sd-boot setup and PCRs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi everybody,
After some days offline, today I have gone through the emails exchanged a couple of weeks ago and agreed: UKI is the way to go. Last time I checked about it I read about possible problems related to when some modules would be loaded and so, but I see that my knowledge was outdated.
This said, right now my setup looks like: SecureBoot is enabled, I am using Shim, Systemd-Boot as shim's second stage, and a UKI. As the disk is encrypted, for now I am making the decryption predicated to PCRs 7 and 14, so that the decryption will only fail when either SB state changes, or when shim certificates/hashes change. So far so good.
Out of curiosity now, I am wondering: what would happen in case somebody boots the system from, e.g., a USB drive that contains a signed image? Even if the shim is the same version, I assume it will fail to unlock because the MOK will not contain my certificate? Should that certificate had been stolen and present, be enough to then unlock the disk?
I am trying to assess if I should put in the mix PCR 4, so that I can keep track of the UKI image that gets loaded. Do you guys think this would be needed, or is overkill? 

Regards,

Felix
[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux