[systemd-devel] sd-boot setup and PCRs

Andrei Borzenkov arvidjaar at gmail.com
Mon Jun 19 04:26:29 UTC 2023


On 18.06.2023 21:56, Felix Rubio wrote:
> Hi everybody,
> 
> After some days offline, today I have gone through the emails exchanged
> a couple of weeks ago and agreed: UKI is the way to go. Last time I
> checked about it I read about possible problems related to when some
> modules would be loaded and so on, but I see that my knowledge was
> outdated.
> 
> This said, right now my setup looks like: SecureBoot is enabled, I am
> using Shim, Systemd-Boot as shim's second stage, and a UKI. As the disk
> is encrypted, for now I am making the decryption predicated on PCRs 7
> and 14, so that the decryption will only fail when either SB state
> changes, or when shim certificates/hashes change. So far so good.
> 
> Out of curiosity now, I am wondering: what would happen in case somebody
> boots the system from, e.g., a USB drive that contains a signed image?

Signed by whom?

> Even if the shim is the same version, I assume it will fail to unlock
> because the MOK will not contain my certificate? 


What is "your certificate"?

> Should that certificate
> have been stolen and be present, would that be enough to then unlock the disk?
> 
> I am trying to assess if I should put in the mix PCR 4, so that I can
> keep track of the UKI image that gets loaded. Do you guys think this
> would be needed, or is it overkill?
> 
> Regards,
> 
> Felix
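
The PCR 7+14 binding and the PCR 4 question raised above can be modelled with the TPM extend operation; this is an added example, not part of the original thread and not systemd code. The event strings are constructed, and which boot stage extends which PCR follows the description in the quoted message (7 = Secure Boot state, 14 = shim certificates/hashes, 4 = loaded images); the `binding` digest is a simplified stand-in for a TPM2 PCR policy.

```python
import hashlib

ZERO = bytes(32)  # SHA-256 bank PCRs start at all zeroes

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM extend: new = SHA256(old || SHA256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def replay(events):
    """Replay (pcr_index, measured_bytes) events into an empty bank."""
    bank = {}
    for idx, data in events:
        bank[idx] = extend(bank.get(idx, ZERO), data)
    return bank

def binding(bank, selection):
    """Digest over the selected PCR values in index order (simplified)."""
    h = hashlib.sha256()
    for idx in sorted(selection):
        h.update(bank.get(idx, ZERO))
    return h.hexdigest()

def boot(uki: bytes, mok: bytes = b"MokList: cert A (constructed)"):
    """Constructed event log for shim -> systemd-boot -> UKI (assumed order)."""
    return replay([
        (7, b"SecureBoot=1 (constructed)"),
        (7, b"db: vendor cert (constructed)"),
        (4, b"shim image (constructed)"),
        (14, mok),
        (4, b"systemd-boot image (constructed)"),
        (4, uki),
    ])

# State at enrollment time versus a boot of a different, still trusted, UKI.
enrolled = boot(b"UKI build A (constructed)")
other_uki = boot(b"UKI build B, signed by a trusted key (constructed)")

def same_binding(selection, a=enrolled, b=other_uki):
    """True if both boots yield the same digest for this PCR selection."""
    return binding(a, selection) == binding(b, selection)

if __name__ == "__main__":
    print("PCR 7+14   unchanged by other UKI:", same_binding([7, 14]))
    print("PCR 4+7+14 unchanged by other UKI:", same_binding([4, 7, 14]))
```

In this model a policy on PCRs 7 and 14 cannot tell two accepted images apart, while adding PCR 4 ties the policy to the exact image and so has to be re-enrolled on every UKI update.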


