[systemd-devel] PCR signing / enrolling on UKI and validation by systemd-cryptenroll

Aleksandar Kostadinov akostadi at redhat.com
Mon May 27 19:42:50 UTC 2024


On Mon, May 27, 2024 at 5:02 PM Lennart Poettering
<lennart at poettering.net> wrote:
>
> On Mo, 27.05.24 14:47, Aleksandar Kostadinov (akostadi at redhat.com) wrote:
>
> > Excuse me for top-posting but I can second that. Earlier I had a long
> > thread about not being able to get the signed PCRs work, I never
> > figured out that a signature was only created for 11.
> >
> > It would really help people not to lose their time if documentation
> > stated - there be dragons, go only if you want to become a TPM
> > low-level details and linux boot expert.
> >
> > Eventually I went with clevis and tang. Although if systemd allowed
> > signing with more PCRs, that would definitely be very useful.
>
> clevis/tang does not allow signing PCRs, last time I looked.
>
> It's really not comparable.

I know

> If you want to use literal PCR policies like clevis does it, systemd
> can do that for you just fine?

clevis combines multiple methods and combinations. Like pin, PCRs (not
signing), tang servers, but can be combined in different ways.

> systemd-cryptenroll --tpm2-pcrs= is for literal PCR enrollments.
>
> You can combine that with --tpm2-public-key= stuff for PCR 11.

This could be a reasonable option. Because they are not supposed to
change. For now I'm good though. I'll rather wait for TPM support to
mature.

> > If somebody from systemd team managed to use signed PCRs to unlock
> > together with the new systemd-pcrlock for non-11 PCRs, please write a
> > short how to install and what to do by kernel upgrade. Presently it is
> > not usable for regular or advanced users. Which is fine as long the
> > documentation doesn't suggest it is (and it presently does).
>
> Yeah, I want a pony too, and I keep demanding one, but no one gives one
> to me for free. Weird.

It's not the problem that there was no pony. It appears that multiple
people didn't understand there were dragons over there.

> Honestly, maybe dial down your expectations a bit, both of you. All
> this TPM support in systemd is fairly new, and it's definitely not
> user facing stuff anyway (hence super-friendly docs are *not* my
> priority, sorry, got enough on my plate), it's something distros
> should integrate and we are only at the beginning of that path.

I understand very well how oss works. The tone of some emails was a
little bit over the top, I wouldn't use it. On the other hand I can
very well understand the frustration. Just stating the facts.
Of course you owe nothing to anybody and you can give a sh*t or not
give a sh*t about user's perception. That's your choice. I thought
there was a value in stating user perception.
I mean value for the project and project maintainers.
If you don't find value in this, feel free to ignore.

> And complaining that things aren't just polished yet is certainly not
> helping anyone to get the tiniest step ahead on that path. It just
> annoys the people who you apparently believe work for you for free.

I don't think I thought anybody worked for me. Many projects are
interested in feedback especially for new features. I think specific
points were raised that can help polish the feature.
If you don't have time for this feature now and/or you don't find the
feedback valuable, then feel free to ignore. I hold no offence. Again,
I only stated my perception as a user. (namely that it might be
documented more clearly that this feature is under limited and not for
the faint-hearted)

Eventually my other thread was ignored and I didn't start blaming
anybody. I understood nobody was willing to help me with these and
decided on the most sensible way to proceed according to my needs.

So please don't take offence. Nobody or at least I don't blame you.

> > P.S. also would be great if systemd also supported tang so that both -
> > signed PCRs and tang to be required for automatic unlock.
>
> I am not convinced networked unlock with ssss really is something
> relevant for anyone but a select few folks who run major data centers
> and are willing to pay the price for doing the work. It's also just a
> bunch of shell scripts last time I looked, or did that change? If so,
> doubly uninterested.

Actually my use case is to keep a remote private server where I was
concerned about somebody taking the hardware away. So the network
policy based encryption pretty much covered my main concerns. + TPM to
make local data access more difficult but I don't really see this as a
likely threat. And you can build the tang server with a raspberry or
install it on an OpenWrt router. So definitely something close to
trivial for anybody building a home server.

I didn't go in depth into how tang and clevis worked. `tang` (the
server https://github.com/latchset/tang) seems to be using a lot of C
but also a lot of shell. If it is good for big datacenters, then it
should be fine for me also.

> Lennart
>
> --
> Lennart Poettering, Berlin
>


