[systemd-devel] sd-boot setup and PCRs

Felix Rubio felix at kngnt.org
Sun Jun 18 18:56:48 UTC 2023


Hi everybody,

After some days offline, today I have gone through the emails exchanged 
a couple of weeks ago and agreed: UKI is the way to go. Last time I 
checked about it I read about possible problems related to when some 
modules would be loaded and so, but I see that my knowledge was 
outdated.

This said, right now my setup looks like: SecureBoot is enabled, I am 
using Shim, Systemd-Boot as shim's second stage, and a UKI. As the disk 
is encrypted, for now I am making the decryption predicated on PCRs 7 
and 14, so that the decryption will only fail when either SB state 
changes, or when shim certificates/hashes change. So far so good.

Out of curiosity now, I am wondering: what would happen in case somebody 
boots the system from, e.g., a USB drive that contains a signed image? 
Even if the shim is the same version, I assume it will fail to unlock 
because the MOK will not contain my certificate? Should that certificate 
have been stolen and be present, would it be enough to then unlock the disk?

I am trying to assess if I should put PCR 4 in the mix, so that I can 
keep track of the UKI image that gets loaded. Do you guys think this 
would be needed, or is it overkill?

Regards,

Felix
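Added illustration, not part of the mail above: a small simulation of how the PCRs named in the question evolve during boot, replayed for two boot paths. Path one is the enrolled system (shim, sd-boot, the owner's UKI). Path two is the scenario the mail asks about: the same shim and sd-boot, but a different UKI that verifies under the same MOK certificate. The event log is constructed for the example, a plain SHA-256 of the image bytes stands in for the Authenticode hash the firmware really measures into PCR 4, and `policy_digest` is a simplified stand-in for a TPM2 PCR policy (only the "all selected PCRs must match" property is modelled, not the real TPM2_PolicyPCR computation). Under those assumptions it shows why a policy over PCRs 7 and 14 alone cannot distinguish the two images, while adding PCR 4 does.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Every PCR of a SHA-256 bank starts as 32 zero bytes.
PCR_INIT = bytes(32)


def extend(pcr: bytes, event_data: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || SHA-256(event_data))."""
    digest = hashlib.sha256(event_data).digest()
    return hashlib.sha256(pcr + digest).digest()


def replay(events: Iterable[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Replay an ordered list of (pcr_index, event_data) into final PCR values."""
    pcrs: Dict[int, bytes] = {}
    for idx, data in events:
        pcrs[idx] = extend(pcrs.get(idx, PCR_INIT), data)
    return pcrs


def policy_digest(pcrs: Dict[int, bytes], selection: Tuple[int, ...]) -> bytes:
    """Simplified stand-in for a PCR policy: a hash over the selected PCR values.
    (Not the real TPM2_PolicyPCR digest; only the all-must-match property matters here.)"""
    h = hashlib.sha256()
    for idx in sorted(selection):
        h.update(idx.to_bytes(1, "big") + pcrs[idx])
    return h.digest()


def unlock_allowed(sealed_policy: bytes, pcrs: Dict[int, bytes], selection: Tuple[int, ...]) -> bool:
    """The sealed LUKS key is released only if the live PCRs reproduce the sealed policy."""
    return policy_digest(pcrs, selection) == sealed_policy


def boot_events(uki_image: bytes) -> List[Tuple[int, bytes]]:
    """Constructed event log for shim -> sd-boot -> UKI. Plain SHA-256 of the
    image bytes stands in for the Authenticode hash measured into PCR 4."""
    return [
        (7, b"SecureBoot=1"),
        (7, b"PK"), (7, b"KEK"), (7, b"db"), (7, b"dbx"),
        (7, b"authority:db-cert-that-verified-shim"),
        (4, b"shim.efi:" + hashlib.sha256(b"constructed shim binary").digest()),
        # shim measures the MOK state before handing over to its second stage
        (14, b"MokListRT"), (14, b"MokListXRT"), (14, b"SbatLevelRT"),
        (7, b"authority:mok-cert-that-verified-second-stage"),
        (4, b"systemd-bootx64.efi:" + hashlib.sha256(b"constructed sd-boot binary").digest()),
        (4, b"uki.efi:" + hashlib.sha256(uki_image).digest()),
    ]


# Constructed images: the owner's UKI and a different one signed with the same MOK cert.
MY_UKI = b"constructed: my own UKI"
OTHER_UKI = b"constructed: a different UKI signed with the same MOK certificate"


def unlock_outcomes() -> Dict[Tuple[int, ...], bool]:
    """Seal against the enrolled boot, then try to unlock after booting OTHER_UKI."""
    enrolled = replay(boot_events(MY_UKI))
    foreign = replay(boot_events(OTHER_UKI))
    results: Dict[Tuple[int, ...], bool] = {}
    for selection in ((7, 14), (4, 7, 14)):
        sealed = policy_digest(enrolled, selection)
        results[selection] = unlock_allowed(sealed, foreign, selection)
    return results


if __name__ == "__main__":
    for selection, allowed in unlock_outcomes().items():
        print(f"policy over PCRs {selection}: foreign UKI unlocks = {allowed}")
```

Running it reports that the policy over PCRs 7 and 14 still unlocks for the foreign image (same Secure Boot state, same certificates, same MOK contents), whereas the policy including PCR 4 does not, because PCR 4 carries the hash of the UKI binary itself. The flip side, visible in the same model, is that every legitimate UKI update changes PCR 4 and therefore requires re-enrolling the policy. On a real system the live values can be compared with `tpm2_pcrread sha256:4,7,14` from tpm2-tools.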

