On Thu, 22.08.24 22:29, Pingfan Liu (piliu@xxxxxxxxxx) wrote:

> > Hmm, I'd really think about this with some priority. The measurement
> > stuff should not be an afterthought, it typically has major
> > implications on how you design your transitions, because measurements
> > of some component always need to happen *before* you pass control to
> > it, otherwise they are pointless.
> >
>
> At present, my emulator returns false to is_efi_secure_boot(), so
> systemd-stub does not care about the measurement, and moves on.
>
> Could you enlighten me about how systemd utilizes the measurement? I
> grepped 'TPM2_PCR_KERNEL_CONFIG', and saw the systemd-stub asks to
> extend PCR. But where is the value checked? I guess the systemd will
> hang if the check fails.

systemd's "systemd-pcrlock" tool will look for measurements like that
and generate disk encryption TPM policies from that.

Lennart

--
Lennart Poettering, Berlin

_______________________________________________
kexec mailing list
kexec@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/kexec
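
The exchange above, as an added example that is not part of the original message and is not systemd or systemd-pcrlock code: a software model of a PCR showing that a measurement is "checked" only when a secret bound to the predicted PCR value is requested, so a skipped or changed measurement withholds the key instead of halting the boot. The PCR index 12, the `boot()` stage, the policy structure and the command lines are assumptions constructed for illustration; a real TPM policy also covers PCR selection and other PCRs.

```python
import hashlib

PCR_SIZE = 32            # SHA-256 bank
KERNEL_CONFIG_PCR = 12   # assumed index behind TPM2_PCR_KERNEL_CONFIG

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM-style extend: new = SHA256(old || SHA256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def replay(events, index: int) -> bytes:
    """Recompute one PCR from (pcr_index, data) event-log records."""
    pcr = bytes(PCR_SIZE)
    for idx, data in events:
        if idx == index:
            pcr = extend(pcr, data)
    return pcr

def make_policy(expected_events, index: int) -> dict:
    """Simplified stand-in for a TPM PCR policy: the predicted PCR value."""
    return {"pcr": index, "value": replay(expected_events, index)}

def boot(cmdline: bytes, measure: bool = True) -> dict:
    """Hypothetical boot stage: measure the config, then hand over control."""
    pcrs = {KERNEL_CONFIG_PCR: bytes(PCR_SIZE)}
    if measure:
        pcrs[KERNEL_CONFIG_PCR] = extend(pcrs[KERNEL_CONFIG_PCR], cmdline)
    return pcrs  # the next stage runs only after this point

def unseal(policy: dict, live_pcrs: dict, secret: bytes):
    """Release the secret only when the live PCR equals the policy value."""
    if live_pcrs.get(policy["pcr"]) == policy["value"]:
        return secret
    return None

# Constructed sample data, not taken from any real system.
GOOD = b"root=/dev/mapper/root ro"
ALTERED = b"root=/dev/mapper/root rw debug"
POLICY = make_policy([(KERNEL_CONFIG_PCR, GOOD)], KERNEL_CONFIG_PCR)

if __name__ == "__main__":
    for name, pcrs in [("measured, expected", boot(GOOD)),
                       ("measured, altered", boot(ALTERED)),
                       ("measurement skipped", boot(GOOD, measure=False))]:
        print(name, "->", unseal(POLICY, pcrs, b"disk-key"))
```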