[systemd-devel] sd-boot setup and PCRs
Felix Rubio
felix at kngnt.org
Mon Jun 19 07:19:16 UTC 2023
"Signed by whom?" - Signed by an actor trusted by Secure Boot, either at
the platform level, or by any of the Shim contributors (I have not
checked yet if it comes with a list of certificates, or only contains
the one I enrolled)
"What is \"your certificate\"?" - The one I generated and enrolled into
MOK.
Regards!
Felix
On 2023-06-19 06:26, Andrei Borzenkov wrote:
> On 18.06.2023 21:56, Felix Rubio wrote:
>> Hi everybody,
>>
>> After some days offline, today I have gone through the emails
>> exchanged
>> a couple of weeks ago and agreed: UKI is the way to go. Last time I
>> checked about it I read about possible problems related to when some
>> modules would be loaded and so, but I see that my knowledge was
>> outdated.
>>
>> This said, right now my setup looks like: SecureBoot is enabled, I am
>> using Shim, Systemd-Boot as shim's second stage, and a UKI. As the
>> disk
>> is encrypted, for now I am making the decryption predicated to PCRs 7
>> and 14, so that the decryption will only fail when either SB state
>> changes, or when shim certificates/hashes change. So far so good.
>>
>> Out of curiosity now, I am wondering: what would happen in case
>> somebody
>> boots the system from, e.g., a USB drive that contains a signed image?
>
> Signed by whom?
>
>> Even if the shim is the same version, I assume it will fail to unlock
>> because the MOK will not contain my certificate?
>
>
> What is "your certificate"?
>
>> Should that certificate
>> had been stolen and present, be enough to then unlock the disk?
>>
>> I am trying to assess if I should put in the mix PCR 4, so that I can
>> keep track of the UKI image that gets loaded. Do you guys think this
>> would be needed, or is overkill?
>>
>> Regards,
>>
>> Felix
More information about the systemd-devel
mailing list