[systemd-devel] systemd-pcrlock silently ignores user requested PCRs downgrading security
aplanas
aplanas at suse.de
Fri May 9 15:39:27 UTC 2025
On 2025-05-09 13:03, Lennart Poettering wrote:
> On Fr, 09.05.25 15:58, Andrei Borzenkov (arvidjaar at gmail.com) wrote:
>> > If you want explicit config use the simpler PCR protections
>> > systemd-cryptsetup gives you, and avoid pcrlock.
>>
>> I obviously want to use pcrlock to have alternatives (like being able to
>> boot multiple kernels). Can I get it without pcrlock?
>
> No.
Sort of, it can be done. In openSUSE we are doing it via signed policy
and pcr-oracle[1]. This is a fallback from pcrlock (for cases where the
TPM2 rev does not support NVIndex policy), as pcrlock is objectively
better.
[1] https://github.com/openSUSE/pcr-oracle