Enrolling PCR11 does not work as expected

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi everybody,

In my setup (sd-boot+UKI+LUKS) I am using PCRs 7+11+14 to unlock the LUKS drive. Should I use only PCRs 7+14 everything works, but when I add 11 I need to provide the rescue password every single time I boot.

I have extracted the values of those PCRs using tpm2_pcrread in two consecutive boots, and they are equal, so at least the issue is reproducible.

To enroll the PCRs, after a new kernel (and, therefore, the UKI) has been generated, I run the following command:

systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7+11+14 <device>

After reading the documentation on systemd-measure (that I am not using at the moment): could it be that there are events added to PCR 11 after the unlocking has happened, so that I am enrolling the wrong PCR value? Otherwise... what am I doing wrong?

Felix



[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux