Looking at the PR [1] it looks like I need to do a lot of things at
each update manually. Is the thing in the comment the only thing I
need to do or are there other things as well?

Also forgot to post link to article in my last email, here it goes [2]

[1] https://github.com/systemd/systemd/pull/24351/files#r961978027
[2] https://fedoramagazine.org/use-systemd-cryptenroll-with-fido-u2f-or-tpm2-to-decrypt-your-disk/

On Sat, Sep 2, 2023 at 10:18 PM Aleksandar Kostadinov <akostadi@xxxxxxxxxx> wrote:
>
> Hello,
>
> Trying to configure Signed PCR binding on Fedora 38 by following
> article [1] and adapting commands for signing.
>
> What I did was basically this:
>
> openssl genrsa -out /etc/systemd/tpm2-pcr-private-key.pem 2048
>
> openssl rsa -in /etc/systemd/tpm2-pcr-private-key.pem -pubout -out /etc/systemd/tpm2-pcr-public-key.pem
>
> sudo systemd-cryptenroll --tpm2-device=auto --tpm2-public-key-pcrs=7+9+11+12+13+14+15 /dev/sda3
>
> added tpm2-device=auto,tpm2-pcrs=7+9+11+12+13+14+15
>
> But automatic unlocking does *not* work. And This is what
> systemd-measure returns:
>
> $ /usr/lib/systemd/systemd-measure status
> Warning: current kernel image does not support measuring itself, the
> command line or initrd system extension images.
> The PCR measurements seen are unlikely to be valid.
> # PCR[11] Unified Kernel Image (NOT SET!)
> 11:sha1=0000000000000000000000000000000000000000
> 11:sha256=0000000000000000000000000000000000000000000000000000000000000000
> # PCR[12] Kernel Parameters (NOT SET!)
> 12:sha1=0000000000000000000000000000000000000000
> 12:sha256=0000000000000000000000000000000000000000000000000000000000000000
> # PCR[13] initrd System Extensions (NOT SET!)
> 13:sha1=0000000000000000000000000000000000000000
> 13:sha256=0000000000000000000000000000000000000000000000000000000000000000
>
> Did I do something wrong? Is just necessary integration missing from
> Fedora 38 so I better revert to normal PCR binding?
>
> Thank you.