[systemd-devel] PCR signing / enrolling on UKI and validation by systemd-cryptenroll

2024-05-25 Felix Rubio
Hi everybody,

For some time now I have been using UKIs, with SB enabled and tying FDE decryption on PCRs 7+11+14, with the PCR 11 being measured during UKI creation. Then, I use systemd-cryptenroll to update the secret:

PCR11=$(/usr/lib/systemd/ukify -c /etc/kernel/uki.conf --measure

Re: [systemd-devel] PCR signing / enrolling on UKI and validation by systemd-cryptenroll

2024-05-25 Andrei Borzenkov
On 25.05.2024 10:00, Felix Rubio wrote:

Hi everybody,

For some time now I have been using UKIs, with SB enabled and tying FDE decryption on PCRs 7+11+14, with the PCR 11 being measured during UKI creation. Then, I use systemd-cryptenroll to update the secret:

PCR11=$(/usr/lib/systemd/u