Re: PCR signing / enrolling on UKI and validation by systemd-cryptenroll

On 28.05.2024 17:49, Lennart Poettering wrote:

> systemd-cryptenroll supports pin, literal PCR, signed PCR — in any
> combination. (plus pcrlock, but that currently cannot be combined
> with signed PCR, because afaics not expressible in the TPM policy language).


Why not? You can AND pcrlock with other policies just like currently literal PCR is ANDed with signed PCR. You can even use signed PCR in pcrlock policy - PolicyOR does not care what policies are combined, literal PCR (like is done currently) or signed PCR. Or what semantics do you have in mind that cannot be expressed?
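
For readers following the policy terms used in this exchange, here is an added example (not part of the thread and not systemd code) that models TPM 2.0 policyDigest arithmetic for a PolicyOR over one literal-PCR branch and one signed-PCR (PolicyAuthorize) branch, with PolicyAuthValue ANDed afterwards. Assumptions: the PCR values and key name are constructed, the signature check is replaced by a set lookup, and pcrlock's PolicyAuthorizeNV is not modelled.

```python
import hashlib
import struct

# TPM 2.0 command codes, marshalled big-endian; ZERO is a fresh SHA-256 policyDigest.
CC_PCR, CC_OR, CC_AUTHORIZE, CC_AUTH_VALUE = (
    struct.pack(">I", c) for c in (0x17F, 0x171, 0x16A, 0x16B))
ZERO = bytes(32)

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def policy_pcr(digest, pcrs, index):
    # TPML_PCR_SELECTION: count=1, SHA-256 bank (0x000B), 3-byte bitmap.
    sel = struct.pack(">IHB", 1, 0x000B, 3) + (1 << index).to_bytes(3, "little")
    return H(digest, CC_PCR, sel, H(pcrs[index]))

def policy_authorize(digest, key_name, signed):
    # Assumption: membership in `signed` stands in for verifying the signature.
    if digest not in signed:
        raise PermissionError("policy digest is not signed")
    return H(H(ZERO, CC_AUTHORIZE, key_name), b"")  # reset, then empty policyRef

def policy_or(digest, branches):
    if digest not in branches:
        raise PermissionError("no PolicyOR branch matches")
    return H(ZERO, CC_OR, *branches)  # reset, then hash the branch list

def policy_auth_value(digest):
    return H(digest, CC_AUTH_VALUE)

# Constructed sample values, not taken from any real system.
KEY_NAME = b"\x00\x0b" + H(b"constructed signing key public area")
GOOD = {7: H(b"constructed PCR 7"), 11: H(b"constructed PCR 11")}
SIGNED = {policy_pcr(ZERO, GOOD, 11)}  # PCR 11 policy the key holder signed

def branch(pcrs, use_signed):
    if use_signed:  # signed PCR: PolicyPCR(11), then PolicyAuthorize
        return policy_authorize(policy_pcr(ZERO, pcrs, 11), KEY_NAME, SIGNED)
    return policy_pcr(ZERO, pcrs, 7)  # literal PCR 7

BRANCHES = [branch(GOOD, False), branch(GOOD, True)]

def unlock(pcrs, use_signed):
    """Replay one branch, then PolicyOR, then PolicyAuthValue (ANDed on top)."""
    return policy_auth_value(policy_or(branch(pcrs, use_signed), BRANCHES))

AUTH_POLICY = unlock(GOOD, False)  # digest that would be the object's authPolicy
```

Both branches end at the same final digest, and because PolicyAuthorize resets the digest to a value that depends only on the key name, the signed branch keeps working when PCR 7 changes but fails when PCR 11 no longer matches a signed policy.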


