[systemd-devel] PCR signing / enrolling on UKI and validation by systemd-cryptenroll

Andrei Borzenkov arvidjaar at gmail.com
Tue May 28 18:21:23 UTC 2024


On 28.05.2024 17:49, Lennart Poettering wrote:
> 
> systemd-cryptenroll supports pin, literal PCR, signed PCR — in any
> combination. (plus pcrlock, but that currently cannot be combined
> with signed PCR, because afaics it is not expressible in the TPM policy language).
> 

Why not? You can AND pcrlock with other policies just like currently
literal PCR is ANDed with signed PCR. You can even use signed PCR in
pcrlock policy - PolicyOR does not care what policies are combined,
literal PCR (as is done currently) or signed PCR. Or what semantics do
you have in mind that cannot be expressed?
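The composition argued for above, worked through with the TPM 2.0 policy-digest update rules (Part 3), as an added example that is not part of the thread or of systemd: a PolicyAuthorize (signed PCR) step followed by a PolicyOR over literal PCR alternatives, and a signed-PCR digest used directly as one PolicyOR branch. It assumes SHA-256 digests; the PCR values and the signing-key name are constructed placeholders.

```python
import hashlib

# TPM 2.0 command codes (Part 2, TPM_CC constants)
TPM_CC_POLICYAUTHORIZE = 0x0000016A
TPM_CC_POLICYOR = 0x00000171
TPM_CC_POLICYPCR = 0x0000017F
TPM_ALG_SHA256 = 0x000B
ZERO = bytes(32)  # a fresh policy session starts with an all-zero digest


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def pcr_selection(pcrs: list[int]) -> bytes:
    """Marshal a TPML_PCR_SELECTION with a single SHA-256 bank entry."""
    sel = bytearray(3)  # sizeofSelect = 3 covers PCRs 0..23
    for i in pcrs:
        sel[i // 8] |= 1 << (i % 8)
    return (1).to_bytes(4, "big") + TPM_ALG_SHA256.to_bytes(2, "big") + b"\x03" + bytes(sel)


def policy_pcr(old: bytes, pcrs: list[int], values: list[bytes]) -> bytes:
    """TPM2_PolicyPCR extends the running digest: an AND with one literal PCR state."""
    pcr_digest = _h(*values)  # hash of the selected PCR values, in ascending order
    return _h(old, TPM_CC_POLICYPCR.to_bytes(4, "big"), pcr_selection(pcrs), pcr_digest)


def policy_authorize(key_name: bytes, policy_ref: bytes = b"") -> bytes:
    """TPM2_PolicyAuthorize (signed PCR policy): the TPM resets the digest and
    binds it to the signing key's name and policyRef, not to PCR values."""
    d = _h(ZERO, TPM_CC_POLICYAUTHORIZE.to_bytes(4, "big"), key_name)
    return _h(d, policy_ref)


def policy_or(branches: list[bytes]) -> bytes:
    """TPM2_PolicyOR: satisfied when the running digest equals any branch;
    the new digest is fixed by the branch list, whatever the branches contain."""
    return _h(ZERO, TPM_CC_POLICYOR.to_bytes(4, "big"), *branches)


def signed_and_pcrlock(key_name: bytes, pcrs: list[int], alternatives: list[list[bytes]]) -> bytes:
    """AND(signed PCR, OR(literal PCR alternatives)): PolicyAuthorize runs first,
    so every OR branch must be a literal-PCR extension of its digest."""
    base = policy_authorize(key_name)
    return policy_or([policy_pcr(base, pcrs, vals) for vals in alternatives])


if __name__ == "__main__":
    key = b"constructed-signing-key-name"                # placeholder TPM2B_NAME
    good, alt = bytes([0xAA]) * 32, bytes([0xBB]) * 32  # constructed PCR 7 values
    print(signed_and_pcrlock(key, [7], [[good], [alt]]).hex())
    # signed PCR as one branch *inside* an OR is equally expressible:
    print(policy_or([policy_authorize(key), policy_pcr(ZERO, [7], [good])]).hex())
```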

