[systemd-devel] Fedora 38 and signed PCR binding

Aleksandar Kostadinov akostadi at redhat.com
Sat Sep 2 19:18:09 UTC 2023


Hello,

Trying to configure Signed PCR binding on Fedora 38 by following
article [1] and adapting commands for signing.

What I did was basically this:
> openssl genrsa -out /etc/systemd/tpm2-pcr-private-key.pem 2048
> openssl rsa -in /etc/systemd/tpm2-pcr-private-key.pem -pubout -out /etc/systemd/tpm2-pcr-public-key.pem
> sudo systemd-cryptenroll --tpm2-device=auto --tpm2-public-key-pcrs=7+9+11+12+13+14+15 /dev/sda3
> added tpm2-device=auto,tpm2-pcrs=7+9+11+12+13+14+15

But automatic unlocking does *not* work. And this is what
systemd-measure returns:

$ /usr/lib/systemd/systemd-measure status
Warning: current kernel image does not support measuring itself, the
command line or initrd system extension images.
The PCR measurements seen are unlikely to be valid.
# PCR[11] Unified Kernel Image (NOT SET!)
11:sha1=0000000000000000000000000000000000000000
11:sha256=0000000000000000000000000000000000000000000000000000000000000000
# PCR[12] Kernel Parameters (NOT SET!)
12:sha1=0000000000000000000000000000000000000000
12:sha256=0000000000000000000000000000000000000000000000000000000000000000
# PCR[13] initrd System Extensions (NOT SET!)
13:sha1=0000000000000000000000000000000000000000
13:sha256=0000000000000000000000000000000000000000000000000000000000000000

Did I do something wrong? Or is the necessary integration just missing from
Fedora 38, so I had better revert to normal PCR binding?

Thank you.
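An added pre-enrollment check, not part of the original post or of systemd: it parses the `systemd-measure status` output quoted above (embedded here as a constructed sample) and reports which of the PCRs requested on the `systemd-cryptenroll` command line were never measured on this boot. All-zero digests in every bank mean the PCR was never extended, so systemd-measure's warning that the values are "unlikely to be valid" applies to exactly those PCRs, and binding a policy to them is pointless until the kernel boots as a measuring UKI.

```python
import re

# Constructed sample: the systemd-measure output quoted in the post above.
SAMPLE_STATUS = """\
Warning: current kernel image does not support measuring itself, the
command line or initrd system extension images.
The PCR measurements seen are unlikely to be valid.
# PCR[11] Unified Kernel Image (NOT SET!)
11:sha1=0000000000000000000000000000000000000000
11:sha256=0000000000000000000000000000000000000000000000000000000000000000
# PCR[12] Kernel Parameters (NOT SET!)
12:sha1=0000000000000000000000000000000000000000
12:sha256=0000000000000000000000000000000000000000000000000000000000000000
# PCR[13] initrd System Extensions (NOT SET!)
13:sha1=0000000000000000000000000000000000000000
13:sha256=0000000000000000000000000000000000000000000000000000000000000000
"""

# One "<pcr>:<bank>=<hexdigest>" line of systemd-measure status output.
DIGEST_RE = re.compile(r"^(\d+):(sha1|sha256|sha384|sha512)=([0-9a-fA-F]+)$")


def unset_pcrs(status_text):
    """PCR indices whose digest is all zeros in every reported bank,
    i.e. PCRs that nothing (such as systemd-stub) extended on this boot."""
    zero_by_pcr = {}
    for line in status_text.splitlines():
        m = DIGEST_RE.match(line.strip())
        if not m:
            continue  # warnings and "# PCR[..]" comment lines carry no digest
        pcr, digest = int(m.group(1)), m.group(3)
        zero_by_pcr.setdefault(pcr, []).append(set(digest) == {"0"})
    return sorted(p for p, flags in zero_by_pcr.items() if all(flags))


def parse_pcr_spec(spec):
    """Parse the '+'-separated PCR list systemd-cryptenroll takes, e.g. '7+9+11'."""
    return sorted(int(p) for p in spec.split("+") if p)


def unbindable_pcrs(status_text, spec):
    """Requested PCRs that carry no measurement, so a policy bound to them
    reflects nothing about the booted kernel, command line or extensions."""
    return sorted(set(parse_pcr_spec(spec)) & set(unset_pcrs(status_text)))


if __name__ == "__main__":
    print("requested PCRs without measurements:",
          unbindable_pcrs(SAMPLE_STATUS, "7+9+11+12+13+14+15"))
```

On a live system, feed it `subprocess.check_output(["/usr/lib/systemd/systemd-measure", "status"], text=True)` instead of the sample; an empty result means every requested PCR has at least one non-zero bank.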
