rsa:2048 -nodes -keyout db_arch.key -new

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-09-11 Thread Lennart Poettering
On Mo, 11.09.23 14:48, Aleksandar Kostadinov (akost...@redhat.com) wrote: > Hi again. I tried to boot from UKI to no avail. > > First created a "db" certificate > > openssl req -newkey rsa:2048 -nodes -keyout db_arch.key -new -x509 -sha256 > > -days 3650 -subj "/CN=My DB cert/" -out db.pem > > op

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-09-11 Thread Aleksandar Kostadinov
Hi again. I tried to boot from UKI to no avail. First created a "db" certificate > openssl req -newkey rsa:2048 -nodes -keyout db_arch.key -new -x509 -sha256 > -days 3650 -subj "/CN=My DB cert/" -out db.pem > openssl x509 -outform DER -in db.pem -out db.crt Then uploaded it to secure boot trust

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-09-05 Thread Lennart Poettering
On Sa, 02.09.23 22:22, Aleksandar Kostadinov (akost...@redhat.com) wrote: > Looking at the PR [1] it looks like I need to do a lot of things at > each update manually. Is the thing in the comment the only thing I > need to do or are there other things as well? There's nowadays "ukify" that does a

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-09-05 Thread Lennart Poettering
On Sa, 02.09.23 22:18, Aleksandar Kostadinov (akost...@redhat.com) wrote: > Hello, > > Trying to configure Signed PCR binding on Fedora 38 by following > article [1] and adapting commands for signing. > > What I did was basically this: > > openssl genrsa -out /etc/systemd/tpm2-pcr-private-key.pem

Re: [systemd-devel] Fedora 38 and signed PCR binding

2023-09-02 Thread Aleksandar Kostadinov
Looking at the PR [1] it looks like I need to do a lot of things at each update manually. Is the thing in the comment the only thing I need to do or are there other things as well? Also forgot to post link to article in my last email, here it goes [2] [1] https://github.com/systemd/systemd/pull/2

[systemd-devel] Fedora 38 and signed PCR binding

2023-09-02 Thread Aleksandar Kostadinov
Hello, Trying to configure Signed PCR binding on Fedora 38 by following article [1] and adapting commands for signing. What I did was basically this: > openssl genrsa -out /etc/systemd/tpm2-pcr-private-key.pem 2048 > openssl rsa -in /etc/systemd/tpm2-pcr-private-key.pem -pubout -out > /etc/syste