Re: PCR signing / enrolling on UKI and validation by systemd-cryptenroll

On Mon, 27.05.24 14:47, Aleksandar Kostadinov (akostadi@xxxxxxxxxx) wrote:

> Excuse me for top-posting but I can second that. Earlier I had a long
> thread about not being able to get the signed PCRs work, I never
> figured out that a signature was only created for 11.
>
> It would really help people not to lose their time if documentation
> stated - there be dragons, go only if you want to become a TPM
> low-level details and linux boot expert.
>
> Eventually I went with clevis and tang. Although if systemd allowed
> signing with more PCRs, that would definitely be very useful.

clevis/tang does not allow signing PCRs, last time I looked.

It's really not comparable.

If you want to use literal PCR policies like clevis does it, systemd
can do that for you just fine?

systemd-cryptenroll --tpm2-pcrs= is for literal PCR enrollments.

You can combine that with --tpm2-public-key= stuff for PCR 11.

> If somebody from systemd team managed to use signed PCRs to unlock
> together with the new systemd-pcrlock for non-11 PCRs, please write a
> short how-to on what to install and what to do on kernel upgrade. Presently it is
> not usable for regular or advanced users. Which is fine as long as the
> documentation doesn't suggest it is (and it presently does).

Yeah, I want a pony too, and I keep demanding one, but no one gives one
to me for free. Weird.

Honestly, maybe dial down your expectations a bit, both of you. All
this TPM support in systemd is fairly new, and it's definitely not
user facing stuff anyway (hence super-friendly docs are *not* my
priority, sorry, got enough on my plate), it's something distros
should integrate and we are only at the beginning of that path.

And complaining that things aren't just polished yet is certainly not
helping anyone to get the tiniest step ahead on that path. It just
annoys the people who you apparently believe work for you for free.

> P.S. also would be great if systemd also supported tang so that both -
> signed PCRs and tang to be required for automatic unlock.

I am not convinced networked unlock with ssss really is something
relevant for anyone but a select few folks who run major data centers
and are willing to pay the price for doing the work. It's also just a
bunch of shell scripts last time I looked, or did that change? If so,
doubly uninterested.

Lennart

--
Lennart Poettering, Berlin
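The combination Lennart describes above (literal PCR policy via --tpm2-pcrs=, plus the signed PCR 11 policy via --tpm2-public-key=) as an added shell example. This is not code from the thread or from the systemd project; it only assembles and validates the systemd-cryptenroll command line and never runs it. The options --tpm2-device=, --tpm2-pcrs=, --tpm2-public-key= and --tpm2-public-key-pcrs= are real systemd-cryptenroll options; the device path, key path and the "don't also bind PCR 11 literally" check are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: assemble (but do not run) a
# systemd-cryptenroll command that combines a literal PCR policy
# (--tpm2-pcrs=) with the signed-PCR-11 policy (--tpm2-public-key=).
# Device and key paths used below are placeholders.

# Return 0 if "$1" is a '+'-separated list of PCR indices in 0..23
# (the size of a TPM 2.0 PCR bank), e.g. "0+2+4+7"; otherwise 1.
valid_pcr_list() {
    list="$1"
    [ -n "$list" ] || return 1
    old_ifs="$IFS"
    IFS='+'
    set -- $list
    IFS="$old_ifs"
    for idx in "$@"; do
        case "$idx" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$idx" -le 23 ] || return 1
    done
    return 0
}

# Print the enrollment command for block device $1, literal PCR list $2
# and PCR policy public key $3. PCR 11 is bound through the signed policy
# (--tpm2-public-key-pcrs=11); the listed PCRs are bound to their current
# literal values, so they must not change across a kernel update.
build_enroll_cmd() {
    device="$1"
    pcrs="$2"
    pubkey="$3"
    if ! valid_pcr_list "$pcrs"; then
        echo "invalid PCR list: '$pcrs'" >&2
        return 1
    fi
    # Binding PCR 11 literally as well would break unlock on every
    # kernel update, which is exactly what the signed policy avoids.
    case "$pcrs" in
        11|11+*|*+11|*+11+*)
            echo "PCR 11 is covered by the signed policy; do not bind it literally" >&2
            return 1 ;;
    esac
    printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=%s --tpm2-public-key=%s --tpm2-public-key-pcrs=11 %s\n' \
        "$pcrs" "$pubkey" "$device"
}

# Usage: ./enroll-cmd.sh /dev/disk/by-partlabel/root 0+7 /path/to/tpm2-pcr-public-key.pem
# Only prints the command; review it, then run it as root on the target host.
if [ "$#" -eq 3 ]; then
    build_enroll_cmd "$1" "$2" "$3"
fi
```

The public key passed in must be the counterpart of the private key that signed the UKI's expected PCR 11 values (systemd-measure sign / ukify), otherwise the signed policy can never be satisfied at boot; that part is unchanged from what the thread discusses.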
