Re: PCR signing / enrolling on UKI and validation by systemd-cryptenroll

On Mi, 29.05.24 14:42, Demi Marie Obenour (demi@xxxxxxxxxxxxxxxxxxxxxx) wrote:

> > Hence, maybe tickets aren't the way to go, they bring complexity, they
> > would make a pretty relevant feature of our policies go down the drain
> > – even though they would combine the two relevant policies correctly.
>
> What about inserting an explicit delay into the boot process until the
> ticket expires?

Sorry, but no. That would be racy (since the TPM clocks are relatively
inaccurate afaics, unlike system clocks). Also it's one hell of an
ugly hack and given that TPMs are slow as fuck anyway and already slow
down boots measurably (heh, pun!) I am sure we shouldn't try to make
it even slower by inserting artificial sleeps...

Lennart

--
Lennart Poettering, Berlin


