Indeed, this is why there is a proposal to change the way grub measures things: for example, introducing a new PCR, say PCR10, and a new command, "extend", that replays a command into the PCR without actually executing it.

This would mean, for your above example, if we limit ourselves to the last line, that you would first boot your server with

    initrd (hd0,gpt2)/initramfs-5.19.0-0.rc6.20220714git4a57a8400075.49.kraxel.4.fc36.x86_64.img

and read a value of PCR10 = p0.

Following an upgrade, you would unbind the luks decryption, run

    tpm2_pcrextend initrd (hd0,gpt2)/init.fc37.img

which brings PCR10 = p1, then you can rebind the luks decryption key with PCR10 (and others).

The grub configuration now looks like

    extend initrd (hd0,gpt2)/initramfs-5.19.0-0.rc6.20220714git4a57a8400075.49.kraxel.4.fc36.x86_64.img
    initrd (hd0,gpt2)/init.fc37.img

Upon next boot, grub executes the extend command, bringing PCR10 to p0, then measures the new "initrd (hd0,gpt2)/init.fc37.img" into it, bringing PCR10 to p1, so decryption can happen automatically. The checksum of the initrd can also be checked using grub with the hashsum command.

(I realize this idea is not trivial at all. Nevertheless, here's a build of grub with a patch that implements part of that: https://koji.fedoraproject.org/koji/taskinfo?taskID=89600764)

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
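To make the PCR arithmetic behind the proposal concrete, here is an added simulation (editor's example, not code from the message above or from the grub patch it links). It models PCR10 as a SHA-256 PCR with the standard TPM extend rule, new = SHA256(old || SHA256(event)), and assumes, as a simplification, that the grub command string itself is the measured event. It shows that pre-computing p1 on the running system (what the message does with tpm2_pcrextend) and replaying "extend <old command>" followed by the real new "initrd" line at the next boot land on the same PCR10 value, while any change to the new initrd line breaks the match. The function and constant names are the example's own.

```python
import hashlib

SHA256_LEN = 32
PCR_INITIAL = bytes(SHA256_LEN)  # a SHA-256 PCR bank starts at all zeros

# Constructed sample commands, taken from the grub config lines quoted above.
OLD_INITRD_CMD = (b"initrd (hd0,gpt2)/initramfs-5.19.0-0.rc6.20220714git4a57a8400075"
                  b".49.kraxel.4.fc36.x86_64.img")
NEW_INITRD_CMD = b"initrd (hd0,gpt2)/init.fc37.img"
EXTEND_PREFIX = b"extend "


def pcr_extend(pcr: bytes, event_data: bytes) -> bytes:
    """TPM2 PCR extend: PCR_new = SHA256(PCR_old || SHA256(event_data))."""
    event_digest = hashlib.sha256(event_data).digest()
    return hashlib.sha256(pcr + event_digest).digest()


def boot_measure(commands, pcr: bytes = PCR_INITIAL) -> bytes:
    """Current grub behaviour in this model: every command is executed and
    measured into the PCR, so the PCR reflects exactly what ran."""
    for cmd in commands:
        pcr = pcr_extend(pcr, cmd)
    return pcr


def precompute_after_upgrade(current_pcr: bytes, new_cmd: bytes) -> bytes:
    """What the admin does on the live system before rebinding LUKS: extend the
    running PCR with the digest of the command the next boot will run. This is
    the role tpm2_pcrextend plays in the message (the real tool takes a
    pre-hashed digest, e.g. '10:sha256=<hex>'; shown here as an assumption)."""
    return pcr_extend(current_pcr, new_cmd)


def grub_config_replay(config_lines):
    """Proposed grub behaviour: an 'extend X' line measures X without executing
    it (replaying history), any other line is executed and measured.
    Returns (final PCR value, list of commands that actually executed)."""
    pcr = PCR_INITIAL
    executed = []
    for line in config_lines:
        if line.startswith(EXTEND_PREFIX):
            pcr = pcr_extend(pcr, line[len(EXTEND_PREFIX):])
        else:
            pcr = pcr_extend(pcr, line)
            executed.append(line)
    return pcr, executed


def upgrade_scenario():
    """Walk through the message's scenario and report whether the
    pre-computed p1 matches what the replayed config produces at next boot."""
    p0 = boot_measure([OLD_INITRD_CMD])                       # first boot
    p1 = precompute_after_upgrade(p0, NEW_INITRD_CMD)         # after upgrade, before reboot
    new_config = [EXTEND_PREFIX + OLD_INITRD_CMD, NEW_INITRD_CMD]
    replayed, executed = grub_config_replay(new_config)       # next boot
    tampered, _ = grub_config_replay([EXTEND_PREFIX + OLD_INITRD_CMD,
                                      b"initrd (hd0,gpt2)/tampered.img"])
    return {
        "p0": p0.hex(),
        "p1": p1.hex(),
        "replay_matches_p1": replayed == p1,
        "only_new_initrd_executed": executed == [NEW_INITRD_CMD],
        "tampered_matches_p1": tampered == p1,
    }


if __name__ == "__main__":
    for key, value in upgrade_scenario().items():
        print(f"{key}: {value}")
```

Two things the simulation makes visible. First, "extend" only contributes a digest: the old initrd is never loaded, yet the PCR walks through p0 exactly as on the earlier boot, which is what lets the policy sealed to p1 before reboot unseal afterwards. Second, in this model only the command string is measured, not the file it names, so a swapped initrd with an unchanged path would still reach p1; that is why the message pairs the scheme with a hashsum check of the initrd contents in grub.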