On Tue Oct 15, 2024 at 11:08 PM EEST, Mimi Zohar wrote:
> > > > since the feature itself is useful objectively, and make sure
> > > > that those fixes bring the wanted results.
>
> The right thing would have been to listen to my concerns when this was initially
> being discussed. The right thing wasn't enabling TCG_TPM2_HMAC by default.

This is debatable, as laptops and desktops having hard drive encryption
do benefit from this. If systemd hadn't added systemd-cryptenroll I would
agree with this.

I learned about this feature two years after its inception in that
project, so we needed to address this as a priority (I did not and will
not follow systemd development proactively, as I don't have time for that).

I feel more safe using my laptop with the feature in place at least.
Besides, it is a complicated enough feature that it would have been
impossible to ever land it "zero glitch".

I don't think there is any rigid "data centers first" rule really, except
maybe for those businesses that run data centers (and I'm not one of
those businesses).

BR, Jarkko