Another idea is to measure the initrd and the boot configuration, for example taking a hash of the grub configuration and initrd and extending a PCR register. To make it work across upgrades, the grub configuration could be put into a git repository. Each commit hash is computed using the TPM and changes are appended to the repository. During boot, grub would extend the PCR, one time per commit, with the commit content. Grub would then execute the git working tree. This makes it possible, after a grub config change / kernel upgrade / dracut change etc., to precalculate the PCR values (as suggested on https://github.com/latchset/clevis/issues/366) that can then be used to bind LUKS passphrases.

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
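The precalculation step described in the message above, as an added illustration that is not part of the original post or of grub, clevis or any Fedora component. It assumes a SHA-256 PCR bank, the TPM 2.0 extend rule PCR' = H(PCR || digest), a PCR that starts at all zeros, and that the measured "event" for each commit is the hash of the commit content; the grub.cfg versions used as commits are constructed sample data. The point it shows is that the expected PCR after an upgrade can be computed offline from the ordered list of commits, that a boot-time event log replays to the same value, and that any change in content or order yields a different PCR, which is exactly why the sealed LUKS passphrase would no longer unseal:

```python
import hashlib

PCR_SIZE = 32  # SHA-256 bank; assumption: PCR starts at all zeros (like PCR 0-16)


def measure(data: bytes) -> bytes:
    """Digest of the event being measured (here: one commit's content)."""
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend rule: new PCR = H(old PCR || digest)."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR and digest must match the bank size")
    return hashlib.sha256(pcr + digest).digest()


def predict_pcr(commits: list[bytes], initial: bytes = bytes(PCR_SIZE)) -> bytes:
    """Offline precalculation: extend once per commit, in commit order."""
    pcr = initial
    for content in commits:
        pcr = extend(pcr, measure(content))
    return pcr


def replay_event_log(digests: list[bytes], initial: bytes = bytes(PCR_SIZE)) -> bytes:
    """Replay a boot-time log of already-hashed events (what grub would extend)."""
    pcr = initial
    for d in digests:
        pcr = extend(pcr, d)
    return pcr


# Constructed sample commits: two successive versions of a grub.cfg (hypothetical paths).
COMMITS = [
    b"set timeout=5\nlinux /vmlinuz-6.1 root=/dev/vg/root\ninitrd /initramfs-6.1.img\n",
    b"set timeout=5\nlinux /vmlinuz-6.2 root=/dev/vg/root\ninitrd /initramfs-6.2.img\n",
]


def expected_pcr_hex() -> str:
    """Value you would bind the LUKS passphrase to after the kernel upgrade."""
    return predict_pcr(COMMITS).hex()


def boot_log_matches_prediction() -> bool:
    """Simulated boot: grub measures each commit; the log must replay to the prediction."""
    boot_log = [measure(c) for c in COMMITS]
    return replay_event_log(boot_log) == predict_pcr(COMMITS)


def tampered_config_detected() -> bool:
    """A single-byte change in the latest commit changes the final PCR."""
    tampered = COMMITS[:-1] + [COMMITS[-1].replace(b"root=/dev/vg/root", b"root=/dev/vg/root init=/bin/sh")]
    return predict_pcr(tampered) != predict_pcr(COMMITS)


def reordered_commits_detected() -> bool:
    """Extend is order-sensitive: replaying the same commits in reverse gives another PCR."""
    return predict_pcr(list(reversed(COMMITS))) != predict_pcr(COMMITS)


if __name__ == "__main__":
    print("predicted PCR:", expected_pcr_hex())
    print("boot log matches:", boot_log_matches_prediction())
    print("tamper detected:", tampered_config_detected())
    print("reorder detected:", reordered_commits_detected())
```

Because each commit is folded into the running PCR value, the predicted digest depends on the entire history, not just the current working tree; an attacker who rewrites an earlier commit, drops one, or appends an extra one gets a different PCR and the sealed passphrase stays sealed. On a real system the same arithmetic would be fed the digests from the TPM event log (for a SHA-256 bank) rather than the constructed strings used here.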