[systemd-devel] PCR signing / enrolling on UKI and validation by systemd-cryptenroll
Lennart Poettering
lennart at poettering.net
Mon May 27 08:17:43 UTC 2024
On Sa, 25.05.24 13:23, Andrei Borzenkov (arvidjaar at gmail.com) wrote:
> These are the PCRs for which you intend to provide a signed policy. These PCRs
> must be listed in the JSON file that is given to systemd-cryptsetup as the
> tpm2-signature= parameter. The only PCR for which there is a systemd tool to
> compute it is PCR 11. You should be able to add other PCRs to this JSON file
> and it should work, but you will need to compute the values yourself.
>
> Unfortunately, this is yet another case where systemd pretends to be generic
> while in reality it is not.
Hmm, where do we pretend anything?
We give you a tool to predict/sign the measurements for PCR 11 because
we can just do that from the UKI. For other PCRs it's a very different
story however.
(And we do provide a tool for that too nowadays btw, i.e. systemd-pcrlock).
Lennart
--
Lennart Poettering, Berlin
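The mechanics the thread is arguing about, as an added example (this is not code from the thread and not systemd's own implementation): predict a PCR value by replaying a list of measurements, then derive the TPM2_PolicyPCR digest that a tpm2-signature-style entry would carry for it, including the case of binding additional PCRs whose values you supply by hand. The extend and PolicyPCR arithmetic follow the TPM 2.0 specification; the entry layout (`pcrs`, `pkfp`, `pol`, `sig` grouped under the bank name) is assumed to mirror systemd-measure's JSON output, no signature is produced (that needs the private key), and the measurement blobs are constructed sample data that do not reproduce the stub's real section encoding.

```python
"""Predict a PCR and compute its TPM2_PolicyPCR digest (added example, not systemd code).

Assumptions, all labelled:
  - extend and PolicyPCR arithmetic per the TPM 2.0 spec (Part 3, TPM2_PolicyPCR);
  - JSON entry layout assumed to mirror systemd's tpm2-pcr-signature.json;
  - 'sig' is left empty: signing the policy requires the private key;
  - sample measurements are constructed, not taken from a real UKI.
"""
import hashlib
import json

TPM_ALG_SHA256 = 0x000B        # TPM_ALG_ID for SHA-256
TPM_CC_POLICYPCR = 0x0000017F  # command code hashed into the policy digest
PCR_SELECT_BYTES = 3           # sizeofSelect for a 24-PCR bank
ZERO_DIGEST = b"\x00" * 32     # reset value of PCR 11 and of a fresh policy session


def extend_pcr(start: bytes, measurements: list[bytes]) -> bytes:
    """PCR extend: new = H(old || H(blob)) for each blob, in order (order matters)."""
    value = start
    for blob in measurements:
        value = hashlib.sha256(value + hashlib.sha256(blob).digest()).digest()
    return value


def pcr_select_bitmap(pcrs: list[int]) -> bytes:
    """TPMS_PCR_SELECTION.pcrSelect: bit (p % 8) of byte (p // 8) set for each PCR p."""
    sel = bytearray(PCR_SELECT_BYTES)
    for p in pcrs:
        if not 0 <= p < PCR_SELECT_BYTES * 8:
            raise ValueError(f"PCR index out of range: {p}")
        sel[p // 8] |= 1 << (p % 8)
    return bytes(sel)


def marshal_pcr_selection(pcrs: list[int]) -> bytes:
    """TPML_PCR_SELECTION holding one SHA-256 TPMS_PCR_SELECTION (big-endian fields)."""
    return (
        (1).to_bytes(4, "big")               # count
        + TPM_ALG_SHA256.to_bytes(2, "big")  # hash
        + bytes([PCR_SELECT_BYTES])          # sizeofSelect
        + pcr_select_bitmap(pcrs)            # pcrSelect
    )


def policy_pcr_digest(expected: dict[int, bytes], old_policy: bytes = ZERO_DIGEST) -> bytes:
    """TPM2_PolicyPCR: H(old || TPM_CC_PolicyPCR || pcrs || H(values in ascending PCR order))."""
    pcrs = sorted(expected)
    pcr_digest = hashlib.sha256(b"".join(expected[p] for p in pcrs)).digest()
    return hashlib.sha256(
        old_policy
        + TPM_CC_POLICYPCR.to_bytes(4, "big")
        + marshal_pcr_selection(pcrs)
        + pcr_digest
    ).digest()


def signature_entry(expected: dict[int, bytes], pkfp: str) -> dict:
    """One entry in the assumed tpm2-pcr-signature.json layout; 'sig' stays empty here."""
    return {"pcrs": sorted(expected), "pkfp": pkfp,
            "pol": policy_pcr_digest(expected).hex(), "sig": ""}


def build_signature_file(entries: list[dict]) -> dict:
    """Group entries under the bank name, as assumed for systemd's format."""
    return {"sha256": entries}


def demo() -> dict:
    """Constructed walk-through: predict PCR 11, then add a hand-supplied PCR 7."""
    # Constructed stand-ins for what the stub measures into PCR 11; the real
    # section-name/content encoding is deliberately not reproduced.
    uki_measurements = [b".linux", b"<kernel image bytes>",
                        b".cmdline", b"root=/dev/mapper/root ro"]
    pcr11 = extend_pcr(ZERO_DIGEST, uki_measurements)
    # PCR 7 (Secure Boot state) has no systemd predictor in this thread's view,
    # so its expected value is supplied by hand here (constructed placeholder).
    pcr7 = hashlib.sha256(b"constructed PCR 7 placeholder").digest()
    pkfp = "00" * 32  # placeholder fingerprint; a real one identifies the signing key
    return build_signature_file([
        signature_entry({11: pcr11}, pkfp),          # PCR 11 only
        signature_entry({7: pcr7, 11: pcr11}, pkfp),  # PCR 7 + 11, values computed by us
    ])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The second entry is the point of the quoted objection: nothing in the format stops you from binding PCR 7 alongside PCR 11, but the digest changes with every PCR you add, so each extra PCR's expected value has to be predicted exactly before signing.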