On Mo, 27.05.24 14:47, Aleksandar Kostadinov (akostadi@xxxxxxxxxx) wrote:

> Excuse me for top-posting but I can second that. Earlier I had a long
> thread about not being able to get the signed PCRs to work, I never
> figured out that a signature was only created for 11.
>
> It would really help people not to lose their time if documentation
> stated - there be dragons, go only if you want to become a TPM
> low-level details and Linux boot expert.
>
> Eventually I went with clevis and tang. Although if systemd allowed
> signing with more PCRs, that would definitely be very useful.

clevis/tang does not allow signing PCRs, last time I looked. It's
really not comparable.

If you want to use literal PCR policies like clevis does, systemd can
do that for you just fine? systemd-cryptenroll --tpm2-pcrs= is for
literal PCR enrollments. You can combine that with --tpm2-public-key=
stuff for PCR 11.

> If somebody from the systemd team managed to use signed PCRs to unlock
> together with the new systemd-pcrlock for non-11 PCRs, please write a
> short how-to on what to install and what to do on kernel upgrade.
> Presently it is not usable for regular or advanced users. Which is
> fine as long as the documentation doesn't suggest it is (and it
> presently does).

Yeah, I want a pony too, and I keep demanding one, but no one gives
one to me for free. Weird.

Honestly, maybe dial down your expectations a bit, both of you. All
this TPM support in systemd is fairly new, and it's definitely not
user-facing stuff anyway (hence super-friendly docs are *not* my
priority, sorry, got enough on my plate), it's something distros
should integrate and we are only at the beginning of that path. And
complaining that things aren't just polished yet is certainly not
helping anyone to get the tiniest step ahead on that path. It just
annoys the people who you apparently believe work for you for free.

> P.S. also would be great if systemd also supported tang so that both -
> signed PCRs and tang - were required for automatic unlock.

I am not convinced networked unlock with ssss really is something
relevant for anyone but a select few folks who run major data centers
and are willing to pay the price for doing the work. It's also just a
bunch of shell scripts last time I looked, or did that change? If so,
doubly uninterested.

Lennart

--
Lennart Poettering, Berlin
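As an added example (written for this page, not code from the thread or from the systemd project), here is a small POSIX sh wrapper around the systemd-cryptenroll invocation Lennart describes: literal PCR values for PCRs 0 and 7 via --tpm2-pcrs= combined with a public-key (signed-PCR) policy for PCR 11 via --tpm2-public-key= and --tpm2-public-key-pcrs=11. The flag names are systemd-cryptenroll's own; the device path, the default PCR selection and the public-key path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: enroll a LUKS2 volume against a TPM2 policy that combines
#   - literal PCR values (default PCRs 0 and 7: firmware code and Secure Boot
#     state), via --tpm2-pcrs=, and
#   - a signed-PCR policy for PCR 11 (UKI measurements) via --tpm2-public-key=
#     and --tpm2-public-key-pcrs=11.
# Device path, PCR list and key path below are illustrative assumptions.

# build_enroll_cmd DEVICE PUBKEY [PCRS]
# Validates the PCR list and prints the systemd-cryptenroll command line
# (does not run it), so the exact policy can be reviewed before enrolling.
build_enroll_cmd() {
    dev=$1
    pubkey=$2
    pcrs=${3:-0+7}

    # Accept only "n" or "n+m+..." (digits joined by single '+').
    case "$pcrs" in
        *[!0-9+]*|+*|*+|*++*)
            printf 'invalid PCR list: %s\n' "$pcrs" >&2
            return 1 ;;
    esac

    printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=%s --tpm2-public-key=%s --tpm2-public-key-pcrs=11 %s\n' \
        "$pcrs" "$pubkey" "$dev"
}

# enroll DEVICE PUBKEY [PCRS]
# Checks the inputs, then performs the enrollment. Requires root and a TPM2.
enroll() {
    dev=$1
    pubkey=$2
    pcrs=${3:-0+7}

    [ -b "$dev" ]    || { printf 'not a block device: %s\n' "$dev" >&2; return 1; }
    [ -r "$pubkey" ] || { printf 'cannot read public key: %s\n' "$pubkey" >&2; return 1; }
    build_enroll_cmd "$dev" "$pubkey" "$pcrs" >/dev/null || return 1

    # Same arguments as printed by build_enroll_cmd, passed directly
    # (no eval) so paths containing spaces are handled correctly.
    systemd-cryptenroll --tpm2-device=auto \
        --tpm2-pcrs="$pcrs" \
        --tpm2-public-key="$pubkey" \
        --tpm2-public-key-pcrs=11 \
        "$dev"
}

# Run only when invoked as: ./enroll.sh --run /dev/sda2 /etc/systemd/tpm2-pcr-public-key.pem [0+7]
if [ "${1:-}" = "--run" ]; then
    enroll "$2" "$3" "${4:-0+7}"
fi
```

The two halves of the policy fail in different ways, which is the point of combining them: the literal half (PCRs 0 and 7) is invalidated by any firmware update or Secure Boot policy change and then requires re-enrollment, so keep a recovery key enrolled alongside it (systemd-cryptenroll --recovery-key). The signed half for PCR 11 survives kernel upgrades as long as each new UKI carries a .pcrsig section signed by the enrolled key; systemd-stub exposes that signature at boot as /run/systemd/tpm2-pcr-signature.json, which systemd-cryptsetup picks up at unlock time. Only the public key is needed at enrollment; no --tpm2-signature= is passed here.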