Re: sd-boot setup and PCRs

Hi Lennart, Andrei, Adrian

Understood, and thank you very much :-) then 7+11+14 it is.

Regards!

---
Felix Rubio
"Don't believe what you're told. Double check."

On 2023-06-19 17:21, Lennart Poettering wrote:
> On So, 18.06.23 20:56, Felix Rubio (felix@xxxxxxxxx) wrote:
>
>> Hi everybody,
>>
>> After some days offline, today I have gone through the emails exchanged
>> a couple of weeks ago and agreed: UKI is the way to go. Last time I
>> checked about it I read about possible problems related to when some
>> modules would be loaded and so on, but I see that my knowledge was
>> outdated.
>>
>> This said, right now my setup looks like: SecureBoot is enabled, I am
>> using Shim, Systemd-Boot as shim's second stage, and a UKI. As the disk
>> is encrypted, for now I am making the decryption predicated on PCRs 7
>> and 14, so that the decryption will only fail when either SB state
>> changes, or when shim certificates/hashes change. So far so good.
>>
>> Out of curiosity now, I am wondering: what would happen in case somebody
>> boots the system from, e.g., a USB drive that contains a signed image?
>> Even if the shim is the same version, I assume it will fail to unlock
>> because the MOK will not contain my certificate? Should that certificate
>> have been stolen and be present, would that be enough to then unlock the
>> disk?
>
> MOK is persisted in an EFI var, hence it doesn't matter what you boot
> from, the MOK db will be the same.
>
> Hence if that UKI on the USB drive is signed by some key that is in
> your MOK then this will just be accepted and get access to your keys.
>
>> I am trying to assess if I should put in the mix PCR 4, so that I can
>> keep track of the UKI image that gets loaded. Do you guys think this
>> would be needed, or is overkill?
>
> If you use UKIs, bind to the signature for PCR 11.
>
> Lennart
>
> --
> Lennart Poettering, Berlin
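
The difference between binding to one literal PCR value and binding to a signature for PCR 11, as an added simulation that is not part of the original thread and is not systemd code. Assumptions: the section-measurement model is simplified, the RSA key is an unpadded toy key, and every UKI content string is constructed.

```python
import hashlib

# Toy unpadded RSA key standing in for the PCR signing key pair (illustration only).
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM extend operation: new = SHA-256(old || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def pcr11(uki: dict) -> bytes:
    """Simplified model: each section name and body is measured into PCR 11."""
    pcr = bytes(32)
    for name, body in uki.items():
        pcr = extend(extend(pcr, name.encode()), body)
    return pcr

def sign(pcr: bytes) -> int:
    """Build-time step: sign the PCR 11 value this UKI is expected to produce."""
    return pow(int.from_bytes(pcr, "big") % N, D, N)

def verify(pcr: bytes, sig: int) -> bool:
    """Check a signature over a PCR value against the enrolled public key (N, E)."""
    return pow(sig, E, N) == int.from_bytes(pcr, "big") % N

def unlock_literal(enrolled_pcr: bytes, booted: dict) -> bool:
    """Policy bound to one exact PCR value: only the enrolled image unlocks."""
    return pcr11(booted) == enrolled_pcr

def unlock_signed(booted: dict, pcrsig) -> bool:
    """Policy bound to the public key: a validly signed PCR 11 value unlocks."""
    return pcrsig is not None and verify(pcr11(booted), pcrsig)

# Constructed sample UKIs (section name -> contents).
UKI_V1 = {".linux": b"kernel 6.3", ".initrd": b"initrd A", ".cmdline": b"quiet"}
UKI_V2 = {**UKI_V1, ".linux": b"kernel 6.4"}    # routine kernel update
UKI_USB = {**UKI_V1, ".initrd": b"initrd B"}    # other image, no PCR signature

if __name__ == "__main__":
    enrolled = pcr11(UKI_V1)
    print("literal  v1 :", unlock_literal(enrolled, UKI_V1))
    print("literal  v2 :", unlock_literal(enrolled, UKI_V2))
    print("signed   v2 :", unlock_signed(UKI_V2, sign(pcr11(UKI_V2))))
    print("signed   usb:", unlock_signed(UKI_USB, None))
    print("replayed sig:", unlock_signed(UKI_USB, sign(enrolled)))
```

The literal binding stops unlocking after every kernel update, while the signed binding follows any UKI whose PCR 11 value was signed with the enrolled key and rejects an image that Secure Boot accepts but that carries no such signature.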