In order to achieve the check of a number of PCRs, what do you guys
think of this approach?
1. When running ukify, add the "measure" flag so that the expected value
of the PCR11 is printed.
2. Then, script the reset of an unused PCR (in my case, 23), and the
extend it with the current value of
I understand that, but systemd-measure is only about PCR 11. Is there
any way to provide a list of PCRs, so that additionally can be embedded
on the UKI?
Thank you,
Felix
On 2023-07-05 14:26, Lennart Poettering wrote:
On Mi, 05.07.23 13:11, Felix Rubio (fe...@kngnt.org) wrote:
For what is ex
On Mi, 05.07.23 14:17, Mantas Mikulėnas (graw...@gmail.com) wrote:
> On Wed, Jul 5, 2023 at 2:11 PM Felix Rubio wrote:
>
> > For what is explained on the the systemd-pcrphase.service(8) and
> > comparing it to what I see in the log of the systemd services, there are
> > three events in relation t
On Mi, 05.07.23 13:11, Felix Rubio (fe...@kngnt.org) wrote:
> For what is explained on the the systemd-pcrphase.service(8) and comparing
> it to what I see in the log of the systemd services, there are three events
> in relation to this question:
>
> systemd-pcrphase-initrd.service
> [...]
> [syst
On Wed, Jul 5, 2023 at 2:11 PM Felix Rubio wrote:
> For what is explained on the the systemd-pcrphase.service(8) and
> comparing it to what I see in the log of the systemd services, there are
> three events in relation to this question:
>
> systemd-pcrphase-initrd.service
> [...]
> [systemd-ask-p
For what is explained on the the systemd-pcrphase.service(8) and
comparing it to what I see in the log of the systemd services, there are
three events in relation to this question:
systemd-pcrphase-initrd.service
[...]
[systemd-ask-password-console.service]
[...]
systemd-pcrphase-sysinit
system
On Mi, 05.07.23 08:30, Felix Rubio (fe...@kngnt.org) wrote:
> Hi everybody,
>
> In my setup (sd-boot+UKI+LUKS) I am using PCRs 7+11+14 to unlock the LUKS
> drive. Should I use only PCRs 7+14 everything works, but when I add 11 I
> need to provide the rescue password every single time I boot.
>
> I
Hi everybody,
In my setup (sd-boot+UKI+LUKS) I am using PCRs 7+11+14 to unlock the
LUKS drive. Should I use only PCRs 7+14 everything works, but when I add
11 I need to provide the rescue password every single time I boot.
I have extracted the values of those PCRs using tpm2_pcrread in two
c
