On Mo, 29.05.23 11:42, Felix Rubio (felix@xxxxxxxxx) wrote: > Hi everybody, > > Continuing the work/learning path I started last week, I have had a > development: Still with shim loading systemd-boot, which can read the kernel > and initramfs from XBOOTLDR partition, I have introduced LUKS to encrypt the > root partition (XBOOTLDR is not encrypted). > > Originally I was planning to move from this to UKI so that I can make sure > that both kernel and initramfs are checked before booting, but today I have > considered a different course of action: Should I use the TPM to store a key > to decrypt the disk like this: > > systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+1+7+9 > > Then, by using PCR9 the initrd would be checked before allowing the boot > sequence to continue. By doing this, then, I do not have to switch to UKI > until I have learned more about it. > > Do you guys think this reasoning is flawed? So, fixing things to literal PCR values is problematic during updates, since you need to reseal with expected PCR versions befor you allow the updates to happen. With UKIs and the signed PCR logic you can instead sign PCR values and then bind disk encryption to the public key used for that signing, and include the signature matching a kernel in the UKI. That means updating becomes trivial, as every UKI comes with all data needed to unlock the disk safely. Lennart -- Lennart Poettering, Berlin
Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
- Date: Mon, 5 Jun 2023 10:19:19 +0200
- Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
- In-reply-to: <1436f77b9774c235367818c2e9f00f28@kngnt.org>
- References: <f7ae22d92170ecbec85fad95453e3e74@kngnt.org> <5cd240d7-d843-abed-f175-729d765efadb@gmail.com> <5628da3bebb61926448c4cae80c7b693@kngnt.org> <ZG4Eedbmya2AlFnw@gardel-login> <7feef1e1d6ed0d8699e158d047cf5ac3@kngnt.org> <ZG43MTxLHP2hLsaI@gardel-login> <cefcf40c5edf497c08146857135d4356@kngnt.org> <ZG8byYZZcKK0n1NR@gardel-login> <1436f77b9774c235367818c2e9f00f28@kngnt.org>
- References:
- why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Felix Rubio
- Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Andrei Borzenkov
- Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Felix Rubio
- Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Lennart Poettering
- Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Felix Rubio
- Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Lennart Poettering
- Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Felix Rubio
- Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Lennart Poettering
- Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Felix Rubio
- why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- Prev by Date: Re: triggering a remove handker manually via cmd
- Next by Date: Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- Previous by thread: Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- Next by thread: Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- Index(es):
 |