Enrolling PCR11 does not work as expected
- Subject: Enrolling PCR11 does not work as expected
- From: Felix Rubio <felix@xxxxxxxxx>
- Date: Wed, 05 Jul 2023 08:30:39 +0200
Hi everybody,
In my setup (sd-boot+UKI+LUKS) I am using PCRs 7+11+14 to unlock the
LUKS drive. Should I use only PCRs 7+14 everything works, but when I add
11 I need to provide the rescue password every single time I boot.
I have extracted the values of those PCRs using tpm2_pcrread in two
consecutive boots, and they are equal, so at least the issue is
reproducible.
To enroll the PCRs, after a new kernel (and, therefore, the UKI) has
been generated, I run the following command:
systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto
--tpm2-pcrs=7+11+14 <device>
After reading the documentation on systemd-measure (that I am not using
at the moment): could it be that there are events added to PCR 11 after
the unlocking has happened, so that I am enrolling the wrong PCR value?
Otherwise... what am I doing wrong?
Felix
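The mechanism the post asks about, as an added example (not code from the post or from systemd): a small model of how PCR 11 evolves during a UKI boot. It assumes, from the systemd-stub and systemd-pcrphase documentation, that the stub measures the UKI sections into PCR 11 and that systemd-pcrphase then extends PCR 11 with a phase string at each boot phase; the phase strings, the section contents and the event ordering below are constructed stand-ins, not values taken from the page. systemd-cryptenroll with a plain `--tpm2-pcrs=...` list binds to the PCR values it reads at the moment it runs, so the model shows the value the policy would be bound to at enrollment time next to the value present while systemd-cryptsetup unlocks the volume in the initrd; precomputing the initrd-time value is what systemd-measure is for.

```python
"""Model of PCR 11 across a systemd UKI boot (added example, not from the post).

Assumptions not stated on the page:
  * systemd-stub measures each UKI section into PCR 11 before the kernel runs;
  * systemd-pcrphase extends PCR 11 with a phase string at boot phases;
  * the phase strings below are recalled from the systemd-pcrphase man page and
    must be checked against the installed systemd version.
All section contents are constructed placeholders.
"""
import hashlib

PCR_INIT = bytes(32)  # SHA-256 bank: PCRs 0-16 start out all-zero at power-on

# Phase strings extended into PCR 11 by systemd-pcrphase (assumed names).
PHASES_BEFORE_UNLOCK = ["enter-initrd"]
PHASES_AFTER_UNLOCK = ["leave-initrd", "sysinit", "ready"]

# Constructed stand-ins for the UKI sections the stub measures.
UKI_SECTIONS = {
    ".linux": b"<constructed kernel image bytes>",
    ".initrd": b"<constructed initrd bytes>",
    ".cmdline": b"root=/dev/mapper/root rw",
}

UNLOCK_MARKER = "systemd-cryptsetup reads PCR 11 here (initrd)"
ENROLL_MARKER = "systemd-cryptenroll --tpm2-pcrs=7+11+14 reads PCR 11 here (booted system)"


def pcr_extend(current: bytes, event_data: bytes) -> bytes:
    """TPM2_PCR_Extend for the SHA-256 bank: new = H(old || H(event_data))."""
    return hashlib.sha256(current + hashlib.sha256(event_data).digest()).digest()


def pcr11_timeline(sections=UKI_SECTIONS,
                   before=PHASES_BEFORE_UNLOCK,
                   after=PHASES_AFTER_UNLOCK):
    """Return [(event, pcr11_hex)] in boot order, including the two read points."""
    pcr = PCR_INIT
    timeline = []
    # 1. Boot stub measures the UKI sections (constructed order and contents).
    for name, content in sections.items():
        pcr = pcr_extend(pcr, content)
        timeline.append((f"systemd-stub measures {name}", pcr.hex()))
    # 2. pcrphase extends PCR 11 on entering the initrd; unlock happens after this.
    for phase in before:
        pcr = pcr_extend(pcr, phase.encode())
        timeline.append((f"systemd-pcrphase {phase}", pcr.hex()))
    timeline.append((UNLOCK_MARKER, pcr.hex()))
    # 3. Later phases extend PCR 11 again; by the time a logged-in user runs
    #    systemd-cryptenroll, the register holds a different value.
    for phase in after:
        pcr = pcr_extend(pcr, phase.encode())
        timeline.append((f"systemd-pcrphase {phase}", pcr.hex()))
    timeline.append((ENROLL_MARKER, pcr.hex()))
    return timeline


def value_at_unlock() -> str:
    """PCR 11 as seen by systemd-cryptsetup in the initrd (hex)."""
    return dict(pcr11_timeline())[UNLOCK_MARKER]


def value_at_enrollment() -> str:
    """PCR 11 as read by systemd-cryptenroll from the fully booted system (hex)."""
    return dict(pcr11_timeline())[ENROLL_MARKER]


def enrollment_matches_unlock() -> bool:
    """True only if binding to the live value at enrollment time would unlock."""
    return value_at_unlock() == value_at_enrollment()


if __name__ == "__main__":
    for event, value in pcr11_timeline():
        print(f"{value[:16]}...  {event}")
    print("live-value enrollment would unlock:", enrollment_matches_unlock())
```

The timeline is deterministic for a fixed UKI, which matches the observation in the post that two consecutive boots read identical PCRs: the value is stable, it is just read at a different point in the boot than the one the unlock policy is evaluated at.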