Re: [systemd-devel] systemd-cryptenroll with TPM2

2023-08-23 Thread Andrei Borzenkov
On Wed, Aug 23, 2023 at 12:50 PM Aleksandar Kostadinov wrote:
>
> On Wed, Aug 23, 2023 at 10:49 AM Andrei Borzenkov wrote:
> <...>
> > > > Sure, if you allow unencrypted systems to boot in your OS then all
> > > > bets are off. You shouldn't do that of course.
> > > >
> > > > (in my model of mind

Re: [systemd-devel] systemd-cryptenroll with TPM2

2023-08-23 Thread Aleksandar Kostadinov
On Wed, Aug 23, 2023 at 10:49 AM Andrei Borzenkov wrote:
<...>
> > > Sure, if you allow unencrypted systems to boot in your OS then all
> > > bets are off. You shouldn't do that of course.
> > >
> > > (in my model of mind, where automatic GPT image dissection is used the
> > > image dissection pol

Re: [systemd-devel] systemd-cryptenroll with TPM2

2023-08-23 Thread Andrei Borzenkov
On Tue, Aug 22, 2023 at 10:45 PM Aleksandar Kostadinov wrote:
>
> On Tue, Aug 22, 2023 at 8:10 PM Lennart Poettering
> wrote:
> > On Di, 22.08.23 19:16, Aleksandar Kostadinov (akost...@redhat.com) wrote:
> <...>
> > > If attacker replaces volume with unencrypted one, and it boots without
> > > me

Re: [systemd-devel] systemd-cryptenroll with TPM2

2023-08-23 Thread Lennart Poettering
On Di, 22.08.23 22:35, Aleksandar Kostadinov (akost...@redhat.com) wrote:
> On Tue, Aug 22, 2023 at 8:10 PM Lennart Poettering
> wrote:
> > On Di, 22.08.23 19:16, Aleksandar Kostadinov (akost...@redhat.com) wrote:
> <...>
> > > If attacker replaces volume with unencrypted one, and it boots withou

Re: [systemd-devel] systemd-cryptenroll with TPM2

2023-08-22 Thread Aleksandar Kostadinov
On Tue, Aug 22, 2023 at 8:10 PM Lennart Poettering wrote:
> On Di, 22.08.23 19:16, Aleksandar Kostadinov (akost...@redhat.com) wrote:
<...>
> > If attacker replaces volume with unencrypted one, and it boots without
> > messing up the sealing PCRs, then probably attacker can query the TPM
> > and o

Re: [systemd-devel] systemd-cryptenroll with TPM2

2023-08-22 Thread Lennart Poettering
On Di, 22.08.23 19:16, Aleksandar Kostadinov (akost...@redhat.com) wrote:
> > > I'm concerned though about an attacker replacing the encrypted root volume
> > > with a non-encrypted one. Which may result in system booting an attacker
> > > controlled environment while PCRs may be in a state that a

Re: [systemd-devel] systemd-cryptenroll with TPM2

2023-08-22 Thread Aleksandar Kostadinov
On Tue, Aug 22, 2023 at 4:16 PM Lennart Poettering wrote:
>
> On Mo, 21.08.23 17:40, Aleksandar Kostadinov (akost...@redhat.com) wrote:
> > Hello,
> >
> > This is more of a user question but I didn't find any other suitable forum
> > to ask.
> >
> > I want to install a server that should have an

Re: [systemd-devel] systemd-cryptenroll with TPM2

2023-08-22 Thread Lennart Poettering
On Mo, 21.08.23 19:56, Aleksandar Kostadinov (akost...@redhat.com) wrote:
> Thanks, this is what I was also considering the feasibility of. And whether
> it made sense to begin with. Any idea how can this be done with systemd?
>
> In man I read:
>
> > Note that currently when enrolling a new

Re: [systemd-devel] systemd-cryptenroll with TPM2

2023-08-22 Thread Lennart Poettering
On Mo, 21.08.23 17:40, Aleksandar Kostadinov (akost...@redhat.com) wrote:
> Hello,
>
> This is more of a user question but I didn't find any other suitable forum
> to ask.
>
> I want to install a server that should have an encrypted root but be able
> to reboot unattended.
>
> systemd-cryptenroll

Re: [systemd-devel] systemd-cryptenroll with TPM2

2023-08-21 Thread Aleksandar Kostadinov
Thanks, this is what I was also considering the feasibility of. And whether it made sense to begin with. Any idea how can this be done with systemd?

In man I read:

> Note that currently when enrolling a new key of one of the five
> supported types listed above, it is required to first

Re: [systemd-devel] systemd-cryptenroll with TPM2

2023-08-21 Thread Mantas Mikulėnas
Have your initramfs *extend* a PCR after it retrieves the key from the TPM, before it switches to (or even unlocks) the rootfs. As most PCRs cannot be rolled back without a reboot, this would prevent the key from being unsealed from a running system even if it manages to boot (without causing the i

[systemd-devel] systemd-cryptenroll with TPM2

2023-08-21 Thread Aleksandar Kostadinov
Hello,

This is more of a user question but I didn't find any other suitable forum to ask.

I want to install a server that should have an encrypted root but be able to reboot unattended.

systemd-cryptenroll with TPM2 looks like a viable option. I'm concerned about which PCRs to pin so that an ave