[systemd-devel] sd-boot setup and PCRs
Felix Rubio
felix at kngnt.org
Mon Jun 19 15:33:11 UTC 2023
Hi Lennart, Andrei, Adrian
Understood, and thank you very much :-) then 7+11+14 it is.
Regards!
---
Felix Rubio
"Don't believe what you're told. Double check."
On 2023-06-19 17:21, Lennart Poettering wrote:
> On So, 18.06.23 20:56, Felix Rubio (felix at kngnt.org) wrote:
>
>> Hi everybody,
>>
>> After some days offline, today I have gone through the emails
>> exchanged a
>> couple of weeks ago and agreed: UKI is the way to go. Last time I
>> checked
>> about it I read about possible problems related to when some modules
>> would
>> be loaded and so, but I see that my knowledge was outdated.
>>
>> This said, right now my setup looks like: SecureBoot is enabled, I am
>> using
>> Shim, Systemd-Boot as shim's second stage, and a UKI. As the disk is
>> encrypted, for now I am making the decryption predicated to PCRs 7 and
>> 14,
>> so that the decryption will only fail when either SB state changes, or
>> when
>> shim certificates/hashes change. So far so good.
>>
>> Out of curiosity now, I am wondering: what would happen in case
>> somebody
>> boots the system from, e.g., a USB drive that contains a signed image?
>> Even
>> if the shim is the same version, I assume it will fail to unlock
>> because the
>> MOK will not contain my certificate? Should that certificate had been
>> stolen
>> and present, be enough to then unlock the disk?
>
> MOK is persisted in an EFI var, hence it doesn't matter what you boot
> from, the MOK db will be the same.
>
> Hence if that UKI on the usb drive is signed by some key that is in
> your MOK then this will just be accepted and get access to your keys.
>
>> I am trying to assess if I should put in the mix PCR 4, so that I can
>> keep
>> track of the UKI image that gets loaded. Do you guys think this would
>> be
>> needed, or is overkill?
>
> If you use UKIs, bind to the signature for PCR 11.
>
> Lennart
>
> --
> Lennart Poettering, Berlin
More information about the systemd-devel
mailing list