On Mo, 10.03.25 19:25, Diorcet Yann (diorcet.yann@xxxxxxxxx) wrote: > Is PCR15 checked against a pre-calculated value saved in the signed initrd > before leaving initrd? If it's not the case, then when executing the init > from the chrooted malicious partition, the original /dev/sda1 LUKS will be > opened and mounted as var. I think you are misunderstanding what PCR15 is supposed to be. it's not really supposed to be consumed for FDE, but simply populated by FDE. It's usecase was to later have PCR that identifies the local system, that we can lock encrypted credentials or systemd-confext images to. To protect the order of things use the "phase" logic, i.e. in PCR 15. And to say this very clearly: the model this is designed for assumes you have one encrypted fs not many. i.e. if everything checks out then you get access to it, and if it doesn't you don't. I am not sure I understand your scenario, but you appear to work with two encrypted disks, one for the rootfs and one for /var/? Yes, there is no protection for using them for the wrong purpose (ie. the root fs for /var/ or vice versa), because that was never in the picture of being an issue. If you want multiple encrypted partitions like that, then things are a lot more complicated, but let me ask you: why even? It makes sense to split up things so that you have various sets of data with different protections (i.e. some unprotected, some verity protected, some encrypted + tpm). But if you have multiple partitions protected the same way, why split them up, and why create such a headache then. Lennart -- Lennart Poettering, Berlin
Re: Is tpm2-measure-pcr really an additional security?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: Is tpm2-measure-pcr really an additional security?
- From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
- Date: Tue, 11 Mar 2025 13:27:27 +0100
- Cc: Adrian Vovk <adrianvovk@xxxxxxxxx>, Mikko Rapeli <mikko.rapeli@xxxxxxxxxx>, Systemd Devel <systemd-devel@xxxxxxxxxxxxxxxxxxxxx>
- In-reply-to: <84a33bb5-46d6-49c7-99e0-d5518250e9e5@gmail.com>
- References: <214ba7b7-ae75-4b8e-94c6-9510216492be@gmail.com> <Z86rE9USh_yPWLDY@gardel-login> <CACPcEYkLn-zKPU0KkpfqhY7FLcgPXFGa1Gbbwh5nWB_zXApmwg@mail.gmail.com> <CAAdYy_m2yL3p2zKDuTnWQZmKHtpf9OEhzBXqM_rQ4EGMoReR2Q@mail.gmail.com> <Z88OFgp6Le4MCkj2@nuoska> <CAAdYy_kDJnqx6SpTLa7LtWmPWthbpgDXMvi1KX3Lr6CJ7+v30A@mail.gmail.com> <84a33bb5-46d6-49c7-99e0-d5518250e9e5@gmail.com>
- Follow-Ups:
- Re: Is tpm2-measure-pcr really an additional security?
- From: Lennart Poettering
- Re: Is tpm2-measure-pcr really an additional security?
- From: lacsaP Patatetom
- Re: Is tpm2-measure-pcr really an additional security?
- References:
- Is tpm2-measure-pcr really an additional security?
- From: Diorcet Yann
- Re: Is tpm2-measure-pcr really an additional security?
- From: Lennart Poettering
- Re: Is tpm2-measure-pcr really an additional security?
- From: Yann Diorcet
- Re: Is tpm2-measure-pcr really an additional security?
- From: Adrian Vovk
- Re: Is tpm2-measure-pcr really an additional security?
- From: Mikko Rapeli
- Re: Is tpm2-measure-pcr really an additional security?
- From: Adrian Vovk
- Re: Is tpm2-measure-pcr really an additional security?
- From: Diorcet Yann
- Is tpm2-measure-pcr really an additional security?
- Prev by Date: Re: Is tpm2-measure-pcr really an additional security?
- Next by Date: Re: DOSing the TPM to leak the rootfs encryption key
- Previous by thread: Re: Is tpm2-measure-pcr really an additional security?
- Next by thread: Re: Is tpm2-measure-pcr really an additional security?
- Index(es):
 |