[systemd-devel] Enrolling PCR11 does not work as expected

Felix Rubio felix at kngnt.org
Wed Jul 5 06:30:39 UTC 2023


Hi everybody,

In my setup (sd-boot+UKI+LUKS) I am using PCRs 7+11+14 to unlock the 
LUKS drive. If I use only PCRs 7+14, everything works, but when I add 
11 I need to provide the rescue password every single time I boot.

I have extracted the values of those PCRs using tpm2_pcrread in two 
consecutive boots, and they are equal, so at least the issue is 
reproducible.

To enroll the PCRs, after a new kernel (and, therefore, the UKI) has 
been generated, I run the following command:

systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7+11+14 <device>

After reading the documentation on systemd-measure (that I am not using 
at the moment): could it be that there are events added to PCR 11 after 
the unlocking has happened, so that I am enrolling the wrong PCR value? 
Otherwise... what am I doing wrong?

Felix
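
The model below is an added illustration, not code from the post or from systemd, of why a PCR 11 value read with tpm2_pcrread after boot cannot match the value a TPM policy sees while the initrd is unlocking LUKS. systemd-stub measures the UKI's sections into PCR 11, and systemd-pcrphase then extends PCR 11 again at each boot milestone (enter-initrd, leave-initrd, sysinit, ready). The section contents below are constructed stand-ins, and the exact set of sections a given systemd version measures is assumed for illustration; only the extend arithmetic (new = SHA-256(old || SHA-256(data)), as in the TPM 2.0 SHA-256 bank) is the real thing.

```python
"""Model how PCR 11 changes across a UKI boot, so the value visible after
boot differs from the value present while the initrd unlocks LUKS."""
import hashlib

# PCR 11 starts at all zeros in the SHA-256 bank.
PCR_INIT = bytes(32)


def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM2 PCR extend in the SHA-256 bank: new = H(old || H(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


# Constructed stand-ins for UKI section contents that systemd-stub measures
# into PCR 11 (a real boot hashes the actual section bytes; the set of
# sections is an assumption for this illustration).
UKI_SECTIONS = [
    (".linux", b"vmlinuz bytes (constructed)"),
    (".osrel", b"ID=example\nVERSION_ID=1\n"),
    (".cmdline", b"root=/dev/mapper/root rw quiet"),
    (".initrd", b"initrd cpio bytes (constructed)"),
]

# Boot phases that systemd-pcrphase extends into PCR 11, in order.
PHASES = ["enter-initrd", "leave-initrd", "sysinit", "ready"]


def pcr11_timeline(sections=UKI_SECTIONS, phases=PHASES):
    """Return {label: pcr11_hex} for every point at which PCR 11 changes."""
    pcr = PCR_INIT
    timeline = {}
    for name, content in sections:
        pcr = extend(pcr, content)
        timeline[name] = pcr.hex()
    for phase in phases:
        # systemd-pcrphase measures the phase string itself.
        pcr = extend(pcr, phase.encode())
        timeline[phase] = pcr.hex()
    return timeline


def unlock_time_value(timeline) -> str:
    """PCR 11 as the TPM policy sees it when systemd-cryptsetup runs in the
    initrd: sections measured, 'enter-initrd' already extended."""
    return timeline["enter-initrd"]


def booted_value(timeline) -> str:
    """PCR 11 as tpm2_pcrread shows it once the booted system reaches 'ready'."""
    return timeline["ready"]


if __name__ == "__main__":
    tl = pcr11_timeline()
    for label, value in tl.items():
        print(f"{label:>14}: {value}")
    print("unlock-time value == booted value?",
          unlock_time_value(tl) == booted_value(tl))
```

Because every later phase extends the register again, a policy bound to the post-boot value of PCR 11 can never be satisfied at unlock time. This is why systemd-measure exists: `systemd-measure calculate ... --phase=enter-initrd` precomputes the value for the phase in which the unlock happens, and `systemd-measure sign` together with `systemd-cryptenroll --tpm2-public-key=... --tpm2-signature=... --tpm2-public-key-pcrs=11` binds the slot to a signed set of expected values instead of to whatever PCR 11 holds on the running system.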

