On 2025-05-09 13:03, Lennart Poettering wrote:
On Fr, 09.05.25 15:58, Andrei Borzenkov (arvidj...@gmail.com) wrote:
> If you want explicit config use the simpler PCR protections
> systemd-cryptsetup gives you, and avoid pcrlock.
I obviously want to use pcrlock to have alternatives (like being able to boot multiple kernels). Can I get it without pcrlock?
No.
Sort of, it can be done. In openSUSE we are doing it via signed policy and pcr-oracle[1]. This is a fallback from pcrlock (for cases where the TPM2 rev does not support NVIndex policy), as pcrlock is objectively better.
[1] https://github.com/openSUSE/pcr-oracle