Conversation

Notices

1. Embed this notice
   Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 21-Jan-2025 06:03:57 JST Lennart Poettering

   in reply to

   • Jarkko Sakkinen

   @jarkko … then you have only a very weak model, probably to the point it's not worth it.

   What matters is that distributions actually start deploying UKIs like this, and enable systemd-pcrlock by default. This is not trivial, but some distros are further ahead there then others.

   • James Morris likes this.
   • Embed this notice
     Jarkko Sakkinen (jarkko@social.kernel.org)'s status on Tuesday, 21-Jan-2025 06:03:58 JST Jarkko Sakkinen

     in reply to

     • Jarkko Sakkinen
     @pid_eins any thoughts on this one?
   • Embed this notice
     Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 21-Jan-2025 06:03:58 JST Lennart Poettering

     in reply to

     • Jarkko Sakkinen

     @jarkko It's a long text, but the person writing this is basically saying that a TPM2 policy for a disk that only locks to PCR 7 or not even that is not secure? I mean, no shit sherlock, of course it doesn't. If you policy doesn't lock to anything then it doesn't lock to anything...

     A full boot chain that gets things right would include at least a UKI with a signed PCR policy + a dynamic systemd-pcrlock policy. The combination should be reasonably secure, I'd claim, but if you have neither…

   • Embed this notice
     Jarkko Sakkinen (jarkko@social.kernel.org)'s status on Tuesday, 21-Jan-2025 06:03:59 JST Jarkko Sakkinen
     https://oddlama.org/blog/bypassing-disk-encryption-with-tpm2-unlock/ #systemd #tpm #tpm2