[systemd-devel] Enrolling PCR11 does not work as expected
Felix Rubio
felix at kngnt.org
Thu Jul 6 09:42:10 UTC 2023
In order to achieve the check of a number of PCRs, what do you guys
think of this approach?
1. When running ukify, add the "measure" flag so that the expected value
of the PCR11 is printed.
2. Then, script the reset of an unused PCR (in my case, 23), and the
extend it with the current value of PCRs 7 and 14, and the expected
value of PCR 11
3. Run systemd-cryptenroll against PCR 23
4. add a configuration drop to
/etc/systemd/system/systemd-cryptsetup at .service.d, so that at ExecPre a
similar script of that in 2 is run, but in this case resetting PCR 23
and extending it with the actual values of PCRs 7, 14 and 11.
Do you guys this approach is sound?
Thank you,
Felix
On 2023-07-05 14:26, Lennart Poettering wrote:
> On Mi, 05.07.23 13:11, Felix Rubio (felix at kngnt.org) wrote:
>
>> For what is explained on the the systemd-pcrphase.service(8) and
>> comparing
>> it to what I see in the log of the systemd services, there are three
>> events
>> in relation to this question:
>>
>> systemd-pcrphase-initrd.service
>> [...]
>> [systemd-ask-password-console.service]
>> [...]
>> systemd-pcrphase-sysinit
>> systemd-pcrphase
>>
>> This means that, indeed, running cryptenroll after the new kernel has
>> booted
>> will never provide the correct PCR registry for 11. But then... what
>> options
>> do I have? Do I need to choose between having PCRs 7 and 14, so that I
>> make
>> sure that SB is up and running and all the certs from shim have not
>> changed,
>> or to have only PCR 11 so that I know that the UKI has not changed
>> although
>> SB can potentially be even disabled (please, correct me if wrong)?
>
> The idea is that with systemd-measure you sign the pre-calculated PCRs
> for all phases you care about with a key, and then you use enroll the
> public key that matches that signature in the disk encryption, rather
> than literal PCR values.
>
> Using signed PCR policies enables you to do multiple things at once:
>
> 1. You can easily enroll one public key, and have it cover multiple
> phases of the boot, simply by providing multiple signatures for the
> PCR values expected in the various boot phases.
>
> 2. You can easily enroll one public key, and then update the UKI and
> still boot up correctly, by providing a new set of signatures for
> the new expected PCR values for the various boot phases.
>
> Hence, the PCR 11 logic we have in place is *not* designed with TPM
> policies that bind to explicit PCR values in mind. Instead it is
> designed in mind with policies that bind to public keys that match
> signatures of those PCR values.
>
> Lennart
>
> --
> Lennart Poettering, Berlin
More information about the systemd-devel
mailing list