[systemd-devel] PCR signing / enrolling on UKI and validation by systemd-cryptenroll
Lennart Poettering
lennart at poettering.net
Thu May 30 19:58:57 UTC 2024
On Mi, 29.05.24 14:42, Demi Marie Obenour (demi at invisiblethingslab.com) wrote:
> > Hence, maybe tickets aren't the way to go, they bring complexity, they
> > would make a pretty relevant feature of our policies go down the drain
> > – even though they would combine the two relevant policies correctly.
>
> What about inserting an explicit delay into the boot process until the
> ticket expires?
Sorry, but no. That would be racy (since the TPM clocks are relatively
inaccurate afaics, unlike system clocks). Also it's one hell of an
ugly hack and given that TPMs are slow as fuck anyway and already slow
down boots measurably (heh, pun!) I am sure we shouldn't try to make
it even slower by inserting artificial sleeps...
Lennart
--
Lennart Poettering, Berlin