Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mastodon.social/users/pid_eins/statuses/113859671662575674">Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 21-Jan-2025 06:03:58 JST</a><a href="https://mastodon.social/@pid_eins" title="pid_eins@mastodon.social"><img src="https://gnusocial.jp/avatar/92094-48-20230126121211.webp" width="48" height="48" alt="Lennart Poettering" style="position: absolute; left: 0; top: 0;">Lennart Poettering</a><div><a href="https://social.kernel.org/objects/1023be1a-7bbd-4303-ad9e-c368d91f3354" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://social.kernel.org/users/jarkko">@jarkko</a> It's a long text, but the person writing this is basically saying that a TPM2 policy for a disk that only locks to PCR 7 or not even that is not secure? I mean, no shit sherlock, of course it doesn't. If you policy doesn't lock to anything then it doesn't lock to anything...</p><p>A full boot chain that gets things right would include at least a UKI with a signed PCR policy + a dynamic systemd-pcrlock policy. The combination should be reasonably secure, I'd claim, but if you have neither…</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4412629#notice-8632802">In conversation</a><time datetime="2025-01-21T06:03:58+09:00" title="Tuesday, 21-Jan-2025 06:03:58 JST">about 10 days ago</time> <span>from <span><a href="https://mastodon.social/@pid_eins/113859671662575674" rel="external" title="Sent from mastodon.social via ActivityPub">mastodon.social</a></span></span><a href="https://mastodon.social/@pid_eins/113859671662575674">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 21-Jan-2025 06:03:58 JSTLennart Poettering
in reply to
- Jarkko Sakkinen
@jarkko It's a long text, but the person writing this is basically saying that a TPM2 policy for a disk that only locks to PCR 7 or not even that is not secure? I mean, no shit sherlock, of course it doesn't. If you policy doesn't lock to anything then it doesn't lock to anything...
A full boot chain that gets things right would include at least a UKI with a signed PCR policy + a dynamic systemd-pcrlock policy. The combination should be reasonably secure, I'd claim, but if you have neither…
In conversationabout 10 days ago from mastodon.socialpermalink

Public

Embed Notice

HTML Code

Corresponding Notice