Re: Fedora 38 and signed PCR binding

[Lennart Poettering <lennart@xxxxxxxxxxxxxx>]

On Sa, 02.09.23 22:18, Aleksandar Kostadinov (akostadi@xxxxxxxxxx) wrote:

> Hello,
>
> Trying to configure Signed PCR binding on Fedora 38 by following
> article [1] and adapting commands for signing.
>
> What I did was basically this:
> > openssl genrsa -out /etc/systemd/tpm2-pcr-private-key.pem 2048
> > openssl rsa -in /etc/systemd/tpm2-pcr-private-key.pem -pubout -out /etc/systemd/tpm2-pcr-public-key.pem
> > sudo systemd-cryptenroll --tpm2-device=auto --tpm2-public-key-pcrs=7+9+11+12+13+14+15 /dev/sda3
> > added tpm2-device=auto,tpm2-pcrs=7+9+11+12+13+14+15
>
> But automatic unlocking does *not* work. And This is what
> systemd-measure returns:
>
> $ /usr/lib/systemd/systemd-measure status
> Warning: current kernel image does not support measuring itself, the
> command line or initrd system extension images.
> The PCR measurements seen are unlikely to be valid.
> # PCR[11] Unified Kernel Image (NOT SET!)
> 11:sha1=0000000000000000000000000000000000000000
> 11:sha256=0000000000000000000000000000000000000000000000000000000000000000
> # PCR[12] Kernel Parameters (NOT SET!)
> 12:sha1=0000000000000000000000000000000000000000
> 12:sha256=0000000000000000000000000000000000000000000000000000000000000000
> # PCR[13] initrd System Extensions (NOT SET!)
> 13:sha1=0000000000000000000000000000000000000000
> 13:sha256=0000000000000000000000000000000000000000000000000000000000000000
>
> Did I do something wrong? Is just necessary integration missing from
> Fedora 38 so I better revert to normal PCR binding?

Is your kernel built with sd-stub glued in fron of it? i.e. did you
use ukify?

Note that fedora still uses a legacy boot path with grub and
traditional kernels, instead of sd-boot/sd-stub and UKIs. PCR
measurements are messy there, and the pcr signature stuff as
implemented in systemd-measure doesn't work there.

Lennart

--
Lennart Poettering, Berlin